
An Eve Online corporation has been hit with a GDPR request from an ex-member - dlgeek
https://massivelyop.com/2019/01/05/an-eve-online-corporation-has-been-hit-with-a-gdpr-request-from-an-ex-member/
======
zizee
As much as I like the idea of "right to be forgotten", it seems to me that an
unintended consequence is that non-technical people hosting forums/blogs etc.
will be at risk of GDPR requests that they cannot comply with due to lack of
technical skills. This will have a silencing effect for people wanting to
operate non-profit sites as they won't be able to afford to comply with such
requests. They will be forced to either shutdown, or be in breach of law.

Perhaps some people will say "good, if you cannot run a site conforming to all
laws of the land then you should shutdown". If you think that, consider this:
as these laws pile up it will get more and more difficult to operate, leaving
only the very tech/law savvy, and big business.

This is not the democratization of information that the web promised oh so
many years ago.

On a semi-related note: if you are a small SaaS operator wanting to comply
with such requests, what are you meant to do about your DB backups that
contain data that is meant to be forgotten?

[edits: punctuation/grammar]

~~~
ThePhysicist
I think most of the larger forum software providers have implemented functions
to comply with GDPR (i.e. delete, restrict and extract user data).

Concerning backups: If you have a short turnaround time (e.g. 14 days) it
shouldn’t be a problem, the legislation acknowledges the fact that deleting
data and ensuring data integrity (also in accordance with GDPR) are sometimes
mutually exclusive from a practical point of view. You need to make sure that
deletion requests also get honored when restoring from backup though, so
ideally you want to store the requests in a third system and check them when
you restore backups.

Concerning the democratic aspect of participating in the online world I think
GDPR actually helps, as before it was not possible to reliably get your own
data deleted, rectified or transferred, which is not very democratic either
IMHO.

~~~
DoubleGlazing
> Concerning the democratic aspect of participating in the online world I think
> GDPR actually helps, as before it was not possible to reliably get your own
> data deleted, rectified or transferred, which is not very democratic either
> IMHO

This is where the GDPR has really helped me. I posted a comment on a blog
critical of a government data sharing initiative. Nothing illegal, or
questionable - it was a simple two sentence opinion comment which I posted
under my real name. I didn't stop to think for a minute that it would cause me
any problems.

It did. I discovered that I couldn't get to work on any government projects
because when a background check was carried out on me, the above comment was
found and according to Revenue (the gov agency responsible for such checks) it
indicated that I was hostile to the government's IT plans.

I asked the blog owner (same country as me) to please remove the comment, they
refused. So I submitted a right to be forgotten request to Google to stop the
blog post appearing in searches for my name.

~~~
theelous3
Ireland? In Ireland, civil servants are not allowed to express political
affiliation or opinion, so rather than it being a case of "we don't like what
you said", it would be a case of "you said something political, and it
persists."

I'm not sure if the contract for Revenue is _exactly_ the same as the civil
service, but I would presume on this front it is very similar.

~~~
DoubleGlazing
Yep.

There have been three occasions where the IT contracting firm I was working
for sent me to work on government IT projects as a contractor. None of them
were for Revenue, but it is Revenue who do these checks for all other
departments. On one occasion my employer managed to pull a few strings to get
me on the project (DSP), on the other two I was told no government work for me
(HSE and DoT).

On one of the three occasions I was forwarded an email from Revenue that
said "he expresses a desire for personal privacy that indicates he would be
unwilling to fully embrace the governments data sharing strategy".

I did write to a few news outlets about this, none were interested. Even the
ICCL wasn't interested, which really surprised me.

------
ThePhysicist
I don’t understand where the difficulty is in answering this request. If the
person doesn’t have a user account anymore on the site there shouldn’t be much
data of him/her left anyway. If there is data left, just collect it, send it to
the person and delete it afterwards (surely there’s a way to search posts by
author in their forum software). I can understand that such requests are
difficult to answer for companies that run many different IT services, but
this case seems pretty trivial to me.

~~~
dleslie
The hobbyists may not have access to do so. Perhaps their site is on a VPS or,
worse, a SaaS product?

And why should a Canadian running a site on American servers have to fear EU
law? Why isn't it the EU citizen's responsibility to know, understand and
abide by the rules and regulations of the countries they're visiting online?

~~~
t0astbread
Because that would be a loophole to sidestep EU laws?

If you offer your services in the EU, you have to respect EU law.

~~~
yoz-y
If you run a website, is "not blocking users from the EU" considered as
providing services in the EU?

I am genuinely curious because in that case GDPR seems to impact many
companies regardless of whether they actually do any business here.

~~~
belorn
There is no simple answer without more context, but if they are not doing any
business from those users then the answer is likely no. There are several
exceptions for normal operation of running a public website on the Internet.

------
taspeotis
The subtitle is "[d]isgruntled ex-guildie effectively invents new way to grief
in EVE" but it sounds like the request in question was sent to a website
outside of EVE. This could happen with other games or, you know, websites
unrelated to games at all...

~~~
tapland
Corp (guild) forums are an important part of EVE and preferred over posting
news and operations on Discord, for example, since you can set them up to serve
unique texts to each user, making it easier to find them if they leak to other
corps, and to include hidden changes in the website that will give it away in
case the corp news leaks by screenshot.

~~~
LeftTurnSignal
/sidenote

I've tried playing Eve quite a few times, and it just isn't my thing. Reading
about Eve, however, has always been an absolute joy.

Even comments like this (which make complete sense in hindsight) show me how
much (for better or worse) people put into a "sandbox" or game like Eve.

I swear some of the stories are much better than the stuff they toss in
theatres.

------
anonymfus
Why don't they want to answer the request? It would still be a nice thing to do
even if not required by law.

~~~
wvenable
They could probably spend all day every day answering these requests. How do
they even know it's valid? Could I just request all your information?

~~~
peteretep
> How do they even know it's valid?

They can require you to prove this before processing your application, under
GDPR.

------
scarejunba
I wonder if there's business in GDPR trolling websites. Does it count as
extortion if you give someone personal data and then say they must delete it
or pay you money to not kick up a fuss.

Honestly, it sounds like it should be legal. Like the way ADA or CEQA trolling
is. After all, that provides a valuable function.

~~~
geocar
Yes. And I think there's an astroturfing movement from large data warehouses
in the US that attempt to add confusion by talking about weird cases that
don't really exist.

The GDPR is actually quite simple to comply with for most people: European
businesses have been doing it for years since the GDPR is largely the
unification of various data protection regulations.

I suspect as more people learn that, that trolling business will fall by the
wayside...

------
sharpshadow
Guys, think about the ranking lists... you want your data deleted and you kind
of also have to delete all related data to that account, like everything. I can
already imagine some people hacking top 100 ranking list accounts and deleting
them to remove them from the ranking to get elevated themselves.

~~~
zaarn
You don't have to delete everything. In the case of ranking lists, it would be
sufficient to tombstone the data; replace the name with "[deleted account]"
and link it to a page that explains the account data was requested to be
deleted.

GDPR deletion requests only cover data whose processing you based on either
consent or the legitimate interest clause, or which is part of a protected
category (sexuality, religion, etc.). Some parts of "legitimate interest" that
continue to be legitimate interest (like, for example, billing information for
tax and fraud prevention) you may continue to keep around as well.
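The two mechanics discussed in this thread, an erasure ledger kept outside the backed-up database and re-applied after a restore (ThePhysicist's point about backups above) and tombstoning rather than deleting ranking entries (zaarn's point), worked together as an added example that is not code from the original thread. The schema, the tombstone notice path and all sample records are constructed for illustration.

```python
import copy
from datetime import date

# Constructed sample: the database as it comes back from a restore, i.e. it
# still contains the user who asked for erasure after the backup was taken.
RESTORED_BACKUP = {
    "users": {
        1: {"name": "Bob", "email": "bob@example.invalid"},
        2: {"name": "Alice", "email": "alice@example.invalid"},
    },
    "rankings": [{"user_id": 1, "score": 980}, {"user_id": 2, "score": 870}],
    "billing": [{"user_id": 1, "invoice": "INV-1", "amount": 10}],
}

# Erasure ledger stored in a separate system so it survives the restore
# (constructed; in practice only ids and dates, never the erased data itself).
ERASURE_LEDGER = [{"user_id": 1, "requested": date(2019, 1, 2)}]

# Hypothetical tombstone record: no personal data, just a pointer to a notice.
TOMBSTONE = {"name": "[deleted account]", "email": None, "notice": "/erasure-notice"}


def apply_erasure_ledger(db, ledger):
    """Return a copy of db with every ledgered user tombstoned, not removed.

    Ranking rows keep their position (only the name disappears) and billing
    rows are retained, mirroring the legitimate-interest carve-out above.
    """
    db = copy.deepcopy(db)
    for req in ledger:
        uid = req["user_id"]
        if uid in db["users"]:
            db["users"][uid] = dict(TOMBSTONE)
    return db


def leaderboard(db):
    """Render the ranking list as (display name, score) pairs, best first."""
    rows = sorted(db["rankings"], key=lambda r: r["score"], reverse=True)
    return [(db["users"][r["user_id"]]["name"], r["score"]) for r in rows]


def unerased_users(db, ledger):
    """Post-restore check: ledgered users whose personal data is still present."""
    return [r["user_id"] for r in ledger
            if db["users"].get(r["user_id"], {}).get("email") is not None]
```

Running `unerased_users` on every restore, before the database is put back into service, is the check that makes the ledger useful; a non-empty result means a honoured request has been silently undone.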

------
fhrow4484
What's interesting, and pointed out by a Reddit comment:
[https://www.reddit.com/r/legaladvice/comments/acsdf3/comment...](https://www.reddit.com/r/legaladvice/comments/acsdf3/comment/eddcc3u)

There's no way to identify that the person making the request is who he/she
says he/she is. The irony is that for services like Facebook, Facebook could
ask for a scan of your id/passport to confirm it's you, (and would it also
have to keep that scan saved somewhere in case it later needs to prove that it
"authenticated" the gdpr request correctly?)

But in this case, how to determine it's really the user? Should "Bob"
identify himself by disclosing his password, and have the admin test if the
login works?!

~~~
icebraining
Doesn't Eve have some sort of user profile? Bob could update it saying "yes,
I made a GDPR request to X on date Y".

~~~
fhrow4484
That's true, here it could be sufficient.

------
menzoic
How would this work if the data was stored on an immutable blockchain?

~~~
M2Ys4U
Storing it on an immutable blockchain probably violates the GDPR in the first
place, at least if you have no method to render the data unreadable.

To wit, Article 25 of the GDPR ("Data protection by design and by default"):

> 1. Taking into account the state of the art, the cost of implementation and
> the nature, scope, context and purposes of processing as well as the risks
> of varying likelihood and severity for rights and freedoms of natural
> persons posed by the processing, the controller shall, both at the time of
> the determination of the means for processing and at the time of the
> processing itself, implement appropriate technical and organisational
> measures, such as pseudonymisation, which are designed to implement data-
> protection principles, such as data minimisation, in an effective manner and
> to integrate the necessary safeguards into the processing in order to meet
> the requirements of this Regulation and protect the rights of data subjects.

> 2. The controller shall implement appropriate technical and organisational
> measures for ensuring that, by default, only personal data which are
> necessary for each specific purpose of the processing are processed. That
> obligation applies to the amount of personal data collected, the extent of
> their processing, the period of their storage and their accessibility. In
> particular, such measures shall ensure that by default personal data are not
> made accessible without the individual's intervention to an indefinite
> number of natural persons.

------
tql
So the GDPR is only about personal data? What are my responsibilities if I run
a chan, i.e., I store no personal data about my posts other than the IP
address where they originated? What if I use some tracking technology such as
a cookie or localStorage to identify unique browsers regardless of their IP
address?

~~~
geocar
You have to make it clear to people that you're using these technologies and
how long you keep their data. You _should_ also explain how you keep this data
safe.

If you suffer a data breach you have to disclose this, and you are potentially
liable for it if you could've protected users from that breach by
technological means (applying patches, salting passwords, encryption, and so
on). If your breach includes too much personal data(*) this could be serious.

If you think you want to keep data forever, then your liabilities for that
data extend forever. You should consider if this is really what you want, or
if you might want to simply delete old backups and scrub identifying
information after some time.

(*) The regulator will evaluate this by considering how the _people_ that
personal data is about will be affected. This is a difficult question to ask
-- a chan user might at worst suffer potential embarrassment being linked to
posts, so I suspect the regulator will view loss lightly, unless it could
easily and reasonably be prevented.

The ICO has really good guidance about this on their website:

[https://ico.org.uk/for-organisations/business/](https://ico.org.uk/for-organisations/business/)

~~~
bumbledraven
> a chan user might at worst suffer potential embarrassment being linked to
> posts

Embarrassment? People _lose their jobs_ in America for espousing commonly-held
conservative views. They can be _arrested_ in Europe for the same thing.

~~~
geocar
I understand your point, but this isn't a special risk introduced by the GDPR,
and from the perspective of a regulator, I don't think they are going to
consider linking someone to illegal behaviour to be an additional liability
for the company suffering the breach.

That being said, if your "chan" provides a safe haven for illegal behaviour,
you might have other non-GDPR problems as well.

~~~
bumbledraven
I see what you mean. As an explanation of how a GDPR regulator would view
things, what you say makes sense.

------
dmitriid
> the corp in question was blindsided by the request just as many real-life
> businesses were when the law came into effect last year

“blindsided” bullcrap again

~~~
jplayer01
Probably because it's a single guy running a small forum for a 70-man guild in
a spaceship MMO. Why would anybody in that situation expect to get a GDPR
request? Especially when it's clear the person in question is just bullying
the forum owner.

~~~
Symbiote
The greatest GDPR risk to my employer is from former employees wanting to
cause hassle.

We have very little user data, just an email address and a name, and no
tracking. Of course we have much more information about staff.

That's going to be a common situation, especially for non-tech or offline
businesses.

