
Doom Eternal Privacy Policy Allows Collection and Disclosure of Medical Records - gentleman11
https://wrap.bnet.idtech.services/legal/?limited=true&fragment=https%3A%2F%2Fbethesda.net%2Fdata%2Fpp%2Fen_fr.html
======
bhouston
This is a nothing story.

There are categories of data per the California privacy law. This is a whole
category called "Consumer Records" and because they collect some of it in
this category they have to declare the whole category.

Tons of companies do the same - 4M for example:

[https://www.google.com/search?q=paper+and+electronic+custome...](https://www.google.com/search?q=paper+and+electronic+customer+records+containing+personal+information%2C+such+as+name%2C+signature%2C+physical+characteristics+or+description%2C+address%2C+telephone+number%2C+education%2C+current+employment%2C+employment+history%2C+social+security+number%2C+passport+number%2C+driver%E2%80%99s+license+or+state+identification+card+number%2C+insurance+policy+number%2C+bank+account+number%2C+credit+card+number%2C+debit+card+number%2C+or+any+other+financial+or+payment+information%2C+medical+information%2C+or+health+insurance+information&oq=paper+and+electronic+customer+records+containing+personal+information%2C+such+as+name%2C+signature%2C+physical+characteristics+or+description%2C+address%2C+telephone+number%2C+education%2C+current+employment%2C+employment+history%2C+social+security+number%2C+passport+number%2C+driver%E2%80%99s+license+or+state+identification+card+number%2C+insurance+policy+number%2C+bank+account+number%2C+credit+card+number%2C+debit+card+number%2C+or+any+other+financial+or+payment+information%2C+medical+information%2C+or+health+insurance+information)

~~~
A4ET8a8uTh0
I do not accept "But everyone is doing it" defense. In fact, if anything, this
is a good indication that it should not be happening. Yes, you are right. This
is how things are. This is not how things should be.

~~~
tqi
I don't think the implication is "everyone is doing it" as much as "these data
categories (and category descriptions) are standardized across every company."

I am not a lawyer, but I think it is reasonable to assume that when
drafting the law, lawmakers had to:

- Choose a set of categories that were not too broad and not too narrow, and
optimized for reader interpretability/clarity

- Mandate companies to use standard descriptions of these categories in order
to prevent them from obfuscating what it was that was being collected.

It's sad to me how many people here immediately assume either malicious intent
by iD or incompetence by their lawyers as the only possible explanations.
Making something that is widely applicable, easy to interpret, and is
meaningful isn't an easy task. That's not to say that these categories are
perfect, just saying there's not an objectively "right" answer.

~~~
monadic2
Sad? You’re feeling bad that a corporation might be judged unfairly? Jesus
christ.

~~~
tqi
I’m sad that the people like you arrogantly assume they are smarter than other
people (including those for whom this is literally their job), and if
something doesn’t fall into their narrow concept of “what makes sense” they
default to malice or incompetence as the only explanation and deny the
possibility that complexity or nuance could exist.

~~~
monadic2
You're missing the point—who cares what's right? It's a corporation, not a
person. Why feel sad about unfairness rather than focusing on the source of
the unfairness—data collection itself, or the regulation that people need to
be told and fixing that? There's no need to be sad—and to me, no impulse—if
you actually have power in society to change what's wrong.

~~~
tqi
Actually you're missing the point. I'm not sad for a corporation, I'm sad that
the tech mentality is still that malice/incompetence are the only possible
explanations for things that on the surface don't make sense, and that they
(non experts on the subject at hand) clearly know better and would do a better
job. This is hubris.

------
nitwit005
It's just a table of definitions pulled straight from the California Consumer
Privacy Act (CCPA), which defines 11 categories of information, and requires
that you disclose if you collect it.

------
dang
The submitted title breaks the site guidelines by editorializing. Normally
we'd change it to the article title, but in this case every single comment in
the thread would become meaningless, so I'm going to downweight the submission
instead.

"_Please use the original title, unless it is misleading or linkbait; don't
editorialize._"

[https://news.ycombinator.com/newsguidelines.html](https://news.ycombinator.com/newsguidelines.html)

If you want to say what you think is important about an article, that's fine,
but do so in the comments. Then your view will be on a level playing field
with everyone else's.

[https://hn.algolia.com/?dateRange=all&page=0&prefix=false&qu...](https://hn.algolia.com/?dateRange=all&page=0&prefix=false&query=by%3Adang%20%22level%20playing%20field%22&sort=byDate&type=comment)

~~~
caconym_
Seems like it's less editorializing and more using the title to draw attention
to a fact (not an opinion, it's either true or it isn't) about an existing web
page that might not have been obvious to somebody clicking on a link titled
'ZENIMAX MEDIA ONLINE PRIVACY POLICY' and linking to the same.

Is this not allowed? Usually I actually appreciate it when the link goes
straight to the primary source in these cases rather than some intermediate
news site.

edit: maybe I'm looking at an edited title?

~~~
dang
Cherry-picking one detail and making that the title is actually the leading
form of editorializing. Titles are by far the biggest influence on threads, so
this is a big deal.

On HN, being the submitter of an article doesn't confer any special rights to
frame it for everyone else. That's why we ask people to express their opinions
in the comments rather than the title. HN readers should make up their own
minds about what parts of an article are important.

It's true that this policy can't just be applied mechanically and that there's
room for nuance. In this case, though, the argument that reverting the title
makes the submission a non-story is actually accurate. If the responses in the
comments are correct, then indeed it is a non-story.

~~~
gentleman11
To be honest, I started to write a tweet to get around this rule, but it felt
childish to approach it in that way and I considered a shallow blog post
instead. Next time I'll write the tweet so that the submission can rise to
story status like this thread:
[https://twitter.com/olenskae/status/1283000201993748482](https://twitter.com/olenskae/status/1283000201993748482)

or this one:
[https://twitter.com/paulg/status/1282052801347100675](https://twitter.com/paulg/status/1282052801347100675)

~~~
caconym_
This is exactly what I was thinking.

It's not editorializing. It's framing a discussion of a certain part of a web
page that is _not_ an article by using a title that is a factual statement
about said web page. The obvious "workaround" is to publish some low-effort
tweet or blog post or whatever, which further muddies the waters re: the other
"guideline" which says you should submit primary sources if possible.

I get wanting to take a hard line on titles, but I think the "guideline" as
written is confusing. The bit about editorializing should be taken out, to
make it clear that _actual_ editorializing isn't precisely what's prohibited.

~~~
dang
I don't think that's right. We have a decade of experience with this, and
while there are always corner cases, the HN rule and associated moderation
practice works surprisingly well. It creates a relatively level playing field
and lets the community consider a submission from first principles. That leads
to much more diverse discussion than you get if the title is skewed and primes
everybody.

If people start making tweets purely to put their spin on an article, HN users
will probably notice and flag the post. I mean, who knows. People are welcome
to try. We're not trying to stop anyone from expressing their view—but most of
the time it's cheap and inflammatory when someone hijacks a title to do so.

Title dynamics are fascinating. It used to irritate me that people place so
much importance on titles, but eventually I got it. One way of looking at it
is, it's a power law: the first 1% of information in (let's call it) an
article stream has 90% of the importance. Poof, now it makes sense why titles
are so impactful. I suppose that many power laws seem paradoxical when not
recognized as such.

~~~
caconym_
I'm not making a value judgment or suggesting that you don't know how to run
your website and achieve the results you want, in general, nor am I saying
titles aren't impactful (including in the way you're worried about). On the
contrary, I think HN is moderated well and that its community moderation
features and "algorithms" in general are well thought out.

I'm simply taking issue with the word "editorialize" in this context, because
that's not what this is. There is no "spin" here. This title is solving the
same completely innocent problem I'd have if I wanted to submit a link to
apple.com after a new $PRODUCT was announced, i.e. that the interesting thing
about the linked web page isn't obvious if my title is just 'Apple'. It's fine
if HN doesn't want me to title that submission e.g. 'Apple Announces New 24"
MacBook Pro', but that can't be because it's a case of editorializing, because
it isn't. This does not strike me as substantially different.

I feel like you think I'm saying non-neutral editorializing and framing should
be allowed in titles, which is absolutely not true.

~~~
dang
Ok, I think I understand you better now.

------
scotth
This couldn't possibly be true, could it? Bad copy paste job?

~~~
mywittyname
Maybe consumers should have the ability to sue companies who force them into
irrelevant, spurious, or onerous terms of service. It's not enough that these
likely won't hold up in court, because the possibility exists that they may.

~~~
sailfast
I'm not sure how this would hold up given the inability of United States
congresspersons to prevent forced arbitration language being inserted into
just about every contract we sign every day.

------
gentleman11
Edit: the link broke shortly after I posted it, this one is working:
[https://www.zenimax.com/legal_privacy_us/](https://www.zenimax.com/legal_privacy_us/)

Bought Doom Eternal on the steam sale just recently and found this:

"Customer Records: paper and electronic customer records containing personal
information, such as name, signature, physical characteristics or description,
address, telephone number, education, current employment, employment history,
social security number, passport number, driver’s license or state
identification card number, insurance policy number, bank account number,
credit card number, debit card number, or any other financial or payment
information, medical information, or health insurance information."

This is explicitly listed as collected and disclosed

They also list browsing history:

"Usage Data: internet or other electronic network activity information,
including, but not limited to, browsing history"

~~~
ocdtrekkie
I'd want to say: "Good thing they don't have access to any of that", but
unfortunately, one place Steam has not innovated at all is security: It's very
good at installing games on your computer, but those games can mostly do
whatever they want once they're there.

Microsoft got a lot of hate (some deserved, some not) for pushing the
Microsoft Store and UWP as a potential game distribution platform (originally
with some exclusives from the Xbox side of the world), but for all its faults,
it used sandboxing.

~~~
strombofulous
I have lots of friends who play shooting games semi-competitively (they're all
in the very high ranks of overwatch/csgo/etc). They are all _very, very, very_
excited about Valorant's ring-0 anticheat. Lots of people want features that
can't be achieved with a sandbox.

~~~
ocdtrekkie
I definitely understand that. Cheaters have pushed me out of most first-person
shooters I'd enjoyed. But I also have significant concerns about game
companies having that much access to my general-use computer.

Perhaps the solution here is not to do personal/sensitive work on gaming
machines, but then we're right back to having separate game consoles...

~~~
jhardy54
Alternatively: Only play video games with people in your trust network.
Friends, friends of friends, etc., so that you have some recourse against
griefing and cheating.

~~~
ocdtrekkie
This doesn't really help: I don't have a choice on whether or not my shooter
of choice implements anti-cheat.

Perhaps an ideal scenario would let a player choose whether or not to enable a
game's anti-cheat, but that it'd be required for certain matchmaking and
(obviously) competitive features. So that I can opt out if I'm just trying the
game casually or just playing with friends in a private room, but can enable
it if it's something I intend to play seriously and am invested in enough to
give deep access to my system?

------
lbacaj
As someone who currently works in healthcare tech I can tell you that taking
on health records is one of the riskiest things any company could ever do. In
fact we try to keep health records as isolated as technically, and humanly,
possible.

For each HIPAA violation a company will be fined $10,000 dollars per customer.
If ten million records on a database are part of a breach the company can be
out of business.

It boggles the mind that anyone would want to take on that liability.

[https://www.hhs.gov/hipaa/for-individuals/guidance-materials...](https://www.hhs.gov/hipaa/for-individuals/guidance-materials-for-consumers/index.html)

~~~
roywiggins
It takes more than storing medical data to be covered by HIPAA. Usually you
have to be a medical provider or have a business agreement with a medical
provider. If I upload an MRI scan to imgur, imgur isn't instantly governed by
HIPAA.

This means data harvesting companies can siphon up this stuff where they can
find it. As long as they don't have a particular contractual relationship with
an actual hospital, it's just like any other data, and they're not governed by
HIPAA.

There may be some other ways to get governed by HIPAA, but that's the general
rule. It's hard to do by accident.

~~~
londons_explore
Data brokers aren't interested in a couple of records here or there of x-rays
from Imgur.

They want millions of records with some kind of identifier, and some kind of
predictive value. Eg. The number of ice creams I buy might be a good predictor
of if I'll be buying diabetes treatment next year.

Without all 3, your data won't be used.

------
fpgaminer
I've had my gaming machine on a separate box for awhile now. Games and their
DRM have been getting worse and worse. Even games like Kerbal Space Program,
which I loved, harvested all your browsing data. Like, seriously, WTF?

So I've kept all that garbage on its own box. It's nicer that way anyway,
since I don't use Windows as my daily driver it helps me keep a Windows
machine around for other toxic software like Photoshop.

I previously did it in a VM with GPU passthrough, which worked quite well and
I think is a decent option for people who can't afford the cost/space of a
second machine. Nowadays, thanks to the death of Moore's Law, I had a
perfectly capable older machine lying around that I could use instead. That's
slightly less maintenance, since the GPU passthrough would occasionally need
twiddling after qemu or kvm updates.

EDIT: I will add, for the couple of years I was doing GPU passthrough, I didn't
notice any difference in performance compared to when I moved the same GPU
over to a physical box. In fact, there was this weird audio bug that I
originally thought was because of the VM, but it persisted on the real machine
and turned out to just be a bug in NVidia's audio driver. So besides the
maintenance burden, GPU passthrough was great.

~~~
dyingkneepad
> I've had my gaming machine on a separate box for awhile now.

I do the same, I bought my box from Sony, it's called Playstation 4. Never had
to worry about driver updates, incompatible games, sandboxing, anything. 5/5
would recommend.

~~~
amatecha
Yeah I also love playing games at half the graphical fidelity, resolution, and
framerate! :P I have all current-gen consoles, but none of them compare to a
high-specced PC on a 144hz monitor.

~~~
jorvi
At the distances people sit from their TV, taken with the average TV sizes,
going higher than 1080p is not needed. You'd need to sit closer than 2m (!) to
a 55" TV to be able to observe the fidelity increase from 4K.[0]

The same goes for very fine particle effects or extremely high resolution
textures. You just won't notice it. That is not to say those things don't have
a place, they are amazing and definitely look amazing at the close distances
one sits from a PC monitor. It's just not an apples-to-apples comparison.

I also feel that past 60Hz+FPS, the higher numbers bring very diminishing
returns, especially for controllers. Although I'd much rather see modern
consoles go 1080p120fps than 4k60fps.

[0] [https://www.hellotech.com/blog/wp-content/uploads/2019/10/sc...](https://www.hellotech.com/blog/wp-content/uploads/2019/10/screen-size-value-proposition.jpg)

~~~
GordonS
> You'd need to sit closer than 2m (!) to a 55" TV to be able to observe the
> fidelity increase from 4K

You do realise that not everyone lives in a mansion? 2m is a fairly common
distance from eyeballs to the TV here in the UK.

~~~
jorvi
When I was still in university even in the tiniest of student rooms I pretty
much always sat at least at 2m distance from my/a TV. No mansions involved.
Take out your measuring tape and extend it 2m from the middle of your couch,
or conversely extend 2m from your TV. It is not as big a viewing distance as
you think.

------
Argorak
I think this is mostly laziness - they just say "yes" to everything, without
checking if it actually happens.

They also share:

> thermal, olfactory, or similar information such as, CCTV footage,
> photographs, and call recordings and other audio recording (e.g., recorded
> meetings and webinars).

I like olfactory a lot.

------
archi42
"Do-Not-Sell. California residents have the right to opt-out of our sale of
their personal information. Opt-out rights can be exercised by going to
[https://bethesda.net/document/cookie-preferences](https://bethesda.net/document/cookie-preferences). We do not sell
personal information about residents who we know are younger than 16 years
old." Holy sht; not that it surprises me, but, well...

~~~
XCSme
The Do-Not-Sell should be the default, and maybe be incentivized somehow to
turn it on if you prefer to do so.

~~~
coderintherye
Depending on the state you live in, write to and convince your state
legislatures to pass a law.

Once > X number of states have such laws, it will be the right economic choice
for companies to make it the default for everyone rather than doing it
selectively by state.

------
falcolas
A quick reminder - this is the same game which had a ring-0 anti-cheat system
installed and run with the game. They stepped it back a bit after the outcry
(and install on people's system), but IIRC it is still installed and run if
you play Doom Eternal multi-player.

So, it's entirely conceivable that this very "covered" data was collected and
pushed up to their systems as a part of their "anti-cheat" detection, either
from a HD sweep or from in-memory data in other applications (like the
browser).

~~~
chrisseaton
I don't understand - how do they escape from user-space to ring zero?

~~~
dcow
When you click “allow” when its installer (or originally its store’s
installer) asks for administrative privileges.

------
vsareto
People are wondering why they would include this, but I bet accessibility
settings could be considered medical information e.g. if you turn on
colorblind or other assistance. If the game sends back all of your settings,
they'd see you turned that on and could make a reasonable guess that you are.

~~~
gentleman11
Good point, but it's listed as explicitly disclosed and/or sold

------
Dirak
The only mention of medical or health records on the page that I could find
is:

"Categories of personal information:"

"Customer Records: paper and electronic customer records containing personal
information, such as name, signature, [...] medical information, or health
insurance information"

I would give ID the benefit of doubt here and say this is just boilerplate legal
text.

------
nimbius
Bethesda seems to have conflated playing their game with applying for a job
with the UAC on phobos.

------
A4ET8a8uTh0
This just makes my blood boil. I am definitely not unbiased here. I purchased
Doom on steam before it got laden with the heavy DRM. It was a fun ride, but
it is now hard for me to justify the full price I paid. It is only a shame I
can't attempt to return it now after they rendered it unusable from my
perspective.

Still, my gaming PC is also my tax PC, and minor projects PC and since I am no
longer a kid, I have a lot of information floating on it I would not want
other people to know. How is this normal state of affairs?

I will submit request for refund just in case. It might get denied, but maybe
they will at least get the message.

------
yumraj
But how do they get this data?

I wonder if someone just copy pasted this form without actually reading,
though perhaps that is giving too much benefit of doubt.

------
everdrive
Thinking about this for a minute. It's got to be a matter of the DRM system.
They're anticipating that they could collect _any_ data from your PC, and are
trying to cover their bases.

------
goldfishlover
Isn't Doom Eternal mostly single player? What's the deal here?

------
teej
I wonder if this is laziness (my bet) or if it’s due to the seizure warning
they show before the game starts.

------
tasubotadas
Copy-paste gone wrong by lazy lawyers. They will release a fixed version in a
few days.

------
m3kw9
I’m not sure how my medical records can be taken from playing this game?

~~~
Rebelgecko
I don't know about this game in particular, but many games install spyware for
anticheat and DRM purposes.

For example, Blizzard's anticheat software phones home with the title bar text
of every open window on the computer. If I leave a browser tab open from my
doctor's portal, I can totally envision how Blizzard would end up collecting
some of my medical data.

~~~
dvdgsng
Crazy. Any more examples, details and links?

------
bibinou
It's an inclusive OR defining the concept of personal information.

------
danielscrubs
Which would break GDPR laws even if you got customers to sign it.

Really sloppy work.

