GDPR compliance stymies hypergrid travelers
After Europe’s new data privacy regulations, GDPR, went into effect on May 25, OpenSim users saw a flurry of requests from grid owners asking them to agree to new privacy policies. Sometimes, those messages would pop up in the middle of a hypergrid trip, hindering travel.
DigiWorldz, for example, has adopted a system that blocks users or prevent them from accessing the grid until they are able to agree to terms of service. This affects local and hypergrid users alike.
“We have implemented a system which, when a local user tries to login, or a hypergrid users tries to visit, we first check to see if they have authorized their avatar,” Terry Ford told Hypergrid Business.
Clicking the provided link takes users to a web authorization page, and, after authorizing their avatars, they can then continue as usual. In theory.
In practice, some hypergrid users find it hard to access the grids either because they do not read instructions detailed on each page about the information they ought to provide or do not understand them at all, said Ford.
“If they do not enter the correct information, they will never get in,” he said.
But that formal approval step, especially for hypergrid visitors, might not be strictly necessary under GDPR, he added. “There are some interpretations of the GDPR which indicate since we are collecting minimal data, there is no need to specifically ask for it as it is required in order for our systems to function. Under these conditions, we only need to let the user know what we collect, how we use it, how long we keep it, and inform them of their rights to be forgotten, and allow them to have a copy of the data we have collected.”
Other grids are also reporting that hypergrid visitors are having problems getting in.
Half of all hypergrid visitors to Craft-World did not click on the link to give consent, grid owner Raffaele Macis told Hypergrid Business shortly after the new policy went into effect. “It has only been three days and perhaps not a significant amount of time to talk about impact,” he added. “Some people need time to get used to new procedures.”
The DigiWorldz pop-up automatically directs users to the website when they click the OK button. Craft, however, requires them to right-click the links to to the page where they can agree to the new terms.
The high rejection for users leaving without giving consent could be because of a number of factors, Macis said. For instance, some people do not read the information presented on pop up windows and give up immediately when they see denial of teleport. “Some grid did not create a similar procedure, so people think, ‘I did not do this in my grid, why should I do it for another grid?'”
In addition, not all viewers have clickable links in their pop-up messages. Firestorm, the most popular viewer, does. Other viewers require users to copy the link, open their browser, and paste in the link manually.
“This is work, too much for some,” Macis said.
Great Canadian Grid also requires local and hypergrid users need to authorize their avatar to access or before they can login, according to its new terms of service for compliant to GDPR, grid owner Roderick MacDougall told Hypergrid Business.
All local users of both Openvue and AiLand, which are run by The University of Edinburgh is a charitable body, registered in Scotland, have been notified and given contact information for the grid manager. A section has been added to the TOS to give grid manager contact details and to explain what is logged and for how long this is retained.
“Both grids have only a few local avatars who have regions and creator roles,” grid owner Austin Tate told Hypergrid Business. “Most use is it as an openly accessible hypergrid destination.
Snikygrid, which is located in Germany, also posted a message to users about the changes in policy and TOS including the fact that their IP addresses, Media Access Control addresses, usernames, passwords and optionally, e-mail addresses are collected and stored securely to facilitate provision of services.
Some grids went even further than just updating their terms of services and requiring consent.
GreekLife, in addition to adding a new approval step for visitors, also did a grid restart to delete all historical logging data just to be on the safe side.
“GreekLife never saved any real information, just email for news and grid updates, all payments are made with the security of PayPal so nothing changed,” a GreekLife spokesperson told Hypergrid Business.
TangleGrid, citing “crazy European bureaucracy,” sent out notices three weeks in advance asking users to agree to the new terms or have their accounts deleted.
“This condition garnered responses from many members who have not logged into the grid for a very long time,” Tangle Grid co-owner “Ballistic Pixel” — who has left for DigiWorld a few days ago — told Hypergrid Business. “The only negative responses — at times rude — were from a few customers who had not logged in over a year. They couldn’t be bothered then — they can’t be bothered now. Most customers have responded expediently with agreeing to our new TOS and privacy statements.”
One grid going even further than Tangle is 2Worlds2Go, which plans to delete all user data — everyone will need to get a new login to the web and grid all with consent.
“We only use a minimum of user info,” a grid spokesperson told Hypergrid Business. “Your email for log in and we log your IP address. No info will be used for any other purpose than newsletters and log in. No data will be transferred to any third party.”
Grids with money have more hoops to jump through
When it comes to dealing with data and information relating to money, the grids with internal monetary systems might need to do a little bit more than others.
Grids that have internal monetary systems and that deal with real money need to protect the transaction and billing information it collects, Kitely CEO Ilan Tochner told Hypergrid Business.
Kitely, for instance, uses secured networks in addition to encryption and keeping the information accessible to only a limited number of persons with special access rights to the systems and are legally contractually required to keep the information confidential.
“In compliance with the GDPR, we’ve also added encryption of various database tables that include sensitive user data, such as names, emails, and PayPal account information,” he said. “Grids that aren’t doing this are increasing the risk of personal data being stolen from their systems and may have a hard time proving their compliance with the GDPR requirements for storing such data.”
It took months of full time work to develop the tools required to handle GDPR compliance, he said.
“OpenSim and its modules store data in multiple places,” he said. “There are also logs, backups, and external tools people use to manage grids, each with its own logs and backups.”
Kitely requires children under the age of 16 to get the parents’ consent for the collection and storage of those children’s personal data before they are allowed to use Kitely. This verification step is available for local users but not for hypergrid users, so Kitely only allows people over the age of 18 to teleport in via hypergrid.
The grid is also ensuring storage of minimal amount of user data. It does not store billing information configured for the PayPal accounts. That information is kept securely by PayPal and is never shared with the grid.
“When you buy or sell items in Kitely Market you will only share your PayPal account identifiers with Kitely,” he said. “We will act as a middleman in the transaction and the other party will only ever see our own PayPal account identifiers. You can therefore securely buy and sell items on Kitely Market without sharing any part of your billing information with the other party to your transactions.”
Allowing users to agree by simply clicking “OK” in the pop-up message itself would make life easier for users, but hypergrid based-instant messages are not reliable enough, said Tochner.
And if the grid waits to ask consent until after the user has already teleported in, then it may be too late.
“OpenSim and our own systems collect data that is considered private by the GDPR and we need to inform people before we collect that data, not after it,” he said. “If people enter our grid then OpenSim has already gathered quite a lot of information about them.”
For some users, this sounds like a case of forced consent — if they don’t agree to the terms, they lose access to the grid, which is a form of blackmail. In fact, Google and Facebook are currently being sued for $8.8 billion for forcing people to agree to new terms or lose access.
That’s a different situation, said Tochner.
“No one has to visit Kitely if they object to our terms and policies,” he said. “But people have grown dependent on Gmail and Facebook and locking them out of critical services doesn’t leave people with a realistic option other than to agree.”
Podex, Gloebit and GDPR
Podex, which is a third-party currency exchange, is avoiding the GDPR compliance issue by virtue of not collecting any client unnecessary data from inception. The only data stored is the avatar name and its IP address.
“One of the main Podex principles has always been not to collect any unnecessary data of our clients,” Podex CEO Jacek Shuftan told Hypergrid Business. “We do not require creating any accounts or submitting e-mails. Of course, we do have access to some information of our clients when they make payments, such as by PayPal, but the data is stored and secured by PayPal and you can be sure that they take care of it.”
Gloebit, another popular money system in OpenSim, is already GDRP compliant.
“We have always taken our users’ data and privacy very seriously, and as such, we have no major changes planned related to GDPR,” Gloebit CEO Christopher Colosi told Hypergrid Business.
In addition to asking for user consent about data usage and storage and informing users of any breaches when it occurs, Gloebit does not store any payment information. Any other personally identifiable information is stored in encrypted form in their database. When personally identifiable information is shared with third parties, those third parties also need to be GDPR-compliant.
“We run in the cloud on top of Amazon Web Services, so our servers have the security level that Amazon provides,” said Colosi. “We make all network connections securely via HTTPS.”
HTTPS is a secure Internet communication protocol where the messages are encrypted.
However, not all OpenSim grids use secure HTTPS for their communications, instead using the less secure, unencrypted HTTP protocol.
“But we are only providing information specific to Gloebit, not any personally identifiable information back through these connections,” Colosi said. “If a world has modified OpenSim to use HTTPS for callbacks into the system, then these will be secure as well.”
The cost of failing to comply with GDPR is up to 20 million Euro or 4 percent of the company’s annual global turnover, which ever is higher. Any company that provides services to European users is vulnerable, no matter where it is located — or how big it is.
That’s been a wake-up call for many companies. Across the Internet, some media and gaming companies have shut off access to European users or closed down completely to avoid dealing with the pain of GDPR compliance.
Uber Entertainment said it’s shutting down its Monday Night Combat game, saying the cost of rewriting back-end systems was too high to warrant compliance, according to an announcement.
In OpenSim, Immersive Reality grid became the first casualty of GDPR. The grid shut down at the end of April mainly due to GDPR regulations, according to their announcement, although there were other issues causing the closure as well, including lack of interest.