"compile logs" feature, sensitive info included in ZIP, and ZIP file access in forums



TeamRodriguez
October 23rd, 2022, 14:11
Hello,

I am hoping to raise this issue for general awareness and input from the developer/product groups from FGU.

I encountered a bug in one of the rulesets and proceeded to post in its relevant forum when I went to attach the logs generated from the script window in the "Compile Logs" feature.

Before I attached I decided to inspect the files in the ZIP and noticed:

- my game's IP and port
- my GM name
- my game's password

This means that unless anyone has looked in them before and explicitly removed them, other attached logs have this information (and I've already seen it just in looking at other attachments here in the forums).

It should be made transparent to users here that they are potentially exposing themselves by including these logs in forum posts.

Additionally, I'd like to understand why that information (specifically in the campaign xml file) is required for support requests?

anstett
October 23rd, 2022, 15:21
Thank you for posting this (and in the Discord). I have not posted any logs here publicly so this is good to know beforehand. I did see the response to not posting publicly and sending them to the developers privately.

I wonder how easy it is for a user to edit out the IP, port and PW info when posting a log. Or how often that the PII is relevant.

I fully expect that this is a case of sweeping up all potential data that might be needed for the devs having been done historically this way. Perhaps it is just getting in the habit of saying email your log to support instead of saying to post it in the forums.
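
On the question above of how easy it is to edit out the IP, port and password before posting, here is a pre-upload check, added as an example that is not part of the original thread and is not SmiteWorks code. The thread does not show the bundle's layout, so the file names and XML element names (`username`, `password`, `port`) are hypothetical, and the sample ZIP is constructed.

```python
import io
import re
import zipfile

# Hypothetical element names; inspect your own bundle and adjust this list.
SENSITIVE_TAGS = ("password", "username", "port")
TAG_RE = re.compile(
    r"<(?P<tag>%s)>(?P<val>[^<]+)</(?P=tag)>" % "|".join(SENSITIVE_TAGS),
    re.IGNORECASE,
)
# IPv4 address with an optional :port suffix (may also hit 4-part version strings).
OCTET = r"(?:25[0-5]|2[0-4]\d|1?\d?\d)"
IPV4_RE = re.compile(r"\b(?:%s\.){3}%s\b(?::\d{1,5})?" % (OCTET, OCTET))


def redact_text(text):
    """Return (redacted_text, findings) for one file's contents."""
    findings = []

    def tag_sub(m):
        findings.append(m.group("tag").lower())
        return "<{0}>REDACTED</{0}>".format(m.group("tag"))
    def ip_sub(m):
        findings.append("ipv4")
        return "REDACTED-IP"
    text = TAG_RE.sub(tag_sub, text)
    text = IPV4_RE.sub(ip_sub, text)
    return text, findings


def redact_bundle(zip_bytes):
    """Rewrite a log ZIP in memory; return (new_zip_bytes, {member: findings})."""
    report = {}
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            raw = src.read(info)
            try:
                text = raw.decode("utf-8")
            except UnicodeDecodeError:
                dst.writestr(info, raw)  # binary member: copied unchanged
                report[info.filename] = ["binary-not-scanned"]
                continue
            clean, found = redact_text(text)
            dst.writestr(info.filename, clean)
            if found:
                report[info.filename] = found
    return out.getvalue(), report


def make_sample_bundle():
    """Constructed sample; file and element names are illustrative only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("campaign.xml",
                   "<root><username>ExampleGM</username>"
                   "<password>hunter2</password><port>1802</port></root>")
        z.writestr("console.log", "Host listening on 203.0.113.7:1802\nRuleset loaded\n")
    return buf.getvalue()


if __name__ == "__main__":
    print(redact_bundle(make_sample_bundle())[1])
```

The report lists what was found in each member, so a user can see what the original bundle would have disclosed; members flagged `binary-not-scanned` still need a manual look before the cleaned ZIP is attached.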

TeamRodriguez
October 23rd, 2022, 15:30
"I wonder how easy it is for a user to edit out the IP, port and PW info when posting a log. Or how often that the PII is relevant. "

In my case I just uploaded files that I felt were relevant, but I have a developer's background and as such it's pretty easy to figure out what's relevant, on the face of it. I imagine anyone else paying attention, regardless of background, can figure this out too.

A tangentially related issue is the version of vBulletin used for these forums. It's a full major version behind and well past EoL support on its current version (4.2.1). It is not a difficult stretch to imagine there are potential vulnerabilities, especially given the PHP version that the old version of vBulletin supports. You can see where the scenario potentially unfolds, hence my concern with these logs all being posted in Forums, and the inclusion of this information that the average FG user may not have filtered out when asked by a content creator or support to attach their logs.

LordEntrails
October 23rd, 2022, 17:12
I'm surprised the password is included in the logs, and agree that should be removed. But you do know your IP address is revealed every time you post on a web forum like this one right? And that every time someone either posts on the forums or launches a public game, their GM name is posted as well? So those really are not PII. As well, I would hope that a FG game password would not be used by a GM as a password for anything sensitive, but as I said, I agree it should be removed as you never know if someone would use an FG game password for something else.

As mentioned (apparently in Discord?) anyone who is concerned with posting their log files can always submit a link to a shared location directly to SmiteWorks via the support request. https://fantasygroundsunity.atlassian.net/servicedesk/customer/portals

TeamRodriguez
October 23rd, 2022, 17:29
Yes, I know how IPs operate. That isn't the point, and frankly this "whataboutism" type reply is frustrating and misleading. This was the same type of reply when I raised it in Discord, and the "well you know how IPs work right derp" is only tangentially related to the issue at hand.

IPs are indeed PII. They are not always sensitive PII but yes, they are PII in many countries. They are specified as PII in GDPR requirements, for example, according to the EU. I live in the US. I work with GDPR related concerns on an almost daily basis. In the US there are state laws that cite IPs specifically as PII in, for example, the CCPA and COPPA.

Read about it here if you are so inclined:
https://gdpr.eu/article-4-definitions/

I will take my VTT business elsewhere. It is FG's responsibility to protect this information. If it is not excluded from software, the solution isn't "just email it" to avoid people seeing it in forums. Again, that misses the entire point.

This information is already disseminated throughout the forums, and it is not stated in software or forums that using the tool as well as posting logs includes information that someone may not want to make public and yes, is considered PII. Anyone with a registered account can download attached ZIP files and review this information. This is not in compliance with GDPR laws related to PII in the EU or the US.

If the issue does not seem obvious, then I can't invest in this product. This should absolutely be a concern for FG, given that this information has proliferated throughout the forums without user knowledge most likely, and that the log tool includes information such as usernames and game passwords, none of which is related to troubleshooting ruleset bugs, for example.

dsaraujo
October 23rd, 2022, 17:51
While I don't think this is a deal breaker for me, I agree that IPs/Zips information should be explicitly opt-in instead of the implicit, and that GM password should absolutely be removed asap, even when files are shared "privately".

LordEntrails
October 23rd, 2022, 18:06
> While I don't think this is a deal breaker for me, I agree that IPs/Zips information should be explicitly opt-in instead of the implicit, and that GM password should absolutely be removed asap, even when files are shared "privately".

It is opt in. A user has to manually create the log files, and they have to manually choose to share those files publicly.

@TeamRodriguez, you are certainly free to take your business elsewhere. If you wish to discuss this issue with SmiteWorks and not just another user like you (i.e. me), then you need to use the Contact form I linked earlier. Otherwise you are just going to have discussions with other users who are entitled to express their opinions, even when you don't like them. Assuming everyone does so civilly and with respect.

TeamRodriguez
October 23rd, 2022, 20:31
> It is opt in. A user has to manually create the log files, and they have to manually choose to share those files publicly.

As a user I cannot opt-in to deciding whether or not to include this info unless I know it's in the files I am going to attach. This is not the same as explicitly saying "I do not want to have my username/server pass/IP address included in my files".



> @TeamRodriguez, you are certainly free to take your business elsewhere. If you wish to discuss this issue with SmiteWorks and not just another user like you (i.e. me), then you need to use the Contact form I linked earlier. Otherwise you are just going to have discussions with other users who are entitled to express their opinions, even when you don't like them. Assuming everyone does so civilly and with respect.

Going to go out on a limb and say I think you mistake my attempt at conveying urgency with hostility. This isn't an argument, at least from my perspective, so I don't know what you mean regarding opinions. It's pretty clear what is and isn't PII; this is not subject to opinion as far as GDPR and CCPA are concerned.

I also mistakenly assumed that many repliers here and in Discord were actual FG representatives. Now that I know that they are not, I am hopeful an FG developer, community manager, or other member of leadership will step in to address this.

Thank you for listening to my feedback. I love using FGU, and if I wasn't concerned I would not have mentioned it.

ddavison
October 23rd, 2022, 23:30
GDPR and CCPA do not apply to SmiteWorks. Most state courts and federal law in the US do not deem IP addresses to be PII. It is necessary for common administration of the Internet and is useful for diagnostic purposes.

I don’t see any reason why the campaign password would be required in the logs, so we will discuss that in our meeting Monday.

You can read about our view of the information we track on the Help > Privacy Policy page. There is an email address available there for any questions about the policy.

https://fantasygroundsunity.atlassian.net/wiki/spaces/FGCP/pages/996638902/Privacy+Policy

TeamRodriguez
October 24th, 2022, 00:03
> GDPR and CCPA do not apply to SmiteWorks. Most state courts and federal law in the US do not deem IP addresses to be PII. It is necessary for common administration of the Internet and is useful for diagnostic purposes.
>
> I don’t see any reason why the campaign password would be required in the logs, so we will discuss that in our meeting Monday.
>
> You can read about our view of the information we track on the Help > Privacy Policy page. There is an email address available there for any questions about the policy.
>
> https://fantasygroundsunity.atlassian.net/wiki/spaces/FGCP/pages/996638902/Privacy+Policy

Thank you for replying to this thread, clarifying the position on GDPR, and acknowledging concerns regarding the other game info in the logs. I appreciate you taking the time to reply.

bmos
October 24th, 2022, 13:10
> GDPR and CCPA do not apply to SmiteWorks

GDPR does apply to "A company not based in the EU offers (a) products or services to EU citizens and residents...". Is FG not available to EU citizens and residents?

ddavison
October 24th, 2022, 13:48
> GDPR does apply to "A company not based in the EU offers (a) products or services to EU citizens and residents...". Is FG not available to EU citizens and residents?

It is government overreach. There is no enforcement of GDPR on US based companies who don't also have a physical presence in EU countries under the GDPR. Large US companies such as Twitter, Google, Apple, etc. will have to interact with GDPR, but small US based companies can ignore it. This can always change in the future, but IP address refers to a device (at best) and not to a person, and often not even to a device. Anyone who is concerned with using the same IP address over and over can and should employ a VPN to mask this.

I personally think it is a stupid law written by people who don't understand the Internet and how it works. For instance, our relay server records and uses the Host's IP address to facilitate easy connections between players and GMs without requiring the host to configure port forwarding on their router. That would not work without the IP address. The FG Classic system did something similar with the alias system. VPNs themselves need to record the IP address. Server logs are full of IP addresses. Our Privacy policy clearly states that we use IP addresses. Every single company that has an online presence should also declare this and therefore would make that part of the GDPR completely useless. Any company that doesn't declare that they are recording IP addresses is almost guaranteed to be violating the GDPR unknowingly.

*Edit*
I want to add that I think GDPR is not all bad. In general, companies should retain only the minimal amount of information in order to properly service the customer.

TeamRodriguez
October 25th, 2022, 15:40
Yeah, there's one's opinion of GDPR and there's what is required regardless of opinion. What you are describing is not a fully accurate representation of GDPR in relation to the information being collected.

It is about _my right as a consumer/user of services to request my personal information be deleted upon my request_. It's the service's responsibility to comply with the laws. You're right, everyone collects IPs in some form or another in order to deliver the services you are describing. If you need to keep doing that, great. The problem is that if I request my information be deleted, it doesn't seem like FG can comply with this request with the way software and service requests are handled, nor is it handling it correctly because this PII (again whether you agree with IPs being PII is irrelevant, or whether those who included it understand the internet, it has already been designated as PII) is potentially posted in a public forum.

If we were posting logs with diagnostic information that didn't have PII this becomes a non-issue. So maybe that is something that can be clarified - if the current log process includes things that under the law are considered PII (again, regardless of opinion, this is the law), what processes are in place to ensure that if I wanted to stop using FG and requested my personal info be deleted, that this would be completed in full compliance with GDPR? Because now that this has surfaced there are potentially users who have, or may continue to, post their logs here without realizing there is information they may not want to share. Yes, there are narrow scopes around when a company does NOT need to comply with this but again this is a narrower definition; GDPR/CCPA/COPPA is intentionally broad.

SmiteWorks is incorporated in Florida. I don't understand the reasoning behind why CCPA/GDPR would not apply to it. I work for a global organization with corporate headquarters in a US state and I have worked on numerous projects surrounding GDPR compliance.

This isn't meant to be a debate or argument over whether GDPR/COPPA/CCPA are relevant or useful. This is about a discovery I made that sensitive information is included in logs and there doesn't seem to be any transparency around what is included in those logs so that users can decide whether to post them in a public forum. And GDPR/CCPA mandate this. I have "a right to be forgotten". That means users have to have a clear transparent understanding of what is logged when using the service and how that information is handled when I choose to make it available.

Again thank you for your input and attention on this.

Others may find this useful.
https://gdpr.eu/right-to-be-forgotten/

jharp
October 25th, 2022, 15:50
I think what Doug is saying is that an EU individual can certainly go to whatever body enforces the GDPR and that body can make a ruling to punish SmiteWorks but since SmiteWorks has no physical presence in the EU it would be impossible for that body to enforce any ruling.

Edit:
I imagine you could take that ruling and attempt to have it certified by a US court but that seems unlikely.


Jason

ddavison
October 25th, 2022, 16:06
We occasionally have users who request that their information be deleted from our system. We let them know that they cannot use the software without this information, but if they choose, we can delete them entirely from our system. This only really happens if someone is leaving the platform fully. It's rare, but it happens and we assist the user in their request. If someone posts a log file to the public forums, they can delete that attachment or ask us to delete it for them. Any request for account deletion can be sent to support.fantasygrounds.com.

GDPR cannot impose any requirements on our business based in Florida. We did not vote for anyone who wrote those laws, and they have no power whatsoever to enforce it upon us. The GDPR is silent upon any sort of enforcement for foreign businesses that do not have a presence in the EU. This is because they know they can't enforce it. This goes back to the very founding of the United States and it is not something that the GDPR will ever be able to accomplish unless they convince the US federal government to also adopt it. We follow any and all federal and state laws that we are required to, but we would join the lobby against such laws if they were proposed. It would have to be voted into US law and we would have a say on whether or not the law passed. Then, win or lose, we would be obligated to follow whatever was passed.

COPPA is handled differently and any COPPA users have to submit a COPPA form before they are allowed to access our forums. They are kept in a different group called COPPA users as well.

TeamRodriguez
October 25th, 2022, 16:07
> I think what Doug is saying is that an EU individual can certainly go to whatever body enforces the GDPR and that body can make a ruling to punish SmiteWorks but since SmiteWorks has no physical presence in the EU it would be impossible for that body to enforce any ruling.
>
> Edit:
> I imagine you could take that ruling and attempt to have it certified by a US court but that seems unlikely.
>
> Jason

Thanks, I follow what you're saying.

TeamRodriguez
October 25th, 2022, 16:08
> We occasionally have users who request that their information be deleted from our system. We let them know that they cannot use the software without this information, but if they choose, we can delete them entirely from our system. This only really happens if someone is leaving the platform fully. It's rare, but it happens and we assist the user in their request. If someone posts a log file to the public forums, they can delete that attachment or ask us to delete it for them. Any request for account deletion can be sent to support.fantasygrounds.com.
>
> GDPR cannot impose any requirements on our business based in Florida. We did not vote for anyone who wrote those laws, and they have no power whatsoever to enforce it upon us. The GDPR is silent upon any sort of enforcement for foreign businesses that do not have a presence in the EU. This is because they know they can't enforce it. This goes back to the very founding of the United States and it is not something that the GDPR will ever be able to accomplish unless they convince the US federal government to also adopt it. We follow any and all federal and state laws that we are required to, but we would join the lobby against such laws if they were proposed. It would have to be voted into US law and we would have a say on whether or not the law passed. Then, win or lose, we would be obligated to follow whatever was passed.
>
> COPPA is handled differently and any COPPA users have to submit a COPPA form before they are allowed to access our forums. They are kept in a different group called COPPA users as well.

Thank you for describing this process. Sounds like there is no formal FG presence in EU.

LordEntrails
October 25th, 2022, 17:07
> Thank you for describing this process. Sounds like there is no formal FG presence in EU.

This is the key part. Any company that does not have a presence in the EU can not be held accountable to EU laws. It is the simple definition of sovereignty. Even "International Law" is only recognized by those countries that sign up to be held accountable to those various laws (like human rights, navigation of the seas, etc) and in those cases are generally handled by the UN or other agency as agreed to by all parties who opt-in to be subject to the law. (Note, there are often such laws that are imposed by a majority upon small nations that do not agree to such, but that is a whole other issue of international politics and influence.)

Think of it this way, if any nation could pass a law and hold entities (businesses or people) who reside outside that nation to those laws, then North Korea could pass a tax on EU citizens, or a small country could outlaw equal rights, or any other such preposterous idea.

International companies (like yours and mine), often comply with various national laws (like GDPR) because either they want to do direct business with companies that do fall under those laws, or have a presence themselves in those countries and therefore are subject to penalties if they do not comply.

bmos
October 25th, 2022, 20:01
> GDPR cannot impose any requirements on our business based in Florida. We did not vote for anyone who wrote those laws, and they have no power whatsoever to enforce it upon us.

Those laws are for protecting consumers and those consumers live and shop in the jurisdiction of the EU.
If you want to do business with EU customers you should follow the consumer protection laws they have opted to enact. You don't have to do business abroad if you don't feel like complying.

/s

ddavison
October 25th, 2022, 20:13
> Those laws are for protecting consumers and those consumers live and shop in the jurisdiction of the EU.
> If you want to do business with EU customers you should follow the consumer protection laws they have opted to enact. You don't have to do business abroad if you don't feel like complying.
>
> /s

That is not how that works. Again, our Privacy Policy is clearly stated and publicly available. Customers can read this and determine whether or not that works for them. I'm locking the thread though because the original post has been addressed.