Friday, July 9, 2010

second hands that minds have slowed are moving even faster

I wanted to talk a little bit more about the RealID situation, pursuant to information uncovered completely by happenstance on a British blog. Now, I will grant you, Blizzard is an American company, and, by and large, it plays by American laws. How'ver, I know there are international players of World of Warcraft, if not other games. And there's something in Britain called the Data Protection Act of 1998.

Part I of the act states:
1 Basic interpretative provisions

(1) In this Act, unless the context otherwise requires—
"data" means information which—
(a) is being processed by means of equipment operating automatically
in response to instructions given for that purpose,
(b) is recorded with the intention that it should be processed by means
of such equipment,
(c) is recorded as part of a relevant filing system or with the intention
that it should form part of a relevant filing system, or
(d) does not fall within paragraph (a), (b) or (c) but forms part of an
accessible record as defined by section 68;

"data controller" means, subject to subsection (4), a person who (either
alone or jointly or in common with other persons) determines the purposes
for which and the manner in which any personal data are, or are to be,

"data processor", in relation to personal data, means any person (other than
an employee of the data controller) who processes the data on behalf of the
data controller;

"data subject" means an individual who is the subject of personal data;

"personal data" means data which relate to a living individual who can be

(a) from those data, or
(b) from those data and other information which is in the possession of, or
is likely to come into the possession of, the data controller,
and includes any expression of opinion about the individual and any
indication of the intentions of the data controller or any other person in
respect of the individual;

"processing", in relation to information or data, means obtaining, recording
or holding the information or data or carrying out any operation or set of
operations on the information or data, including—

(a) organisation, adaptation or alteration of the information or data,
retrieval, consultation or use of the information or data,
(c) disclosure of the information or data by transmission, dissemination
or otherwise making available, or
(d) alignment, combination, blocking, erasure or destruction of the
information or data;

"relevant filing system" means any set of information relating to individuals
to the extent that, although the information is not processed by means of
equipment operating automatically in response to instructions given for
that purpose, the set is structured, either by reference to individuals or by
reference to criteria relating to individuals, in such a way that specific
information relating to a particular individual is readily accessible.
Does this begin to make sense?

There's a .pdf guide to data protection that the UK government offers; it has tips that are of course pursuant to English law, and as a legal guide it's rather needlessly overstated and cumbersome, but for the curious, it's well worth a read-through.

For our purposes, I'm going to quote a small bit found in section B, on page 42:
This is the first data protection principle. In practice, it means
that you must:

• have legitimate grounds for collecting and using the personal data;
• not use the data in ways that have unjustified adverse effects on the
individuals concerned;
• be transparent about how you intend to use the data, and give individuals
appropriate privacy notices when collecting their personal data;
• handle people’s personal data only in ways they would reasonably
expect; and
• make sure you do not do anything unlawful with the data.
What would this mean for Blizzard RealID provisions when dealing with British citizens? I would interpret it thusly:
  • Blizzard needs to first ensure that they have legitimate grounds for collecting the personal data of each of their subscriptors;
  • Blizzard needs to then ensure that they do not use the data in ways that have unjustified adverse effects on the individuals thus identified. Like, for instance, releasing this collected data to the public at large;
  • Blizzard needs to then ensure such personal data is kept securely and safely (which I would take to mean, "not release it to the viewing public at large"), and use it only in ways subscriptors would reasonably expect, such as to tie individuals to their individual account. (I believe Blizzard, btw, already does this; it's called "setting up Blizzard accounts");
  • Blizzard finally needs to do nothing unlawful with the personal data; like, oh, say, release it wideband to the viewing public.
I think that's clear enough, don't you? Blizzard cannot legally do what they're doing, at least in England. Have they even considered this?

Does any English player of WoW who might be reading along want to call up the relevant portions and say whether I'm on the right track or not? Because if so, I think every single British citizen who's playing anything that Blizzard currently has out, has full legal grounds to refuse the RealID system, with full expectations of being allowed to use the service completely--which would mean no restriction from posting on the forums.

This could be interesting. Do any other countries which have citizens using the WoW subscription service, or other current gaming services that Blizzard offers, have similar laws?

I'd look, were I you.

Unfortunately, I'm fairly sure America has no such legislation. People can--and do--demand Social Security numbers to be used to tie people to telephone services, cable, furniture rental and medical treatment here, for instance, even though such is stated to be illegal and completely within our rights as citizens to refuse.

Linden Labs even demanded Social Security numbers for age verification. Even though legally, Social Security numbers cannot by law be used as any form of ID.

But for everyone living in saner lands--look up your laws. Think of the class-action suit you could put together, internationally, if even a quarter of all active players signed on. 250,000 voices of complaint, legally backed--think that might make a difference?


[Update: Blizzard's backing down for now. Guess something finally sunk in that this was an insanely unsafe idea. Let's hope it stays that way.]


Lalo Telling said...

[font=Emily Litella] "What's all this fuss about RealID?" [/font]

If we're talking about the Internet service called "RealID", I have one of those. I picked it up at some point in order to reply to someone's blog. It's in the name of Lalo Telling, of course. It was as easy to obtain as any other pseudonymous subscription, because Lalo Telling already had a Gmail account.

Mind you, I no more support divulging a person's "official" personal information than anyone else upset over Blizzard's stupid move. My advice is to game the system: If you do not yet have an email address in the name of your avatar/character (whatever they call them in WoW; I don't play), get one. Use it to get a "RealID".

Pseudonymity preserved.

Rhianon Jameson said...

Mr. Telling raises an interesting point, although one wonders what happens when Blizzard requires payment, and said payment comes from someone pointedly not named "Lalo Telling." (This, in fact, is why Linden Lab knows who I am, even though I do have a gmail account in my avatar name.)

But with the disclaimer that I'm not a lawyer, much less an expert on British law, let me play devil's advocate for a moment. Legitimate grounds for collecting personal data? They certainly get a pass on that one, as they need the data for billing purposes. Nothing unlawful? I presume that the meaning of that phrase is "nothing beyond the language of the present law that would be unlawful" - otherwise the phrase is meaningless. And if Blizzard tells users what it plans to do with the data, subscribers could certainly "reasonably expect" the company to do what they say.

So now we're down to two issues: are there "unjustified" adverse effects and are the data kept securely and safely? The first one strikes me as a tough call. (Mind you, I completely agree that the policy is outrageous, and you'll get no argument from me about the stalkers and nut cases out there. But bear with me.) The word "unjustified" has to have meaning. I assume the meaning is to say that, sure, any data release may have bad consequences, but sometimes the good effects outweigh the bad. The company presumably will say that the point of releasing real names is to provide a gaming experience free from the misbehavior that can arise when one deals with pseudonyms only. The adverse affect is that the player may be harassed in some form in real life, away from the game. I'd think those two competing interests would require some balancing. You and I would come down firmly on the side of saying the adverse effects outweigh the justification, but others may analyze it differently, especially when the user has the choice of not playing the game.

That leaves keeping the data secure. Again, maybe this is clear in British jurisprudence, but if you grant that giving real names to other players is justified - again, we don't think so, but if we turn out to be wrong - then I would think "secure" means "cannot be accessed by someone who is not a player of WoW."

I'll note that the U.S. has a variety of state and federal consumer protection laws that, in at least some cases, create a legal responsibility for firms to limit the use of customer data; for example, Linden Lab can't post your credit card number on its web site in some unsecured location. I'll guess that disclosing a name is not, by itself, a violation, but it's an evolving area of public interest. Congress could change the law to prohibit such a disclosure.

Sanity is an evolving standard. :)

Rhianon Jameson said...
This comment has been removed by the author.
Rhianon Jameson said...

Frack. Darn thing posted twice, even though I only hit the button once, so I removed the clutter.

Lalo Telling said...

As an outsider -- not a player of Blizzard games, but concerned about Internet privacy in general -- I may not be reading the situation clearly... but it is my impression that the requirement for "RealID" is tied to posting in their forums, and not cross-linked to business dealings with Blizzard itself (i.e., paying for membership). Am I incorrect?

Second Life had no problem associating a payment coming from my "real" name with an email in a different name, neither of which, at first, were "Lalo Telling". Nor did they balk at re-associating it with Lalo Telling once that email account was opened, nor did they when the first pseudonymous email became point-of-contact for "Altschuler Hoffnung", my alt nicknamed Alt.

I.e., as long as they get their money, they're not terribly concerned about the name on the bank account that transfers it to them. Whether that also applies in Blizzard's case, I don't know - but I suspect it does, as they are, like Linden Lab, a business based in the US.

To Ms Jameson's point: Also not being a subject of the Queen, I'm guessing... but I would suspect that HM Gov't. would bring prosecution, if (as it seems) violation of the Act in question is a criminal offense, not a civil one. It would be up to them to make the case that Blizzard's single-point claim of "more civil discourse" outweighs the multi-point potential harm of identity revelation.

Emilly Orr said...

Mr. Telling,

No, that's a blog verification service, that's been around for years. They don't care whether you register under your 'real' name, strictly as "Lalo Telling" or "the Great Googly Moogly"--that service wants one email and one password tied to a verification service to make it easier to post on different blogs and still show up as non-anonymous.

Blizzard's RealID is an opt-in system--for now--used internally on the Blizzard forums--every post made on the forums will thus be made under the real, verified name on the account, because to get a Blizzard account on (Blizzard's in-house MMO hub) one must tie a real account to real verifiable forms of ID. It's not as simple as setting up an account under "Emilly Orr" on Gmail, and giving them that; I have to provide credit card number, full legal name ON that credit card, legal name and address to which that card delivers statements, et cetera.

Emilly Orr said...

Miss Jameson,

Legitimate grounds for needing the data: they have the data already; people needed to use their real names to sign up for accounts in the first place.

Blizzard informing people what it plans to do with the data: again, that's what's causing all the controversy, because user name data was never before expected to be released to the general public. Hence, the outcry from the population.

Security of data: In this case, "secure" likely should mean "cannot be accessed by members of the general public"; I will heartily agree. Unfortunately, the RealID provision only prevents people from posting if they do not have a RealID verification stamp.

Anyone can read the forums; in fact, nothing stops searching the forums for specific topics. Which means that people who don't have accounts have no problem whatsoever seeing individual forum posts.

Emilly Orr said...

Mr. Telling,

Again, see the first reply, but additionally, currently there are two forms of RealID verification: first, to post anything on the forums, but second, to friend anyone in-game in WoW or StarCraft. Though the discussion's been heavy on making RealID compliance mandatory with all future game releases, as far as I know.

Lalo Telling said...

I stand corrected -- thank you, Miss Emilly.

I wonder, however, about possible trademark infringement... or, at the very least, how many others beside me had the same confusion, owing to the identical name for entirely different "services"?

Alexandra Rucker said...

Yea, I found a note here that Blizzard is backing down too:

Glad they're finally seeing SOME sense. :)

Emilly Orr said...

Mr. Telling,

I admit, when you first mentioned it, I gave you the first general answer I had, but when I got home from the hospital I wanted to know if they actually had the same name.

They don't. There is a separate "Real ID" program, but it's one instituted by the Department of Homeland Security. The multiple-blog registry service to which you (and I) referred is called Open ID.


Indeed. Though the "for now" clause in their statements worries me deeply.

Rhianon Jameson said...

The DHS RealID system actually makes sense to me. Some find it Big Brother-ish, but, really, my Maryland driver's license is valid countrywide, so it's useful to have a verified, centralized system for such. Not to mention that, if the driver's license is going to be used as ID for boarding a commercial plane, I'd just as soon limit the things to legitimate users and not, say, terrorists.

Emilly Orr said...

Miss Jameson,

I heartily agree. Though those restrictions the DHS placed on folks delayed my acquisition of an ID when I moved to Oregon for three full years--because, not having a passport or an acceptable form of ID (at that point, IDs from other states that had expired weren't, exactly, looked on favorably), it took me those many months to gather the five proofs of ID they required.

It's still ongoing, btw--when Miss Neome moved to the state from Utah, her ID was still current. Still couldn't just get an ID, she had to provide a notarized copy of her birth certificate, her Social Security card, and one other verified proof of identification before they would allow her to get Oregon ID.

Generally, this is forcing people into noncompliance, and not because any of us want to hide our identity--but just in my case, five forms of ID meant paying $18 for California to send out a notarized birth certificate, running down state-level proofs for $12 and $10 respectively, and then batchfiling everything up and paying $35 to actually buy the ID. I don't know about you, but $75 is a little steep for most people.