You're browsing the 2004-2023 VATSIM Forums archive. All content is preserved in a read-only fashion.
For the latest forum posts, please visit https://forum.vatsim.net.

GDPR


Anthony Lawrence

Mark Richards
Posted

Thanks for the Nudge Andrew, I've not forgotten but the real world has taken my focus.

Mark Richards (811451)

Auckland, New Zealand

811451

 


  • 2 weeks later...
Anthony Lawrence
Posted

Any update?


  • Board of Governors
Gunnar Lindahl
Posted

Hello Ant,

 

My apologies for the delayed response - was hoping to sit down and get this back before I went away last week, but sometimes plans don't quite work out the way we want them to.

 

OK, can I clarify then that members will be asked for their explicit consent to this public release of their data, rather than it being buried within a document that you hope they've read? Article 7 of GDPR is very clear, in that consent should be clearly distinguishable, intelligible, and easily accessible in a clear and plain language.

 

My concern with the data remaining public is that by being a data controller, when you then publish that data for others to use, how are you going to handle erasure notices to anyone that has consumed that data? It'd be far better to have at least _some_ knowledge of who is using your data, to issue such notices to them too.

 

VATSIM claims 'legitimate interest' under GDPR to collect this data, and it is clearly stated in the Privacy Policy how some limited forms of this data are shown through the data feed. This means that the explicit consent you reference is not required in this instance. Of course, members have a right to object to this legitimate interest, and the process for doing so is outlined in the policy.

 

We are all very mindful of how the data feed makes some feel uncomfortable, and indeed I suspect a small minority of our members have used VATSIM for many years with a pseudonym for this exact reason. VATSIM has always been built steadfastly on the concept of using real names -- I would argue this worked well when it was a small hobby organisation with a couple of hundred members, but works less well now. We are actively looking at how those members who wish to have their names and identities protected are able to do so going forward. As you can appreciate this won't happen overnight but it's on our list of things to achieve.

 

I think you'd be somewhat surprised if you dived into some of the new GDPR publications of large organisations, such as eBay on the stance of "abandoned" accounts. Off the top of my head, Amazon's approach is 2 years of inactivity for their cloud services (Marketplace, Files, Music etc) before all data is deleted, with members being warned after 1.5 years.

 

OK, thanks - that was news to me. I will go away to the GDPR guys and check what their view is. As far as we're concerned, though, we have set out what we need to set out as per GDPR in the policy. I suspect there is no precedent (yet) either way for what is considered reasonable.

 

Age, location, email address. If we focus on age for a second, presently you only track age band which is out of date for the vast majority of individuals. I'm led to believe that under the new arrangement, you'll ask for a user's age (rather than date of birth) - this data might therefore go out of date as quickly as 1 second (if they registered 1 second to midnight on the eve of their birthday) or in 365 days - either way, the data about that individual is then incorrect and must be updated (presently, age brackets can't be updated). Location is no different, nor is email address (particularly of abandoned accounts).

 

We've no intention of tracking age at this stage - the new sign-up form asks for a prospective member's age to 'screen' them as per the policy, but that data is not stored. It's a firewall.

 

Continuing on the age front for a second, how are we handling existing members that are below 16? Are we ignoring that fact? I think, regardless of GDPR, there's a whole host of safeguarding reasons to actually want to know who our young, vulnerable members are to ensure that as an organisation, VATSIM ensures they're abreast of how to stay safe online.

 

We have a plan to retrospectively capture those members who we believe are under 16. Work is ongoing on this by our Web Services team.

 

Additionally, from a technical perspective, there's very few details about how data is stored securely - the policy outlines that access to the database is via a custom built web interface, but I know of a good number of people that have direct database access via both the command line and the DBMS UI. However it doesn't detail whether the data is encrypted at rest, or whether any backups are taken, transferred or encrypted. Does that need additional clarification?

 

I'm not a technical person (as you know, Ant!) but what I will say is that the web team are actively working on ever improving the way our data is stored and protected.

 

However, within the DP&H Policy, you've outlined that some PII is released publicly. This seems at odds with the other policy.

 

Perhaps a poorly worded para on our part - it refers to CERT, rather than the data in general. As we all know, and as per the policy also, some personally identifiable information is freely available.

 

I'm not entirely sure the policy can make this claim, although I'm happy to be proven wrong on my following point as the network doesn't use the same public copy of FSD as I have on my machine. The only password we've got for VATSIM, is our network password (or "CERT" password). Based on the fact that FSD requires passwords in plaintext, a user's password is stored in plaintext within the CERT database and on the FSD servers within the cert.txt file. So, "wherever possible" suggests that there are instances where this isn't the case.

 

You're right - the wording was deliberately chosen because this is something Jamie Fox is working on achieving, and as someone familiar with FSD it can't happen overnight. No new systems will be implemented where passwords are stored in plaintext, and we're working hard to ensure network passwords are properly encrypted, as soon as possible.

 

I hope this helps.

 

GUNNAR LINDAHL 

Mike Evans
Posted

One point of interjection.. the copies of cert.txt on the servers have the password encrypted, they are not in plain text.. that was changed several years ago.

Mike Evans


  • 4 weeks later...
Andrew Chan 1312598
Posted

Apologies for bumping an old thread, but my questions still have not been answered (save for a few that overlap with Anthony's, which were answered by Gunnar). To be frank, GDPR entered into force in 2016, VATSIM decided to implement it in March (according to the meeting minutes), and we're now two months in. How is it the case that details still haven't been hashed out?

 

Regarding Anthony's questions, I think we really need technical staff to answer the questions. While Gunnar's certainly answering them to the best of his ability (which is definitely much appreciated), it's rather difficult to get a true answer for the more technical ones, aside from some form of "we're working on it".

 

One point of interjection.. the copies of cert.txt on the servers have the password encrypted, they are not in plain text.. that was changed several years ago.

 

This isn't any better than storing them in plaintext. The encryption password has to be accessible by all applications that require it; if those applications are compromised, then so is the encryption password. Encryption is reversible; hashing is not. Hashing and salting passwords is the gold standard of password storage, period.

 

we're working hard to ensure network passwords are properly encrypted, as soon as possible.

 

Again, passwords should be hashed and salted, not stored in plaintext and/or encrypted. That being said, I am aware of how FSD relies on plaintext passwords (it may be encrypted in cert.txt, but it definitely isn't in transmission). Of course, this means that any attempt to overhaul password storage (which is a fundamental component of FSD) would unfortunately open a whole can of worms with regard to VATSIM's current use of FSD, both server and client-side. But that's probably talk for another thread.

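The distinction drawn in the post above between reversible encryption and salted hashing, as an added example (not code from the thread, from VATSIM or from FSD). The record formats, member IDs and passwords are constructed, the scrypt parameters are assumed values, and the small SHA-256 stream cipher is only a stand-in for whatever real encryption a system might use.

```python
import hashlib
import hmac
import os

# scrypt cost parameters: assumed values for this example, tune for your hardware.
SCRYPT = dict(n=2**14, r=8, p=1, dklen=32)

def hash_password(password: str) -> str:
    """One-way: return 'scrypt$<salt>$<digest>' using a fresh random salt."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT)
    return f"scrypt${salt.hex()}${digest.hex()}"

def verify_password(password: str, record: str) -> bool:
    """Re-hash the candidate with the stored salt and compare in constant time."""
    scheme, salt_hex, digest_hex = record.split("$")
    if scheme != "scrypt":
        return False
    digest = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex), **SCRYPT)
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))

def _xor_stream(data: bytes, key: bytes, nonce: bytes) -> bytes:
    """Toy stream cipher (SHA-256 in counter mode), a stand-in for real encryption."""
    stream = b""
    for counter in range(len(data) // 32 + 1):
        stream += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
    return bytes(a ^ b for a, b in zip(data, stream))

def encrypt_password(password: str, key: bytes) -> str:
    """Reversible: return 'enc$<nonce>$<ciphertext>' under a key the apps share."""
    nonce = os.urandom(8)
    return f"enc${nonce.hex()}${_xor_stream(password.encode(), key, nonce).hex()}"

def decrypt_password(record: str, key: bytes) -> str:
    """Anyone holding the key gets the original password back."""
    _, nonce_hex, ct_hex = record.split("$")
    return _xor_stream(bytes.fromhex(ct_hex), key, bytes.fromhex(nonce_hex)).decode()

def compare_stores():
    """Constructed member IDs and passwords; two members share one password."""
    members = {"1000001": "correct horse", "1000002": "correct horse"}
    shared_key = os.urandom(32)  # every application that checks logins holds this
    enc_store = {cid: encrypt_password(pw, shared_key) for cid, pw in members.items()}
    hash_store = {cid: hash_password(pw) for cid, pw in members.items()}
    # With the key, the whole encrypted store turns back into plaintext.
    recovered = {cid: decrypt_password(rec, shared_key) for cid, rec in enc_store.items()}
    return recovered, hash_store

if __name__ == "__main__":
    recovered, hash_store = compare_stores()
    print("recovered from encrypted store:", recovered)
    print("hashed store:", hash_store)
```

The hashed store has no key to lose: a login is checked by re-hashing the submitted password, and the per-record salt means the two members with the same password still get different records.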

Zach Biesse-Fitton
Posted

Hi Andrew,

 

I will respond to some of your queries to the best of my ability.

 

VATSIM holds data to help us to deal with members who sign up after being suspended or those who exercise their right to erasure. Can you understand, that if VATSIM did completely erase all traces of a user (both identifying and non-identifying), that user could then sign-up again and we would have no way of proving any wrongdoing? We need to protect the network from scenarios such as this. By doing this we are protecting the integrity of the network, amongst other things.

 

Same goes for updating of data. Here's another scenario; a member gets suspended or removed from the network for a breach of policy, this breach is recorded in their CERT record. That member decides that this data in their CERT is "inaccurate" and decides to have all traces of it removed. The clause in the policy prevents this from happening.

 

The guys from the membership department may be able to comment on the provision for verifying identity, unfortunately, I am not well-versed on the procedure as it's out of my department.

 

Does that provide some insight?

 

Also, I note your comments about password storage practices. It's already being worked on. Maybe you can help us since you have such good knowledge on this subject?

Zach Biesse-Fitton
VATSIM Developer and Supervisor | VATPAC Division Director

vatSys Development Team


Callum McLoughlin
Posted (edited)

The challenge towards VATSIM is fine, but I want to challenge members back...

 

This is a gaming website, not a bank. You signed up and gave the following information to VATSIM to use:

 

Name, email address, password reminder word, location. Like every website on the internet which has user accounts, information about the connection is collected to protect the website and the individual from mis-use. There is a privacy policy that you read and agreed to, it has always been there. Just like a membership record in any organisation, if you get into trouble (which you will know about... there is no secret police here) then it will be documented. It isn't rocket science nor should it be a secret.

 

Why is so much time being wasted arguing about the finer details of this?

 

Why have you not had an issue with any of this BEFORE the EU created a regulation that is predominantly aimed at the commercial sector holding large volumes of data and those seeking to commit criminal activity? It suggests to me you didn't think there was an issue.

 

So, why now is there nit-picking?

 

Complying with the law is very important, but why is compliance with this specific regulation of such concern to end users? Fly, control, enjoy... (I note one protagonist questioning VATSIM so closely last connected to the network as a pilot/controller over 16 months ago, another was 4 months ago). Being a virtual lawyer and know-it-all isn't part of the fun. Well it isn't for me, anyway.

 

VATSIM is being very open responding to members so attentively about their compliance status. I would not blame VATSIM, or any other such organisation, for stating that it was to the best of its own assessment compliant and ignore all questions/discussions. The compliance status is after all, strictly speaking, a matter between the owners and the authorities.

 

But VATSIM is trying. I think it deserves some recognition for that by letting it move on to more important matters... boosting online activity.


Nestor Perez
Posted

Finally someone did what I was "afraid" of doing myself.

 

Thanks Callum, and thanks to all those of you in and around the BoG who voluntarily work on keeping the network going!

Me.


Andrew Chan 1312598
Posted

Thanks for the replies, Zach! Now excuse me while I address some of the points made by Callum...

 

This is a gaming website, not a bank. You signed up and gave the following information to VATSIM to use:

 

Name, email address, password reminder word, location.

Yes, but that does not mean that VATSIM should have the right to wave my information out in the open (and that's without any kind of login, for starters). With a name, country, and flightsim interest alone, I can easily find even more personal information about a VATSIM member. If a volunteer organization can't responsibly collect PII and keep it private, then don't collect it in the first place.

 

Can you understand, that if VATSIM did completely erase all traces of a user (both identifying and non-identifying), that user could then sign-up again and we would have no way of proving any wrongdoing? We need to protect the network from scenarios such as this. By doing this we are protecting the integrity of the network, amongst other things.

 

Same goes for updating of data. Here's another scenario; a member gets suspended or removed from the network for a breach of policy, this breach is recorded in their CERT record. That member decides that this data in their CERT is "inaccurate" and decides to have all traces of it removed. The clause in the policy prevents this from happening.

Like every website on the internet which has user accounts, information about the connection is collected to protect the website and the individual from mis-use.

Thanks for the reply, Zach. If this definition can be included in the DP&HP, then I have no issues. The largest issue I have is the vagueness. Stuff like "we reserve the right" and/or "the final right rests with VATSIM" is incredibly hand-wavy.

 

Why is so much time being wasted arguing about the finer details of this?

 

Why have you not had an issue with any of this BEFORE the EU created a regulation that is predominantly aimed at the commercial sector holding large volumes of data and those seeking to commit criminal activity? It suggests to me you didn't think there was an issue.

 

So, why now is there nit-picking?

Now you're just going ad hominem. Why does what I think influence the arguments being made? The fact that an unpopular politician is saying that the local roads are in horrible condition doesn't suddenly refute the fact that the roads are indeed terrible.

 

What constitutes a problem changes over time. Let's say you have an issue with Facebook after the Cambridge Analytica scandal. But you didn't bring it up before. Does that suddenly invalidate your current grievances with Facebook? Were you even aware of what CA was actually doing before it came to light? I certainly wasn't (well, not to the degree that has been reported), and neither was I aware of how "open" my PII is on VATSIM. Laws and opinions change over time. Privacy (and perceptions thereof) is no exception.

 

Furthermore, why would I have spoken out when suggestions would frequently be shot down and/or ignored, particularly in the past? I think your comment here is an apt demonstration of such. Would you have any issues if, all of a sudden, I was a member who joined in June 2018, after the GDPR implementation date? Would I instead be branded as an inexperienced beginner who should have no say in how things are run here?

 

Complying with the law is very important, but why is compliance with this specific regulation of such concern to end users?

Because that's my personal data on the line. Perhaps you don't have any issue with exposing all your personal details online, but I do. I trust that the EU has written the GDPR to be as bulletproof as possible (well, at least more than some privacy policy that I or anyone else can come up with, given the EU's track record).

 

VATSIM is being very open responding to members so attentively about their compliance status. I would not blame VATSIM, or any other such organisation, for stating that it was to the best of its own assessment compliant and ignore all questions/discussions.

I disagree with your statement. It literally took over two months for some of my questions to get answered (thank you so much, Zach and Gunnar, by the way), and that's not counting the ones that haven't. And that's only after this post was bumped no fewer than three times over the past two months.

 

Am I expecting official responses to come days (heck, maybe even just weeks) after I post? No. I'm fully aware that many of us have other commitments. But after a certain point, it starts to look more and more like deflection, and that I'm simply being ignored and/or given the runaround.

 

Also, I note your comments about password storage practices. It's already being worked on. Maybe you can help us since you have such good knowledge on this subject?

Looking at your profile (well, the one included in the announcement when you first joined the BoG anyway), I don't think I'm quite where you are knowledge-wise. To be honest, password storage is a very common (and in my opinion, already solved) issue in tech. I don't think I have much else to add. Plus, I'm at a stage where I don't think I can provide any solid commitments (particularly time-wise).
