Required reading for anyone interested in anti-cheat and its implications for data privacy (and AA5)

Yesterday I came across this master's thesis of a law and technology student who seems to be one of the first to tackle the tricky question of client side anti-cheat software and its effects on data privacy under the GDPR and ePrivacy Directive/upcoming ePrivacy Regulation.


It might be a two hour reading, but I can absolutely recommend this from start of finish! It covers all the different angles of this discussion in detail and with nuance and should be considered required literature for the community and the AA team especially.

Basically, what this means for any future AA or other videogame title: in order to be considered legal under current data privacy regulations and to be future proof for coming regulations like the ePrivacy Regulation, kernel-level client side anti-cheat measures (like Punkbuster or similar software) will not be the lawful way forward in their current form.
There will have to be new solutions in their place that conform with a higher standard of personal privacy and it is unlikely that after all these years, solutions like Punkbuster will be able to adapt to these new demands, just by virtue of their design.

Also, from a data protection perspective, community-run efforts and their unregulated use of player data (also through tools that Evenbalance offers) will be unsustainable as well, but that depends on the way these communities evolve with the new regulations in the future. In my eyes, there could be ways services like PBbans/ACI/BF4DB could become GDPR compliant, but it would take some effort to say the least.

As it stands though, both Punkbuster and services like PBbans, ACI or BF4DB are all operating in violation of EU law. And even though they are effective tools in themselves and indisputably help the community, they unfortunately will not prevail in a world where the concern for data protection and personal privacy has a evolved quite a bit since the early 2000s.


  • [soldier][soldier] Posts: 171Player
    edited March 9
    As it stands though, both Punkbuster and services like PBbans, ACI or BF4DB are all operating in violation of EU law.

    That's a pretty broad statement to make without knowing exactly what the users' rights are and what they have consented to in detail, although I might tend to agree since breathing and eating are against EU law at this point.

    I'm certain privacy issues are why PunkBuster has not been included into any new games in quite a few years now. Once people got the notion into their heads that an IP address was "personally identifiable information" the door was open to all sorts of nonsense claims.

    Perhaps when we visit a store to buy something we should demand that the employees not look at us for fear of discovering all sorts of "personally identifiable information", including my height, weight, skin tone, eye color, hair length and color, scars or tattoos, manner of speaking, etc. Never mind, I'm sure the EU already has such a law.
  • motivated2*censored*motivated2*censored* Posts: 10Player
    That's a pretty broad statement to make without knowing exactly what the users' rights are and what they have consented to in detail
    Well, the inalienable rights granted by the GDPR are all listed in chapter 3, that's quite straight forward... And what the user consented to is written in the EULA of PB, though as the thesis above points out, that consent is basically invalid because the license agreement doesn't fulfill the minimum requirements for "informed consent", as by design it is a black box :confused:

    As for the IP address being considered personal data, I think it's hard to argue why it shouldn't be anymore. Your entire online life happens behind these few digits, the same way your most private physical life occurs behind your physical address. And just like one room in your house isn't the representation of your entire personal life, just one online service isn't the entirety of your online life. But that IP address makes them all rooms of the same virtual household. Leaked IP from Amazon with first name and address + leaked IP from some naughty little online site with search history, and those are two rooms that you don't want the public to know are in the same house.

    And the store example fits quite perfectly: it's impossible to go to the store without disclosing your identity, just as it is impossible to play on a server without disclosing the IP address. But the BIG difference is: is someone is writing it down?
    At the end of the cashier line, there's that person noting down all the things you described (race, age, gender), and then at the end of the month they make that list public for all, maybe together with who bought the least healthy foods that month... Is that a store you'd go to?
    And then, maybe that's the only store in town, and you had no choice. Wouldn't you want the lawmaker to intervene and set boundaries to what a store can collect and display in public? Well, you have just discovered the need for privacy law :hurrah:
    Not the existence of data is bad in itself, but how you write it down, where you store it, how you anonymize it, where you share it and how the subject knows about it is what is important.

    As for eating and breathing, some of the strictest laws in air quality and food quality make sure I can breathe just fine here, and the food tastes great, too!
  • [soldier][soldier] Posts: 171Player
    edited March 10
    And the store example fits quite perfectly: it's impossible to go to the store without disclosing your identity, just as it is impossible to play on a server without disclosing the IP address. But the BIG difference is: is someone is writing it down?

    They don't have to write anything down, they all have cameras recording every moment you are in the store including everything you look at and buy.

    I'm not saying use of IP addresses can't be abused, but on its own an IP address shows general location and ISP, that's it. It's another story to put a name and address to an IP address through something like a store web site. PunkBuster does nothing of the kind, all you get is a player name which can be anything and a time.

    As far as laws and "informed consent", that's the way authoritarians like doing things, by making rules retroactive and ensuring that it is impossible to comply with them. I have no idea if GDPR covers government use and storage of IP addresses but I would bet even if it does those rules are not enforced.

    As far as the ACI website is concerned, we have never shown the public enough information to tie any IP address to any truly personally identifiable information such as email, real name, or address. Most of the time we don't have it anyway.
  • motivated2*censored*motivated2*censored* Posts: 10Player
    Good point about the video, but that's why there's a whole special GDPR section on that, it's strictly regulated for that exact reason. You have to have all the information about the recording like your legal grounds and duration of storage outside the shop. And most of all it's not put out in public!

    Regarding the absolute vs relative identifiability of data subjects, the GDPR is quite clear. You have one online presence, and whether or not you accept IP addresses as the key personal data to that or not, by law and in the scholarly debate they are. So I can presume your best intentions and be impressed by your technical knowledge (which I both am), but never the less, I will hold you to the standards as anyone else on the web and that's only fair...
    Since I had a formal training to become a certified data protection officer by the GDPR standards, I know that the rules are plentiful, but can hardly be called complex. I see a definite possibility for ACI to become GDPR compliant (have a privacy policy and stick to it + further anonymizing data + respecting user rights + introducing an ACI account for claiming your profile and stored data). But hey, who would have though it takes effort and innovation to stay relevant through the decades? Evenbalance certainly didn't :anguished:

    And I really want to stay away from political discussion, but this general notion is just misleading and I wanna clear that up. Privacy laws, in any capacity, are by principle the furthest away from authoritarianisms you could go. It is literally the current government passing laws to ensure that what you say and do today won't get you in trouble in the future, when there might be someone in power who doesn't share your personal views and moral compass.
    The GDPR (which btw of course applies just the same way to government) passing in China is unthinkable, state surveillance, especially through the data of "private" corporations collecting data the government uses, is the norm. It passing in the US, with organizations like the NSA having any say in it, probably not. As "free" as the US might seem, on the democracy <-> authoritarianism scale it ranks more towards authoritarianism than your average western European country. The government going "we have no interest in using your data, so I require you to collect less for your own sake" is the literal opposite of authoritarianism?!

    The age old "nothing to hide, nothing to fear" argument is sadly still being used too often and at the heart of many anti privacy debates. And trying to further that argument, after all that happened in the last decade, is just backwards thinking. EU lawmakers have realized that and soon will US ones as well (see the CCPA). When that happens, better safe than sorry, right? I mean, this debate on the DICE side already threatened ACI once, why not adapt? :smile:
    That's why I really recommend reading the thesis above! I know it's long, but many of the points just wouldn't come up if people would understand the nuanced considerations of the topic that were already made for you.
  • doogle!doogle! Posts: 733Player

    That argument against AC solutions vs GDPR is a stretch
Sign In or Register to comment.