Don’t forget we moved!
https://brandmu.day/
On the utility of Logs, Receipts, and Proof
-
@Pavel said in On the utility of Logs, Receipts, and Proof:
I think, at least partially, this is an ‘every problem looks like a nail’ issue.
You’re a coder. So you’re going to approach solving the problem in a coderly way. That’s just not how the majority of us think.
I can’t lie, I absolutely said the same thing:
tyranny of tezzes — Today at 10:46 AM
big coder energyI don’t think it’s a solution that code can solve for, myself, and one that it is in fact extremely minimally helpful for actually doing anything. But maybe if I had more coder energy!!
So much of the things that can create bad game energy can happen off-game – discord, etc. – or even be innocuous on a log. (Please stop standing outside of my house. Even if you aren’t codedly peering into all of my windows and breathing heavily, it’s really weird.)
I do think that the way Arx handles these kind of issues is worth examination, to bring back a point made in another thread that I am too lazy to find. They have been consistent about the kind of behavior they want to see and emphasize it in their banning posts. Some people believe in silent bannings. I SURE DON’T!!!
-
@Istus said in Witcher MUSH Design:
@bear_necessities Off the top of my head, having a list of potentially problematic keywords that get flagged up is easy enough.
My experience with “bad word filters” resulted in 99% false flags. No exagerration, 99%. We eventually turned the gd thing off. People mistype, and what was originally “spicy” or “like” has turned into an embarrassing but certainly unintended slur. As I think others have pointed out much more eloquently: context matters, and logs don’t give you that, players do.
-
One thing that anyone doing logging should consider is how it interacts with their obligations under the GDPR and associated data protection legislation.
No, you are not exempt from the GDPR if you are in the USA, If you have a server that European players use, you are required to meet its obligations.
Any collection of personal data (yes, including IP addresses, which are considered personal data) requires consideration of why you need to collect and store that data. You’re now a data collector. Proper operation of the service counts, so it is entirely correct and fine for Ares to store pages in the database, for example, as it’s part of the operation of being able to serve your pages via the web portal.
Auditing also can be a valid reason to store data, server access logs for example can come under this. So lets say you want to store all the logs so that you can audit people’s use of the service so that you can ban them if they turn out to be a creeper.
Ah, but you want to read the logs? Now you’re a data processor, that has obligations too.
What happens when someone pages a friend about an operation they’ve just had on their spleen? Now you’re storing medical data, with all the obligations that come with that. If you made your users consent to having all their messages stored, that’s fine, but that doesn’t lift your legal obligations to handle that data appropriately.
What happens when someone leaves the game? Do you keep all of those logs? Unfortunately under the right to erasure, once your need to store their personal data goes away - they’ve left the game, your stated purpose for keeping their data was to ban them if they turned out to be a creeper, it’s no longer valid - you no longer have the right to keep any of it and you must get rid of it without delay.
Now I think it’s incredibly unlikely that the ICO (or other authority) would go after a MU - unless a particularly egregious complaint was made - and with the right considerations, risk assessments, advice, and yes even technology, you can probably make things fit within the correct legal frameworks.
But it’s a consideration that I don’t think many people think about, so it’s probably worth spending some time looking over the relevant legislation.
-
@Pax said in On the utility of Logs, Receipts, and Proof:
@Istus said in Witcher MUSH Design:
@bear_necessities Off the top of my head, having a list of potentially problematic keywords that get flagged up is easy enough.
My experience with “bad word filters” resulted in 99% false flags. No exagerration, 99%. We eventually turned the gd thing off. People mistype, and what was originally “spicy” or “like” has turned into an embarrassing but certainly unintended slur. As I think others have pointed out much more eloquently: context matters, and logs don’t give you that, players do.
You also get the Penistone/Scunthorpe problem.
-
@Pax I am not surprised. Definitely a short-sighted thought on my part.
-
@spiriferida said in On the utility of Logs, Receipts, and Proof:
Talk openly about the atmosphere you want to create
When people are acting shitty casually, don’t let it slide in the moment - call it out. “We don’t do that here” is a good phrase.
Don’t wait for people to report things to remove someone> demonstrate your own patterns of behavior to your players.I cannot give better advice on creating an atmosphere of trust than these points. I also like “that’s not acceptable here” when calling out shitty behavior.
Also, and perhaps most importantly, if someone does report something to you, follow up on it and get back to them afterwards. Even if it’s just to say, “I’ve heard you, I understand that you have concerns, I’m going to be watching this person extra closely, please use the report function if they contact you at all for any reasons, I’ve told them not to.” Letting people know that they’ve been heard and that you appreciate their report and have taken it seriously will be spread to their friends, and their friends will feel more comfortable coming forward too.
Also also, if you remove someone from the game for bad behavior, be public about it. You don’t have to (and shouldn’t) include all of the gory details, but a general description of the unacceptable behavior and the fact that the person has been removed, posted to a public place, will make it clear what is not allowed.
-
@Rathenhope They /could/ keep that data for a reasonable time after departure of a player if they had a data policy with reasonable retention periods and justification…but I can’t say I’ve ever seen a data policy on any game really, or any attempt at gathering informed active consent, which is very much the GDPR standard (they really hated passive consent, and opt out)
-
Now you’ve got me concerned whether this board is GDPR compliant…
-
-
Since Arx was brought up, I should mention that the game doesn’t log RP outside of posted events, or (IC) messengers. No pages, no private or public scenes, no ooc chat. We can see journals, obviously, and things like the little messages that go with clues sharing, first impressions, rs comments. I presume that mail has to be stored somewhere, but I doubt anyone but Tehom can access it. We don’t have the ability to go dark.
I’ve been on games that logged everything, had dark flags, etc, and frankly we catch more folks being creepy shitheads on Arx than I ever saw being caught on those other games (and I staffed on a number of them). I’m not saying any of this to toot Arx’s horn, just to add to the argument that cultivating trust from your players (and also trusting your players in turn), is the most effective way to handle this kind of thing. In my personal opinion, any code involved should serve the purpose of better facilitating trust and the ability for players to report problems (and the easy ability to keep track of their reports, I stress, as someone with a terrible memory for anything useful), rather than cutting players out of the process as much as possible.
-
@kalakh Sorry, but I’ve gotta correct you here. Arx does do partial logging of Evennia “messages”, of which only pages are relevant. You can opt out of this behavior with the
@setting/private_mode
command, but I need to make sure it’s clear that this is a thing.The
@view_log
command will demonstrate what’s maintained, which is, again, mostly pages sent to you, and you can make a report of those pages using this command to send to staff in the event of questionable content. -
-
@Rathenhope As a US citizen operating in the US, with no presence or operations in the European Union, actually no, the EU has no jurisdiction over me to enforce its GDPR.
The EU only has effect on US companies when they also have operations in the EU, which is common for very large businesses.
But a lone individual living outside the EU has no legal obligation at all to abide by EU law, and will suffer no consequences for doing so.
-
-
@Polk said in On the utility of Logs, Receipts, and Proof:
But a lone individual living outside the US has no legal obligation at all to abide by EU law, and will suffer no consequences for doing so.
This is probably true, but is something that will likely require a ruling from a court. Since a MU could be argued to be a product or service that is offered to EU citizens, the law technically does apply.
-
@Pavel No, it doesn’t. The European Union does not have extraterritorial jurisdiction on individuals who are not EU nationals.
They have no legal recourse to touch if you if they don’t like what you’re doing. If you were using a server in the EU, they could go after your server provider.
But if you have no EU presence whatsoever this is your answer to Brussels:
-
MU*s and forums and such would be excluded from GDPR under article 2c; “purely personal activity” which is further clarified in Recital 18 hope that helps.
-
@shit-piss-love said in On the utility of Logs, Receipts, and Proof:
MU*s and forums and such would be excluded from GDPR under article 2c; “purely personal activity” which is further clarified in Recital 18 hope that helps.
That’s highly debatable.
-
https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A62001CJ0101 paragraph 47:
That exception must therefore be interpreted as relating only to activities which are carried out in the course of private or family life of individuals, which is clearly not the case with the processing of personal data consisting in publication on the internet so that those data are made accessible to an indefinite number of people.
While this related to the Data Protection Directive, the wording of the exception was the same and so should a similar case arise for the GDPR we might find the limits of what is considered a ‘purely personal’ activity.
Also yes while the EU has no jurisdiction over a US citizen, there are similar regulations in America, the California Consumer Privacy Act for example.
I’m fairly sure no one’s tested if a MU would count as an entity under any of these situations, especially as one of the distinguishing requirements is often ‘for profit’ which many MUs are not. My point was that by moving from a ‘log the access stuff’ to a ‘log everything my players type’ model has the potential, imperceptibly small as it may be, to fall foul of one of a million data protection regulations if someone was unhappy about how their data was used.
God, I hope no one takes a MU to court I don’t want my hobby splashed across the newspapers.
-
@Rathenhope said in On the utility of Logs, Receipts, and Proof:
God, I hope no one takes a MU to court I don’t want my hobby splashed across the newspapers.
I look forward to explaining exactly what I do online to my mother.