BBO Discussion Forums: The GDPR - BBO Discussion Forums


The GDPR

#1 hrothgar
Posted 2020-October-28, 06:03

So, looks like BBO screwed the pooch with respect to the General Data Protection Regulations and some cheating cases had to be tossed as a result.

Nice job!
Pity you didn't choose to listen when folks pointed these issues out to you years back.

FWIW, I'm going to offer some free legal advice which is worth every penny you're paying for it.

Please note: I am not a lawyer, however, Akamai spends a lot of time / effort dealing with GDPR related issues and my team is the one that gets to deal with a whole bunch of this so we get to spend lots and lots of time getting training on this front.

Moreover, Akamai sells services like "Client Reputation"
https://www.akamai.c...-reputation.jsp

We profile IP addresses on the internet and make determinations whether they are "good" or "bad" which is directly analogous to a lot of what's going on with BBO and Personally identifiable Information.

The critical issue here is making sure that BBO establishes that they have legitimate purpose for collecting and sharing Personally Identifiable Information and this purpose requires the ability to share information with Data Processors.


Once you go and do this, build the appropriate disclosure into your privacy statements, and provide appropriate controls over the information in question, you're golden.

You can collect all sorts of information and use this for any one of a variety of purposes.

Hopefully, BBO won't overreact and stop collecting any of this information.
Alderaan delenda est

#2 thepossum
Posted 2020-October-28, 17:44

Hi Richard

Can you please clarify for the layman like me whether this means I should find a different Bridge Site to play on

It doesn't sound good for those of us involved in the serious data and privacy game ourselves if people are prying and sharing our information

Also, by clarification is the free legal advice for us the users or Bridgebase :) It's much appreciated

regards P

SORRY. Following stuff is being edited

#3 paulg
Posted 2020-October-29, 04:45

thepossum, on 2020-October-28, 17:44, said:

Can you please clarify for the layman like me whether this means I should find a different Bridge Site to play on

I think it is fair to say that any good bridge site will be collecting personal information more than is sufficient to let you play and pay. If you want a site that seeks to detect and prevent various forms of cheating, deal with abusive behaviour, or award master points from your NBO, then this will be impossible unless additional information is also collected.

Richard is not complaining about the collection. It is the processes and procedures that are required, especially by the European Union, when collecting personal information of its citizens where BBO needs to be diligent and, it seems, like many American companies they may not be robust; or sufficiently robust to contest a lawyer's assertion that they are not robust.

It is highly likely that BBO's processes and procedures are sufficiently robust for US citizens since it is an American company and the USA doesn't have the equivalent of GDPR, rather a mosaic of state and federal regulations governing aspects of data protection (perhaps more importantly, there is no central enforcement authority).

I have no idea what constraints the Australian parliament puts on foreign companies dealing with its citizens' personal data.


The Beer Card

I don't work for BBO and any advice is based on my BBO experience over the decades

#4 hrothgar
Posted 2020-October-29, 05:44

paulg, on 2020-October-29, 04:45, said:


It is highly likely that BBO's processes and procedures are sufficiently robust for US citizens since it is an American company and the USA doesn't have the equivalent of GDPR, rather a mosaic of state and federal regulations governing aspects of data protection (perhaps more importantly, there is no central enforcement authority).



BBO started out life as a Canadian company, then it was based in the US when Fred moved to Vegas.
However, once it got sold to FunBridge, it became a French-based company and the GDPR comes into play.

Some people, myself included, pointed this out at the time.
Alderaan delenda est

#5 hrothgar
Posted 2020-October-29, 06:19

thepossum, on 2020-October-28, 17:44, said:

Hi Richard

Can you please clarify for the layman like me whether this means I should find a different Bridge Site to play on

It doesn't sound good for those of us involved in the serious data and privacy game ourselves if people are prying and sharing our information

Also, by clarification is the free legal advice for us the users or Bridgebase :) It's much appreciated

regards P

SORRY. Following stuff is being edited


Few quick comments here: The advice that I was providing was intended for BBO management rather than the folks using the site.

Here's a bit more information

The BBO servers record a couple different type of information about hands.

The first is information that is directly related to play.

1. Who is sitting at the table
2. What cards have been dealt
3. What was the bidding, the play, etc.
4. What was the score
5. What other tables played the hand
6. What is the timing with which various bids are being made

Most of this information is pretty much always publicly available when you are playing in a bridge game (especially online). And as technology such as Bridgemates has become available, more and more of this information is recorded for F2F games as well.

The second type of information is metadata related to the hand. Here, the most relevant information is stuff like:

1. What IP addresses do the various players / kibitzers use?
2. What type of device are the players / kibitzers using?
3. What cookies has the BBO client placed onto these machines?

Both types of information could be considered Personally Identifiable Information and run afoul of the GDPR.

What's important to understand is that the GDPR does not ban web sites from collecting PII. Rather, they need to demonstrate that they have a legitimate purpose in collecting and sharing this information.

I think that it is important for BBO to have a privacy policy that describes how it is handling both of these types of PII.

If it were me, I would have a privacy statement that says that BBO has a legitimate purpose in collecting and sharing the first type of information with (essentially) anyone and that this information will be collected and shared in perpetuity. Part of BBO's mission is promoting the game of bridge and providing public records is part and parcel of this. Moreover, BBO needs to protect the integrity of the games that are run on its platform and this requires sharing hand records with external data processors.

I would also have a separate part of the privacy statement that deals with the second set of information. This information would still be collected and stored but there would be much more specific controls over who is able to access this data and how it is shared.
Alderaan delenda est

#6 paulg
Posted 2020-October-29, 12:41

hrothgar, on 2020-October-29, 05:44, said:

BBO started out life as a Canadian company, then it was based in the US when Fred moved to Vegas.
However, once it got sold to FunBridge, it became a French-based company and the GDPR comes into play.

Some people, myself included, pointed this out at the time.

GDPR came into play on 25 May 2018 and has nothing to do with 52 Entertainment Group acquiring BBO and FunBridge. Article 3 of the GDPR, which defines the law's territorial scope, states that it not only applies to companies in the EU/EEA, but also to companies outside of the EU/EEA that serve (or track the data of) EU/EEA residents.


All US companies who deal with personal data of European citizens are required to comply with GDPR although enforcement is easier when you are based in Europe or have significant business in Europe.

BBO made a token effort of addressing the GDPR requirements with its policy revisions in 2018. I suspect they wish they'd done more at the time, including many of the things you've mentioned.
The Beer Card

I don't work for BBO and any advice is based on my BBO experience over the decades

#7 hrothgar
Posted 2020-October-29, 14:58

paulg, on 2020-October-29, 12:41, said:

GDPR came into play on 25 May 2018 and has nothing to do with 52 Entertainment Group acquiring BBO and FunBridge. Article 3 of the GDPR, which defines the law's territorial scope, states that it not only applies to companies in the EU/EEA, but also to companies outside of the EU/EEA that serve (or track the data of) EU/EEA residents.


All US companies who deal with personal data of European citizens are required to comply with GDPR although enforcement is easier when you are based in Europe or have significant business in Europe.



Yes, just like individuals and government officials in the US are required to comply with the edicts of the International Criminal Court in the Hague. Oh wait, no one in the US actually gives a damn about the ICC because they have no power of enforcement over anything that actually matters.

You're crazy if you think any US based company is going to pay even the slightest bit of attention to the GDPR unless they absolutely have to

Akamai (where I am employed) is scrupulous about following the GDPR.
However, Akamai does lots of business in the EU.

I suspect that companies with less of an interest would simply ignore it.
Alderaan delenda est

#8 mycroft
Posted 2020-October-29, 15:09

"enforcement is easier" As I mentioned last time, standard US attitudes to other countries' regulations are the same as Imperial England's attitude always was: "ya gonna make me, big boy?"

And without a way to "make me", it's cheaper and easier to just ignore the regulation. Cheaper and easier always wins, especially in the US.

Now, "high level matches will find another platform, because it's impossible to convict Euro-cheaters because of lack of GDPR compliance" might well be a good way to "make me". But it requires another platform...

I would guess that a large part of hrothgar's job is explaining to companies how ignoring the GDPR may not in fact be cheaper, and I'm sure he's as used to being ignored as I am when I speak as an SME (in either of my jobs).

As a moonbat leftie, it surprises me when others are shocked that the "but it's the Law" gambit works as well as history has shown it to work for generations.
When I go to sea, don't fear for me, Fear For The Storm -- Birdie and the Swansong (tSCoSI)

#9 hrothgar
Posted 2020-October-29, 15:18

mycroft, on 2020-October-29, 15:09, said:


I would guess that a large part of hrothgar's job is explaining to companies how ignoring the GDPR may not in fact be cheaper, and I'm sure he's as used to being ignored as I am when I speak as an SME (in either of my jobs).



Luckily, Akamai executives are quite good about wanting to comply with various laws and the GDPR is actually quite reasonable about granting exceptions about legitimate business purposes. And better yet, we have lawyers who make all the important decisions. All I need to worry about is helping to make sure that various technical designs that engineering and marketing come up with maintain compliance with said regulations.

Where life gets complicated is when there isn't a good understanding of what the GDPR does / does not say.

For example, there was one period a couple years back where the German courts were claiming that IP addresses constitute PII and other courts in Europe were claiming the opposite.
Alderaan delenda est

#10 mycroft
Posted 2020-October-29, 16:04

Ah, it's internal. That's easier. I got the impression you spent a lot of time explaining this to Akamai's customers. Apologies.
When I go to sea, don't fear for me, Fear For The Storm -- Birdie and the Swansong (tSCoSI)

#11 NickRW
Posted 2020-October-29, 16:46

hrothgar, on 2020-October-29, 15:18, said:

Where life gets complicated is when there isn't a good understanding of what the GDPR does / does not say.

For example, there was one period a couple years back where the German courts were claiming that IP addresses constitute PII and other courts in Europe were claiming the opposite.


IANAL, but I do work for a UK based company ultimately owned in the Republic of Ireland. We handle millions of records of personal information and substantial card transactions on behalf of clients. My employer is, quite rightly, ***** scared of falling foul of the law relating to GDPR and the somewhat similar (and arguably even more draconian) PCI DSS (payment card industry data security standards) as, ultimately, the company could effectively be closed without so much as a court case. So we all get regularly trained and retrained in what it all means. IMO an "id number", in and of itself, is not PII. However as soon as you (or a third party) can tie up that "id number" with who or where you are or anything personal to you, then you are on dodgy ground assuming said "id number" is not personal. IP addresses very much come in that category.

One might think that "where you are" isn't all that personal as hundreds or thousands or more may live in your town, but add in a slightly unusual surname for example and suddenly you can be identified in detail by someone determined to find out.

It isn't that you can't store such data, it is that you have to be able to demonstrate a need to do so and that you delete it when it is no longer needed and that your networks and databases are secure and so on. In other words you have shifted heaven and earth to make sure things are as safe as they can be.

Nick
"Pass is your friend" - my brother in law - who likes to bid a lot.

#12 mycroft
Posted 2020-October-29, 17:11

Heh. As far as "make me" is concerned, I've noticed in my field that companies will mention HIPAA, ADA, FERPA, ... but the only rules that will drive companies to actually do anything are PCI or SEC. "We'll take away your ability to accept credit cards" and "we'll delist you from the stock exchange" are threats the money people understand.

And, with a name that is almost unique across the internet (assuming you know I never played Cricket, or am not 100 years old and, you know, *dead*, I am unique) you don't need to tell me anything about "slightly unusual surname". Why do you think I'm "mycroft" online? (and yes, I realize it's futile. But I don't have to make it *easy*)
When I go to sea, don't fear for me, Fear For The Storm -- Birdie and the Swansong (tSCoSI)

#13 thepossum
Posted 2020-October-29, 19:44

paulg, on 2020-October-29, 04:45, said:

I think it is fair to say that any good bridge site will be collecting personal information more than is sufficient to let you play and pay. If you want a site that seeks to detect and prevent various forms of cheating, deal with abusive behaviour, or award master points from your NBO, then this will be impossible unless additional information is also collected.


I quite appreciate all sites collect information, and any Bridge site with accredited tournaments etc etc. are within their rights to whatever etc etc. That's not my concern at all.



paulg, on 2020-October-29, 04:45, said:

Richard is not complaining about the collection. It is the processes and procedures that are required, especially by the European Union, when collecting personal information of its citizens where BBO needs to be diligent and, it seems, like many American companies they may not be robust; or sufficiently robust to contest a lawyer's assertion that they are not robust.



My concern in everything these days with data collection and rather impersonal assessment and adjudication by a combination of impersonal algorithms and often even worse people, is how that data will be used, issues of justice, issues of overreach, potential errors, limitations on any form of data analytic approach to anything and possibly most important of all how any such assessments are used in relation to sharing and linking of data to anything else etc

I was starting to write some of my concerns in my original reply. But they are extensive on a global scale, and I am sure (in fact I know) there are many people including experts who share many of those concerns etc

I hate to say it but with someone with extensive experience of knowledge of many of the issues and different levels of expertise in various areas, there are a relatively small number of people who I trust internationally to have a clue about much


paulg, on 2020-October-29, 04:45, said:


It is highly likely that BBO's processes and procedures are sufficiently robust for US citizens since it is an American company and the USA doesn't have the equivalent of GDPR, rather a mosaic of state and federal regulations governing aspects of data protection (perhaps more importantly, there is no central enforcement authority).

I have no idea what constraints the Australian parliament puts on foreign companies dealing with its citizens' personal data.


Who knows about this place. I can't really comment. I hope that isn't taken the wrong way. Just I'm used to dealing with professionals. And much as it may not seem like the right thing to say I personally pay a lot less attention to extensive bureaucratic legal documentation and kind of assume that I and they just tend to do the right thing almost all (if not all) the time EDIT I think by definition we should say essentially all the time :)

#14 thepossum
Posted 2020-October-29, 20:02

hrothgar, on 2020-October-29, 06:19, said:

Few quick comments here: The advice that I was providing was intended for BBO management rather than the folks using the site.

Here's a bit more information

.......



Thanks for all the extra information Richard

I will try and think up more about what my concerns are. I'm sure I've already expressed enough about them. I don't exactly have much authority or reason to question anything in the Bridge world, especially for an accredited site. But it does relate to the potential overreach into many people's lives, most of whom are just playing it as a game etc - and it could be terrible for any misunderstood action at some random online table, use of limited models, strange time delays, unusual bids (that would cause an incident in a club), being labelled as abusive player when simply responding to abuse, technical and other professional and ethical knowledge, use of behavioural or other models, competence and values of anyone and everyone involved in use of the data, how many different ways such data could be used, potential profiling of people, IP numbers, ISPs, etc. I will try and write something up as my replies on the forum are often untidy and need edits, and may contain errors etc. I am sure all my concerns are understood by those I trust to be involved somewhere. It would be sad if they were not involved and/or were ignored etc

EDIT I am editing the rest. As usual it's starting to sprawl and getting untidy

#15 Gerardo
Posted 2020-October-30, 12:40

mycroft, on 2020-October-29, 17:11, said:


And, with a name that is almost unique across the internet (assuming you know I never played Cricket, or am not 100 years old and, you know, *dead*, I am unique) you don't need to tell me anything about "slightly unusual surname". Why do you think I'm "mycroft" online? (and yes, I realize it's futile. But I don't have to make it *easy*)


I see your "quite unusual surname" and raise you an "unusual first name, really unique when paired" :). I think there is at least a match if you translate my first name, but if not, it would take a few steps to repeat.

#16 hrothgar
Posted 2020-October-30, 13:38

thepossum, on 2020-October-29, 20:02, said:

Thanks for all the extra information Richard

I will try and think up more about what my concerns are. I'm sure I've already expressed enough about them. I don't exactly have much authority or reason to question anything in the Bridge world, especially for an accredited site. But it does relate to the potential overreach into many people's lives, most of whom are just playing it as a game etc - and it could be terrible for any misunderstood action at some random online table, use of limited models, strange time delays, unusual bids (that would cause an incident in a club), being labelled as abusive player when simply responding to abuse, technical and other professional and ethical knowledge, use of behavioural or other models, competence and values of anyone and everyone involved in use of the data, how many different ways such data could be used, potential profiling of people, IP numbers, ISPs, etc. I will try and write something up as my replies on the forum are often untidy and need edits, and may contain errors etc. I am sure all my concerns are understood by those I trust to be involved somewhere. It would be sad if they were not involved and/or were ignored etc

EDIT I am editing the rest. As usual it's starting to sprawl and getting untidy



FWIW, my impression is that BBO had done a good job controlling access to this sort of information


The metadata and information about delays and the like isn't provided to random individuals, rather, access is restricted (and it seems to be restricted to a reasonable set of people). For example, Tournament Directors sometimes need access to information about delays in bidding so they can make reasonable decisions about Unauthorized Information. NBOs who are prosecuting accusations around cheating might need information about the IP addresses that are kibitzing hands.

Where I think the BBO has failed is in not doing a good enough job documenting its privacy policies and describing legitimate purposes for collecting and sharing data.
Alderaan delenda est
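The two classes of hand data hrothgar lays out in #5 (play data shared openly, metadata such as IP addresses, device types and cookies held under tighter controls) and the role-restricted access he describes in #16 (directors get bid timing, NBO investigators get kibitzer IPs), as an added Python example that is not code from the thread or from BBO. Field names, the role names, the role-to-field mapping and the 90-day retention window are all assumptions made for the illustration.

```python
from datetime import datetime, timedelta, timezone
from typing import Any, Dict, List, Optional, Set

# The two classes of hand data described in the thread. Field names are
# hypothetical, not BBO's real schema.
PLAY_FIELDS: Set[str] = {
    "board", "recorded_at", "players", "deal", "auction", "play",
    "score", "other_tables", "bid_timing",
}
META_FIELDS: Set[str] = {"ip_addresses", "device_types", "cookies"}

# Role -> fields that role may see. Roles and mapping are hypothetical,
# modelled on the thread's examples: directors need bid timing for
# unauthorised-information rulings, NBO investigators may need kibitzer IPs.
ROLE_POLICY: Dict[str, Set[str]] = {
    "public": PLAY_FIELDS - {"bid_timing"},
    "director": PLAY_FIELDS,
    "nbo_investigator": PLAY_FIELDS | {"ip_addresses", "device_types"},
}

# Constructed retention window for the restricted class. Play data is kept
# indefinitely, as the post proposes; only the metadata class expires.
META_RETENTION = timedelta(days=90)


def purge_expired_metadata(record: Dict[str, Any], now: datetime) -> Dict[str, Any]:
    """Return a copy with restricted fields dropped once retention has passed."""
    if now - record["recorded_at"] > META_RETENTION:
        return {k: v for k, v in record.items() if k not in META_FIELDS}
    return dict(record)


def view_for(record: Dict[str, Any], role: str, purpose: str = "",
             now: Optional[datetime] = None,
             log: Optional[List[Dict[str, Any]]] = None) -> Dict[str, Any]:
    """Return the subset of `record` that `role` may see and log the access.

    Disclosing any restricted field requires a stated purpose; the log is
    what an auditor would check against the 'legitimate purpose' claimed in
    the privacy statement.
    """
    if role not in ROLE_POLICY:
        raise PermissionError(f"unknown role {role!r}")
    now = now or datetime.now(timezone.utc)
    live = purge_expired_metadata(record, now)
    view = {k: v for k, v in live.items() if k in ROLE_POLICY[role]}
    disclosed_meta = sorted(set(view) & META_FIELDS)
    if disclosed_meta and not purpose.strip():
        raise PermissionError(f"purpose required to disclose {disclosed_meta}")
    if log is not None:
        log.append({"role": role, "purpose": purpose, "at": now,
                    "fields": sorted(view)})
    return view


# Constructed sample record; none of these values are real BBO data.
SAMPLE_RECORD: Dict[str, Any] = {
    "board": 7,
    "recorded_at": datetime(2020, 10, 1, tzinfo=timezone.utc),
    "players": {"N": "alice", "E": "bob", "S": "carol", "W": "dave"},
    "deal": "N:AKQ2.J3.T98.7654 J9.AK4.Q52.AKQ32 T8.Q98.AKJ76.J98 76543.T7652.43.T",
    "auction": ["1N", "P", "3N", "P", "P", "P"],
    "play": ["S4", "S3", "SK", "S5"],
    "score": "+400",
    "other_tables": [12, 15],
    "bid_timing": {"1N": 3.2, "3N": 11.8},
    "ip_addresses": {"alice": "203.0.113.7", "kibitzer01": "198.51.100.4"},
    "device_types": {"alice": "web", "kibitzer01": "ios"},
    "cookies": {"alice": "sid=constructed"},
}
AS_OF = datetime(2020, 10, 29, tzinfo=timezone.utc)   # within retention
LATER = AS_OF + timedelta(days=365)                      # metadata expired

if __name__ == "__main__":
    log: List[Dict[str, Any]] = []
    print(sorted(view_for(SAMPLE_RECORD, "public", now=AS_OF, log=log)))
    print(sorted(view_for(SAMPLE_RECORD, "nbo_investigator",
                          "NBO cheating inquiry", AS_OF, log)))
    print(sorted(view_for(SAMPLE_RECORD, "nbo_investigator", "late inquiry", LATER)))
    for entry in log:
        print(entry["role"], entry["purpose"] or "(no purpose)", entry["fields"])
```

Cookies never leave the restricted class for any role here, and an investigator query after the retention window returns only play data, which is the "delete it when it is no longer needed" point NickRW makes in #11.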

#17 johnu
Posted 2020-October-31, 00:42

hrothgar, on 2020-October-30, 13:38, said:

The metadata and information about delays and the like isn't provided to random individuals, rather, access is restricted (and it seems to be restricted to a reasonable set of people). For example, Tournament Directors sometimes need access to information about delays in bidding so they can make reasonable decisions about Unauthorized Information. NBOs who are prosecuting accusations around cheating might need information about the IP addresses that are kibitzing hands.

I don't know why delays need to be restricted. It seems they are already a matter of public record, having been part of up to 3 other players' real time experience, and any player at the table could "record" the game on video so the exact delay times can easily be determined. Even more public record would be the cards in each player's hand, the bidding, and the play, as well as the board results and the overall tournament results.

#18 barmar
Posted 2020-November-01, 17:35

hrothgar, on 2020-October-29, 05:44, said:

BBO started out life as a Canadian company, then it was based in the US when Fred moved to Vegas.
However, once it got sold to FunBridge, it became a French-based company and the GDPR comes into play.

Some people, myself included, pointed this out at the time.

I think we're an American company that's owned by a French company. When the sale happened, FunBridge, BBO, and Le Bridgeur magazine all became subsidiaries of 52 Entertainment (a new holding company that was formed for this purpose).

IANAL, so I don't know what that means in terms of legal jurisdiction.
