
Re: Minetest 2-factor Authentication Service[mt2fa]

Posted: Wed Dec 19, 2018 05:32
by sofar
Linuxdirk wrote:
sofar wrote: What I want to know is whether I should make changes to the code or not.

Consenting and withdrawing have to be equally easy (Article 7, Paragraph 3). So when it is enough to enter a mail address then withdrawing the consent should be a button press.


This seems easy enough. It's actually complex in code, but the user interface shouldn't be so complex, and I can actually implement 2 or 3 ways to do this. Most likely, we can do this from a linked server, and through a simple webpage form. There's going to be some extra code work though; it needs another SQL table, for instance.

Linuxdirk wrote: If you process the data any further or collect any personal data that has not been provided by the user (as stated in the Privacy Policy you “[…] may publish usage reports that include service usage statistics, such as player count and server count”) you need to provide some information to the user about this as described in Article 14, Paragraph 1 a-f.

Article 14 is actually pretty horrible but I tend to say that Article 14, Paragraph 5, letter b applies (“Paragraphs 1 to 4 shall not apply where and insofar as: […] the provision of such information proves impossible or would involve a disproportionate effort, in particular [for] statistical purposes”).


Seems not applicable. The player does not provide player count data, therefore it isn't personal information. Player count information isn't even "aggregate" information (that would be something like "321 players using gmail.com as domain name for their email"). Same for server count. So, I tend to lean to the side that this whole section isn't even required for me to do simple non-aggregate non-personal information statistics.

Linuxdirk wrote: Not quite sure about the consent of minors. Maybe add another field for the birthday and leave profiles out of usage tracking when the user is under 16. Article 8, Paragraph 2 mentions “reasonable efforts to verify” the age. So a date input field should be enough.


The regulation would require me to track an additional piece of personal information about the person. I'm not going to, there is no benefit other than legal circling. People are safer if nobody knows your age. I don't need this information and it doesn't do anyone any good.

FWIW because we require an email address to begin with, we can reasonably argue that since most if not all email providers require users to provide consent AND verify that they are legally able to enter into a contract and this may not be minors directly in most jurisdictions, that it is equally valid to assume that most people have already verified that they are of a reasonable adult age that this requirement has been met, and for those that have found ways to avoid fulfilling this requirement, that they are just going to falsely claim that they fulfill this age requirement. The net result is that it's useless to ask for the age of a player.

So, I'm taking a pass at this for now for sure.

Now if only someone wants to help me do some code to write some of these features ;)