Weaponizing The GDPR: Gamers Want To Use It To Flood Blizzard With Requests As Protest Over China Appeasement
from the what-exciting-times dept
We live in such fascinating times. We've had some posts concerning people getting (rightly) angry about Blizzard banning a top player who supported the protests in Hong Kong. In order to make the company feel more heat, some pissed-off players have apparently been plotting to weaponize the GDPR and flood the company with data requests. This started with a Reddit post directly telling users that, if they're upset about Blizzard's decisions regarding Hong Kong, they should hit back with a GDPR request:
I know a lot of people, myself included, are upset by Blizzard/Activision's spineless decision to ban Blitzchung. After personally uninstalling all of my Blizzard games, I thought, "what else can I do?". The answer is GDPR requests. Let me explain.
Under EU law, you're allowed to request all information a company has on you, along with the purpose of this information collection. What most people don't know is that these requests are VERY hard to comply with, and can often take a company's legal group 2-7 days to complete PER REQUEST. If a company doesn't get you the information back in 30 days, they face fines and additional issues. In extreme cases, a company can request an additional 2 months to complete the requests if there is a large volume, but suffice to say, if a company gets a significant amount of requests, it can be incredibly expensive to deal with, as inevitably they will have to hire outside firms/lawyers to help out. So, if you want to submit a GDPR request, and live in the EU, you can use the following form letter....
I've actually been in the middle of investigating a different story about a possible weaponizing of the GDPR, but the details there have been a bit murkier, so it's fascinating to see things laid out so clearly here. To be clear, there does appear to be some cleverness here: it's true that such requests are a pain in the ass to comply with and can be costly and resource intensive. And while it may be fun and cathartic to use that power against a company like Blizzard as a way to punish it for its ridiculous stance, be aware that these kinds of weaponized GDPR requests are likely to be used against many others as well, including companies you might actually like.
This is yet one more reason why, even if you support the overall goals of the GDPR, you should be very, very concerned with how the law is actually implemented.
Filed Under: appeasement, china, costs, data requests, gdpr, protest, weaponizing
Companies: blizzard
Reader Comments
What most people don't know is that these requests are VERY hard to comply with, and can often take a company's legal group 2-7 days to complete PER REQUEST.
Is this an accurate description of the process? How can a smaller company comply with such a request - that kind of legal work isn't cheap.
[ link to this | view in chronology ]
Re:
Yes, it's an accurate description of the process. Ain't the GDPR grand?
[ link to this | view in chronology ]
Re: Re:
No, but it will end up costing the business several grand just trying to comply.
[ link to this | view in chronology ]
I do expect that a company that has its administration in order can comply with standard GDPR requests in a few minutes of actual work. It should not be too hard to make a database printout. The first requests might take more time to find out in which databases to search and to get decent formatting.
For companies that collect more data than they should, a selective database dump might result in filling several CD-writables.
[ link to this | view in chronology ]
Re:
For an online games company keeping session logs, they should probably not let you have more than the screen names of anybody you played with/against, lest they accidentally dox someone. Complying with that request now becomes somewhat more complicated.
[ link to this | view in chronology ]
Re: Re:
GDPR doesn't say you can get data on other people, and any sane database schema will use references rather than copying their data into your records.
[ link to this | view in chronology ]
Re:
"I do expect that a company that has its administration in order can comply with standard GDPR requests in a few minutes of actual work."
This is absolutely wrong. It's a ton of work because you have to comb through every single system used within a company to identify and extract the data requested by a person. Every request is a huge pain in the ass and ties up resources from the IT, Legal, and HR departments. Maybe each individual doing a small part is only spending a few minutes, but cumulatively it's a major project. Every. Fucking. Time.
The worst part about weaponizing these requests? You're not fucking the company over. You're fucking over a bunch of low level employees who end up doing the work. The CEO gives zero fucks about your request. Meanwhile a contractor making $12-$15 an hour is wasting their day working on tedious shit because some fuckhead wants to circle-jerk about how terribly Blizzard handled the situation. It costs these "protestors" nothing, and they ruin someone else's day. Someone whose only involvement was taking a job at a company these fuck heads are pissed at, over some shit which has zero impact on the lives of these fuck heads.
Fuck everyone who weaponizes GDPR requests.
[ link to this | view in chronology ]
Re: Re:
These employees are being paid to do this work. How, exactly, is this fucking them over?
[ link to this | view in chronology ]
Re: Re: Re:
Taking that thought a step further, the collection activity being paid for won't do anything positive for the bottom line, thereby having a negative impact on the CEO's potential bonus.
[ link to this | view in chronology ]
Re: Re: Re: Re:
"The CEO may not care, but the C-Suite cares a heck of a lot when call center employees are going into overtime, work loads spike, and new software is needed to manage the request since you have so many moving parts no human could walk this through a firm of this size easily."
Bonuses will be protected at all costs. What will actually happen is the spike in GDPR compliance costs will hit business/function/department budgets.
[ link to this | view in chronology ]
Re: Re: Re:
Because there's likely more interesting work they used to do before the GDPR, and then this got dumped on them. Not all work is equal. Even at drone level some tasks are better quality than others.
[ link to this | view in chronology ]
Re: Re:
There's the problem. If the CEO cared, they'd have someone automate the work. And I think this was an intended effect of the GDPR: if the company can't quickly identify why they're collecting and storing data about you, what they're storing, where they got it from, they need to improve their processes and maybe stop collecting so much. It's only difficult if there's lots of ad-hoc data handling, which is exactly what GDPR meant to stop.
The GDPR doesn't let requesters arbitrarily define the scope of work to be performed. They can request a dump of data held about them, along with some standard answers about why it's collected and how. And they can request deletion. That's it. They can't make a company run custom reports or analyze the data. The datadump is automatable, and determining why data is collected and how it's processed is something companies were supposed to do, once, when the GDPR became law.
[ link to this | view in chronology ]
Re: Re:
I work in this area. For some firms, a GDPR request is fairly easy to respond to as they only store customer contact information for shipping and purchase history. Think a small business selling products.
At the other end of the business spectrum is a conglomerate like Bank of New York Mellon. 21 distinct business entities covering everything from bank accounts to investments to call centers. A single request could impact over 100 people, has subjective rules, and even legal limits to what data can be provided. The CEO may not care, but the C-Suite cares a heck of a lot when call center employees are going into overtime, work loads spike, and new software is needed to manage the request since you have so many moving parts no human could walk this through a firm of this size easily.
Never mind internal politics and firewalls that prevent communication, which also need to be breached or the entire firm is on the hook for huge fines.
I do suspect a judge would not be so crazy as to tell a firm getting hit by 100k requests in a single week, that up to then was getting perhaps 10 to 20 requests, that they should be fined for not clearing the backlog fast enough when the entire business is shut down more or less just to respond to requests.
Yes the GDPR is that bad for large firms.
[ link to this | view in chronology ]
As I said, if each business entity has its administration in order, it should be just one query against the customer-id or name-address to check whether some data is stored and a few more queries to get the data out of the database. You only have to collect the data that is stored about the requester.
If these requests are routine a central office would distribute requests once a week and combine the responses for mailing two weeks later. I would expect that a call center also stores its information in a way that data related to a specific customer can be easily retrieved.
[ link to this | view in chronology ]
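The mechanics argued over in the comments above (a dump keyed on the customer id, the stated purpose per data store, references to other players rather than copies of their data, and a deletion path) can be sketched concretely. The following is an added example written for this page, not code from Techdirt, Blizzard or any commenter; the schema, table names, sample rows and the 30-day repeat-request window are all constructed assumptions for a hypothetical online-games company.

```python
import sqlite3
from datetime import datetime, timedelta

# Constructed schema for a hypothetical games company (assumption; not any real system).
SCHEMA = """
CREATE TABLE accounts (
    account_id INTEGER PRIMARY KEY, screen_name TEXT, email TEXT, country TEXT);
CREATE TABLE purchases (
    purchase_id INTEGER PRIMARY KEY, account_id INTEGER REFERENCES accounts(account_id),
    product TEXT, price_eur REAL, purchased_at TEXT);
CREATE TABLE match_sessions (
    session_id INTEGER PRIMARY KEY, player_id INTEGER REFERENCES accounts(account_id),
    opponent_id INTEGER REFERENCES accounts(account_id), played_at TEXT, client_ip TEXT);
CREATE TABLE access_requests (
    request_id INTEGER PRIMARY KEY, account_id INTEGER, requested_at TEXT);
"""

# Constructed sample rows: two players who met twice, one purchase.
SAMPLE_ROWS = [
    "INSERT INTO accounts VALUES (1, 'hkplayer', 'one@example.test', 'DE')",
    "INSERT INTO accounts VALUES (2, 'rival42', 'two@example.test', 'FR')",
    "INSERT INTO purchases VALUES (10, 1, 'Expansion Pack', 39.99, '2019-09-01')",
    "INSERT INTO match_sessions VALUES (100, 1, 2, '2019-10-08', '203.0.113.7')",
    "INSERT INTO match_sessions VALUES (101, 2, 1, '2019-10-09', '198.51.100.9')",
]

# Record of processing: each table holding personal data, the column that identifies the
# data subject, the purpose the data is held for, and the columns handed back on request.
INVENTORY = {
    "accounts": ("account_id", "Account administration and login",
                 ["screen_name", "email", "country"]),
    "purchases": ("account_id", "Order fulfilment and accounting",
                  ["product", "price_eur", "purchased_at"]),
    "match_sessions": ("player_id", "Matchmaking and anti-cheat",
                       ["session_id", "played_at", "client_ip", "opponent_id"]),
}

# Columns that point at a different data subject: export only that person's screen name.
REFERENCES = {"opponent_id": "screen_name"}


def open_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.executescript(SCHEMA)
    for stmt in SAMPLE_ROWS:
        conn.execute(stmt)
    return conn


def resolve_reference(conn, column, value):
    """Turn a foreign key to another account into that account's public screen name only."""
    if value is None:
        return None
    row = conn.execute(
        f"SELECT {REFERENCES[column]} FROM accounts WHERE account_id = ?", (value,)
    ).fetchone()
    return row[0] if row else None


def export_subject_data(conn, account_id):
    """Subject access export: one keyed query per inventoried table, plus its purpose."""
    export = {}
    for table, (subject_col, purpose, columns) in INVENTORY.items():
        rows = conn.execute(
            f"SELECT {', '.join(columns)} FROM {table} WHERE {subject_col} = ?", (account_id,)
        ).fetchall()
        records = []
        for row in rows:
            record = {col: (resolve_reference(conn, col, row[col]) if col in REFERENCES
                            else row[col]) for col in columns}
            records.append(record)
        export[table] = {"purpose": purpose, "records": records}
    return export


def log_request(conn, account_id, now_iso, window_days=30):
    """Record an access request; return True if it repeats one made inside the window."""
    now = datetime.fromisoformat(now_iso)
    cutoff = (now - timedelta(days=window_days)).isoformat()
    prior = conn.execute(
        "SELECT COUNT(*) FROM access_requests WHERE account_id = ? AND requested_at >= ?",
        (account_id, cutoff),
    ).fetchone()[0]
    conn.execute("INSERT INTO access_requests (account_id, requested_at) VALUES (?, ?)",
                 (account_id, now.isoformat()))
    return prior > 0


def erase_subject(conn, account_id):
    """Erasure: delete the subject's own rows, then null out references to them held in
    other subjects' session records; returns how many sessions still mention them."""
    for table, (subject_col, _purpose, _cols) in INVENTORY.items():
        conn.execute(f"DELETE FROM {table} WHERE {subject_col} = ?", (account_id,))
    conn.execute("UPDATE match_sessions SET opponent_id = NULL WHERE opponent_id = ?",
                 (account_id,))
    return conn.execute(
        "SELECT COUNT(*) FROM match_sessions WHERE player_id = ? OR opponent_id = ?",
        (account_id, account_id)).fetchone()[0]


if __name__ == "__main__":
    import json
    db = open_sample_db()
    print(json.dumps(export_subject_data(db, 1), indent=2))
```

Because every table is registered in `INVENTORY` with its subject column, the export is a handful of keyed queries rather than a search across systems, and because sessions store the opponent as a reference instead of a copy, the export can disclose the other player's screen name without their email or IP, and erasure only has to null one column.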
Re:
"if each business entity has its administration in order"
hahahahahahahahahahahahahahaha
[ link to this | view in chronology ]
Re: Re:
Funny enough, GDPR has been a huge motivator for a lot of companies to get their administration in order.
[ link to this | view in chronology ]
Re: Re: Re:
Even if Blizzard doesn't comply, each requester would have to file a complaint individually to the proper agency and see it through for an actual penalty to be assessed. How likely is that, do you think?
[ link to this | view in chronology ]
Re: Re: Re:
The EU's GDPR makes no leeway for the number of requests. It simply says "do it, and hire more people if necessary".
There are only TWO reasons you can deny GDPR. National security (requesting data about you held by the military during ongoing conflicts) and massive ongoing data loss.
But the data has to be a complete loss. I.e. for Blizzard they'd have to lose ALL character and subscription data for everyone on every server. I.e. WoW would have to be shut down permanently.
Just saying "we had a virus" isn't sufficient.
[ link to this | view in chronology ]
Re: Re:
You only have to comb through systems that hold customer data, not every system the company uses. It's not quite that ridiculous. For companies with only a few hundred or thousand customer records, GDPR compliance can be done in a few minutes and answered with a form letter.
[ link to this | view in chronology ]
Re: Re: Re:
GDPR requires you have CHECKED every server for any possible customer data, and not just assumed that there will be no data. And you have to also provide evidence of such a search.
[ link to this | view in chronology ]
Re: Re: Re: Re:
[Citation requested]
[ link to this | view in chronology ]
Re: Re: Re: Re:
Because customer data just roams around your network on its own? If you don't know what's being done with data in your company, that's exactly what GDPR is meant to fix. With proper controls, you'd have a record of where you stored the data (or didn't) without having to go check.
[ link to this | view in chronology ]
Re: Re:
If it takes a long time to find someone's personal data spread across every single system used within a company, maybe they shouldn't spread people's personal data across every single system used within a company?
[ link to this | view in chronology ]
Re: Re: Re:
Which is why most companies don't do that. Customer data is usually kept in separate databases on different servers than company data.
[ link to this | view in chronology ]
Re: Re:
Realistically, has there been a method of protest where consequences - violent, bureaucratic, economic - couldn't be passed on by CEOs to their workers?
[ link to this | view in chronology ]
Re:
And so it begins. The next step will be automating the process.
The script:
1) Creates a free email account (any of various places)
2) Uses a free "make an account" web site to seed the account
3) (optionally) creates some nominal traffic using the free account
4) fires off GDPR request to legal department
5) ???
6) profit!
You don't care about the response (though you may tweak the script if the response blows you off), so you don't even have to look at the email account.
[ link to this | view in chronology ]
Re: Re:
GDPR responses can already be automated, so... Have fun wasting time with your scripting, I guess.
[ link to this | view in chronology ]
Re: Re: Re:
This makes it all a one-person, all astroturf endeavor.
[ link to this | view in chronology ]
Re: Re:
You can make multiple GDPR requests one after the other without penalty.
This is because the day after you send a request, your data may change. So you request everything including today... etc...
Could do it hourly and they STILL have to comply.
[ link to this | view in chronology ]
This would be fun, IF..
They created tons of data on each individual person..including WHO they sold your data to..
But could be as simple as your name, address, CC#....
My old doctors have a stack of paper 2" high on all the procedures done. But if you ever go to read it, it's paper that says simple things.. THEY don't give a blow by blow of what they did.. WE did this surgery (insert name) and that's about it.. NOT even follow-up info..
A database extract is just a long list of games you have signed up to own. GDPR, what info can you demand????
Saying all of it is too restrictive, as YOU don't know what they have, or have done with your data..
NOW if you went to an advert agency, you might get a list of the adverts sent to you.
[ link to this | view in chronology ]
Why doesn’t this fall afoul of the “manifestly unfounded” provision?
[ link to this | view in chronology ]
Hrm
I would have thought this article was about reporting Blizzard for not allowing you to delete your account w/o seeing a photo ID.
Which would make sense (if that runs afoul of the GDPR).
[ link to this | view in chronology ]
Two Birds, One Stone
Mass abuse of the GDPR is a sure way to get it amended. Using it to punish a company that deserves it is just icing on the cake. Is there any way to go after the NBA as well?
[ link to this | view in chronology ]
in other news...
Blizzard has requested all news articles regarding its banning of a Hearthstone player be removed from the EU under a RTBF request after seeing that their company actions had real world consequences.
I can see it now.
[ link to this | view in chronology ]
"This is yet one more reason why, even if you support the overall goals of the GDPR, you should be very, very concerned with how the law is actually implemented."
Abuse it and lose it. Or fix it.
[ link to this | view in chronology ]
Re:
How many laws are left to Prosecutorial Discretion? Do those laws get fixed when a 16 year old is prosecuted for distribution of her own picture?
[ link to this | view in chronology ]
Yeah, this is cute and all, but it's completely ignorant of how corporations on the scale of Blizzard/Activision actually operate. GDPR compliance has already been figured out and automated, that shit is easy now.
At worst Blizzard will just have to hire an outside vendor to help their regular agents until things calm down again. They already have external auditors and consultants to help with GDPR.
[ link to this | view in chronology ]
Re:
Compliance for Blizzard is 100% manual today. Most firms who set up compliance software assume a small flow of ongoing requests and skimp on automation as it's cheaper to let a human run the script and sanity check the results.
Everything works fine when the load is like 10 requests per month. The systems often list risk factors for large amounts of requests breaking things or driving up huge compliance costs because automating the response can be super difficult.
[ link to this | view in chronology ]
Re: Re:
Compliance for Blizzard is absolutely not 100% manual, are you insane? They are a MASSIVE multi-billion dollar multinational corporation owned by an even bigger multi-national corporation, they have offices and do business on every continent, and you think they handle compliance manually? What are you basing that assumption on, a fever dream?
[ link to this | view in chronology ]
Re: Re: Re:
Based on personal experience with calls from clients for building GDPR compliance systems. The most common system we build right now is one where we get a GDPR request, send an email or system notification to each of the relevant staff members, some poor guy stitches all the results together, legal does a review, and the response goes out to the requester. Banks and other places often add a step for confirming identity.
The bigger the firm the more likely a process like this is followed as a request for data often goes across firm lines of business, which means more databases, and more locations to search, and more limited available IT staff to build the needed connections for automation till 2025.
Big multi-billion dollar firms are the most likely firms to be manual or a bunch of locally done scripts with minimal central control.
[ link to this | view in chronology ]
Re: Re: Re: Re:
I call BS. I've been through several compliance audits at a much, much smaller software company than Blizzard; our processes literally take minutes and require only the customer ID.
For Blizzard it's extremely simple. If a request is valid it has to be tied to a user ID, and based on that they'll already be able to tell exactly where all of the customer's data is that they are required to provide.
The most time-consuming part of the entire process would be sifting out the fake requests.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re:
You have experience with smaller companies, the other guy has experience with big companies. But neither of you have experience with Blizzard. And if you did I'm sure you would have had to sign an NDA. So I'm calling BS on you knowing exactly how easy it is for Blizzard to comply.
Why don't we just wait and see what happens with Blizzard and a flood of GDPR requests if they actually happen.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re:
Or someone make a GDPR request and report back. :)
[ link to this | view in chronology ]
Re:
You should see how the biggest companies such as Apple have basically done NOTHING towards making GDPR easier. They just assume it will always be a slow trickle of requests......
[ link to this | view in chronology ]
Re:
And yet there are STILL news websites who Geo-Block the EU because of the GDPR.
[ link to this | view in chronology ]
Re: Re:
If you do the minimum (geo blocking) you can always send a written response that you do not do business in that location and thus do not follow laws of that country. The person would then have to admit he's bypassing your filter (VPN) or did business with you while in the US and thus US laws apply.
This is because sometimes IP addresses are the only bit of tracking info you have, but they can easily be too broad due to shared IP ranges. So you can just as easily get in trouble over sharing information, which gets you in hot water under other laws.
[ link to this | view in chronology ]
GDPR already has defences against this.
The GDPR requires that fulfilling requests like this is normally free, but if they are unreasonable or vexatious then a reasonable fee can be charged. This kind of campaign is exactly the kind of scenario that they had in mind.
[ link to this | view in chronology ]
Re: GDPR already has defences against this.
Which part of the GDPR is this? Because I couldn't find anything about fee charging.
In fact the GDPR even clearly states MULTIPLE requests are possible as customer data may change from day to day or hour to hour......
[ link to this | view in chronology ]
Re: Re: GDPR already has defences against this.
https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-of-access/
"wanted to receive a further copy of information they have requested previously. In this situation a controller can charge a reasonable fee for the administrative costs of providing this information again and it is unlikely that this would be an excessive request;"
There are also rules for requests that are part of a campaign of harassment.
[ link to this | view in chronology ]
I'm the one who actually submitted an article request for this.
[ link to this | view in chronology ]