ur-gothmom

your goth mom

  • she/her

nex3
@nex3

is that it shines a huge light on the risk to users and intermediaries of having any telemetry at all in their infrastructure. The only reason they can conceivably enforce this for older Unity versions is if the software distributions are already phoning home every time they run an install process. Presumably, when a Unity game was made five years ago, no one (including Unity!) expected the telemetry to be used to extort devs down the line. But times changed and heels turned and now it is.

Which makes this a pretty dire case study for anyone else who's looking at infrastructure that has, or wants to add, some kind of telemetry. Sure you say it's just for collecting error reports now, but what happens five years later when your company gets bought by a hedge fund that starts sending out bills per user install?



in reply to @nex3's post:

Yeah Firefox's (sorely needed and very important) telemetry infrastructure is another good example here - some jackass decided to use Firefox telemetry for a marketing co-promotion years ago and permanently damaged user trust. Wouldn't have been possible without telemetry

"Sure you say it's just for collecting error reports now, but what happens five years later"

There is a framework for dealing with this! Believe it or not, in many places it's actually against the rules to collect data for a stated purpose and then use it for something else. It's called "Purpose Limitation," and it's one of the fundamental principles of GDPR (E.g. Article 5 § 1.c, Article 13 § 1.c and 3, Article 14 § 1.c and 4).

Meanwhile in the US the ol' switcheroo is a fundamental practice and it's totally fine because we don't have data privacy except for medical insurance, college transcripts, and Blockbuster video rental history (long story). Purpose Limitation is one of the things that occasionally makes its way into the long-awaited Proposed Federal Data Privacy Law that's been six months away since 2018, and if it were actually passed it would be a tidal shift in the whole computer sector.

Unity claims they're being GDPR compliant, but they're not giving details. Let me tell you: I've never seen a company claiming GDPR compliance actually be GDPR compliant if they're not showing receipts.

This is an interesting corner case. Even if data that has already been collected is off-limits, could they say "okay now our telemetry is also for billing" and use all new data that the program reports for that purpose?

I'd hardly call it a corner case. That part of GDPR was written very much in mind with the secondary-purposes bullshit that US companies do on the regular.

So first, to answer your question: a company can update its Privacy Policy and have it apply to data collected in the future. This is generally seen as OK to the extent that the data subject can decide to stop using the service if they don't like those terms. For a game, probably allowed.

But there's the thing: Unity doesn't directly control the Privacy Policy! The game dev interacts with the data subject (player), and is in theory the one responsible for putting a privacy policy in front of them. If the game dev is compliant, they mention they transfer data to Unity and link to the policy. But Unity has no way of pushing that terms have been updated. And the game dev sure as fuck isn't going to do that now.

In theory historical data is allowed to be processed for new purposes BUT Unity must inform the data subject they intend to do so. That will, uh, blow their cover. They've been trying to hide under the radar about their data collection.

Now aside from all this, there's a mighty issue involved that in the US would be called "standing." These are all rights of the data subject, i.e. the player. The game dev doesn't actually have these rights. Even if Unity is in the wrong here, the dev has not been wronged.

What the dev has is a claim that they are being billed based on data that was collected unlawfully, and they have to work towards claiming that the bill itself is therefore unlawful. That will be difficult to the extent that the dev is themselves complicit in the data collection, especially since a lot of them didn't put in "proper" privacy notices to their game.

One saving grace is that EU regulators tend to factor in the legal sophistication and power disparities between parties when figuring out who's responsible for this, in a way that the US assuredly does not.

The funny thing is that as far as I can tell, Unity hasn't even officially copped to using telemetry to do this. They have claimed that they will figure out the install numbers for games based on a "proprietary model" derived from "multiple sources". One of those sources is presumably telemetry, but they won't officially say so! It's farcical.

I’d just like to point out that we have explicitly stated that game installs are not phoning home with telemetry which is now being used for billing. They do have telemetry products, but they are optional and not used in a lot of games. We always turn off all forms of telemetry when we build. Furthermore, on platforms like consoles, it would actually cause certification issues, as your game is not allowed to just randomly hit out to the internet.

What Unity is actually planning to do, to the best of my knowledge (I’m not an imposter I aware I’m the real Unity3d but this stuff is made up and changing all the time) is to just estimate. Based on what, you ask? Mostly 3rd party data and customer data apparently. Like.. I guess they are implying they are going to scrape data from places like steam db, plug it into a magic ai black box (sorry, a ‘proprietary model’) and then bill based on that. I’m guessing the customer data reference is when there’s pricing disputes? You can contact sales and provide actual numbers (?) somehow (??) to get more accurate (???) billing.

Just so you know like, how unworkable this idea is, this actually seems to be the plan!