A handy read for us all https://medium.com/@cennydd/a-techies-rough-guide-to-gdpr-c8d4b4eb2b3b
Still no input from Corona?
C’mon guys, this post started in March… it is now May. Completely unacceptable.
Vlad posted an update two weeks ago. We are still working on this. I’ll see if there are any updates.
Rob
I’m sorry Rob but (and I am sure I speak for us all here) “we are still working on this” is not unacceptable especially when this is 6+ weeks after the OP. I find it real hard to comprehend that no one in your team has any idea of the ramifications of this?!
We’ve only got a couple weeks left to get compliant and a lot of devs have many apps to update (if required).
Or keep the services up but write nothing. This could be a temporary solution.
I’ve looked a little bit at the network connections for some Corona games. Would have much preferred if Corona could tell us about this instead.
I’ve looked at about 8 games made with Corona, some premium, some free and some with ads plugins. Some are a bit older and some are newer - including 2 games that are currently featured in the App Store. I’ve used an iPhone 7 running iOS 11.3 and an HTTP proxy with an SSL cert to look at the requests (https://www.charlesproxy.com/). In the data pasted here I’ve changed the numbers and identifiers to not call out anyone’s game, but I’ve kept the form/length of the IDs etc.
First, on startup every game sends a request to https://stats.coronalabs.com/analytics/device/v1 and it looks like this:
{"tm":1525258131,"pl":"iOS11.3","id":"81bc20ca49a881908d7d11372a9b2ad1","bi":"com.company.appname"}
I’m not 100% sure what id is being sent here - but I think it’s the IDFV because the id is the same for apps from the same publisher but differs otherwise. Would be interesting to test this on Android as well.
And secondly, there are requests being made to monetize-api.coronalabs.com. I’ve only seen this in games using the Appodeal plugin so far. But might be true for more games using different ad plugins? Worth mentioning is that there’s still calls being made to Appodeals servers as well as the different ad networks being used. These calls are then repeated with different event statuses when an ad is shown / requested etc.
{
    "status": "success",
    "message": null,
    "data": {
        "device_manufacturer": "apple",
        "device_resolution": "750x1334",
        "os_name": "iOS",
        "app_name": "APP NAME",
        "version": "VERSION NUMBER",
        "app_version": "APP VERSION NUMBER",
        "sdk_version": "1.0",
        "app_bundle_id": "com.company.appname",
        "sdk_platform": "corona",
        "os_version": "11.3",
        "ios_idfv": "71LII240-7122-44B8-A0D2-384B5020B94F",
        "device_model": "iPhone9,3",
        "name": "plugin.appodeal",
        "ios_idfa": "71LII240-7122-44B8-A0D2-384B5020B94F",
        "open_udid": "71LII240-7122-44B8-A0D2-384B5020B94F",
        "device_id": "71LII240-7122-44B8-A0D2-384B5020B94F",
        "lat": 0,
        "long": 0,
        "dnt": 0,
        "event": "request",
        "placement": "rewardedVideo",
        "timestamp": 1525258731
    }
}
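An added example, not part of the original post: a Python check that walks captured JSON bodies shaped like the two payloads quoted above and reports, per host, which fields carry device-identifier-like values. The sample bodies and identifier values are constructed, and the key-name pattern is an assumption based on the field names shown in the post.

```python
import json
import re

# Constructed sample bodies modelled on the payloads quoted above; all id values are made up.
CAPTURED = [
    ("stats.coronalabs.com", '{"tm":1525258131,"pl":"iOS11.3",'
     '"id":"0123456789abcdef0123456789abcdef","bi":"com.company.appname"}'),
    ("monetize-api.coronalabs.com", '{"status":"success","data":{"dnt":1,'
     '"ios_idfv":"11111111-2222-4333-8444-555555555555",'
     '"ios_idfa":"00000000-0000-0000-0000-000000000000","event":"request"}}'),
]

UUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)
HEX32_RE = re.compile(r"^[0-9a-f]{32}$", re.I)
ID_KEY_RE = re.compile(r"^id$|idfa|idfv|udid|device_id", re.I)  # assumed key names

def walk(node, path=""):
    """Yield (dotted path, value) for every scalar in a decoded JSON document."""
    if isinstance(node, (dict, list)):
        items = node.items() if isinstance(node, dict) else enumerate(node)
        for key, value in items:
            yield from walk(value, f"{path}.{key}" if path else str(key))
    else:
        yield path, node

def classify(path, value):
    """Return why a field looks like a device identifier, or None."""
    if not isinstance(value, str) or not value:
        return None
    if UUID_RE.match(value):
        # An all-zero UUID is what iOS reports as the IDFA when ad tracking is limited.
        return None if set(value) <= {"0", "-"} else "uuid-shaped value"
    if HEX32_RE.match(value):
        return "32-hex value"
    key = path.rsplit(".", 1)[-1]
    return "identifier-named key" if ID_KEY_RE.search(key) else None

def audit(captured):
    """Map host -> list of (field path, reason) for identifier-like fields."""
    findings = {}
    for host, body in captured:
        try:
            doc = json.loads(body)
        except ValueError:
            continue  # body is not JSON, nothing to inspect
        for path, value in walk(doc):
            why = classify(path, value)
            if why:
                findings.setdefault(host, []).append((path, why))
    return findings
```

Calling `audit(CAPTURED)` returns the flagged fields grouped by host; replace `CAPTURED` with the request bodies exported from your own proxy session.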
@Chribbe, re https://stats.coronalabs.com/analytics/device/v1
there used to be a supported setting in config.lua “launchPad = false” that would disable this startup collection. can’t find any reference to it today though, seems to have been removed from the docs.
i had been using it, one, because I don’t want or need Corona tracking my users in the first place; and two, because it helped me solve a crash it was causing at one time. guess they’re tracking now regardless of that setting. (have you attempted to network trace an app built with that setting in effect?)
if they’d simply reinstate that feature that they apparently removed (I have to wonder when?) then it might address Corona’s own internal issues. (separate libs would still be separate problems)
@davebollinger Interesting! Didn’t know about that launchPad=false option. Would be interesting to try a game that uses that setting. Do you know any live on the App Store? Otherwise I’ll try and make a new build with one of our games.
@Chribbe, i think you’d want to test a new build with a current daily (since we don’t know for sure if the missing docs really mean the feature was disabled or as of which build)
btw here’s a wayback of the old docs
@Chribbe Wow. Great info, in that case, it doesn’t matter what we do to our apps if it is sending IDFV (considered personal data by Google and others) none of our iOS apps are GDPR compliant.
Also if you have the time can you have quick instructions on how to set this up, so I can test my own apps?
Just to be clear, IP address is considered “personal data” according to GDPR as well. Like any network connection provides IP address of client to server, this is how networks work. GDPR is not about data transmitted, it is about how it is used. From what I see we use IDs only to aggregate data over them right now. Aggregated data over many users isn’t considered personal.
GDPR is not about what data is sent, it is about what and how data is collected, stored and processed from what I understand. We’re working with lawyers to figure exactly what is to be done so your apps would be GDPR compliant.
Thank you for the update Vlads! A solution that doesn’t force us to update our apps is ideal and that sounds like what you’re working towards.
The key thing is to be able to give a valid business case for why a particular piece of data needs to be stored, and acquire explicit consent on that basis.
A developer will know what data they collect and why, and make a call as to whether they can reasonably justify it, but right now can’t make that same justification for anything Corona is sending/collecting.
Seems strange to differentiate between what is sent and what is collected/used - I’d have thought a user will assume that anything their device is sending is intended to be stored and used, otherwise why send it in the first place?
This is why I provided example of IP address: it is used to establish any network connection. It is private identifiable data, but as long as it isn’t stored it is OK to send it. Also, some data is necessary to be sent to calculate simple stats, like how many different users app has or how many times on average users start the app daily. This is important to us to understand 1. how corona is used 2. to keep checks on our monetization partners (ad networks corona developers choose to use).
We do actively work to make sure data is stored and handled in accordance with GDPR.
Well you must collect some form of unique identifier in order to calculate how often a user starts the app daily. Developers need to know what that is so they can add it to their consent notice.
I would think there would be a distinction between:
1. A developer collecting deviceID or similar to analyse user behaviour in order to improve the user experience in their app, or to be able to restore purchases/progress.
2. A developer collecting deviceID or similar on behalf of the company who made the engine they use so they can analyse the performance/popularity of the engine and their advertising partners.
Number 2 is a lot more difficult to justify to an end user because it doesn’t benefit them and their use of the app.
@Vlad (and as per nick_sherman)
if we are unable to stop you (Corona Labs) from collecting data via “the tool” (Corona API), then what we (the dev) need from you (Corona Labs) is a public statement/policy re GDPR that we can refer them (the users) to.
so that we (the devs) could (at the very least) post a “redirected policy” something like:
"This app was constructed with a tool named Corona SDK, developed by Corona Labs, which collects usage data on its own according to the following policy: http://www.coronalabs.com/gdprpolicy"
that public policy page must formally support your statement: “We do actively work to make sure data is stored and handled in accordance with GDPR.” because we (the devs) have no control over it otherwise, and that won’t fly.
Surely if the id element is removed then Corona gets its stats and “we” pass no PII?
So @corona:
Appodeal updated the privacy policy a couple of days ago and makes it clear that we need to get consent from users to use the SDK. We’re working on figuring out if and how we can do this now. As a temp solution we’re thinking of disabling appodeal (and all ads) for EU users for now. We really need to know if Corona will keep gathering device id stats (please don’t or at least give us a way to turn it off) ASAP or risk not getting all our apps updated and live in time.
We make apps for kids with Corona, and we don’t monetize with ads. We are 100% IAPs. We don’t need your advertising SDKs. Can you give us an option to opt-out of all data collection within build.settings? We have already removed all other plugins that transmit or collect data.
We need to release 35 Corona apps to various app stores within 18 days. The sooner we get help from you, the sooner we can get past this and get on with making games.