GDPR Compliance

No. IDFV is not the same even between vendor much less on the same device.

Declaration

var identifierForVendor: UUID? { get }

Discussion

The value of this property is the same for apps that come from the same vendor running on the same device. A different value is returned for apps on the same device that come from different vendors, and for apps on different devices regardless of vendor.

Again the intent is not a part of the definition or what you think or don’t think it is used for. A username is considered personal data. Agramonte that I use to log into these forums is on the list of personal data and needs to be protected as such. If Agramonte is leaked what possibly could you use with that? It isn’t my last name. How exactly can you track me with Agramonte? The law defines personal data separate from intent.

Regardless of the law, I think very few of us need to worry about it. How it is going to go down is exactly what @sgs said. At first, they will go after Google, Apple, Facebook and other large vendors: “these apps are not asking for consent”. Then we will be applied pressure from the vendors where we will have to send in the consent. They probably institute some random audit of our apps or as part of the review, they will reject an app that doesn’t ask for consent. Somebody will create a service where we can capture consent for a fee or for free if we are indy.

You deviceId, hand crafted id or IDVF (which I plan to use) will never be bothered with. I even doubt that they will come after Corona for whatever crappy data they are capturing.

In an ideal world the apple and google or which ever venders app stores should take care of this. A simple check box in the developer consoles stating that our apps use services which may collect p.i. if enabled, a simple popup asking for consent from the user before downloading, ‘like the download over wifi popup’, Then we should and the app stores would have access to this data, 2 birds with one stone. Would make life so much more simple for everyone involved.

@chris, genius idea but it’s never gonna happen.

Agreed I don’t think “they” (as in the platform owners or big corporations etc) will go after smaller devs.

But you still have to respond to GDPR requests from users. If I as a EU user of your game would email you a GDPR request asking about what data you’re storing and if i can see it / opt out. How would you respond? There’s a 30 day limit in GDPR to respond to these user requests.

Also if corona is gathering device ids I think there’s a risk Google Play and/or App Store might do something about it - similar to crashlytics in march 

https://www.reddit.com/r/androiddev/comments/868ie7/google_play_violation_about_disclosure_of_crash/

Corona: Any updates on this now? It’s time for us to start building out new version of our apps (if we have to), to make sure they are all approved and live before 25 may.

Btw, Unity updated the GDPR section on how they are planning to get consent for analytics and ads a couple of days ago https://unity3d.com/legal/gdpr 

Thank you for the rededit link. I guess I’ll remove Crashalytics. Both the Crash Traces and the id for vender are collected and considered personal data and since Google owns them and can check if you are asking for consent they can kick you out of the Google store at any time.

Crashlytics Personal Data collected:

  • Installation UUID - iOS and Android.
  • Crash traces
    How data helps provide the service:
  • Helping a customer associate crash data with specific instances of their app.
    Retention:
  • Crash traces and their associated identifiers are kept for 90 day
    Answers Personal Data collected:
  • Mobile ad IDs
  • Installation UUID
  • Android IDs
  • IP Addresses
    How data helps provide the service:
  • Provides customers with analytics information based on segmented device data. IP addresses are used to provide geolocation information to customers.
    Retention:
  • Answers retains identifier data for 180 days.

 

In some ways GDPR is great - stop large companies profiting from personal data without the customers approval. 

But in other ways it royally sucks for us indies :frowning:

Is there any update from Corona Labs?  Are any ETA on when we should hear?  This law goes into effect this month, if we need to make changes to our apps we need to know ASAP.

A handy read for us all https://medium.com/@cennydd/a-techies-rough-guide-to-gdpr-c8d4b4eb2b3b

Still no input from Corona?

Common guys this post started in March… it is now May.  Completely unacceptable.

Vlad posted an update two weeks ago. We are still working on this. I’ll see if there are any updates.

Rob

I’m sorry Rob but (and I am sure I speak for us all here) “we are still working on this” is not unacceptable especially when this is 6+ weeks after the OP. I find it real hard to comprehend that no one in your team has any idea of the ramifications of this?!

We’ve only got a couple weeks left to get compliant and a lot of devs have many apps to update (if required).

Or keep the services up but write nothing. This could be a temporary solution.

I’ve looked a little bit at the network connections for some Corona games. Would have much preferred if Corona could tell us about this instead. 

I’ve looked at about 8 games made with corona, some premium some free and some with ads plugins. Some are a bit older and some are newer - including 2 games that are currently featured in the App Store. I’ve used an iphone 7 running ios11.3 , and a HTTP proxy with an SSL cert to look at the requests. (https://www.charlesproxy.com/). In the data pasted here i’ve changed the numbers and identifiers to not call out anyones game, but i’ve kept the form/length of the id’s etc

First, on startup every game sends a request to https://stats.coronalabs.com/analytics/device/v1 and it looks like this:

{“tm”:1525258131,“pl”:“iOS11.3”,“id”:“81bc20ca49a881908d7d11372a9b2ad1”,“bi”:“com.company.appname”}

I’m not 100% sure what id is being sent here - but i think it’s the IDFV because the id is same for apps from the same publisher but differs otherwise. Would be interesting to test this on Android as well.

And secondly, there are requests being made to monetize-api.coronalabs.com. I’ve only seen this in games using the Appodeal plugin so far. But might be true for more games using different ad plugins? Worth mentioning is that there’s still calls being made to Appodeals servers as well as the different ad networks being used. These calls are then repeated with different event statuses when an ad is shown / requested etc. 

monetize-api.coronalabs.com

{

“status”: “success”,

“message”: null,

“data”: {

“device_manufacturer”: “apple”,

“device_resolution”: “750x1334”,

“os_name”: “iOS”,

“app_name”: “APP NAME”,

“version”: “VERSION NUMBER”,

“app_version”: “APP VERSION NUMBER”,

“sdk_version”: “1.0”,

“app_bundle_id”: “com.company.appname”,

“sdk_platform”: “corona”,

“os_version”: “11.3”,

“ios_idfv”: “71LII240-7122-44B8-A0D2-384B5020B94F”,

“device_model”: “iPhone9,3”,

“name”: “plugin.appodeal”,

“ios_idfa”: “71LII240-7122-44B8-A0D2-384B5020B94F”,

“open_udid”: “71LII240-7122-44B8-A0D2-384B5020B94F”,

“device_id”: “71LII240-7122-44B8-A0D2-384B5020B94F”,

“lat”: 0,

“long”: 0,

“dnt”: 0,

“event”: “request”,

“placement”: “rewardedVideo”,

“timestamp”: 1525258731

}

}

@Chribbe, re https://stats.coronalabs.com/analytics/device/v1 

there used to be a supported setting in config.lua “launchPad = false” that would disable this startup collection.  can’t find any reference to it today though, seems to have been removed from the docs.

i had been using it, one, because I don’t want or need Corona tracking my users in the first place; and two, because it helped me solve a crash it was causing at one time.  guess they’re tracking now regardless of that setting. (have you attempted to network trace an app built with that setting in effect?)

if they’d simply reinstate that feature that they apparently removed (I have to wonder when?) then it might address Corona’s own internal issues.  (separate libs would still be separate problems)

@davebollinger Interesting! Didn’t know about that launchPad=false option. Would be interesting to try a game that uses that setting. Do you know any live on the app store? Otherwise i’ll try and make a new build with one of our games.

@Chribbe, i think you’d want to test a new build with a current daily (since we don’t know for sure if the missing docs really mean the feature was disabled or as of which build)

btw here’s a wayback of the old docs

@Chribbe Wow. Great info, in that case, it doesn’t matter what we do to our apps if it is sending IDFV (considered personal data by Google and others) none of our iOS apps are GDPR compliant. 

Also if you have the time can you have quick instructions on how to set this up, so I can test my own apps?

Just to be clear, IP address is considered “personal data” according to GDPR as well. Like any network connection provides IP address of client to server, this is how networks work. GDPR is not about data transmitted, it is about how it is used. From what I see we use IDs only to aggregate data over them right now. Aggregated data over many users isn’t considered personal.

GDPR is not about what data is sent, it is about what and how data is collected, stored and processed from what I understand. We’re working with lawyers to figure exactly what is to be done so your apps would be GDPR compliant.

Thank you for the update Vlads!  A solution that doesn’t force us to update our apps is ideal and that sounds like what you’re working towards.

The key thing is to be able to give a valid business case for why a particular piece of data needs to be stored, and acquire explicit consent on that basis.

A developer will know what data they collect and why, and make a call as to whether they can reasonably justify it, but right now can’t make that same justification for anything Corona is sending/collecting.

Seems strange to differentiate between is sent and what is collected/used - I’d have thought a user will assume that anything their device is sending is intended to be stored and used, otherwise why send it in the first place?