We’ve seen combat logging in WoW as long as I can remember, truth be told. The names of the addons have changed here and there, as they fall in and out of popularity, and new developers rise to the occasion, get bored, and leave.
But combat logging with addons has been pretty persistently happening, with today’s more popular alternatives including Details and Warcraft Logs.
Principally, in this post I want to emphasize that the logging of combat data is being done without the users’ consent, and that Blizzard should really build a solution either to curb this trend, and/or write policy for how data should be processed by addons.
This was already a subject that bothered me before recent news of the Archon Addon
This post will get long, so I’ll add a TL;DR table.
- Combat logs are personal and better consent is required.
- Blizzard can and should write better policy for what addons are allowed to do.
- Blizzard could introduce mechanics for addons to hook into for consensual use.
- Addons do not have to be so broadly scoped, and should narrow down their scope.
GDPR
The General Data Protection Regulation, or GDPR in short, seeks to empower users to have control over how their data is collected, processed and stored. I’m sure most users have heard about it, but principally there are a few key points to take away.
- Combat logs are personal data. Personal data are any information which are related to an identified or identifiable natural person.
- Users should actively consent. It should be an informed consent; i.e. the users should understand quite casually what data is being collected, how it’s processed, for what purpose, and for how long it’s stored.
Combat logs are personal data
This is unambiguous, truth be told. Your combat data is personal data that belongs to you. Therefore under GDPR you should have some semblance of control over it.
Personal data are any information which are related to an identified or identifiable natural person.
The data subjects are identifiable if they can be directly or indirectly identified, especially by reference to an identifier such as a name, an identification number, location data, an online identifier or one of several special characteristics, which expresses the physical, physiological, genetic, mental, commercial, cultural or social identity of these natural persons. In practice, these also include all data which are or can be assigned to a person in any kind of way. For example, the telephone, credit card or personnel number of a person, account data, number plate, appearance, customer number or address are all personal data.
Source: Personal Data - General Data Protection Regulation (GDPR)
These definitions are intentionally broad, and certainly leave your combat logs included as personal data.
Users should actively consent
I’ve heard many arguments in the past that users have already consented because reasons like “you joined the group/raid”, “the information is shared with everyone”, etc. However, such an implied consent is fundamentally inadequate.
The basic requirements for the effectiveness of a valid legal consent are defined in Article 7 and specified further in recital 32 of the GDPR. Consent must be freely given, specific, informed and unambiguous. In order to obtain freely given consent, it must be given on a voluntary basis.
Source: Consent - General Data Protection Regulation (GDPR)
In World of Warcraft, we have no idea when someone is randomly harvesting our data. When we’re smacking target dummies we don’t know who around us have addons logging it. When we join a group or a raid we don’t know who around us have addons logging it. We could be logged. We could not be logged. We don’t know when logging begins or ends.
Plainly speaking, this is inadequate in describing our “consent” as freely given, specific, informed or unambiguous. It’s not meeting any of those targets!
How to improve today’s situation
Generally speaking, Blizzard have several levers available to pull. Additionally, addons have the power to fix their own overreach as well. Principally, in short, what I’d ask is this.
- Blizzard should write and enforce policy on addons’ intersection with consent.
- Blizzard should implement mechanics for competent consent w/ addons.
- Addons should reduce scope to only self by default.
- Addons for groups and raids should require opt-in consent.
What Blizzard should do?
Blizzard have taken steps to address overreaching addons in the past, and it’s really about high time we see them do so again for the sake of its customers’ data protection.
Blizzard should write and enforce policy on addons’ intersection with consent
I wouldn’t put it past Blizzard to already have a consent-driven policy for addons. If there is such a policy today, however, it’s at the least inadequate, or it is ignored.
This policy should plainly and clearly state what data is allowed to be processed and for what scope when writing addons. Furthermore, it should elaborate that the data is ultimately personal data belonging to the identified players, and that any collection of it requires their explicit consent.
Blizzard should implement mechanics for competent consent w/ addons
I’ve yet to ever see in my life of playing World of Warcraft any consent management. This seems like a feature that’s long overdue for proper consent, and I think Blizzard should empower addons to properly collect the consent in a neat and tidy way, such that addons like Warcraft Logs can preemptively and correctly address them before the data is ever harvested.
What should addon developers do?
The above obviously concerned Blizzard, but fundamentally it’s addon developers overstepping their bounds imo. To that end, there are two main steps I think addons should take.
Addons should reduce scope to only self by default
If your intent in using Warcraft Logs is only self-improvement then Details and Warcraft Logs really doesn’t need to concern itself with logging other players in your raid. All the data you need will be on your character;
- Your abilities cast are yours to log.
- Your damage taken does not need a source.
- Your healing taken does not need a source.
- The source of buffs cast on you do not need a source.
And so on and so forth. All of the data is literally on your character, and does not need to see what the hell anyone else is up to to use. If you are really just logging your own performance this is more than adequate.
Addons for groups and raids should require opt-in consent
There is one simple mechanic for actively obtaining consent: The other user has a relevant addon explicitly stating their consent. If the user does not have such an addon then their data should not be collected.