We’ve seen combat logging in WoW as long as I can remember, truth be told. The names of the addons have changed here and there, as they fall in and out of popularity, and new developers rise to the occasion, get bored, and leave.

But combat logging with addons has been pretty persistently happening, with today’s more popular alternatives including Details and Warcraft Logs.

Principally, in this post I want to emphasize that the logging of combat data is being done without the users’ consent, and that Blizzard should really build a solution either to curb this trend, and/or write policy for how data should be processed by addons.

This was already a subject that bothered me before recent news of the Archon Addon

This post will get long, so I’ll add a TL;DR table.

1. Combat logs are personal and better consent is required.
2. Blizzard can and should write better policy for what addons are allowed to do.
3. Blizzard could introduce mechanics for addons to hook into for consensual use.
4. Addons do not have to be so broadly scoped, and should narrow down their scope.

GDPR

The General Data Protection Regulation, or GDPR in short, seeks to empower users to have control over how their data is collected, processed and stored. I’m sure most users have heard about it, but principally there are a few key points to take away.

1. Combat logs are personal data. Personal data are any information which are related to an identified or identifiable natural person.
2. Users should actively consent. It should be an informed consent; i.e. the users should understand quite casually what data is being collected, how it’s processed, for what purpose, and for how long it’s stored.

Combat logs are personal data

This is unambiguous, truth be told. Your combat data is personal data that belongs to you. Therefore under GDPR you should have some semblance of control over it.

Personal data are any information which are related to an identified or identifiable natural person.

The data subjects are identifiable if they can be directly or indirectly identified, especially by reference to an identifier such as a name, an identification number, location data, an online identifier or one of several special characteristics, which expresses the physical, physiological, genetic, mental, commercial, cultural or social identity of these natural persons. In practice, these also include all data which are or can be assigned to a person in any kind of way. For example, the telephone, credit card or personnel number of a person, account data, number plate, appearance, customer number or address are all personal data.

Source: Personal Data - General Data Protection Regulation (GDPR)

These definitions are intentionally broad, and certainly leave your combat logs included as personal data.

Users should actively consent

I’ve heard many arguments in the past that users have already consented because reasons like “you joined the group/raid”, “the information is shared with everyone”, etc. However, such an implied consent is fundamentally inadequate.

The basic requirements for the effectiveness of a valid legal consent are defined in Article 7 and specified further in recital 32 of the GDPR. Consent must be freely given, specific, informed and unambiguous. In order to obtain freely given consent, it must be given on a voluntary basis.

Source: Consent - General Data Protection Regulation (GDPR)

In World of Warcraft, we have no idea when someone is randomly harvesting our data. When we’re smacking target dummies we don’t know who around us have addons logging it. When we join a group or a raid we don’t know who around us have addons logging it. We could be logged. We could not be logged. We don’t know when logging begins or ends.

Plainly speaking, this is inadequate in describing our “consent” as freely given, specific, informed or unambiguous. It’s not meeting any of those targets!

How to improve today’s situation

Generally speaking, Blizzard have several levers available to pull. Additionally, addons have the power to fix their own overreach as well. Principally, in short, what I’d ask is this.

1. Blizzard should write and enforce policy on addons’ intersection with consent.
2. Blizzard should implement mechanics for competent consent w/ addons.
3. Addons should reduce scope to only self by default.
4. Addons for groups and raids should require opt-in consent.

What Blizzard should do?

Blizzard have taken steps to address overreaching addons in the past, and it’s really about high time we see them do so again for the sake of its customers’ data protection.

Blizzard should write and enforce policy on addons’ intersection with consent

I wouldn’t put it past Blizzard to already have a consent-driven policy for addons. If there is such a policy today, however, it’s at the least inadequate, or it is ignored.

This policy should plainly and clearly state what data is allowed to be processed and for what scope when writing addons. Furthermore, it should elaborate that the data is ultimately personal data belonging to the identified players, and that any collection of it requires their explicit consent.

Blizzard should implement mechanics for competent consent w/ addons

I’ve yet to ever see in my life of playing World of Warcraft any consent management. This seems like a feature that’s long overdue for proper consent, and I think Blizzard should empower addons to properly collect the consent in a neat and tidy way, such that addons like Warcraft Logs can preemptively and correctly address them before the data is ever harvested.

What should addon developers do?

The above obviously concerned Blizzard, but fundamentally it’s addon developers overstepping their bounds imo. To that end, there are two main steps I think addons should take.

Addons should reduce scope to only self by default

If your intent in using Warcraft Logs is only self-improvement then Details and Warcraft Logs really doesn’t need to concern itself with logging other players in your raid. All the data you need will be on your character;

1. Your abilities cast are yours to log.
2. Your damage taken does not need a source.
3. Your healing taken does not need a source.
4. The source of buffs cast on you do not need a source.

And so on and so forth. All of the data is literally on your character, and does not need to see what the hell anyone else is up to to use. If you are really just logging your own performance this is more than adequate.

Addons for groups and raids should require opt-in consent

There is one simple mechanic for actively obtaining consent: The other user has a relevant addon explicitly stating their consent. If the user does not have such an addon then their data should not be collected.

Nobody knows who you are so it is not personal data.

Totally agree, that all this nonsense should be opt-in

^^ This. I think you misunderstand the meaning of personal data!

Stuff your game pixels do that belong to Blizzard is not personal data. Personal data that Blizzard holds is stuff like your real name, address, phone number etc etc.

I mean the OP posted even in his topic the definition Good luck identifying who i am based on my combat logs.

I’ve narrowed down your location to earth using your logs.

International space station, but close call!
Still do not know who i am

But people who are wanting to hide as much as possible, should be aware of these settings in your wow account.

Disable the game data from being shared. You can also opt out on various sites if it really bothers you that someone can see your logs, raider io etc etc.

I couldn’t care less about people seeing my pixel data but that’s me. If someone wants to go check out my grey logs, or look me up on Raider Io, wowprogress, check pvp etc, knock yourself out. It’s just info pertaining to game chars. Nothing personal about me.

Even my btag, twitter, etc are available on most profiles etc. No one can be your friend without you accepting the request.

All that combatlogs tell is that im another bad player in a sea if bad players

Combat logs is not personal data…lol

How is your character name not as equally identifiable as your IP address? I think you’re the one misunderstanding here imo.

And your data is certainly yours, not Blizzard’s. Why would you think the data belongs to Blizzard, yet Google can’t so much as save your browser’s agent string without your consent - even if you’re using Google Chrome?

My character name is not personal data. It’s even in all the stuff you posted.

I’m sorry you don’t get it but if you really object to anyone linking you your best bet is to hide your information. You can even create a Classic character for posting on the forums that is harder to link to any main in wow.

No one has ever found out who I am, my address, my phone number etc from my name Punyelf. And I’m one of the more unique names in wow. Though they are on the increase.

Look at their post count, and it’s Friday leading to the weekend… what do such people typically do?

Grey loggers unite!!!

Your account isn’t yours. It’s Blizzards.

My discord name in my m+ disc is 50 shades of greyparses

There’s so many of us.

I get it. I just think you’re wrong. You don’t need to be condescending or rude about this.

And don’t conflate “I think we should have control over our information” with “I want to withdraw all my information from public”. I am comfortable posting under this name. Hell, I’m not even that private of a person, most of my information is generally quite public.

But these are generally decisions I make, not because someone has harvested it but because I choose to share.

If someone wants to trace down my home address from my IP address they’ll generally require significantly more access than is regularly available.

So once more, how is my character name not personal data, but my IP address is? After all, for virtually all platforms the only thing personal about my IP address is that they can see “I am active on a single IP over a longer time.” That’s no different from me having played this character for 5 years straight.

Your IP address shows roughly where you are, you character name doesn’t.