Weaponizing The GDPR: Gamers Want To Use It To Flood Blizzard With Requests As Protest Over China Appeasement

from the what-exciting-times dept

We live in such fascinating times. We’ve had some posts concerning people getting (rightly) angry about Blizzard banning a top player who supported the protests in Hong Kong. In order to make the company feel more heat, apparently some pissed off players have been plotting to weaponize the GDPR and flood the company with data requests. This started with a Reddit post directly telling users that if they’re upset about Blizzard’s decisions regarding Hong Kong, to hit back with a GDPR request:

I know a lot of people, myself included, are upset by Blizzard/Activisions spineless decision to ban Blitxchung. After personally uninstalling all of my Blizzard games, I thought, “what else can I do?”. The answer, is GDPR requests. Let me explain.

Under EU law, you’re allowed to request all information a company has on you, along with the purpose of this information collection. What most people don’t know, is that these requests are VERY hard to comply with, and can often take a companies legal group 2-7 days to complete PER REQUEST. If a company doesn’t get you the information back in 30 days, they face fines and additional issues. In extreme cases, a company can request an additional 2 months to complete the requests if there is a large volume, but suffice to say, if a company gets a significant amount of requests, it can be incredibly expensive to deal with, as inevitably they will have to hire outside firms/lawyers to help out. So, if you want to submit a GDPR request, and live in the EU, you can use the following form letter….

I’ve actually been in the middle of investigating a different story about a possible weaponizing of the GDPR, but the details there have been a bit murkier, so it’s fascinating to see things laid out so clearly here. To be clear, there does appear to be some cleverness here, though, it’s true that such requests are a pain in the ass to comply with and can be costly and resource intensive. And while it may be fun and cathartic to use that power against a company like Blizzard as a way to punish it for its ridiculous stance, be clear that these kinds of weaponized GDPR requests are likely to be used against many others as well, including companies you might actually like.

This is yet one more reason why, even if you support the overall goals of the GDPR, you should be very, very concerned with how the law is actually implemented.

Filed Under: , , , , , ,
Companies: blizzard

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Weaponizing The GDPR: Gamers Want To Use It To Flood Blizzard With Requests As Protest Over China Appeasement”

Subscribe: RSS Leave a comment
MathFox says:


I do expect that a company that has its administration in order can comply with standard GDPR requests in a few minutes of actual work. It should not be too hard to make a database printout. The first requests might take more time to find out in which databases to search and to get decent formatting.
For companies that collect more data than they should, a selective database dump might result in filling several CD-writeables.

This comment has been deemed insightful by the community.
Anonymous Coward says:

Re: Re: Re:

"I do expect that a company that has its administration in order can comply with standard GDPR requests in a few minutes of actual work."

This is absolutely wrong. It’s a ton of work because you have to comb through every single system used within a company to identify, and extract the data requested by a person. Every request is a huge pain the ass and ties up resources from the IT, Legal, and HR departments. Maybe each individual doing a small part is only spending a few minutes, but cumulatively it’s a major project. Every. Fucking. Time.

The worst part about weaponizing these requests? You’re not fucking the company over. You’re fucking over a bunch of low level employees who end up doing the work. The CEO gives zero fucks about your request. Meanwhile a contractor making $12-$15 an hour is wasting their day working on tedious shit because some fuckhead wants to circle-jerk about how terribly Blizzard handled the situation. It costs these "protestors" nothing, and they ruin someone else’s day. Someone whose only involvement was taking a job at a company these fuck heads are pissed at, over some shit which has zero impact on the lives of these fuck heads.

Fuck everyone who weaponizes GDPR requests.

Anonymous Coward says:

Re: Re: Re:3 Re:

"The CEO may not care, but the C-Suite cares a heck of a lot when call center employees are going into overtime, work loads spike, and new software is needed to manage the request since you have so many moving parts no human could walk this through a firm of this size easily."

Bonuses will be protected at all costs. What will actually happen is the spike in GDPR compliance costs will hit business/function/department budgets.

Anonymous Coward says:

Re: Re: Re: Re:

It’s a ton of work because you have to comb through every single system used within a company to identify, and extract the data requested by a person. … You’re fucking over a bunch of low level employees who end up doing the work. The CEO gives zero fucks about your request.

There’s the problem. If the CEO cared, they’d have someone automate the work. And I think this was an intended effect of the GDPR: if the company can’t quickly identify why they’re collecting and storing data about you, what they’re storing, where they got it from, they need to improve their processes and maybe stop collecting so much. It’s only difficult if there’s lots of ad-hoc data handling, which is exactly what GDPR meant to stop.

The GDPR doesn’t let requesters arbitrarily define the scope of work to be performed. They can request a dump of data held about them, along with some standard answers about why it’s collected and how. And they can request deletion. That’s it. They can’t make a company run custom reports or analyze the data. The datadump is automatable, and determining why data is collected and how it’s processed is something companies were supposed to do, once, when the GDPR became law.

Paul B says:

Re: Re: Re: Re:

I work in this area, for some firms, a GDPR request is fairly easy to respond to as they only store customer contact information for shipping and purchase history. Think a small business selling products.

At the other end of the business spectrim is a conglomerate like Bank of New York Mellon. 21 distinct business entities covering everything from bank accounts to investments to call centers. A single request could impact over 100 people, has subjective rules, and even legal limits to what data can be provided. The CEO may not care, but the C-Suite cares a heck of a lot when call center employees are going into overtime, work loads spike, and new software is needed to manage the request since you have so many moving parts no human could walk this through a firm of this size easily.

Never mind internal politics and firewalls that prevent communication also need to be breached or the entire firm is on the hook for huge fines.

I do suspect a judge would be not as crazy as to tell a firm getting hit by 100k requests in a single week that up to then was getting perhaps 10 to 20 requests that they should be fined for not clearing the backlog fast enough when the entire business is shut down more or less just to respond to requests.

Yes the GDPR is that bad for large firms.

MathFox says:

Re: Re: Re:2

As I said, if each business entity has its administration in order, it should be just one query against the customer-id or name-address to check whether some data is stored and a few more queries to get the data out of the database. You only have to collect the data that is stored about the requester.
If these requests are routine a central office would distribute requests once a week and combine the responses for mailing two weeks later. I would expect that a call center also stores its information in a way that data related to a specific customer can be easily retrieved.

Anonymous Coward says:

Re: Re: Re:2 Re:

The EUs GDPR makes no leeway for the number of requests. It simply says "do it, and hire more people if necessary".

There’s only TWO reasons you can deny GDPR. National security (requesting data about you held by the military during ongoing conflicts) and massive ongoing data loss.

But the data has to be a complete loss. i.e. for blizzard they’d have to lose ALL character and subscription data for everyone on every server. i.e. WoW would have to be shut down permanently.

just saying "we had a virus" isn’t sufficient.

Anonymous Coward says:

Re: Re: Re:3 Re:

GDPR requires you have CHECKED every server for any possible customer data,

Because customer data just roams around your network on its own? If you don’t know what’s being done with data in your company, that’s exactly what GDPR is meant to fix. With proper controls, you’d have a record of where you stored the data (or didn’t) without having to go check.

Anonymous Coward says:

Re: Re:

And so it begins. The next step will be automating the process.

The script:
1) Creates a free email account (any of various places)
2) Uses a free "make an account" web site to seed the account
3) (optionally) creates some nominal traffic using the free account
4) fires off GDPR request to legal department
5) ???
6) profit!

You don’t care about the response (though you may tweak the script if the response blows you off), so you don’t even have to look at the email account.

ECA (profile) says:

This would be fun, IF..

They created tons of data on each individual person..including WHO they sold your data to..
But could be as simple as your name, address, CC#….

My old doctors have a stack of Paper 2" high on all the procedures done. But if you ever goto read it, its paper that says Simple things.. THEY dont give a blow by blow, of what they did.. WE did this surgery(insert name) and thats about it.. NOT even followup info..

A data base extract is just a long list of games you have signed up to own. GDPR, what info can you demand????
Saying all of it, is to restrictive, as YOU dont know what they have, or have done with your data..

NOW if you went to an advert agency, you might get a list of the adverts sent to you.

Anonymous Coward says:

Yeah, this is cute and all, but it’s completely ignorant of how corporations on the scale of Blizzard/Activision actually operate. GDPR compliance has already been figured out and automated, that shit is easy now.

At worst Blizzard will just have to hire an outside vendor to help their regular agents until things calm down again. They already have external auditors and consultants to help with GDPR.

Paul B says:

Re: Re:

Compliance for Blizzard is 100% manual today. Most firms who setup compliance software assume a small flow of ongoing requests and skimp on automation as it’s cheaper to let a human run the script and sanity check the results.

Everything works fine when the load is like 10 requests per month. The systems often list risk factors for large amounts of requests breaking things or driving up huge compliance costs because automating the response can be super difficult.

Anonymous Coward says:

Re: Re: Re:

Compliance for Blizzard is absolutely not 100% manual, are you insane? They are a MASSIVE multi-billion dollar multinational corporation owned by an even bigger multi-national corporation, they have offices and do business on every continent, and you think they handle compliance manually? What are you basing that assumption on, a fever dream?

Paul B says:

Re: Re: Re: Re:

Based on personal experience with calls from clients for building GDPR compliance systems. The most common system we build right now is one where get a GDPR request, send an email or system notification to each of the relevant staff members, some poor guy stitches all the results together, legal does a review, and the response goes out to the requester. Banks and other places often add a step for confirming Identity.

The bigger the firm the more likely a process like this is followed as a request for data often goes across firm lines of business, which means more databases, and more locations to search, and more limited available IT staff to build the needed connections for automation till 2025.

Big multi-billion dollar firms are the most likely firms to be manual or a bunch of locally done scripts with minimal central control.

Anonymous Coward says:

Re: Re: Re:2 Re:

I call BS. I’ve been through several compliance audits at a much, much smaller software company than Blizzard, our processes literally take minutes and requires only the customer ID.

For Blizzard it’s extremely simple. If a request is valid it has to be tied to a user ID, and based on that they’ll already be able to tell exactly where all of the customer’s data is that they are required to provide.

The most time-consuming part of the entire process would be sifting out the fake requests.

bob says:

Re: Re: Re:3 Re:

You have experience with smaller companies, the other guy has experience with big companies. But neither of you have experience with Blizzard. And if you did I’m sure you would have had to sign an NDA. So im calling BS on you knowing exactly how easy it is for Blizzard to comply.

Why dont we just wait and see what happens with Blizzard and a flood of GDPR requests if they actually happen.

Paul B says:

Re: Re: Re:

If you do the minimum (geo blocking) you can always send a written response that you do not do business in that location and thus do not follow laws of that country. The person would then have to admit he’s bypassing your filter (VPN) or did business with you while in the US and thus US laws apply.

This is because sometimes IP addresses are the only bit of tracking info you have but they can easily be to broad due to shared IP ranges. So you can just as easily get in trouble over sharing information which gets you in hot water under other laws.

Paul (profile) says:

Re: Re: GDPR already has defences against this.


"wanted to receive a further copy of information they have requested previously. In this situation a controller can charge a reasonable fee for the administrative costs of providing this information again and it is unlikely that this would be an excessive request;"

There are also rules for requests that are part of a campaign of harrassment.

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...