Weaponizing The GDPR: Gamers Want To Use It To Flood Blizzard With Requests As Protest Over China Appeasement

from the what-exciting-times dept

We live in such fascinating times. We've had some posts concerning people getting (rightly) angry about Blizzard banning a top player who supported the protests in Hong Kong. In order to make the company feel more heat, apparently some pissed off players have been plotting to weaponize the GDPR and flood the company with data requests. This started with a Reddit post directly telling users who are upset about Blizzard's decisions regarding Hong Kong to hit back with a GDPR request:

I know a lot of people, myself included, are upset by Blizzard/Activision's spineless decision to ban Blitzchung. After personally uninstalling all of my Blizzard games, I thought, "what else can I do?" The answer is GDPR requests. Let me explain.

Under EU law, you're allowed to request all information a company has on you, along with the purpose of this information collection. What most people don't know is that these requests are VERY hard to comply with, and can often take a company's legal group 2-7 days to complete PER REQUEST. If a company doesn't get you the information back in 30 days, they face fines and additional issues. In extreme cases, a company can request an additional 2 months to complete the requests if there is a large volume, but suffice to say, if a company gets a significant amount of requests, it can be incredibly expensive to deal with, as inevitably they will have to hire outside firms/lawyers to help out. So, if you want to submit a GDPR request, and live in the EU, you can use the following form letter....

I've actually been in the middle of investigating a different story about a possible weaponizing of the GDPR, but the details there have been a bit murkier, so it's fascinating to see things laid out so clearly here. To be clear, there does appear to be some cleverness here: it's true that such requests are a pain in the ass to comply with and can be costly and resource intensive. And while it may be fun and cathartic to use that power against a company like Blizzard as a way to punish it for its ridiculous stance, be aware that these kinds of weaponized GDPR requests are likely to be used against many others as well, including companies you might actually like.

This is yet one more reason why, even if you support the overall goals of the GDPR, you should be very, very concerned with how the law is actually implemented.

Filed Under: appeasement, china, costs, data requests, gdpr, protest, weaponizing
Companies: blizzard


Reader Comments



  1. Gary (profile), 18 Oct 2019 @ 8:44am

    What most people don't know is that these requests are VERY hard to comply with, and can often take a company's legal group 2-7 days to complete PER REQUEST.

    Is this an accurate description of the process? How can a smaller company comply with such a request - that kind of legal work isn't cheap.

  2. Mike Masnick (profile), 18 Oct 2019 @ 8:52am

    Re:

    Yes, it's an accurate description of the process. Ain't the GDPR grand?

  3. MathFox, 18 Oct 2019 @ 9:45am

    I do expect that a company that has its administration in order can comply with standard GDPR requests in a few minutes of actual work. It should not be too hard to make a database printout. The first requests might take more time to find out in which databases to search and to get decent formatting.
    For companies that collect more data than they should, a selective database dump might result in filling several CD-writeables.

  4. ECA (profile), 18 Oct 2019 @ 9:58am

    This would be fun, IF..

    They created tons of data on each individual person..including WHO they sold your data to..
    But could be as simple as your name, address, CC#....

    My old doctors have a stack of paper 2" high on all the procedures done. But if you ever go to read it, it's paper that says simple things.. THEY don't give a blow by blow of what they did.. WE did this surgery (insert name) and that's about it.. NOT even followup info..

    A database extract is just a long list of games you have signed up to own. GDPR, what info can you demand????
    Saying all of it is too restrictive, as YOU don't know what they have, or have done with your data..

    NOW if you went to an advert agency, you might get a list of the adverts sent to you.

  5. Anonymous Coward, 18 Oct 2019 @ 10:09am

    Re:

    For an online games company keeping session logs, they should probably not let you have more than the screen names of anybody you played with/against, lest they accidentally dox someone. Complying with that request now becomes somewhat more complicated.

  6. Richard, 18 Oct 2019 @ 10:09am

    Why doesn’t this fall afoul of the “manifestly unfounded” provision?

  7. Anonymous Coward, 18 Oct 2019 @ 10:17am

    Re: Re:

    GDPR doesn't say you can get data on other people, and any sane database schema will use references rather than copying their data into your records.

  8. wouldn'tyoulike to know, 18 Oct 2019 @ 10:19am

    Hrm

    I would have thought this article was about reporting Blizzard for not allowing you to delete your account w/o seeing a photo ID.

    Which would make sense (if that runs afoul of the GDPR).

  9. Anonymous Coward, 18 Oct 2019 @ 10:24am

    Re:

    "I do expect that a company that has its administration in order can comply with standard GDPR requests in a few minutes of actual work."

    This is absolutely wrong. It's a ton of work because you have to comb through every single system used within a company to identify and extract the data requested by a person. Every request is a huge pain in the ass and ties up resources from the IT, Legal, and HR departments. Maybe each individual doing a small part is only spending a few minutes, but cumulatively it's a major project. Every. Fucking. Time.

    The worst part about weaponizing these requests? You're not fucking the company over. You're fucking over a bunch of low level employees who end up doing the work. The CEO gives zero fucks about your request. Meanwhile a contractor making $12-$15 an hour is wasting their day working on tedious shit because some fuckhead wants to circle-jerk about how terribly Blizzard handled the situation. It costs these "protestors" nothing, and they ruin someone else's day. Someone whose only involvement was taking a job at a company these fuck heads are pissed at, over some shit which has zero impact on the lives of these fuck heads.

    Fuck everyone who weaponizes GDPR requests.

  10. Comboman, 18 Oct 2019 @ 10:50am

    Two Birds, One Stone

    Mass abuse of the GDPR is a sure way to get it amended. Using it to punish a company that deserves it is just icing on the cake. Is there any way to go after the NBA as well?

  11. Anonymous Coward, 18 Oct 2019 @ 10:52am

    Re: Re:

    You're not fucking the company over. You're fucking over a bunch of low level employees who end up doing the work

    These employees are being paid to do this work. How, exactly, is this fucking them over?

  12. Anonymous Anonymous Coward (profile), 18 Oct 2019 @ 11:00am

    Re: Re: Re:

    Taking that thought a step further, the collection activity being paid for won't do anything positive for the bottom line, thereby having a negative impact on the CEO's potential bonus.

  13. PaulT (profile), 18 Oct 2019 @ 11:03am

    Re: Re: Re:

    Because there's likely more interesting work they used to do before the GDPR, then this got dumped on them. Not all work is equal. Even at drone level some tasks are better quality than others.

  14. Anonymous Coward, 18 Oct 2019 @ 11:03am

    Re: Re:

    It's a ton of work because you have to comb through every single system used within a company to identify, and extract the data requested by a person. … You're fucking over a bunch of low level employees who end up doing the work. The CEO gives zero fucks about your request.

    There's the problem. If the CEO cared, they'd have someone automate the work. And I think this was an intended effect of the GDPR: if the company can't quickly identify why they're collecting and storing data about you, what they're storing, where they got it from, they need to improve their processes and maybe stop collecting so much. It's only difficult if there's lots of ad-hoc data handling, which is exactly what GDPR meant to stop.

    The GDPR doesn't let requesters arbitrarily define the scope of work to be performed. They can request a dump of data held about them, along with some standard answers about why it's collected and how. And they can request deletion. That's it. They can't make a company run custom reports or analyze the data. The data dump is automatable, and determining why data is collected and how it's processed is something companies were supposed to do, once, when the GDPR became law.

  15. Paul B, 18 Oct 2019 @ 11:06am

    Re: Re:

    I work in this area. For some firms, a GDPR request is fairly easy to respond to, as they only store customer contact information for shipping and purchase history. Think a small business selling products.

    At the other end of the business spectrum is a conglomerate like Bank of New York Mellon. 21 distinct business entities covering everything from bank accounts to investments to call centers. A single request could impact over 100 people, has subjective rules, and even legal limits to what data can be provided. The CEO may not care, but the C-Suite cares a heck of a lot when call center employees are going into overtime, work loads spike, and new software is needed to manage the request since you have so many moving parts no human could walk this through a firm of this size easily.

    Never mind that internal politics and firewalls that prevent communication also need to be breached, or the entire firm is on the hook for huge fines.

    I do suspect a judge would not be so crazy as to tell a firm getting hit by 100k requests in a single week, that up to then was getting perhaps 10 to 20 requests, that it should be fined for not clearing the backlog fast enough when the entire business is shut down more or less just to respond to requests.

    Yes the GDPR is that bad for large firms.

  16. bob, 18 Oct 2019 @ 11:12am

    in other news...

    Blizzard has requested all news articles regarding its banning of a Hearthstone player be removed from the EU under a RTBF request after seeing that their company actions had real world consequences.

    I can see it now.

  17. Anonymous Coward, 18 Oct 2019 @ 11:22am

    "This is yet one more reason why, even if you support the overall goals of the GDPR, you should be very, very concerned with how the law is actually implemented."

    Abuse it and lose it. Or fix it.

  18. Paul B, 18 Oct 2019 @ 11:42am

    Re:

    How many laws are left to Prosecutorial Discretion? Do those laws get fixed when a 16 year old is prosecuted for distribution of her own picture?

  19. Anonymous Coward, 18 Oct 2019 @ 11:46am

    Re:

    And so it begins. The next step will be automating the process.

    The script:
    1) Creates a free email account (any of various places)
    2) Uses a free "make an account" web site to seed the account
    3) (optionally) creates some nominal traffic using the free account
    4) fires off GDPR request to legal department
    5) ???
    6) profit!

    You don't care about the response (though you may tweak the script if the response blows you off), so you don't even have to look at the email account.

  20. Anonymous Coward, 18 Oct 2019 @ 11:57am

    Re: Re:

    You only have to comb through systems that hold customer data, not every system the company uses. It's not quite that ridiculous. For companies with only a few hundred or thousand customer records, GDPR compliance can be done in a few minutes and answered with a form letter.

  21. Anonymous Coward, 18 Oct 2019 @ 12:07pm

    Yeah, this is cute and all, but it's completely ignorant of how corporations on the scale of Blizzard/Activision actually operate. GDPR compliance has already been figured out and automated, that shit is easy now.

    At worst Blizzard will just have to hire an outside vendor to help their regular agents until things calm down again. They already have external auditors and consultants to help with GDPR.

  22. Anonymous Coward, 18 Oct 2019 @ 12:13pm

    Re: Re:

    GDPR responses can already be automated, so... Have fun wasting time with your scripting, I guess.

  23. MathFox, 18 Oct 2019 @ 12:14pm

    As I said, if each business entity has its administration in order, it should be just one query against the customer-id or name-address to check whether some data is stored and a few more queries to get the data out of the database. You only have to collect the data that is stored about the requester.
    If these requests are routine a central office would distribute requests once a week and combine the responses for mailing two weeks later. I would expect that a call center also stores its information in a way that data related to a specific customer can be easily retrieved.

  24. Anonymous Coward, 18 Oct 2019 @ 12:27pm

    Re:

    "if each business entity has its administration in order"

    hahahahahahahahahahahahahahaha

  25. Anonymous Coward, 18 Oct 2019 @ 12:27pm

    Re: Re: Re:

    Even if Blizzard doesn't comply, each requester would have to file a complaint individually to the proper agency and see it through for an actual penalty to be assessed. How likely is that, do you think?

  26. Anonymous Coward, 18 Oct 2019 @ 12:51pm

    Re: Re: Re: Re:

    "The CEO may not care, but the C-Suite cares a heck of a lot when call center employees are going into overtime, work loads spike, and new software is needed to manage the request since you have so many moving parts no human could walk this through a firm of this size easily."

    Bonuses will be protected at all costs. What will actually happen is the spike in GDPR compliance costs will hit business/function/department budgets.

  27. Anonymous Coward, 18 Oct 2019 @ 12:57pm

    Re: Re:

    Funny enough, GDPR has been a huge motivator for a lot of companies to get their administration in order.

  28. Paul B, 18 Oct 2019 @ 1:18pm

    Re:

    Compliance for Blizzard is 100% manual today. Most firms who set up compliance software assume a small flow of ongoing requests and skimp on automation as it's cheaper to let a human run the script and sanity check the results.

    Everything works fine when the load is like 10 requests per month. The systems often list risk factors for large amounts of requests breaking things or driving up huge compliance costs because automating the response can be super difficult.

  29. Anonymous Coward, 18 Oct 2019 @ 1:26pm

    Re: Re:

    Compliance for Blizzard is absolutely not 100% manual, are you insane? They are a MASSIVE multi-billion dollar multinational corporation owned by an even bigger multi-national corporation, they have offices and do business on every continent, and you think they handle compliance manually? What are you basing that assumption on, a fever dream?

  30. Paul, 18 Oct 2019 @ 2:02pm

    GDPR already has defences against this.

    The GDPR requires that fulfilling requests like this is normally free, but if they are unreasonable or vexatious then a reasonable fee can be charged. This kind of campaign is exactly the kind of scenario that they had in mind.

  31. Bobo, 18 Oct 2019 @ 2:09pm

    Re: Re:

    If it takes a long time to find someone's personal data spread across every single system used within a company, maybe they shouldn't spread people's personal data across every single system used within a company?

  32. Paul B, 18 Oct 2019 @ 2:19pm

    Re: Re: Re:

    Based on personal experience with calls from clients for building GDPR compliance systems. The most common system we build right now is one where we get a GDPR request, send an email or system notification to each of the relevant staff members, some poor guy stitches all the results together, legal does a review, and the response goes out to the requester. Banks and other places often add a step for confirming identity.

    The bigger the firm the more likely a process like this is followed as a request for data often goes across firm lines of business, which means more databases, and more locations to search, and more limited available IT staff to build the needed connections for automation till 2025.

    Big multi-billion dollar firms are the most likely firms to be manual or a bunch of locally done scripts with minimal central control.

  33. Anonymous Coward, 18 Oct 2019 @ 2:19pm

    Re: Re: Re:

    Which is why most companies don't do that. Customer data is usually kept in separate databases on different servers than company data.

  34. Anonymous Coward, 18 Oct 2019 @ 2:29pm

    Re: Re: Re: Re:

    I call BS. I've been through several compliance audits at a much, much smaller software company than Blizzard; our processes literally take minutes and require only the customer ID.

    For Blizzard it's extremely simple. If a request is valid it has to be tied to a user ID, and based on that they'll already be able to tell exactly where all of the customer's data is that they are required to provide.

    The most time-consuming part of the entire process would be sifting out the fake requests.

  35. Anonymous Coward, 18 Oct 2019 @ 2:41pm

    Re: Re: Re:

    This makes it all a one-person, all astroturf endeavor.

  36. Anonymous Coward, 18 Oct 2019 @ 3:08pm

    Re: Re: Re:

    The EU's GDPR makes no leeway for the number of requests. It simply says "do it, and hire more people if necessary".

    There's only TWO reasons you can deny GDPR. National security (requesting data about you held by the military during ongoing conflicts) and massive ongoing data loss.

    But the data has to be a complete loss, i.e. for Blizzard they'd have to lose ALL character and subscription data for everyone on every server, i.e. WoW would have to be shut down permanently.

    Just saying "we had a virus" isn't sufficient.

  37. Anonymous Coward, 18 Oct 2019 @ 3:10pm

    Re: Re: Re:

    GDPR requires you have CHECKED every server for any possible customer data, and not just assumed that there will be no data. And you have to also provide evidence of such a search.

  38. Anonymous Coward, 18 Oct 2019 @ 3:11pm

    Re: Re:

    You can make multiple GDPR requests one after the other without penalty.

    This is because the day after you send a request, your data may change. So you request everything including today....etc...

    Could do it hourly and they STILL have to comply.

  39. Anonymous Coward, 18 Oct 2019 @ 3:13pm

    Re:

    You should see how the biggest companies such as Apple have basically done NOTHING towards making GDPR easier. They just assume it will always be a slow trickle of requests......

  40. Anonymous Coward, 18 Oct 2019 @ 3:14pm

    Re: GDPR already has defences against this.

    Which part of the GDPR is this? Because I couldn't find anything about fee charging.

    In fact the GDPR even clearly states MULTIPLE requests are possible as customer data may change from day to day or hour to hour......

  41. bob, 18 Oct 2019 @ 3:40pm

    Re: Re: Re: Re: Re:

    You have experience with smaller companies, the other guy has experience with big companies. But neither of you have experience with Blizzard. And if you did I'm sure you would have had to sign an NDA. So I'm calling BS on you knowing exactly how easy it is for Blizzard to comply.

    Why don't we just wait and see what happens with Blizzard and a flood of GDPR requests if they actually happen.

  42. Anonymous Coward, 18 Oct 2019 @ 5:20pm

    Re: Re: Re: Re: Re: Re:

    Or someone could make a GDPR request and report back. :)

  43. blademan9999 (profile), 18 Oct 2019 @ 6:59pm

    Re:

    And yet there are STILL news websites who Geo-Block the EU because of the GDPR.

  44. blademan9999 (profile), 18 Oct 2019 @ 7:16pm

    I'm the one who actually submitted an article request for this.

  45. Paul B, 18 Oct 2019 @ 9:00pm

    Re: Re:

    If you do the minimum (geo blocking) you can always send a written response that you do not do business in that location and thus do not follow laws of that country. The person would then have to admit he's bypassing your filter (VPN) or did business with you while in the US and thus US laws apply.

    This is because sometimes IP addresses are the only bit of tracking info you have, but they can easily be too broad due to shared IP ranges. So you can just as easily get in trouble over sharing information which gets you in hot water under other laws.

  46. bob, 18 Oct 2019 @ 9:04pm

    Re: Re:

    No, but it will end up costing the business several grand just trying to comply.

  47. MathFox, 19 Oct 2019 @ 12:21am

    Re: Re: Re: Re:

    GDPR requires you have CHECKED every server for any possible customer data,

    [Citation requested]

  48. Paul, 19 Oct 2019 @ 1:11pm

    Re: Re: GDPR already has defences against this.

    https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-of-access/

    "wanted to receive a further copy of information they have requested previously. In this situation a controller can charge a reasonable fee for the administrative costs of providing this information again and it is unlikely that this would be an excessive request;"

    There are also rules for requests that are part of a campaign of harassment.

  49. Anonymous Coward, 20 Oct 2019 @ 9:33pm

    Re: Re:

    Realistically, has there been a method of protest where consequences - violent, bureaucratic, economic - couldn't be passed on by CEOs to their workers?

  50. Anonymous Coward, 21 Oct 2019 @ 12:28pm

    Re: Re: Re: Re:

    GDPR requires you have CHECKED every server for any possible customer data,

    Because customer data just roams around your network on its own? If you don't know what's being done with data in your company, that's exactly what GDPR is meant to fix. With proper controls, you'd have a record of where you stored the data (or didn't) without having to go check.
