> Wonderful, we have found a way to silently persist a cookie for each player as they join the server.
This violates GDPR, no?
Edit: It sounds like this took place before GDPR was being enforced.
replies(2):
Fraud prevention is listed as an example of a "legitimate interest."
So no, by my layman's interpretation, they would not have been bound by GDPR to notify the user of cookies or other fingerprinting used solely for anti-cheat. They'd run into trouble if they use that same ID for marketing/advertising without consent, though.
I saw a consent form that had 72 optional, 21 “legitimate interest” cookies.
GFB
As far as I'm aware, you can get away with disclosing the fact that you are tracking "unique identifiers for the purpose of anti-cheating" in the terms and conditions, without explicitly explaining the technical details that it's a cookie.
Also, this is a server covering the Australia/New Zealand region, so it doesn't have to worry about GDPR compliance.
The UK DPA (basically a fork of GDPR) has this to say [1]: "the following purposes do constitute a legitimate interest [...] fraud prevention; ensuring network and information security; indicating possible criminal acts".
Under the Computer Misuse Act 1990 [2], there's a possible reading under which "hacking" to cheat (even if someone else does the hacking and you jsut install the program) could actually be a crime.
[1] https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-re...
Unfortunately it is lacking some teeth because normally opting out of all cookies should be as easy and straightforward as opting in to all cookies, but I've seen quite a few forms that hide 'reject all' behind a 'more info' button type of thing. Maybe I could file a complaint about that, I should look into it.