137 comments

[ 3.2 ms ] story [ 198 ms ] thread
Edit: the link broke shortly after I posted it, this one is working: https://www.zenimax.com/legal_privacy_us/

Bought Doom Eternal on the steam sale just recently and found this:

"Customer Records: paper and electronic customer records containing personal information, such as name, signature, physical characteristics or description, address, telephone number, education, current employment, employment history, social security number, passport number, driver’s license or state identification card number, insurance policy number, bank account number, credit card number, debit card number, or any other financial or payment information, medical information, or health insurance information."

This is explicitly listed as collected and disclosed

They also list browsing history:

"Usage Data: internet or other electronic network activity information, including, but not limited to, browsing history"

I'm glad you found and posted this. I'm surprised at how much this policy page looks like a website from 1995. How did you find this?
>I'm surprised at how much this policy page looks like a website from 1995.

It's almost as someone planned to make it hard to read!

(comment deleted)
How is it hard to read? Both versions I've seen linked here are essentially plain text with sensible use of simple styling (bold and italics), with a couple tables of text, and some borders in a couple sections to group things.

The only things that might make it a little harder for some people are one of them used green text on a black background, and for both of them if you browser window is wide the lines might be a bit too long.

It's what happens when legal gives the web team a word document and they don't feel like spending the time to make it look nice. Been there, it's awful.
I'd want to say: "Good thing they don't have access to any of that", but unfortunately, one place Steam has not innovated at all is security: It's very good at installing games on your computer, but those games can mostly do whatever they want once they're there.

Microsoft got a lot of hate (some deserved, some not) for pushing the Microsoft Store and UWP as a potential game distribution platform (originally with some exclusives from the Xbox side of the world), but for all its faults, it used sandboxing.

It's ironic you post this after Bethesda installed a root-kit anti-cheat for this very game (yes, it has since been updated, but not automatically removed if it was already there).

So, yeah, they may have very well collected that data from your hard drive.

EDIT: Brain flatulance, s/DRM/anti-cheat/g

It wasn't even DRM, it was anti-cheat that only ran when you launched the game, and it's not like it was a secret that it was added in an update. Your comment is pure FUD.
Anti-cheat is even worse. There is a peverse incentive for the publisher to spy on your computer that isn't there so much with DRM. You can imagine them thinking it would be a good idea to upload your 'suspicious' files that might be cheat-related to their servers for analysis.
It was not a secret, but it certainly caused an uproar, which prompted Bethesda to scale it back dramatically. Being in ring-0, it has access to all contents on disk, and all contents in memory. What is actually sent up to Bethesda's servers could be, quite literally, anything on your system.

It's why Sony's rootkit DRM (got it right this time) was so poorly received a decade and a half ago - because you, as the computer's owner, can't control what it does or isolate its access.

DRM is definitely a big offender, the other one off hand that is amazing is anti-cheat systems. Both types of technology for PC games basically are predicated on the concept of "if we monitor everything it's remotely possible to monitor about your PC, we can detect if you do something bad with it".

It's probable that Steam would not be remotely as successful if it interfered with DRM and anti-cheat strategies on privacy or security grounds.

I have lots of friends who play shooting games semi-competitvely (they're all in the very high ranks of overwatch/csgo/etc). They are all very, very, very excited about Valorant's ring-0 anticheat. Lots of people want features that can't be achieved with a sandbox.
I definitely understand that. Cheaters have pushed me out of most first-person shooters I'd enjoyed. But I also have significant concerns about game companies having that much access to my general-use computer.

Perhaps the solution here is not to do personal/sensitive work on gaming machines, but then we're right back to having separate game consoles...

Alternatively: Only play video games with people in your trust network. Friends, friends of friends, etc., so that you have some recourse against griefing and cheating.
This doesn't really help: I don't have a choice on whether or not my shooter of choice implements anti-cheat.

Perhaps an ideal scenario would let a player choose whether or not to enable a game's anti-cheat, but that it'd be required for certain matchmaking and (obviously) competitive features. So that I can opt out if I'm just trying the game casually or just playing with friends in a private room, but can enable it if it's something I intend to play seriously and am invested in enough to give deep access to my system?

Ring zero doesn’t prevent cheats stored in spoofed input devices

https://m.youtube.com/watch?v=d1jz8qbzfIk

And like virus scanners, it can't recognize anything it doesn't already have a signature for.

But, it could upload "suspicious" data to the home servers to be evaluated and fed into the signature database. Just like any other feedback loop in anti-cheat (and anti-virus) systems, only this one can access everything on your system.

If you implement the sandboxing very thoroughly and only permit signed code to run, you can make it even more difficult to cheat. e.g. on iOS, it would be very hard to change the client code of a multiplayer game without being detected.
How would that work on a general purpose computer?
The same way "anti-cheat" software already works today? With the addition of a sandbox running signed code, which is yet another barrier.
The technology is just about here today. If your PC has secure boot, you can theoretically lock it down to only allow booting a suitably restrictive OS, which then is responsible for restricting the apps and games that can run & the permissions they have. Lots of layers of signed code checking, really.

The main weakness (other than code vulnerabilities) is the network: it's very difficult to guarantee that a remote computer is running the allowed OS & game code, and not a hacked version. However, technologies like Intel's SGX x86 extensions can make this possible: because of the added encryption in the core CPU, one machine can send a cryptographic challenge to another one, and it can only respond correctly if the remote CPU has validated the code it is executing.

So, the tech is there. But in reality, people really don't want to lock down their PCs so securely and effectively give full control to their OS vendor.

Does it actually work though? What's stopping me from running the game in a virtual machine with GPU-passthrough and emulating inputs?
It's quite hard to hide the fact you're running in a VM, if possible at all. I think Valorant refuses to run in a VM.
Interesting. I actually have a GPU-passthrough and regularly play a japanese MMO with a similarly invasive rootkit. I haven't actually tried Valorant, but I might when I have some time out of curiosity.
I think up to now, despite how easy it is to detect, anticheat has largely ignored VMs. Valorant is noteable for being the first game widely reported to refuse running in a VM.
I don't think they've ignored VMs. In fact the very game I mentioned before refuses to run in VMWare and VirtualBox, even though I've managed to run it on Qemu out of the box. Though I'm not sure if it's incompetence or they just don't care :p
Many Asian MMOs block VM execution, namely mostly anything by GameGuard/HackShield/XIGNCODE.
Valorant doesn't even like my legit Intel CPU drivers
I did a Google for the literal phrase "or any other financial or payment information, medical information, or health insurance information", and this seems like boilerplate that many other ToS use:

https://www.google.com/search?q=%22or+any+other+financial+or...

Motel 6: https://www.motel6.com/en/app/privacy-policy.html

Ritz-Carlton: https://www.ritzcarltonclub.com/privacy-ccpa.shtml

Starz: https://www.starz.com/us/en/privacy

Papa Murphys: https://www.papamurphys.com/privacy-policy

I sure hope the law treats these cancerous contracts of adhesion with the full contempt they are due.

Somehow I doubt it does, though :/

I personally think that a single player game should not be hoovering up data to begin with. Just because they disclosed it 30 page contract almost no one reads does not make it right in any sense of the word. At best, it is legal. I am getting mildly miffed over the fact that I have to consider having my privacy raped to play a simple shooter game.

How is this normal or even in the realm of being accepted AND defended?

I think this is mostly laziness - they just say "yes" to everything, without checking if it actually happens.

They also share:

> thermal, olfactory, or similar information such as, CCTV footage, photographs, and call recordings and other audio recording (e.g., recorded meetings and webinars).

I like olfactory a lot.

This couldn't possibly be true, could it? Bad copy paste job?
Maybe consumers should have the ability to sue companies who force them into irrelevant, spurious, or onerous terms of service. It's not enough that these likely won't hold up in court, because the possibility exists that they may.
I'm not sure how this would hold up given the inability of United States congresspersons to prevent forced arbitration language being inserted into just about every contract we sign every day.
> who force them into irrelevant, spurious, or onerous terms of service

I suspect most courts would consider a video game the very height of an optional activity - which would make it hard to suggest a contract, regardless of how onerous, would be something the person was "forced" into.

"Such as" to me implies an example of the type of data that is considered "Customer Data", not necessarily that they do collect it.

I'm not as worried about them collecting that data directly from me, but rather cross referencing the data they have on me, with other paid-for data sources, which would give them that information.

Why would a gaming company have any interest in your medical records?
Speculating--they don't.

The preceding paragraph explains:

"Categories of Personal Information We Collect and Disclose. Our collection, use and disclosure of personal information about a California resident will vary depending upon the circumstances and nature of our interactions or relationship with such resident. The table below sets out generally the categories of personal information (as defined by the CCPA) about California residents that we collect, sell, and disclose to others for a business purpose. "

I wonder if this is laziness (my bet) or if it’s due to the seizure warning they show before the game starts.
Which would break GDPR laws even if you got customers to sign it.

Really sloppy work.

it's an inclusing OR defining the concept of personal information.
A quick reminder - this is the same game which had a ring-0 anti-cheat system installed and run with the game. They stepped it back a bit after the outcry (and install on people's system), but IIRC it is still installed and run if you play Doom Eternal multi-player.

So, it's entirely conceivable that this very "covered" data was collected and pushed up to their systems as a part of their "anti-cheat" detection, either from a HD sweep or from in-memory data in other applications (like the browser).

I don't understand - how do they escape from user-space to ring zero?
When it's installed, via a ubiquitous UAC dialog. It runs as a system kernel extension.
Oh right - can you not install it with only user permissions? Why does it need administrator privileges to be installed? Just for this escalation?
The installer does not allow modification to the privileges it gets by the user. You can install it or not. If not, you’ll consequently be locked out of all or part of the game it’s associated with.
When you click “allow” when its installer (or originally its store’s installer) asks for administrative privileges.
(comment deleted)
This is not something new, I don't know why people now specifically target this one game. Easy Anti Cheat, BattleEye and Vanguard are ring 0 anti cheats.
The HN post is about overreaches in Doom Eternal’s privacy policy. This is about how that privacy policy could matter in terms of data collected by Doom Eternal’s anti-cheat mechanisms.

EDIT: Also, not being new doesn’t make it right, moral, or even desired.

"Do-Not-Sell. California residents have the right to opt-out of our sale of their personal information. Opt-out rights can be exercised by going to https://bethesda.net/document/cookie-preferences. We do not sell personal information about residents who we know are younger than 16 years old." Holy sht; not that it surprises me, but, well...
The Do-Not-Sell should be the default, and maybe be incentivized somehow to turn it on if you prefer to do so.
Depending on the state you live in, write to and convince your state legislatures to pass a law.

Once > X number of states have such laws, it will be the right economic choice for companies to make it the default for everyone rather than doing it selectively by state.

Yeah, neat idea: One free loot box per month (and maybe a free novelty skin on xmas "I sold my soul and all I got was this lousy shirt").

:P

As someone who currently works in healthcare tech I can tell you that taking on health records is one of the riskiest things any company could ever do. In fact we try to keep health records as isolated as technically, and humanly, possible.

For each HIPAA violation a company will be fined $10,000 dollars per customer. If ten million records on a database are part of a breach the company can be out of business.

It boggles the mind that anyone would want to take on that liability.

https://www.hhs.gov/hipaa/for-individuals/guidance-materials...

It takes more than storing medical data to be covered by HIPAA. Usually you have to be a medical provider or have a business agreement with a medical provider. If I upload an MRI scan to imgur, imgur isn't instantly governed by HIPAA.

This means data harvesting companies can siphon up this stuff where they can find it. As long as they don't have a particular contractual relationship with an actual hospital, it's just like any other data, and they're not governed by HIPAA.

There may be some other ways to get governed by HIPAA, but that's the general rule. It's hard to do by accident.

Data brokers aren't interested in a couple of records here or there of x-rays from Imgur.

They want millions of records with some kind of identifier, and some kind of predictive value. Eg. The number of ice creams I buy might be a good predictor of if I'll be buying diabetes treatment next year.

Without all 3, your data won't be used.

We need more laws about this for financial data, surfing history, customer purchase data, location data etc.

Hoarding customer data should be a liability!

As a software developer I personally refuse to work on HIPAA compliant software, because if there is a HIPAA violation I can be held liable.
The problem with software and leaks from it is that not all software holds developers liable. It really really need to change.
I'm guessing you don't work in software. There will always be leaks, it's the nature of the beast, building things way more complicated than any single person can fully comprehend.

That's why data minimization is so important, only keeping what you absolutely need.

Every single field has figured out - sometimes forcefully - how to minimize harm to consumers. From a properly grounded toaster to a bridge, other industries manage to build complex things that don't hurt people.

The nature of the beast is that its nature can change. We need to stop thinking software is somehow special, we're just more careless and face fewer consequences following catastrophic failure.

> Every single field has figured out - sometimes forcefully - how to minimize harm to consumers.

I think it would be more accurate to say every field has figured out how to minimize liability from harm to customers. Data collection makes companies money, and there's little liability involved in most cases if you aren't in the health sector, so they grab all the data whether their core business needs it or not. The health sector needs some data because sharing it is vitally important, and they've shown that it takes a massive amount of time and money and complexity to do it to any acceptable level.

If we had some way to accurately value our data and privacy, and laws that made it the property of the individual, we would see a change very quickly.

As someone else who works in HealthTech, I'd expect someone else in HealthTech talking about HIPAA would mention that HIPAA only applies to Covered Entities.

Doom Eternal is not a Covered Entity (unless they're doing something crazy) and would not be subject to HIPAA in any capacity. This is either an overly protective lawyer or in reaction to a different, non-HIPAA data law.

But how do they get this data?

I wonder if someone just copy pasted this form without actually reading, though perhaps that is giving too much benefit of doubt.

(comment deleted)
I’m not sure how my medical records can be taken from playing this game?
I don't know about this game in particular, but many games install spyware for anticheat and DRM purposes.

For example, Blizzard's anticheat software phones home with the title bar text of every open window on the computer. If I leave a browser tab open from my doctor's portal, I can totally envision how Blizzard would end up collecting some of my medical data.

Crazy. Any more examples, details and links?
Isn't doom eternal mostly single player? what's the deal here?
I've had my gaming machine on a separate box for awhile now. Games and their DRM have been getting worse and worse. Even games like Kerbal Space Program, which I loved, harvested all your browsing data. Like, seriously, WTF?

So I've kept all that garbage on its own box. It's nicer that way anyway, since I don't use Windows as my daily driver it helps me keep a Windows machine around for other toxic software like Photoshop.

I previously did it in a VM with GPU passthrough, which worked quite well and I think is a decent option for people who can't afford the cost/space of a second machine. Nowadays, thanks to the death of Moore's Law, I had a perfectly capable older machine lying around that I could use instead. That's slightly less maintenance, since the GPU passthrough would occasionally need twiddling after qemu or kvm updates.

EDIT: I will add, for the couples years I was doing GPU passthrough, I didn't notice any difference in performance compared to when I moved the same GPU over to a physical box. In fact, there was this weird audio bug that I originally thought was because of the VM, but it persisted on the real machine and turned out to just be a bug in NVidia's audio driver. So besides the maintenance burden, GPU passthrough was great.

Yup, I do all my banking / financial stuff on an old netbook. I keep the OS up to date as best I can, it feels good to know everything is kept separate.
> I've had my gaming machine on a separate box for awhile now.

I do the same, I bought my box from Sony, it's called Playstation 4. Never had to worry about driver updates, incompatible games, sanboxing, anything. 5/5 would recommend.

Okay, but I like mods.
I don't trust random third party code that doesn't even at least have a company behind them tbh.
Run it on a sacrificial designated machine or virtual machine?
Yeah I also love playing games at half the graphical fidelity, resolution, and framerate! :P I have all current-gen consoles, but none of them compare to a high-specced PC on a 144hz monitor.
At the distances people sit from their TV, taken with the average TV sizes, going higher than 1080p is not needed. You'd need to sit closer than 2m (!) to a 55" TV to be able to observe the fidelity increase from 4K.[0]

The same goes for very fine particle effects or extremely high resolution textures. You just won't notice it. That is not to say those things don't have a place, they are amazing and definitely look amazing at the close distances one sits from a PC monitor. Its just not an apples-to-apples comparison.

I also feel that past 60Hz+FPS, the higher numbers bring very diminishing returns, especially for controllers. Although I'd much rather see modern consoles go 1080p120fps than 4k60fps.

[0] https://www.hellotech.com/blog/wp-content/uploads/2019/10/sc...

> You'd need to sit closer than 2m (!) to a 55" TV to be able to observe the fidelity increase from 4K

You do realise that not everyone lives in a mansion? 2m is a fairly common distance from eyeballs to the TV here in the UK.

When I was still in university even in the tiniest of student rooms I pretty much always sat at least at 2m distance from my/a TV. No mansions involved. Take out your measuring tape and extend it 2m from the middle of your couch, or conversely extend 2m from your TV. It is not as big a viewing distance as you think.
Unfortunately your assertions don't correlate with my experience at all. I recently swapped my 1080p 60hz 23" monitor for a larger 1440p 144hz 27" one and it makes a substantial difference, not only for gaming but also for computing in general. And yes the high-resolution textures make a difference frequently, for example when your game camera is near any game geometry or model and you see nice sharp details rather than smoothed scaling artifacts. Even in terms of the entire game experience, for instance at 5:29 in this video, this isn't even 4k vs 1080p, these are both 1080p at different graphical quality levels: https://www.youtube.com/watch?v=Wo5Nh9am3RM The difference in detail is immediately clear.
I only play on PS4 and I honestly don't have any problems with technical aspects. What you don't know can't hurt you I guess.
Yeah, I can definitely relate. I had a PS4 before and was super happy with it, especially since it was such a huge step up from the computer I had at the time. Then I got a nice PC upgrade...

It's not just the resolution, but the actual graphics/rendering capabilities are substantially better: shadows that accurately match the shape of what they're cast from, high detail even on distant objects, faster response to control input, etc. It makes such a difference in how immersive the games feel, which is a big deal for me. Going from Witcher 3 on PS4 to all-maxed-out settings at double the framerate on my PC was like night and day. IMO, you just can't go back. (comparison here for example https://www.youtube.com/watch?v=Wo5Nh9am3RM )

I spend a huge percentage of my time in games just exploring and looking at stuff, appreciating the immersive nature of the worlds people have crafted. This is even more rewarding now with a nice gaming PC setup :)

I do the same! I don't care about the minute (imho) differences in graphics between a multiple thousand dollar maxed out PC for the newest games, vs a $300ish PS4 that is pretty much guaranteed to work fine FPS wise and look great.

No driver issues though, but the frequent and sizeable updates are so bad.

After a 2 year hiatus, my Destiny 2 installation (60ish GB) needed to download updates... amounting to 60ish GB. On my current connection, that was a huge chunk of the weekend.

There is an attempt at intrusion from Sony though:

To use the YouTube app, it asks you to associate a Sony app to your YouTube account, that can track your video history (in or out of the PS4) and reserves the right to share videos to your YouTube channel, publicly.

>Even games like Kerbal Space Program, which I loved, harvested all your browsing data. Like, seriously, WTF?

Is the "Unity Analytics" thing? I'm just googling around but I can't find a good summary anywhere.

KSP included Red Shell, which is/was a 3rd party browser data collector to check on your ad prefs, yeah.
KSP was originally developed by an advertising agency, so maybe not too surprising.
Copy-paste gone wrong by lazy laywers. They will release a fixed version in a few days.
People are wondering why they would include this, but I bet accessibility settings could be considered medical information e.g. if you turn on colorblind or other assistance. If the game sends back all of your settings, they'd see you turned that on and could make a reasonable guess that you are.
Good point, but its listed as explicitly disclosed and/or sold
Bethesda seems to have conflated playing their game with applying for a job with the UAC on phobos.
It's just a table of definitions pulled straight from the California Consumer Privacy Act (CCPA), which defines 11 categories of information, and requires that you disclose if you collect it.
This just makes my blood boil. I am definitely not unbiased here. I purchased Doom on steam before it got laden with the heavy DRM. It was a fun ride, but it is now hard for me to justify the full price I paid. It is only a shame I can't attempt to return it now after they rendered it unusable from my perspective.

Still, my gaming PC is also my tax PC, and minor projects PC and since I am no longer a kid, I have a lot of information floating on it I would not want other people to know. How is this normal state of affairs?

I will submit request for refund just in case. It might get denied, but maybe they will at least get the message.

Theres only mention of medical or health records on the page that I could find is:

"Categories of personal information:"

"Customer Records: paper and electronic customer records containing personal information, such as name, signature, [...] medical information, or health insurance information"

I would give ID the benefit of doubt here and say this just boilerplate legal text.

This is nothing story.

There are categories of data per the California privacy law. This is a whole category called "Consumer Records" and because they collection some of it in this category they have to declare the whole category.

Tons of companies do the same - 4M for example:

https://www.google.com/search?q=paper+and+electronic+custome...

This is like the prop 65 warning, companies are covering their asses, which results in the law becoming effectively meaningless. Because there could potentially be some medical records that you disclosed, say in a chat message, they have to say that they collect it. By making these strict laws California has basically opted everyone into everything being collected, because to say otherwise would put companies into into unnecessary legal jeopardy.
Would this data have been disclosed without the law?
I think the point is that the data isn't being disclosed under normal circumstances. With our without the law.
They're not collecting medical information. They don't need it. There's zero chance that Doom Eternal wants to collect your medical information to sell to anyone. They just put this here likely because, like prop 65 warnings, to not put this here could put them in unnecessary legal trouble in the case of unforeseen situation where somehow someone's medical data got into their service somehow.

The statement is essentially meaningless. Which is bad, because if there is a bad actor out there collecting your medical information, they've got the cover of this law to disclose it to you and not look bad because everyone else is disclosing it just to cover their asses.

It just seems like a badly written law when a video game feels like it has to add this stupid disclaimer.

Ignoring that medical data is included in this category. Would we have known about this particular data collection without the law?
(comment deleted)
I do not accept "But everyone is doing it" defense. In fact, if anything, this is a good indication that it should not be happening. Yes, you are right. This is how things are. This is not how things should be.
I don't think the implication is "everyone is doing it" as much as "these data categories (and category descriptions) are standardized across every company."

I am not a lawyer, but I think it is reasonable to assume that this when drafting the law, law makers had to:

- Choose a set of categories that were not to broad and not too narrow, and optimized for reader interpretability/clarity

- Mandate companies to use standard descriptions of these categories in order to prevent them from obfuscating what it was that was being collected.

It's sad to me how many people here immediately assume either malicious intent by iD or incompetence by their lawyers as the only possible explanations. Making something that is widely applicable, easy to interpret, and is meaningful isn't an easy task. Thats not to say that these categories are perfect, just saying there's not an objectively "right" answer.

Sad? You’re feeling bad that a corporation might be judged unfairly? Jesus christ.
It would be sad if games couldn't have any profiles or chat anymore because of some legal BS.
I don’t think such a thing even registers with me emotionally. It’s a product, not a person.
I... think you interpreted the parent comment as referring to a profile representing the game, and a chat account on other services purporting to be the game itself?

I think the parent meant profiles within the game representing players, and chat within the game between human players.

If your understanding instead matched mine, I don't understand your comment.

I’m sad that the people like you arrogantly assume they are smarter than other people (including those for whom this is literally their job), and if something doesn’t fall into their narrow concept of “what makes sense” they default to malice or incompetence as the only explanation and deny the possibility that complexity or nuance could exist.
You're missing the point—who cares what's right? It's a corporation, not a person. Why feel sad about unfairness rather than focusing on the source of the unfairness—data collection itself, or the regulation that people need to be told and fixing that? There's no need to be sad—and to me, no impulse—if you actually have power in society to change what's wrong.
Actually you're missing the point. I'm not sad for a corporation, I'm sad that the tech mentality is still that malice/incompetence are the only possible explanations for things that on the surface don't make sense, and that they (non experts on the subject at hand) clearly know better and would do a better job. This is hubris.
"It's sad to me how many people here immediately assume either malicious intent "

In my defense, having lived on this corporate controlled earth for some time now, I do not think it is unreasonable to be at the very least mildly suspicious. Quite the contrary. The default approach should be cynical.

edit: Frankly, deeply cynical.

They could minimize the data they collect, or they could assert that they are disclosing the information. They choose the latter.
I don't think you've understood the problem.

The "Consumer Records" category of data includes things like name and credit card number. So if doom eternal wants to be able to sell DLCs (a perfectly legitimate and not privacy invasive business model) then they also have to disclose that they may collector medical records.

I doubt Id software actually collects medical records, and I have no idea how they might go about that or what a game studio would do with that information. It's just something they have to say by law since they handle credit card info.

If the policy needs to include the category, surely it can elaborate afterwards: we collect data in category X, but only data of Y sort for Z limited purpose
It's not really a "But everyone is doing it" defense, because the categories are so broad that if you are doing anything other than anonymous cash transactions you are going to end up having to say "yes" to most of them. Thus, you end up with a ton of "yes" categories even if you are not doing anything even remotely wrong or shady.

The category that includes medical information is "Customer Records", which is:

> paper and electronic customer records containing personal information, such as name, signature, physical characteristics or description, address, telephone number, education, current employment, employment history, social security number, passport number, driver’s license or state identification card number, insurance policy number, bank account number, credit card number, debit card number, or any other financial or payment information, medical information, or health insurance information

If they collect anything that falls in that category, they have to say "yes" to collecting "Customer Records".

Similar for most of the other categories they list. Your web server logs accesses? That's a "yes" on "Usage Data". You keep a list of purchases by each customer? "Yes" on "Purchase History and Tendencies". Oh, those web server logs probably have IP address, which gets you a "Yes" for the "Name, Contact Info and other Identifiers" category. Do you record support calls? "Yes" on "Audio, Video and other Electronic Data". If you use an IP to location mapping service, that might get you a "yes" on "Geolocation Data". Try to deduce things like what kind of games someone likes from their purchase history--"Profiles and Inferences" gets a "yes".

BTW, there are some categories that they have not listed: "Biometric Information", "Professional or employment-related information", "Protected Classifications", and "Education Information".

I'm kind of surprised "Protected Information" is not listed. You get a "yes" on that if you collect age. I'd have expected a gaming company to collect that.

They do list employment information elsewhere, and as for biometric, they list that they will gather and sell information about how you look or smell
So what are they collecting that qualifies as a medical record? I don’t know how you could dismiss this in such a blasé manner.
Likely nothing qualifies as a medical record. The point is that CCPA creates categories of personal information that companies must inform customers of if they collect and/or disclose of.

The CCPA requires disclosure at the "category" level (https://oag.ca.gov/privacy/ccpa#collapse1d). The categories appear to be (https://reciprocitylabs.com/resources/what-are-the-ccpa-cate...). You can see that in that table, medical records are lumped under customer records category.

Right, so why are they disclosing medical information collecting if they aren’t collecting data classified as medical information?
Thinking about this for a minute. It's got to be a matter of the DRM system. They're anticipating that they could collect any data from your PC, and are trying to cover their bases.
The submitted title breaks the site guidelines by editorializing. Normally we'd change it to the article title, but in this case every single comment in the thread would become meaningless, so I'm going to downweight the submission instead.

"Please use the original title, unless it is misleading or linkbait; don't editorialize."

https://news.ycombinator.com/newsguidelines.html

If you want to say what you think is important about an article, that's fine, but do so in the comments. Then your view will be on a level playing field with everyone else's.

https://hn.algolia.com/?dateRange=all&page=0&prefix=false&qu...

Seems like it's less editorializing and more using the title to draw attention to a fact (not an opinion, it's either true or it isn't) about an existing web page that might not have been obvious to somebody clicking on a link titled 'ZENIMAX MEDIA ONLINE PRIVACY POLICY' and linking to the same.

Is this not allowed? Usually I actually appreciate it when the link goes straight to the primary source in these cases rather than some intermediate news site.

edit: maybe I'm looking at an edited title?

Cherry-picking one detail and making that the title is actually the leading form of editorializing. Titles are by far the biggest influence on threads, so this is a big deal.

On HN, being the submitter of an article doesn't confer any special rights to frame it for everyone else. That's why we ask people to express their opinions in the comments rather than the title. HN readers should make up their own minds about what parts of an article are important.

It's true that this policy can't just be applied mechanically and that there's room for nuance. In this case, though, the argument that reverting the title makes the submission a non-story is actually accurate. If the responses in the comments are correct, then indeed it is a non-story.

To be honest, I started to write a tweet to get around this rule, but it felt childish to approach it in that way and I considered a shallow blog post instead. Next time I'll write the tweet so that the submission can rise to story status like this thread: https://twitter.com/olenskae/status/1283000201993748482

or this one: https://twitter.com/paulg/status/1282052801347100675

(comment deleted)
This is exactly what I was thinking.

It's not editorializing. It's framing a discussion of a certain part of a web page that is not an article by using a title that is a factual statement about said web page. The obvious "workaround" is to publish some low-effort tweet or blog post or whatever, which further muddies the waters re: the other "guideline" which says you should submit primary sources if possible.

I get wanting to take a hard line on titles, but I think the "guideline" as written is confusing. The bit about editorializing should be taken out, to make it clear that actual editorializing isn't precisely what's prohibited.

I don't think that's right. We have a decade of experience with this, and while there are always corner cases, the HN rule and associated moderation practice works surprisingly well. It creates a relatively level playing field and lets the community consider a submission from first principles. That leads to much more diverse discussion than you get if the title is skewed and primes everybody.

If people start making tweets purely to put their spin on an article, HN users will probably notice and flag the post. I mean, who knows. People are welcome to try. We're not trying to stop anyone from expressing their view—but most of the time it's cheap and inflammatory when someone hijacks a title to do so.

Title dynamics are fascinating. It used to irritate me that people place so much importance on titles, but eventually I got it. One way of looking at it is, it's a power law: the first 1% of information in (let's call it) an article stream has 90% of the importance. Poof, now it makes sense why titles are so impactful. I suppose that many power laws seem paradoxical when not recognized as such.

I'm not making a value judgment or suggesting that you don't know how to run your website and achieve the results you want, in general, nor am I saying titles aren't impactful (including in the way you're worried about). On the contrary, I think HN is moderated well and that its community moderation features and "algorithms" in general are well thought out.

I'm simply taking issue with the word "editorialize" in this context, because that's not what this is. There is no "spin" here. This title is solving the same completely innocent problem I'd have if I wanted to submit a link to apple.com after a new $PRODUCT was announced, i.e. that the interesting thing about the linked web page isn't obvious if my title is just 'Apple'. It's fine if HN doesn't want me to title that submission e.g. 'Apple Announces New 24" MacBook Pro', but that can't be because it's a case of editorializing, because it isn't. This does not strike me as substantially different.

I feel like you think I'm saying non-neutral editorializing and framing should be allowed in titles, which is absolutely not true.

Ok, I think I understand you better now.