Would it be allowed to get simple data from a user, such as screen size, etc., and assign an ID to that information and save it somewhere, sorta like RbxFingerprint, to easily detect alts?
What kind of data would you use to build the fingerprint? I didn’t figure Roblox provided enough to begin with.
Well, there are many things. Something I have figured out is that Roblox now saves your Roblox settings across accounts, so I could use that along with something like the player’s region and device start time (though it wouldn’t rely on this due to them just being able to restart their PC).
That is the worst possible way of doing so. There’s only a number of possible setting combinations that one can have on their profiles and there’d be a lot of false positives.
Also, it’s not true.
Like with the device start time, it will not rely on this; it’ll simply be another bit of info gathered to make it possibly more accurate. After all, who is going to have the same screen size, region, Roblox setting, etc.?
Many people would have the same information. Roblox either way doesn’t hand over enough device information to create a fingerprint student for one specific user.
There is a lot of data you can collect; you just have to find out where to collect it.
Note section 10 of the TOS (“Privacy”): it specifically lists device as a property you should not do record-building around. It depends on what is considered User PII.
The real answer here is you would need to discuss this with a legally knowledgeable person to find out for sure if whatever you are planning is fine to implement.
Surely it must be allowed; there is already something like this called RbxFingerprint.
By that logic, surely shoplifting must be legal as well since it happens all the time, right?
I’m not a lawyer: cross-reference your sources of information.
Why do you need to fingerprint a user?
Information posted to the web is in the public domain, and therefore, as far as I know, accessible to all, though that doesn’t mean you should use that information.
Alongside questioning ToS, I would ask:
- Is the way you’re storing & checking each user’s data secure?
- Is your methodology and rationale privacy-respecting?
- Is there a different way of approaching what you’re trying to do?
  - Perhaps handling join dates & other non-identifiable information to blacklist users is a better approach?
- Does your data storage comply with GDPR?
  - I’ve covered the dangers of that here.
It is possible to estimate a fingerprint of a user. Even with HWID, there’s no guarantee that the user you’re fingerprinting is the same user as the one you’re trying to identify.
Even if you can, doesn’t mean you should.
So I would need to encrypt the data I save to a datastore and remove it if the player hasn’t played in X days. Also, it’s because I’m trying to make an accurate anti-alt system.
I don’t think you should jump to conclusions.
If I didn’t make it clear in my last post: I think this is a terrible idea.
The questions I listed above are but a few of the things you need to consider when handling personally identifiable information. ROBLOX, unfortunately, provides a lot of data on users through API endpoints.
That’s how spam recruitment messages appeared in players’ inboxes back when groups were still novel.
To approach what you’re making, why not simply restrict players from joining if their accounts are less than a month old?
Because I see this as an inaccurate method of detecting alts. There are probably many new Roblox players trying to join games with account age restriction, but with this I won’t have to worry about it.
Even with the method you’ve described, there are going to be false positives. There isn’t a practical way to blacklist exploiters from playing your game, nor alts.
I know there will be false positives, but I will try to gather as much information as possible that isn’t able to be used as identifiable information so that there will be a very small amount of false positives.
Are you asking for help or trying to justify yourself here?
I mentioned extensively here how data, unidentifiable individually, can be dangerous when leaked as an entity. It’s worth reading.
I have read through it. I just wanna know what I’d need to do if I were to do this. Like, do I need to encrypt the data I save, or is there certain information I can’t save?
I don’t recommend fingerprinting a user. It’s inevitable that there will be false positives. You should just have a simple admin or vote-kick system and be done with it (depending on the type of game).