Suggestion to the Security & Privacy concerns.

Added by arc almost 5 years ago

I think most people are concerned about the amount of player information that can be retrieved from the API with the corresponding key.
I do understand the meaning of partial and full key, but I would like to introduce another more flexible solution.

Many, if not all, of the currently developed applications needs at least one and sometimes many API keys to work properly.
In most cases it is the full key, because the partial does not deliver the data needed.
So to use those applications a player has to enter his API Key into an untrusted 3rd party application.

With the full key and the api, a player then becomes completely see-through.
Account information, character parameter, money, inventories, factions, items and skills basically everything is visible and (ab)usable.

Recreating the API key does not help either, if one for example enjoys a web application to manage inventories but does not want to expose certain data like money or character skills.
Still all of the other information is sent to the application aswell.

My solution to keep the players privacy is rather simple and used in many forums and other mmos.
Let the player decide which information should be displayed in public / with the api.

To prevent endless boolean values for every single parameter, I suggest clustering the data into larger chunks.
Like this for example:

The API should display my
[ ] Connection Data
[ ] Character Parameters
[ ] Equipment
[ ] Player Inventory
[ ] Packer / Mount Inventory
[ ] Apartment Inventory
[ ] Fame and Faction
[ ] Skills

Private data will then simply be displayed as NULL values in the XML.
Applications just need to check for NULL before using the data and in case of missing data add a note like "You have to enable the Display of your Player Inventory for this Tool to work."

I think with this everyone is perfectly in control of how much of the personal data is shared.
Most people aren't even aware of the huge amount of data a Full API Key represents, I think this should be changed and privacy strenghtend.


Replies (1)

RE: Suggestion to the Security & Privacy concerns. - Added by kregora almost 5 years ago

In my opinion you address some important issues here, but I doubt that vl will show any interest in addressing them.

My suggestion on the feedback forum to offer an option to disable ones api keys was marked as completed with the comment that I don't need to share the keys, that everyone can regenerate his keys, and that I should have trust in the security of api keys.

Until today it is still not possible to regenerate the guild api keys, so I find it very hard to believe that the 'keys are safe'.