Everything you need to know about risk management and our cyber safety policies for students playing in online chess events
Student sign in processWOULD THE CHESS CO-ORDINATOR CREATE ACCOUNTS FOR THE STUDENTS USING THEIR SCHOOL EMAILS?
Account Creation (User)
In order to play a game of chess on Tornelo an "account" is required. This involves creating a User record on Tornelo. This user record is a unique combination of email address and password. Nobody can ever access a password for a student account, and only the User can view any data associated with that record. Any email address can be used, as long as that email address can receive emails (eg. some school email addresses cannot receive emails from outside the domain). We recommend that students create their own accounts so that they are familiar with their own passwords and get used to "logging in" to the site. The only way they can reset a password is by receiving an email with a reset password link. Player Management
A User (ie. email address) has control over, and access to, a Player. A Player takes part in events and plays games online. The User does not need to be the player. For example, a parent might be the User and a child the Player. The User must be logged in for a Player to play online games, enter an event etc. The personal data associated with a Player is their Name, Year of Birth (date of birth is NOT available), Gender and Group Name (School). This data is accessible in a number of cases: - By the User - By the general public if that player has entered into a Rated Event (a Public Event) - By spiders or bots, and available via google searches if that player has participated in a Rated (ie. public) Event Privacy Features
A User may control the privacy features for any individual player. There are 3 options. 1) Public These names will be visible in event results, leaderboards and any event organiser. They are found by Google. 2) Community Only users logged-in to Tornelo may view these player profiles. They will not be displayed in public leaderboards, and can only be accessed from tournament results pages or with a direct link. 3) Private This player name will only be visible to other players, event organizers or spectators DURING an event. All other users will see only the initials and length of the name. Registration and PaymentHOW DO STUDENTS/PARENTS KNOW TO ENTER INDIVIDUALLY?
Schools instruct players to join a particular event. https://www.interschool.com.au/calendar-of-events.html for the current Calendar (you can play in any event/location - even out of state, but a win only qualifies you to YOUR state finals) Once a parent gets to the page there is an Enter button and it only gives them one option. WHY DON’T THEY ALL ENTER THROUGH A SCHOOL?
You are welcome to enter the same way as you have always done, a teacher can submit a full team entry on Tornelo. This process requires you to add an email address for each student - students then get an email inviting them to join and must go onto Tornelo and setup a password. Students can register individually but select an option for the school to pay for them. There isn't any verification at this stage, so teachers need to approve your player list on the morning of the event so you don't end up with players in your team that don't belong. Teachers also need to notify us of their intention to pay for the team in advance so we can enable that option. HOW DO YOU KNOW THEY ARE STUDENTS WHEN THEY ENTER INDIVIDUALLY?
We can't know during entry. We require all participants to verify their identity when they arrive at the event - they join a zoom meeting, show their face on camera to prove they are who they say they are. They also have to have the ability to turn on a video feed if needed during the event (eg. to allay suspicions, random audit etc). We are a community of chess players and the security is in the community knowing each other and looking out for each other. If someone is in the Zoom meeting "representing" Your School then it's up to the rest of the team (or a teacher if a teacher is present) to point out to the arbiters that they don't belong. Much the same way as in a real event... we don't know the children ourselves, but players in the event know each other. Payment- Is the payment for each tournament invoiced or asked to pay via credit card?
This will depend on the event organiser and the fees they choose to charge via Tornelo. Kids Unlimited provides both options. For individual events the relationship is between parents and Kids Unlimited and we require payment for each event. For interschool events we recognise that children are representing their school and the school may wish to pay via invoice for all students. This is an option chosen by each school. Players cannot enter an event and create a liability to the school. |
Online securityWhat security is in place so unknown parties can’t drop in or be invited in to the lobbies? ie "zoombombing"
Each Event on Tornelo can be either Public or Unlisted. The Event Manager has control over this feature. Group (ie. School) Managers may also setup Group Events which permit entries ONLY from players in their Group. A Public Event page will display a Player Name, Age (from which you can calculate the Year of Birth) and gender - as well as results from the event and moves of any chess games played on the site. An Unlisted Event offers Security by Obscurity. A random 32-bit URL provides the only way to access to that event, or players in that event. This takes a millennia to guess, however, once known, the URL can be shared. This allows an Event Organiser or Player to share the URL for others to access the page. This exposes a sharing risk. How do the players interact when paired? Is there video, audio or just text chat?
We built a chess game-board into Tornelo. Players sign in to Tornelo. Pairings are done and players see a "play now" button appear, they click that to join the game with their opponent. Games are played and results automatically pushed to Tornelo. All communication between players and with the arbiters takes place in a Video Conference using 3rd party software (we use Zoom). Is someone able to monitor each game and chat?
Yes, arbiters are able to see every game. Actually the games themselves are public (no private information in a game of chess) so you or anyone else can watch the games. All chat takes place in Zoom and is continually monitored and supervised. Chat is recorded and saved for 21 days in case of an incident. Video ConferenceVideo Conference on Tornelo
Tornelo provides a Video Conference integration link to any video conference platform the Event Manager wishes to use. (eg Teams, Zoom, Jitsi, GoToMeeting, Webex, Meet etc) This link becomes Clickable only when the event has Started. It is not available in advance. This provides some temporal security over the link (especially for when the link includes the password). Event organisers can easily add additional layers of security to their video conference by providing players with PIN/Passwords to access the Video Conference, by using permissions based conference software or by enabling lobby features or other privacy settings on the Conference Software of their choice. Kids Unlimited uses Zoom as our Video Conference Platform
Any events managed by the SCHOOL do not need to use Zoom. Only Interschool events, RJ Shield or evening/weekend events run entirely by Kids Unlimited will use Zoom. If a teacher is running an event they can elect to use Teams if that is the preferred school platform for video collaboration. Kids Unlimited (Interschool events) is exposed to a risk of unknown parties joining the Zoom meeting. However the risk is extremely low. a) Each meeting ID is unique (9 to 11 digits) b) There is a password on each meeting c) The only way to access the meeting is by clicking on the link from the Event Page This limits the risk to people who are within the community in some way, they must be actively and deliberately accessing Tornelo, accessing the Event page and clicking through to the Zoom Meeting - at the right time. The temporal nature of these meetings provides additional security. An unknown party needs to be in the right place at the right time. This risk is mitigated by Moderators and Supervisors who are present in the room and who verify the identity of every person in the room. These supervisors have the power to "close" a meeting and prevent further people entering. To "kick" a participant out of a meeting if they are suspected of being unwelcome. Also to mute or turn off the video if inappropriate language or images were to be presented. Is the chat function stored or moderated in case there are circumstances where we need to review what was said between players?
This will depend on the event organiser and the platform they choose to integrate with Tornelo. Kids Unlimited uses Zoom as our Video Conference Platform - Private Chat between players is banned - Public chat may be possible, or may be turned off by the Host - Zoom saves the public chat message history for later review (maximum of up to 21 days) - Public chat messages are being monitored in real-time by supervisors If chat function is storeD or moderated, are there any policies or protocols around bullying/harassment on the platform?
This will depend on the event organiser and the platform they choose to integrate with Tornelo. Kids Unlimited has a zero tolerance policy when it comes to bullying. We have a number of options available: - Prevent Public Chat - Report and share message history with parents, teachers, school |