
Dozens of PC games drop tracking software after surveillance fears - pferde
https://www.wired.co.uk/article/red-shell-game-tracking-gdpr
======
ryandrake
The responses from the game companies have been absolutely pathetic so far.
They amount to "Blah blah blah, bbbbbut marketing!!" No apologies for what
they were doing, just "sorry we got caught". No shame at all, and no
recognition that they were shipping malware to their customers. Some have
promised to remove it but find some other way of using my computer against
their users. My computer is not a free resource for your marketing department.

If the software is so benign, offer it to users as totally optional install or
a separate download, and see how many agree to that offer.

EDIT: For example, see the official response from the Quake Champions team
[1]. Summary: _This data vacuum is actually for your own good. That said,
we’re busted! So we will remove it for now, and we will tell you about it when
we add it later, when everyone chills out._

EDIT2: Wow, so much garbage the further you get through the article:

> [Adam Lieb] expressed his frustration with the response online, which he
> says painted a false picture of Red Shell as a spyware programme trying to
> sell data for malicious purposes.

spy·ware

 _noun_

software that enables a user to obtain covert information about another's
computer activities by transmitting data covertly from their hard drive.

While they may not be selling the data for malicious purposes, it is, by
definition, spyware.

1: https://steamcommunity.com/games/611500/announcements/detail/1674658681938498204

~~~
AdmiralAsshat
There needs to be some kind of codified Consumer Bill of Rights that says, in
effect, "We paid for your product. You do not get to monetize us further after
the point of sale."

Companies could then signal whether they agree to adhere to that code of
conduct or not, and use it as a selling point for consumers to tell, at a
glance, whether they want to support said company or not.

~~~
klodolph
I would settle for aggressive sandboxing built into the OS. Something that
tells me, "This application has permission to run full-screen, play audio, and
contact the network. You may revoke these permissions individually. It cannot
run invisibly in the background. It cannot read your files."

~~~
AdmiralAsshat
The tracking from Red Shell would be very hard to stop at the OS-level,
because the things they're gathering are all stuff that has legitimate
relevance to the game (e.g. the game may want to know what CPU, RAM, and
videocard you have for recommended settings). Further, an internet connected
game _needs an internet connection_ to work.

So it would be very hard for the OS to tell the game, "You can send packets
about the player's current position in the gameserver, but you can't send
packets back to the software developer that contain fingerprint information."
The developer would just encrypt the info and send it all to the same
destination to make all packets look the same.

~~~
cptskippy
I think people are less concerned about hardware specs and more concerned
about cataloging of software installed, logging DNS traffic, and capturing
PII.

------
rostigerpudel
> "People can have their own opinions on it but our data is not personally
> identifiable information (PII),"

Err..isn't the point of this exercise to have enough data to identify who
bought the game and why? I feel the exact kind of computer I use and the
various customizations that lead to it being a unique machine are _very_
personal and identifiable.

~~~
Flammy
No, the point is to collect enough info to link a user who launched the game
to someone who clicked an ad.

The problem Red Shell is trying to solve is the "download divide" -- You can
track clicks/users on the web before they download, and you can track them
after they launch your product, but you can't easily connect the two.

As for why devs want this, if you know ad campaign 1 cost $1 and had 2000
clicks, and ad campaign 2 cost #1 had 1000 clicks, that is helpful but what you
really want to know is "what is the lifetime value (LTV) vs cost of
acquisition of users from campaign 1 vs 2" because if LTV is significantly
different then despite higher cost it may clearly be worth it. But if you
can't connect a user from before the download to after you can't do this sort
of calculation.

Devs really don't care who the users are, we just want to know how effective a
campaign is compared to one another.

Source: Was planning on integrating Red Shell ourselves before this (false)
outrage made us cancel our plans.

~~~
rostigerpudel
While I agree that is what they officially say they do, the means employed go
beyond that. From the article:

> "These are generally data points about the user’s device, such as its
> operating system, installed fonts, browsers (and versions) used, timezone,
> language, the user’s in-game ID, and screen resolution. This is what Red
> Shell calls a ‘fingerprint’, which can also be made on games consoles as
> well as PCs."

Such a fingerprint is very unique and can easily be connected to a person with
very little effort down the line, even if _now_ nobody does that (yeah,
right).

Personally, I do not trust any company that collects such detailed information
without my informed consent and without a clear (i.e. verifiable and legally
enforceable) pledge to delete that information when the original purpose has
been served. This is exactly the overshooting behaviour that was rightfully
targeted by the Europeans with their recent data protection law.

edit: formatting

~~~
legitster
Okay, I get this, but then do services like Google Analytics get a free pass?

~~~
rostigerpudel
No, I don't trust Google either. But at least Google is somewhat open about
the fact that they collect the data. I can have a look at it and I have
settings to influence and even delete (probably) what is being collected.

That is vastly different from a spyware module installed clandestinely
together with a software I paid for that sends data about me to somewhere and
somebody then does something with it that I don't know about.

------
moviuro
Steam (and others) really should scan for that kind of spyware in the files
they provide to the players. Add a warning maybe (_Contains a known spyware_)
or flat out refuse the editor to bundle that file with their
game/app/whatever.

~~~
nerdponx
I'd be surprised if Valve didn't have their own fingerprinting tech, e.g. for
tracking users across multiple accounts (practical, benign use case: banning
cheaters who were VAC banned but make new accounts).

~~~
jrhurst
There's no real benefit to any of that though. The steam client already collects
all the data they need for this.

~~~
nerdponx
Does it matter if it's in the client or in the game itself?

------
davidhyde
Why don't these game companies use a promotion code in their ads to track the
ad to a sale? That way the customer feels like they're getting a deal and
there is no need to fingerprint their machine. This seems like a fairly common
practice in other industries.

~~~
olyjohn
Why bother giving somebody a deal when they can just do whatever they want to
your computer and have no repercussions?

~~~
trophycase
Well presumably they pay Red Shell? Or they sell your data. Idk how else Red
Shell is making money.

------
olodus
Since what they check against is a fingerprint, couldn't Red Shell just hash
the data they create that fingerprint from, making it so they can guarantee
that they don't really know anything about the player's data, just that it
fits the one that saw the ad? This seems so simple I almost feel like they
would have some reason not to do it. Do they make money selling the data
as well as the fingerprint matching? Or am I completely misunderstanding it
all?

~~~
whyever
They are hashing the data.

~~~
oehpr
Well... Yes they do. After you send the unhashed data to them.

Check Red Shell's API docs. They turn the data the game's client sends to them
into a hashed ID.
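
The difference between the two designs discussed in this subthread (hash before upload versus hash after upload), as an added example that is not part of the original comments and is not Red Shell's code. Attribute names follow the article quote earlier in the thread; the values and all function names are constructed for illustration.

```python
import hashlib
import json

# Attribute names follow the article quote earlier in the thread;
# all values are constructed sample data, not real telemetry.
DEVICE = {
    "os": "Windows 10",
    "fonts": ["Segoe UI", "Arial", "Consolas"],
    "browsers": ["Firefox 60.0"],
    "timezone": "UTC+01:00",
    "language": "en-GB",
    "resolution": "2560x1440",
}


def canonical(attrs):
    """Serialise deterministically so the same machine always hashes the same."""
    norm = {k: sorted(v) if isinstance(v, list) else v for k, v in attrs.items()}
    return json.dumps(norm, sort_keys=True, separators=(",", ":")).encode()


def fingerprint_id(raw):
    """Hashed ID derived from the canonical attribute bytes."""
    return hashlib.sha256(raw).hexdigest()


def wire_server_hashing(attrs):
    """Hash-after-upload: the raw attributes are what leaves the machine."""
    return canonical(attrs)


def wire_client_hashing(attrs):
    """Hash-before-upload: only the digest leaves the machine."""
    return fingerprint_id(canonical(attrs)).encode()


def collector_id(wire, hashed_on_client):
    """ID the collector ends up storing under either design."""
    return wire.decode() if hashed_on_client else fingerprint_id(wire)


if __name__ == "__main__":
    a = wire_server_hashing(DEVICE)
    b = wire_client_hashing(DEVICE)
    print("server-side hashing sends:", a.decode())
    print("client-side hashing sends:", b.decode())
    print("same stored ID:", collector_id(a, False) == collector_id(b, True))
```

Either way the stored digest is the same stable value for the same machine, so hashing on the client changes what the collector receives, not whether the machine can be recognised again.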

------
speeder
The article wonders, why people got upset about Red Shell on Conan Exiles for
example, but not on Civilization VI...

I think it is related to two very important details.

First, Red Shell's purpose, as stated by Red Shell themselves, is to create a
"fingerprint" of the computer, yes, each tidbit of info separately is not
"identifiable" but the purpose of the software is to build identifiable
information in the first place.

And second... the game where people found Red Shell first, and went nuts about
it, Conan Exiles, is a game that lots of people don't want anyone to know they
play it, the game has lots of very politically incorrect themes (slavery for
example), and is very popular to use for Erotic Roleplay... People of course
get paranoid when there's tracking software in their porn!

~~~
cbg0
> The article wonders, why people got upset about Red Shell on Conan Exiles
> for example, but not on Civilization VI...

Actually there has been quite a bit of backlash, there's a thread with around
2000 comments about it in the forums:
https://steamcommunity.com/app/289070/discussions/0/1709564118762025388/

Also, the recent reviews have been negative because of Red Shell.

> Conan Exiles, is a game that lots of people don't want anyone to know they
> play it [...] and is very popular to use for Erotic Roleplay

Citation required?

~~~
MaxBarraclough
I wonder if the top comment in that thread is accurate in saying it's against
the GDPR. I suppose the real answer is that time will tell.

~~~
mrmr1993
As a general rule, if the data can be used to identify some users, it falls
under the GDPR. From Article 4(1):

> ‘personal data’ means any information relating to an identified or
> identifiable natural person (‘data subject’); an identifiable natural person
> is one who can be identified, directly or indirectly, in particular by
> reference to an identifier such as a name, an identification number,
> location data, an online identifier or to one or more factors specific to
> the physical, physiological, genetic, mental, economic, cultural or social
> identity of that natural person;

------
mattlondon
The "contact us" link on the tracker's website appears to be broken:
https://www.redshell.io

Not sure if that is deliberate or not, but I'd like to submit a GDPR subject
access request! Coincidence? perhaps.

Edit: privacy@redshell.io Looks like their webpage might be trying to do a
"mailto:" link? For me it just opens a blank window and I can't be bothered to
try and pick apart their JavaScript.

~~~
agentdrtran
It's not broken, it's just a mailto. It works fine for me.

------
jstanley
I'm glad (some proportion of) the public at large is becoming as paranoid
about being tracked as I have become. I never thought it would happen.

~~~
jasonkostempski
Maybe one day it will be enough people that it's libre or GTFO for everything.

------
actsasbuffoon
> "Google tracks a lot more things than Red Shell, but people never complain
> about it."

Sorry Abid, but that's not true. I avoid Google products and services because
I am uncomfortable with how invasive their tracking program is. I've worked in
advertising tech, and I have a good idea of what goes on inside these
companies. I do not ever want to participate in that ecosystem again. I even
browse the web with JavaScript disabled in order to avoid tracking.

That said, I don't blame Abid. I know it can be hard to bootstrap a small
games studio. In fact, I played one of his studio's games (the weapon shop
one) and it was fun. I wish him and his company luck, but I hope he doesn't go
back to tracking customers without consent. I avoid purchasing products that
include this kind of tracking.

------
legitster
I don't get why this would stir controversy while Google Analytics would not -
it appears they collect the same type of information. Are game devs not
allowed the same type of tools that web devs are?

~~~
majewsky
On the web, you can at least use a tracking blocker. That's much harder to do
in games (unless you're blocking on the DNS level, which is at least a bit
more involved than installing uBlock Origin).

~~~
legitster
Also, if you use a web-blocker, they can't create a fingerprint anyway.

~~~
swebs
You'd be surprised. Even though ublock origin and uMatrix are blocking most
things, they're still able to build a unique fingerprint based on installed
fonts, hash of canvas fingerprint, webGL fingerprint, etc.

https://panopticlick.eff.org

------
greymeister
Just want to add that https://pi-hole.net/ or
something similar is a nice way to block at least DNS based traffic from this
malware.

~~~
monetus
Thanks for this.

------
ChuckMcM
If you have a product that runs on thousands of machines you will be
approached by folks that sell this kind of app. Saying no takes integrity.

------
codedokode
To me this looks like deceiving the customer. The advertisement for the game
doesn't say that it would spy on you. People buy software thinking that it is
just a game. There should not be such type of hidden functionality.

This should not be normal. If the company wants to use tracking and analytics
then they should at least disclose it in advertising materials, and on the
game store page. Or maybe make two versions of the game, with and without
tracking, so that anyone would be free to choose whatever they prefer.

And who cares about marketing or ad performance? That is not a consumer's
problem.

------
beenBoutIT
Having a PS4/PS3 or a separate dedicated PC just for gaming is an easy way to
keep any game-related problems from becoming much bigger.

------
Flow
I hope this tracking software never made it into the macOS versions of any of
those games.

~~~
gcb0
it likely has a different vendor with the exact same issues, but will take
longer to be noticed.

there is absolutely no game on steam without DRM and anti-cheat rootkits.
none. zero. All games there have either or. including steam itself. It's all a
matter of how far they go.

~~~
throwaway2048
Plenty of games on steam do not use steam DRM, and don't need steam running to
launch, including most of valve's games.

Most games, and obviously all single player games, also have no form of anti-
cheat.

https://pcgamingwiki.com/wiki/The_Big_List_of_DRM-Free_Games_on_Steam

This list is pretty incomplete, and in my experience many if not most indie
games fall into this category.

Your assertions are entirely incorrect.

~~~
gcb0
> do not have DRM

i said DRM and/or anti-cheat. 100% of valve games have anti-cheat.

Both of those run as administrator and have a great deal of opaque control of
your machine.

------
duxup
Gah, I got a full screen pop up on mobile on wired.co.uk.... anyone else?

------
shmerl
Didn't every Unity3D game insert a tracking code that's working without users'
consent?

~~~
swebs
I don't know. Why don't you look it up?

~~~
shmerl
https://unity3d.com/legal/privacy-policy

https://unity3d.com/legal/gdpr

Despite their claims, I've never seen any opt out options like that. Games
simply always collect data and send it "home". And really this should be opt-
in.

