
EA is File Snooping with the Origin Client - kmfrk
http://wccftech.com/ea-spying-file-snooping-origin-client-investigation/
======
Argorak
I am constantly surprised by the common reaction that this is covered by the
EULA and thus okay.

Origin is a software intended for international use, including such countries
where this behavior is:

a) actively prohibited
b) probably illegal, but never came to court
c) not covered by the EULA, as EULAs are not binding

It might be okay in your country, but not in others.

~~~
jdong
That's not how EULAs work, so far the only decision about EULAs not being
binding is when they prohibit you from reselling the software. Not when you
agree that the other party is allowed to do something.

These are two wildly different scenarios.

~~~
chimeracoder
> That's not how EULAs work, so far the only decision about EULAs not being
> binding is when they prohibit you from reselling the software.

I can write a EULA that requires you to sign over the rights to your firstborn
child, your soul to the devil, and any other nonsense that I could come up
with[0].

That doesn't mean that it's actually legally enforceable. Certain clauses have
been deemed nonenforceable by law in contracts[1], so just because it's in the
EULA doesn't mean it's valid.

Also, just because it _hasn't_ been deemed nonenforceable previously doesn't
mean that it is valid either; it has to be tested (as with all law).

That doesn't give a definitive answer either way, except to say that just
because it's in the EULA doesn't mean it's permissible, either morally
(subjective) or legally (objective, or at least "objective").

[0] [http://www.out-law.com/page-10929](http://www.out-law.com/page-10929)

[1] The ones that people on this site may be most familiar with are
noncompetes and/or invention assignments (in certain states - these particular
examples are actually more hazy than most people think, but that's a separate
matter). Other extreme examples would be contracts that make a person the
legal property of another person (e.g. in many/most countries, you cannot
enter into "consensual slavery" with a legally binding contract).

~~~
anonymousab
There's also the question of whether an unsigned post-purchase EULA
constitutes a legally binding contract at all.

~~~
jdong
Courts have agreed on them being legally binding several times.
[https://ilt.eff.org/index.php/Contracts:_Click_Wrap_Licenses](https://ilt.eff.org/index.php/Contracts:_Click_Wrap_Licenses)

When they haven't found them legally binding, they've generally either been
simply ridiculous or deceiving.

~~~
bencoder
OP was saying in some other countries these clauses would not be legally
binding, regardless. Your link only shows US court cases.

------
FatalLogic
It's quite likely to be cheat-detection scanning filenames, maybe even file
contents. Valve had an issue like this recently. (edit: the Valve issue was
actually DNS cache scanning)

edit: Gabe Newell explained Valve's reasons for scanning DNS cache -
[http://reddit.com/r/gaming/comments/1y70ej/valve_vac_and_tru...](http://reddit.com/r/gaming/comments/1y70ej/valve_vac_and_trust/)

~~~
bellerocky
Yes Steam I think tracks what websites you've been to, but they only do this
when they are already suspecting you of cheating, and they only send a hash of
the url to see if it matches known cheat sites. That's just one of the things I
remember.

In a perfect world EA would just use steam and give up on Origin. I'm sure
they can pay Valve enough to get top billing on steam and it would be less
than they spend on their own anti-cheat and origin engineering. They'd also
have to cut steam in on sales, but it might still be worth it. It would
definitely be worth it to the user as the Origin software is horrible.

~~~
gabzuka
That's still a bad thing, in my opinion. If I am suspected of cheating then
they get access to my browsing history? How is that acceptable?

~~~
aaronharnly
If you read the linked thread, they are not "accessing your browser history".
Rather, as a specific countermeasure against specific cheats, they checked the
DNS cache for access to a particular set of phone-home server addresses
embedded in some cheats. Not websites, but backend servers (ironically)
enforcing DRM for cheat software. Like all such countermeasures, it was
effective for a short while, then counter-countered by the cheat. What they
sent back to valve was only a "yes they appeared to have accessed cheat
backend server X", not a list of all accessed servers or browsing history.

I'm not saying I love it, but it's important to be accurate before turning the
outrage dial to 11.

~~~
makomk
So far as outsiders were able to tell, it sent back hashes of every DNS cache
entry. Someone stuffed their DNS cache with a larger-than-usual number of
entries and found the amount of encrypted data sent back consistently
increased by exactly the amount required to send every hash twice, then went
back to normal when they cleared their DNS cache.

~~~
aaronharnly
Ah, thanks for the clarification.

------
st3fan
This is a funny story to report for a web site (wccftech) that has 85 tracking
widgets on that one page. Thanks for blocking all of those Ghostery!

~~~
Trufa
And Ghostery is owned by an advertising company that tracks you by default.

~~~
sp332
Ghostrank? It's disabled by default.

~~~
Trufa
It may have changed recently but for sure until some time ago, an option that
clearly said they are tracking you, was activated by default.

~~~
yarrel
Just checked on a new install, it's disabled.

------
higherpurpose
Basically everything Cory Doctorow has predicted [1] would happen with DRM,
and of course what Richard Stallman said many years before that.

[1]
[https://www.youtube.com/watch?v=HUEvRyemKSg](https://www.youtube.com/watch?v=HUEvRyemKSg)

And now we're going to get OS level DRM that works through all of our
browsers, thanks to Netflix, Google, Microsoft, Apple, and last, but not
least, the W3C. Terrific.

~~~
kabdib
The issue goes deeper than DRM. Online games like Rust, CS:GO and so forth
attract cheaters.

Often the intent of a cheater is to ruin the game for everyone else, with
patches that give them super-powers (aimbots and wall hacks are pretty common)
and the ability to unfairly dominate the other players. Sometimes there are
cheaters in official tournaments (a high-profile player in Germany was
recently found to be cheating).

Scanning a whole system for "DRM cracking tools" seems very, very bad to me.
If this is what EA is doing then they had better have a really good
explanation.

Scanning the running environment of an online game, under the umbrella of a
EULA, seems fine. I'll note that if you object to this, you're free to play on
non-protected game servers.

Some games are designed to be inherently cheat resistant. One strategy is for
the server to never give the game client enough information to be useful for
cheating, so even if you've written a totally cheaty client it doesn't do you
much good. (Reductio ad absurdum, your client is just a smart video feed with
some controller input).

Cheaters suck, but they're a fact of life and if your online game doesn't
prevent them then you'll be overrun by the scum and honest players will stop
playing.

~~~
Sae5waip
> If this is what EA is doing then they had better have a really good
> explanation.

Or?

~~~
kabdib
... or we'll get mad? Again? Good question.

"I'm going to pout and not pre-order Battlefield 5 until a week before it
comes out. That'll show them!"

------
sgy
This has been a pretty old issue [2011] with EA, which they have tried to deny
many times.

[http://www.gamespot.com/forums/pc-mac-discussion-1000004/ea-...](http://www.gamespot.com/forums/pc-mac-discussion-1000004/ea-is-spying-on-us-through-origin-28825397/)

------
Artemis2
To compare with Valve's reaction when a user discovered that kind of data
collection in VAC, EA representatives don't seem to know a thing, while, for
VAC, Valve's CEO Gabe Newell immediately explained publicly the situation and
demonstrated that Valve did think through their system quite thoroughly for their
users' privacy:
[http://reddit.com/r/gaming/comments/1y70ej/valve_vac_and_tru...](http://reddit.com/r/gaming/comments/1y70ej/valve_vac_and_trust/).

------
Qualman
Is there any proof of this actually being packaged up and sent to EA? It seems
to me that this is probably like Blizzard's Warden process, which actively
scans for hacks while the client is open. I'll save my outrage until there is
proof that they are phoning home with these file scans.

------
gamesnotblames
Wow... people seem to be ok with this - saying this is in the EULA, therefore
it's all cool?

"Errrm, I couldn't help but notice that the videogames company representative
just let himself into your house, fucked your dog up the arse, killed your
goldfish and pissed in your coffee"

"Oh yes, it's all in the EULA, it's perfectly fair, I am playing the game I
bought from them, don't you know!"

------
johansch
As one of the comments there mentions, the Origin client is only enumerating
the list of recently run applications.

The app name in that list is ROT13-"encrypted" by explorer.exe for some odd
reason; see:

[http://blog.didierstevens.com/2006/07/24/rot13-is-used-in-wi...](http://blog.didierstevens.com/2006/07/24/rot13-is-used-in-windows-you%E2%80%99re-joking/)

~~~
raverbashing
So, how does it behave with non-ASCII data?

------
kmfrk
This reminds me of when Blizzard did the same thing to us Diablo 2 players
almost ten years ago:
[https://en.wikipedia.org/wiki/Warden_(software)](https://en.wikipedia.org/wiki/Warden_\(software\)).

They did so very openly, although you clearly couldn't play the game without
submitting to the requirements.

Of course, this was back when things like having the government surveil our
library history was considered a big deal in privacy. Culture's changed quite
a bit since.

------
mabbo
Snooping my files? Ugh, jackasses. But using ROT13 to hide your activities?
That's downright offensive. Who the hell uses a Caesar cipher in the 21st
century?

~~~
bringking
Actually the UserAssist reg key is meant for windows explorer usage tracking
and does the ROT13 encoding automatically. You can turn off the encoding or
tracking in general. Source:
[http://www.aldeid.com/wiki/Windows-userassist-keys](http://www.aldeid.com/wiki/Windows-userassist-keys)

------
greggman
This is what scares me about Steam a little. My understanding (though not
sure) is this is what Apple's OSX store and Microsoft's windows app store are
trying to solve. Basically sandbox native apps so you can install them and not
worry they can do stuff like this.

I'm not saying they succeed at that. I have no idea how secure their sandboxes
are and what limits they place. But, that is arguably the intent (or at least
one of the intents).

Steam on the other hand has no such intent AFAIK. Of course in all those
cases, including Steam, there is the threat to the publisher they'll be banned
from the store if they do this kind of thing. I don't know if there is any
example of Steam removing an app because of "unethical behavior". I would
guess if it was an indie they'd ban first, question later whereas if it was a
big publisher like EA they'd probably talk first, try to get them to address
the issue.

I'd be curious to know if Steam Box makes any effort in this direction. I was
similarly worried about Boxee apps (the PC/OSX/Linux version), XBMC scripts.
etc...

------
bringking
The UserAssist registry key was meant for tracking Explorer stats. EA is just
reading a reg area that windows is already tracking. Also, you can turn it
off. Source:
[http://www.aldeid.com/wiki/Windows-userassist-keys](http://www.aldeid.com/wiki/Windows-userassist-keys)

------
rmrfrmrf
People need to be educated on what software/websites is/are doing by default.
I would assume that most people familiar with today's tracking boilerplate
would know better than to install Origin in an unsandboxed environment in the
first place. Unfortunately, this doesn't seem to be the case.

------
beloch
The worst thing is that Origin is compulsory for many EA distributed games
now. e.g. If you played Mass Effect 3, you had to go online with Origin
running every time you played the game to get past the DRM, even if you bought
a physical disk to install the game. There were no other options for acquiring
the game legally.

Besides being intrusive, Origin is spectacularly unfriendly to user mods. The
mod community has made some nice texture upgrades for ME3, but to use them
with an uncracked ME3 executable requires you to shuffle files around while
Origin is running so that it never sees the modified executable (Origin scans
and validates executables when you start up a game).

I'm not much of a gamer, but Bioware games are a weakness of mine. I look
forward to the day when they're no longer infested with EA's spyware.

------
bastawhiz
So wait...these allegations are based entirely on the fact that Windows
registry keys exist with ROT13-ed process names?

Let's just check the scorecard:

- Outbound packet captures showing that Origin is capturing this information?
  Nope.
- Proof that the Origin client is making a targeted effort to steal
  information about the user? Nope.
- Indications that Origin is accessing the processes of Firefox or Chrome in
  any way beyond getting their names? Nope.
- Indications that Origin is _potentially_ capturing any information at all
  beyond the names of some running processes? Nope.

Cheat detection has been named a couple of times, and that's certainly
plausible. I'd imagine ROT13 is used to prevent Origin from being spuriously
picked up by antivirus software.

~~~
Buge
Those registry entries were not created by origin. They were created with
rot13 by windows explorer. That screenshot shows origin specifically checking
whether the entries exist. So origin has a list of files that it checks if the
user has.

~~~
jcrawfordor
Do we know that it isn't enumerating the whole hive? That seems more likely to
me.

~~~
Buge
I guess I don't really know. But the way it says either "SUCCESS" or "NAME
NO..." makes it look like it either found the registry entry or it failed to
find the registry entry. The second case would probably only happen if it was
looking for specific keys.
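
Added example, not part of the thread and not code from EA, Microsoft or any commenter: the ROT13 point and the SUCCESS versus NAME NOT FOUND reasoning discussed above, applied to a Process Monitor CSV export. The rows, process names, all-zero GUID and value names are constructed placeholders, and `classify` is a hypothetical helper; ROT13 as defined rotates only A-Z and a-z, so non-ASCII characters pass through unchanged.

```python
import csv
import io
from collections import defaultdict

# ROT13 is defined only on A-Z and a-z; digits, punctuation and non-ASCII
# characters are left unchanged.
_ROT13 = str.maketrans(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz",
    "NOPQRSTUVWXYZABCDEFGHIJKLMnopqrstuvwxyzabcdefghijklm",
)

def rot13(text):
    return text.translate(_ROT13)

# Constructed sample in Process Monitor's CSV export column layout.
# Process names, the all-zero GUID and the value names are placeholders.
KEY = (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer"
       r"\UserAssist\{00000000-0000-0000-0000-000000000000}\Count")
SAMPLE = "\n".join([
    '"Time of Day","Process Name","PID","Operation","Path","Result","Detail"',
    f'"10:00:01","client_a.exe","100","RegQueryValue","{KEY}\\abgrcnq.rkr","SUCCESS","Type: REG_BINARY"',
    f'"10:00:02","client_a.exe","100","RegQueryValue","{KEY}\\Pnsé.rkr","NAME NOT FOUND",""',
    f'"10:00:03","client_b.exe","200","RegEnumValue","{KEY}","SUCCESS","Index: 0, Name: sversbk.rkr, Type: REG_BINARY"',
    f'"10:00:04","client_b.exe","200","RegEnumValue","{KEY}","NO MORE ENTRIES",""',
])

def classify(csv_text):
    """Per process: did it look values up by name or walk the key?"""
    seen = defaultdict(lambda: {"ops": set(), "names": [], "misses": 0})
    for row in csv.DictReader(io.StringIO(csv_text)):
        op, path = row["Operation"], row["Path"]
        if "\\userassist\\" not in path.lower():
            continue
        if op == "RegQueryValue":
            # A by-name query carries the value name in the path; a
            # NAME NOT FOUND result can only come from this kind of call.
            entry = seen[row["Process Name"]]
            entry["ops"].add("targeted")
            entry["names"].append(rot13(path.partition("\\Count\\")[2]))
            if row["Result"] == "NAME NOT FOUND":
                entry["misses"] += 1
        elif op == "RegEnumValue":
            # Enumeration walks by index; the name only shows up in Detail.
            entry = seen[row["Process Name"]]
            entry["ops"].add("enumeration")
            detail = row["Detail"]
            if "Name: " in detail:
                name = detail.split("Name: ", 1)[1].split(",", 1)[0]
                entry["names"].append(rot13(name))
    return {
        proc: {"mode": "mixed" if len(e["ops"]) > 1 else next(iter(e["ops"])),
               "names": e["names"], "misses": e["misses"]}
        for proc, e in seen.items()
    }

if __name__ == "__main__":
    for proc, info in classify(SAMPLE).items():
        print(proc, info)
```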

------
libraryatnight
I didn't use Origin much, but it's uninstalled and gone for good, now.

------
cookiecaper
We need a new hardware architecture to elegantly enable containment and
sandboxing. Every application should have its own isolated virtual environment
and OS for execution. Like Qubes, but with every environment capable of
utilizing the full hardware simultaneously (that is, managed by the
hypervisor).

Direct access to the video hardware is the main thing that holds back the
virtualization of gaming or other graphics-heavy activities. We desperately
need a solution to that.

~~~
jlawer
This is kind of already available for VDI if you're willing to accept the
overhead of multiple OS instances. Nvidia GRID and similar GPU / Compute boards
can handle multiple simultaneous users.

The problem is COST. These are designed for VDI servers supporting 25/50/100
desktop users not 1 gamer and are priced as enterprise equipment.

------
z3t4
The program is probably hooking into the web browser, because you need to
start some Origin games (BF 3) via the browser! Yeh, I'm not joking.

A similar thing happened for me with Googleupdate.exe it scanned all my hard
drives ... They don't do it any more but I still remove googleupdate.exe every
time it magically gets installed on my system.

~~~
cyanbane
That is my guess also, it's actually probably just looking for their specific
plug-in.

See slide 21
[http://www.slideshare.net/DICEStudio/battlelog-building-scal...](http://www.slideshare.net/DICEStudio/battlelog-building-scalable-web-sites-with-tight-game-integration)

That doesn't mean there isn't any leakage they technically can/can't see. No
clue if any of that info gets phoned home.

~~~
z3t4
One of the problems with encrypting almost everything, even pictures of your
dog, is that it no longer brings suspicion ... And programs like these can
send any information without you knowing about it. Encrypted data is not a
security protection, it's a security risk! Because you have no idea what
information they send. Probably a lot more than they tell you, because there's
no way you can find out.

------
lnanek2
Kind of crappy sensationalist article. This is common behavior for game
clients which do this sort of thing to detect cheating and bots. E.g. World of
Warcraft trying to detect automated gold farming, etc.. I can think of at
least four programs that do this sort of thing and it would only be news if it
didn't, honestly.

~~~
thefreeman
While I am aware that warden and things like it can scan the memory of
processes, I don't think they are granted full access to read everything on
your system. I believe there are restrictions like the file must actively be
reading / writing your processes memory before you can scan it.

There is definitely 0 reason that they should be scanning all of the files on
your computer and storing them in some sketchy gibberish registry settings.
Who knows what else they are looking at.

This is no different than Sony putting rootkits on their audio CDs in order
to "prevent piracy".
[http://en.wikipedia.org/wiki/Sony_BMG_copy_protection_rootki...](http://en.wikipedia.org/wiki/Sony_BMG_copy_protection_rootkit_scandal)

~~~
nobotty
Hahaeha, no, warden can and does scan EVERY SINGLE THING on your system. Good
luck with fixing that whole "trusting companies that release games I like"
thing.

~~~
thefreeman
I actually don't even play any blizzard games, but I thought I remembered them
being sued over warden overstepping its bounds back in the day. I tried to
search for it though and cannot find any evidence, so I guess I must have been
wrong.

Edit: I did find mention of it on the Wikipedia article about Warden:
[http://en.wikipedia.org/wiki/Warden_(software)](http://en.wikipedia.org/wiki/Warden_\(software\))

_On 23 June 2010 Blizzard updated the Warden Anti-Cheat Platform to version 2 - named Warden 2.0 - with World of Warcraft Patch 3.3.5._

_Warden now scans Warcraft II and III game memory space only, with exception of
a few tools._

Obviously it's a Wikipedia article, and no source listed for that claim, so
who knows if it's accurate.

------
A_COMPUTER
Even if you think this sort of thing is OK because of EULAs or explicit
consumer buy-in (I know multiple people that are OK with it because they are
bigtime gamers and appreciate its reduction of cheating,) this is one more NSA
attack vector. How's the security on this backdoor? Does EA ever service NSLs?

------
onewaystreet
From reading newer comments in the Reddit thread it looks like the OP was
wrong.

------
szatkus
wccftech.com on Hacker News? My world just collapsed. It's the most unreliable
tech website in the world.

