
Civilization VI removes Red Shell ad-tracking software - smacktoward
https://www.rockpapershotgun.com/2018/07/20/civilization-vi-removes-red-shell/
======
red_admiral
Can someone confirm if I've understood this right?

When you view a red shell enabled ad, a script on the page (or perhaps the ad
server itself, based on HTTP headers) computes a fingerprint of your browser
(IP address, browser version, fonts installed, screen size etc.) and stores
(ad_id, fingerprint) in a database somewhere.

When you install and run a red shell enabled game, it computes the fingerprint
of your machine and sends (game_id, fingerprint) to the server, which stores
this in another table.

By joining these tables on the fingerprint, you can get some info on which ads
are correlated with which game purchases.

Apart from this, red shell does NOT modify your browser settings, inject code
into all pages you visit, add a browser toolbar, constantly run in the
background, MITM your TLS or anything else like that. [EDIT: not trying to
defend red shell here, just checking whether I need to do a full reinstall of my
PC to get rid of this thing]

~~~
crag
Why fonts? Or do they use fonts as an ID?

~~~
drbawb
Fonts are part of the fingerprint, especially if you know the OS. You take the
set of installed fonts and subtract the set of OS default fonts, and you are
likely to arrive at a unique key.

Take my corporate domain for instance: you could identify any machine on my
domain since we'd all have a custom typeface installed (used on our company
letterhead.) You could further identify our marketing coordinator, because she
has a lot of strange typefaces used for signage and promotions. You could
probably further identify me as a web developer since I have a lot of WOFF2
packaged fonts installed.
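
An added illustration of the set subtraction described in the comment above (not part of the original post, and not Red Shell's code): it groups a constructed population of machines by their non-default fonts and reports each machine's anonymity set, i.e. how many machines share the same residual font set. The default-font list, host names and font names are all made up for the example.

```python
from collections import defaultdict

# Constructed stand-in for one OS's default font list (not a real inventory).
OS_DEFAULT_FONTS = frozenset(
    {"Arial", "Calibri", "Consolas", "Segoe UI", "Times New Roman"})

# Constructed population: host -> installed fonts.
MACHINES = {
    "home-pc-1":   OS_DEFAULT_FONTS,
    "home-pc-2":   OS_DEFAULT_FONTS,
    "corp-desk-1": OS_DEFAULT_FONTS | {"AcmeLetterhead"},
    "corp-desk-2": OS_DEFAULT_FONTS | {"AcmeLetterhead"},
    "corp-mktg":   OS_DEFAULT_FONTS | {"AcmeLetterhead", "SignageBold", "PromoScript"},
    "corp-webdev": OS_DEFAULT_FONTS | {"AcmeLetterhead", "IconSet WOFF2", "CodeMono WOFF2"},
}

def residual_fonts(installed, defaults=OS_DEFAULT_FONTS):
    """Installed fonts minus OS defaults: the part that distinguishes machines."""
    return frozenset(installed) - defaults

def anonymity_sets(machines):
    """Map each host to the number of hosts sharing its exact residual font set."""
    groups = defaultdict(list)
    for host, fonts in machines.items():
        groups[residual_fonts(fonts)].append(host)
    return {host: len(members) for members in groups.values() for host in members}

def hosts_sharing(machines, marker_font):
    """Hosts tied to one organisation by a single shared non-default font."""
    return sorted(h for h, f in machines.items() if marker_font in residual_fonts(f))

if __name__ == "__main__":
    for host, size in sorted(anonymity_sets(MACHINES).items()):
        print(f"{host:12} anonymity set = {size}")
    print("same organisation:", hosts_sharing(MACHINES, "AcmeLetterhead"))
```

An anonymity set of 1 means the font list alone singles out that machine within this population; the larger the set, the less the fonts contribute to a fingerprint.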

~~~
ballenf
Side question -- do/could type foundries find pirate companies by looking at
IP addresses using paid fonts without a license? Hardest part would be linking
paid licenses to IP addresses, making individual unpaid usage harder to nail
down. But if a company with dozens or hundreds of users at a single IP address
all had a particular font installed, that IP was linkable to the company, and
company didn't have a license, wouldn't that be pretty damning evidence?

Typeface piracy is otherwise pretty difficult to detect isn't it? Is it part
of normal enterprise asset tracking / inventory systems?

------
fpgaminer
I set up a separate gaming rig specifically to isolate these kinds of
problems. That's where I run all my games and nothing else.

You'd think it'd be more expensive to have another machine specifically for
gaming. But the slowing of CPU advancements means that old systems can be
usefully repurposed. I grabbed the husk of an older desktop from a few years
ago, its CPU and memory being more than enough for gaming. Threw my GPU over
to it (not needed for work or personal desktop usage), and I had a dedicated
gaming rig for "free". Now I don't worry about scummy studios releasing
malware masquerading as games.

For those more technically inclined, you can do a gaming VM. That used to be
my setup prior to having a separate machine. GPU passthrough allows you to
give your GPU to the VM. I had it running under Ubuntu, with Windows as the
guest. Near identical performance. That was a cool setup, but kept breaking on
OS updates so I decided to just use a separate physical machine.

But these are ultimately just defenses and are no excuse for knowingly running
malware. Gamers should make it a point not to buy games or other software that
plays loose with their privacy. These studios should be ashamed of themselves.
But it's impossible to always know ahead of time what horrors lie within your
software. So at least I sleep better at night knowing these "games" at least
have their own cesspool to writhe around in.

~~~
ryandrake
Nice setup. I run all my games from a separate partition with its own copy of
Windows, but your way is even better. I’m not looking forward to the world
where we need a separate machine for each piece of software in order to ensure
privacy, but sadly we are heading there.

------
cbg0
They did get quite a few negative reviews on the Steam store page about this
issue, and there's also a large thread with users complaining
(https://steamcommunity.com/app/289070/discussions/0/1709564118762025388/)
which probably led to this action.

As an aside, complaints might have been even more numerous if the game were
actually good, as of now Civ 5 has a peak of 30K users playing daily, while
Civ 6 a peak of only 20K.

~~~
wolfgke
> As an aside, complaints might have been even more numerous if the game were
> actually good, as of now Civ 5 has a peak of 30K users playing daily, while
> Civ 6 a peak of only 20K.

A question to the gamers on HN: What makes Civ5 in your opinion/in the opinion
of many gamers better than Civ6?

~~~
rataerix
Generally for the Civ games the new one doesn't become overly popular till a
few expansions are released. It was the same when Civ V came out, a lot of
people were saying Civ IV was better. Civ VI is a good game; I think most
people will switch eventually, just takes some time.

~~~
AndyNemmity
It is more about modding outside of the general player base that already
played, and dropped it.

The sustained users are ones that have good mods that improve the AI, and
other aspects of the game. Civ 6 hasn't released the DLL, so us as modders,
are in a holding pattern. Most of the major modders have quit (as have I)
until the DLL is released.

As an AI modder, I just can't improve the AI without the DLL.

~~~
crag
// The sustained users are ones that have good mods that improve the AI, and
other aspects of the game. Civ 6 hasn't released the DLL, so us as modders,
are in a holding pattern. Most of the major modders have quit (as have I)
until the DLL is released.//

That's it right there. The Civ5 mod(s) "vox populi" is a must in any game I
play. And it changes much of the game. Not possible to do in Civ6.

Also, I don't like the cartoon graphics of Civ6.

------
stamps
Does anyone have a list of the domains these guys use?

I'm curious if these are in the DNSBL easy lists or the lists used by Pi-hole.

If they aren't I'd like to add them to my blacklists on pfBlockerNG.

~~~
red_admiral
redshell.io is already in uMatrix's list of blocked domains, so it looks like
the easy lists are up to date.

------
ilitirit
Funnily enough (and not that it makes it OK) you didn't have to accept the
agreement to play the game (just click "I don't agree" or whatever the option
is). Not sure if they still continued harvesting data though...

------
comice
Does the game show adverts in-game? Is the game free or do you pay for it?
Sounds insane! I'd be upset enough about the ads never mind the added salt of
tracking!

~~~
Bartweiss
No ads in game - this is supposed to be a campaign effectiveness tracker.

Since you buy these PC games through Steam there's no easy way to associate an
ad impression with a resulting purchase like there is on mobile. Red Shell
creates a device fingerprint for each ad and each play session and compares
the two sets to see which ads were followed by purchases.

So on one hand, no ads in game and unlike Superfish or something it's
perfectly reasonable info for devs to want. But on the other hand, it's
achieved by way of a deep fingerprint which is uniquely identifying, and which
could in theory be matched to other device fingerprints elsewhere.

I'm glad to see it gone, but I'd be fine if it came back as something fancy
like a client-side hash of the data; the ad correlation is fine with me, the
retained fingerprint isn't.

------
KaoruAoiShiho
I think something like Red Shell is obviously good for society and consumers
are hurting themselves by overreacting.

Better targeted ads == less money wasted on ads and more money spent on
development == less people annoyed by ads they're not interested in == better
games. Shame.

~~~
Bartweiss
This seems like a misunderstanding of the complaint. I know people do oppose
targeted advertising, but that's not why they're mad about Red Shell.

The _way_ Red Shell targets ads involves building and storing full device
fingerprints when you play a game. It's a privacy risk totally separate from
the targeted advertising question. And yes, individual devs could do that
also, but at least I've chosen to deal with those devs, and my data can't be
tracked across different games by different companies.

If Red Shell switches to something like a device-side hash of the fingerprint,
so that it can recognize returning users but not give out (or lose) the
underlying data, I'd feel vastly better about it. Basic targeting analytics
don't bother me, and "did this game ad work?" is vastly more justified than
most tracking. I just don't want it tied to an externally-stored device
fingerprint.
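
The device-side hash proposed in the comment above, combined with the ad/install join described at the top of the thread, as an added example that is not part of the original posts and not Red Shell's implementation: the device sends only a keyed hash of its attributes, and the server joins ad impressions to installs on that token. The per-game HMAC key goes beyond the plain "device-side hash" the comment suggests and is an assumption of this example, as are all names and sample values.

```python
import hashlib
import hmac
import json

def device_token(attrs, campaign_key):
    """Device-side step: keyed one-way hash of the canonicalised attributes.
    Only this token leaves the device; the raw attributes are not sent."""
    canonical = json.dumps(attrs, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(campaign_key, canonical, hashlib.sha256).hexdigest()

def attribute_installs(ad_rows, game_rows):
    """Server-side join of (ad_id, token) with (game_id, token) on the token."""
    ads_by_token = {}
    for ad_id, token in ad_rows:
        ads_by_token.setdefault(token, []).append(ad_id)
    return [(game_id, ad_id)
            for game_id, token in game_rows
            for ad_id in ads_by_token.get(token, [])]

# Constructed sample data: two devices and two per-game keys (hypothetical scheme).
ALICE = {"ip": "198.51.100.7", "os": "Windows 10", "screen": "2560x1440",
         "fonts": ["AcmeLetterhead", "PromoScript"]}
BOB = {"ip": "203.0.113.21", "os": "Windows 10", "screen": "1920x1080", "fonts": []}
KEY_GAME_A = b"constructed-key-for-game-a"
KEY_GAME_B = b"constructed-key-for-game-b"

def demo():
    ad_rows = [("ad-17", device_token(ALICE, KEY_GAME_A)),    # Alice saw ad-17
               ("ad-42", device_token(BOB, KEY_GAME_A))]      # Bob saw ad-42
    game_rows = [("game-a", device_token(ALICE, KEY_GAME_A))]  # only Alice installed
    matches = attribute_installs(ad_rows, game_rows)
    # The same device under another game's key yields an unrelated token,
    # so the two games' tables cannot be joined with each other.
    linkable_across_games = (device_token(ALICE, KEY_GAME_A)
                             == device_token(ALICE, KEY_GAME_B))
    return matches, linkable_across_games

if __name__ == "__main__":
    print(demo())
```

Within one game the token is still a stable pseudonymous identifier, and because the key ships inside the client, anyone who extracts it can recompute tokens for guessed attribute sets.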

~~~
KaoruAoiShiho
I guess I don't understand in what way that's a privacy risk. They have the
device fingerprint, isn't that just the device id, like a name? This is only
meaningful if paired with another piece of information, like your personal
identity or other tracking. In this case it's game sales which I think is
definitely a positive thing. I mean if they were tracking other things or
keylogging or something I would be mad but...

~~~
foepys
They are apparently also logging the Steam ID which is unique for each Steam
account. In my eyes the Steam ID is PII as very few people with more than one
game on it will change their Steam account.

~~~
Fnoord
Although making a one way hash is the right way, having no opt-in is not in
the EU. Also, you'd be surprised at what counts as PII in the EU. I know I've
been after I read a lawyer's blog on the matter (sadly in my native language).

