The responses from the game companies have been absolutely pathetic so far. They amount to "Blah blah blah, bbbbbut marketing!!" No apologies for what they were doing, just "sorry we got caught". No shame at all, and no recognition that they were shipping malware to their customers. Some have promised to remove it but find some other way of using my computer against their users. My computer is not a free resource for your marketing department.
If the software is so benign, offer it to users as a totally optional install or a separate download, and see how many agree to that offer.
EDIT: For example, see the official response from the Quake Champions team [1]. Summary: This data vacuum is actually for your own good. That said, we’re busted! So we will remove it for now, and we will tell you about it when we add it later, when everyone chills out.
EDIT2: Wow, so much garbage the further you get through the article:
> [Adam Lieb] expressed his frustration with the response online, which he says painted a false picture of Red Shell as a spyware programme trying to sell data for malicious purposes.
spy·ware
noun
software that enables a user to obtain covert information about another's computer activities by transmitting data covertly from their hard drive.
While they may not be selling the data for malicious purposes, it is, by definition, spyware.
There needs to be some kind of codified Consumer Bill of Rights that says, in effect, "We paid for your product. You do not get to monetize us further after the point of sale."
Companies could then signal whether they agree to adhere to that code of conduct or not, and use it as a selling point for consumers to tell, at a glance, whether they want to support said company or not.
I would settle for aggressive sandboxing built into the OS. Something that tells me, "This application has permission to run full-screen, play audio, and contact the network. You may revoke these permissions individually. It cannot run invisibly in the background. It cannot read your files."
The tracking from Red Shell would be very hard to stop at the OS-level, because the things they're gathering are all stuff that has legitimate relevance to the game (e.g. the game may want to know what CPU, RAM, and videocard you have for recommended settings). Further, an internet connected game needs an internet connection to work.
So it would be very hard for the OS to tell the game, "You can send packets about the player's current position in the gameserver, but you can't send packets back to the software developer that contain fingerprint information." The developer would just encrypt the info and send it all to the same destination to make all packets look the same.
I think people are less concerned about hardware specs and more concerned about cataloging of software installed, logging DNS traffic, and capturing PII.
What do you do when the OS itself is spyware? There's a reason vendors like requires all Android vendors to install Google apps on phones, because all their apps (especially Play Services) have every possible permission enabled by default and it's not possible for consumers to disable it. Windows 10 too is ridden with telemetry and all the 'spyware options' (ex. send my keystrokes to the cloud) are enabled by default.
Calling it a "codified Consumer Bill of Rights" makes it sound like you want it to be a law, but the second half of your statement makes it sound like you want it to be like the "certified humane" label on the eggs that I buy.
I have no problem with it being an optional label, but I see no reason it should be enforced legally.
Yeah, maybe not the best naming convention. It might be easier to call it a "reverse privacy policy": what we want you to do with our data.
I envision the agreement would be non-binding--it would simply be a list of things we the Consumers want our companies to agree to. The companies can then say yes, we agree to follow your guidelines (perhaps introduce some third party to "certify" that the guidelines have been followed if companies start lying about it).
Companies will keep installing spyware on people's computers because they never receive any negative consequences of doing so. Sony installed rootkits on millions of computers and nothing happened, nothing will happen here. The law needs to catch up and actually defend our privacy, principles aren't going to cut it.
I don't believe it is accurate to say that nothing happened in the Sony case. They were sued by state governments, the FTC, and faced class action lawsuits. They also incurred the cost of recalling the affected CDs.
If you're privacy conscious and weren't aware, you can virtualize your gaming OS of choice with near native performance using VFIO. With this, you can contain Windows telemetry and unwanted spyware into a disposable VM (if it weren't infringing, I'd vote a community created Windows gaming container be called "gladware"), freeing your host from unwanted reporting, data collection, and general "Microsoft has root" fuckery.
All you need is a Linux host, some capable entry-level hardware, and two hours in the morning before the house is awake for the initial setup.
This only works if you have two graphics cards, no? Either onboard graphics + dedicated GPU, or dual GPU. And some CPUs, such as first gen Ryzen (e.g. 1700), do not have built in graphics. And that assumes you always want your better GPU to run Windows rather than Linux.
Just SSH in, then after you've done the other configurations and added the GPU's PCI ids to vfio-pci, create the VM with virsh, attaching the GPU. Run "virsh autostart [vmname]", and it'll spawn automatically at each boot.
If you need a host with graphics, you can always unbind the GPU from the host and allow it to be re-attached to VMs if you don't need a headless hypervisor. I know I've seen a few small bash scripts on github for reference.
VFIO relies on IOMMU capability to allow devices to be passed through to guests, but it isn't just IOMMU. The common modern arrangement for VFIO is to use KVM+qemu with libvirt.
Of practical concern is finding out which devices are in which IOMMU groups, because devices within the same group can't be split. For instance, if you had an ethernet controller with two ports, they'd both likely be in the same group, so you couldn't give one to the host and one to a VM.
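An added example, not part of the thread: listing IOMMU groups from sysfs to see which devices would have to be passed through together. It assumes the standard Linux `/sys/kernel/iommu_groups` layout; the function names are chosen here for illustration.

```python
import os

SYSFS_IOMMU = "/sys/kernel/iommu_groups"  # standard Linux sysfs location


def iommu_groups(root=SYSFS_IOMMU):
    """Return {group_number: sorted PCI addresses} read from sysfs.

    An empty dict means the directory is missing, which usually indicates
    the IOMMU is disabled in firmware or on the kernel command line.
    """
    groups = {}
    if not os.path.isdir(root):
        return groups
    for name in os.listdir(root):
        dev_dir = os.path.join(root, name, "devices")
        if name.isdigit() and os.path.isdir(dev_dir):
            # Each entry is named after a PCI address such as 0000:03:00.0
            groups[int(name)] = sorted(os.listdir(dev_dir))
    return groups


def group_of(groups, address):
    """Return the group number holding `address`, or raise KeyError."""
    for number, devices in groups.items():
        if address in devices:
            return number
    raise KeyError(f"{address} is not in any IOMMU group")


def companions(groups, address):
    """Devices that share a group with `address` and move with it."""
    return [d for d in groups[group_of(groups, address)] if d != address]


def can_split(groups, dev_a, dev_b):
    """True only if the two devices sit in different IOMMU groups,
    so one can stay on the host while the other goes to a guest."""
    return group_of(groups, dev_a) != group_of(groups, dev_b)


if __name__ == "__main__":
    for number, devices in sorted(iommu_groups().items()):
        print(f"group {number:3d}: {' '.join(devices)}")
```
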
People do it because they effectively have a choice between accepting spying or not playing at all; we don't have a perfect market with an infinite number of choices, there are just a few major game makers and all of them want to have tracking.
If nothing changes then tomorrow companies might be copying your whole disk content to their servers. This way they would earn more profit than without disk image analysis.
>"People can have their own opinions on it but our data is not personally identifiable information (PII),"
Err..isn't the point of this exercise to have enough data to identify who bought the game and why? I feel the exact kind of computer I use and the various customizations that lead to it being a unique machine are very personal and identifiable.
They "just" have a profile of "a person" that happens to match you to the last tiny detail. They don't put your name as a label onto that data, so it's "not" identifiable. Makes no difference for marketing purposes if they don't want to address you by name. But yeah, once linked to your name by one of those many, many data points they collected, it is very personal....
Because the people who work in the health industry understand that usually all it takes is a name and some tiny fact like your address to unmask the dataset after the fact.
I don’t think it’s about availability of money, companies don’t spend money they don’t have to. IANAL but I believe it’s about HIPAA and related legislation making it their liability.
Regarding the GDPR this is PII. They can squeal and wiggle. But as they use a thing called the internet to transfer this data, they receive something like an IP address. And that is PII.
It wouldn't be a problem to collect that. If I am informed as well as have the (easy) ability to opt out.
Did they collect after the 25th of May? Wouldn't they be liable regarding GDPR?
The GDPR uses the term "personal data" rather than PII. Any data can become personal data if it could be related to an individual by any practical means. Whether or not you collect my name, address or social security number is largely immaterial - if you can figure out who I am based on the data you collect, then it's personal data.
That's the whole game, pretend that the information is not personally identifiable but it's just one lookup away when the person uses his credit card on any website that is part of the net.
A famous experiment was when Yahoo (I think) released a dump of anonymised search queries, however, they had a user identifier for each query so it was simple enough to combine the queries and find the person.
For the EU, the definition in the GDPR should cover this. From Article 4(1):
> ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
I'm a fun example here too. Through a quirk of how addresses are assigned in my city, and how postal codes are assigned in Canada, my house has a unique postal code. Given our postal code, you have 100% certainty, and 50% probability between me or my partner.
What contexts are you thinking of? I’d agree in the context of discussing de-anonymizing data. But all the policy, e.g., GDPR, and licenses that I’ve seen so far mean specifically 100% directly identifiable (such as name & address or SSN) when they say “personally identifiable information”, and especially when they use the acronym PII.
> ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
[...]
> ‘profiling’ means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;
> ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
To layer on some interpretation:
* Red Shell is collecting information
* which relates to "an identifiable natural person"
* who "can be identified [...] by reference to [...] one or more factors specific to the physical [...] identity of that natural person"
* where these factors are the information Red Shell is collecting about the software and hardware of their physical devices
* and thus are "personal data", as regulated by the GDPR.
Given that their primary purpose is identifying users, they're going to have a hard time arguing that they don't fall under the GDPR's jurisdiction.
One of the various "protecting personal information" trainings I had to do for a US Govt job made mention of multiple non-identifiable pieces of information that combined could identify a person falling under PII, but how many is ok to put together was left purposely ambiguous.
Just the fact that I browse exclusively in private mode from Australia, don't accept third party cookies, apparently have Ghostery installed and use Safari vX.Y is enough to narrow down my identity to about one person give or take.
The information collected in this program is more than enough to identify me personally, and probably enough to start making some kind of psychological profile to help them predict how to convince me to vote for Donald Trump (or in my case, a Liberal Party member).
If the data isn't at least somewhat identifiable, then how is it actionable?
This is why I roll my eyes back into my head every time some marketing suit says "well we anonymize the information" and it's just flat out ridiculous if you think about it, if the information was properly anonymized, then IT COULDN'T BE USED FOR AD TARGETING. Full. Stop.
So if the data collection is for ad targeting, then it's identifiable because it can't not be otherwise it would be useless for the thing it's collected for.
No, the point is to collect enough info to link a user who launched the game to someone who clicked an ad.
The problem Red Shell is trying to solve is the "download divide" -- You can track clicks/users on the web before they download, and you can track them after they launch your product, but you can't easily connect the two.
As for why devs want this, if you know ad campaign 1 cost $1 and had 2000 clicks, and ad campaign 2 cost #1 had 1000 clicks, that is helpful but what you really want to know is "what is the lifetime value (LTV) vs cost of acquisition of users from campaign 1 vs 2" because if LTV is significantly different then despite higher cost it may clearly be worth it. But if you can't connect a user from before the download to after you can't do this sort of calculation.
Devs really don't care who the users are, we just want to know how effective a campaign is compared to one another.
Source: Was planning on integrating Red Shell ourselves before this (false) outrage made us cancel our plans.
While I agree that is what they officially say they do, the means employed go beyond that. From the article:
> "These are generally data points about the user’s device, such as its operating system, installed fonts, browsers (and versions) used, timezone, language, the user’s in-game ID, and screen resolution. This is what Red Shell calls a ‘fingerprint’, which can also be made on games consoles as well as PCs."
Such a fingerprint is very unique and can easily be connected to a person with very little effort down the line, even if now nobody does that (yeah, right).
Personally, I do not trust any company that collects such detailed information without my informed consent and without a clear (i.e. verifiable and legally enforceable) pledge to delete that information when the original purpose has been served. This is exactly the overshooting behaviour that was rightfully targeted by the Europeans with their recent data protection law.
That is correct. Red Shell also specifies to devs you should configure it to report some of those and not all should be reported. It provides guidelines for how many to report based on how many unique users you have/are expecting.
All of these factors are available to web browsers (which is why they were chosen, so they can be matched up to web clicks). These are tracked in most web analytics suites today by default.
Based on my research I don't believe that these (even all of them together) are PII.
No, I don't trust Google either. But at least Google is somewhat open about the fact that they collect the data. I can have a look at it and I have settings to influence and even delete (probably) what is being collected.
That is vastly different from a spyware module installed clandestinely together with a software I paid for that sends data about me to somewhere and somebody then does something with it that I don't know about.
No, they don't, and they are just as subject to the GDPR as anybody else is, in fact, probably more given the EU decisions lately and because they're a huge big, fat target.
The distinction here is that they have been doing it a very long time, and user privacy actually is a core tenet of what they worry about at Google.
You can install browser extensions to block that kind of tracking, or you can go nuclear (as I have) by disabling JavaScript altogether. When I buy a game, I do not have this freedom.
How is this false outrage? Even if a particular dev doesn't care about who the users are, the data is being tracked and can be used by anyone with access to that data to track people. Consumers do not want to pay money for a product and then also have their data harvested to be used to make even more money off of them.
If you really think this is false outrage you need to work on seeing things from other people's viewpoints
Many reddit posts have outright stated that Red Shell was "spyware" with no indication that 1) they were misusing data 2) no data that is harmful was being collected.
> Consumers do not want to pay money for a product and then also have their data harvested to be used to make even more money off of them.
Agreed. And both the game devs and Red Shell as far as I can see aren't selling this data. The devs are spending money to use Red Shell to try to have better / more cost effective advertising campaigns.
The fact that the actors involved are not _currently_ selling the data does not mean that can't change in an instant. Many other companies have pulled the "we're not selling your data" card only to switch later. Consumers do not trust companies to harvest this data anymore because as a class, companies have proven themselves untrustworthy.
They are outraged because the data is being collected at all, not what you are using it for
If you want better/more cost effective campaigns, do what was done in the past: just fucking ask!
The nature of marketing hasn't changed at all over the years. Show an impression, ask what the user was influenced by. Surreptitiously stealing data off of someone's computer as a means of answering the question is flat out the wrong way to do it.
You don't get to decide what data I need to share with you or your advertising partners, or what constitutes a misuse of my data. That's up to me. I get to make that decision.
If you take my personal data without my consent, I will consider that an intrusion upon my privacy.
Yes, but if you solve that problem, it implicitly means that you have a fingerprint of me that can be correlated across the web. So, next time I access a different game, someone can know that I'm the same person who bought the original, and perhaps try to persuade me based on that. Whether anyone does so or not is irrelevant - the only way I can try to ensure it doesn't happen is to try to never leak this data about myself.
Everything involved in targeted advertising is a social liability. Advertising companies owe nothing to consumers and disrespect them like it's their duty, so people rightfully hate intrusions by advertisers. Sorry your business model apparently depends on that but it's a shitty model of commerce that deserves to die.
Steam (and others) really should scan for that kind of spyware in the files they provide to the players. Add a warning maybe (Contains a known spyware) or flat out refuse the editor to bundle that file with their game/app/whatever.
Great suggestion. I agree that the distributor (Steam) should have to answer why they are allowing this malware to be distributed over their platform. They would reject a game that contained a virus or ransomware, but spyware is OK?
I'd be surprised if Valve didn't have their own fingerprinting tech, e.g. for tracking users across multiple accounts (practical, benign use case: banning cheaters who were VAC banned but make new accounts).
One of the ways malicious people circumvent that is to leverage the scripting that many of the games support. I have dug into many games that use LUA scripting and have appalling security practices. The worst offender is Garry's Mod. Trivial to dox players and fairly trivial in some cases to take over the players' machines.
I'd rather have the operating system provide this protection. Mobile OS, especially iOS really seems like the optimal model.
Give apps a secure sandbox by default, and require them to prompt for any external or 'dangerous' permissions. This gives ultimate control to the user.
Why don't these game companies use a promotion code in their ads to track the ad to a sale? That way the customer feels like they're getting a deal and there is no need to fingerprint their machine. This seems like a fairly common practice in other industries.
Since what they check against is a fingerprint, couldn't Red Shell just hash the data they create that fingerprint from, making it so they can guarantee that they don't really know anything about the player's data, just that it fits the one that saw the ad?
This seems so simple I almost feel like they would have some reason not to do it. Do they make money selling the data as well as the fingerprint matching?
Or am I completely misunderstanding it all?
The problem with hashing it, from their perspective, is probably that they would like to be able to do analysis on the shared traits of the individuals whose data they harvested.
If you mean hashing the whole blob of data, one issue could be that if they ever wanted to add a new tracking data point, they would lose backward compatibility with their previously collected values. I guess they could fix that by making the hash of the added stuff separate, but that would be pretty weak when there isn't a ton of possibilities for the new data points.
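An added example, not part of the thread, working through the two hashing schemes discussed in the comments above: one digest over the whole fingerprint versus one digest per data point. The attribute names and values are constructed from the data points the article lists, and the function names and candidate lists are assumptions made for illustration.

```python
import hashlib
import json

# Constructed sample fingerprint; not real Red Shell data or its wire format.
SAMPLE_FINGERPRINT = {
    "os": "Windows 10",
    "timezone": "Australia/Sydney",
    "language": "en-AU",
    "screen": "2560x1440",
    "fonts": "Arial,Calibri,Consolas,Segoe UI,Tahoma",
}

# Small value spaces anyone can enumerate (constructed, deliberately short).
CANDIDATES = {
    "timezone": ["America/New_York", "Europe/Berlin", "Australia/Sydney"],
    "language": ["en-US", "en-GB", "en-AU", "de-DE"],
    "screen": ["1920x1080", "2560x1440", "3840x2160"],
}


def _digest(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def blob_hash(attrs):
    """One digest over the whole fingerprint, in a canonical key order."""
    return _digest(json.dumps(attrs, sort_keys=True, separators=(",", ":")))


def field_hashes(attrs):
    """One digest per data point, so new data points can be added later."""
    return {field: _digest(f"{field}={value}") for field, value in attrs.items()}


def recover_fields(hashed, candidates):
    """Show which per-field digests give no protection: hash every
    candidate value and compare. Fields with few possible values fall."""
    recovered = {}
    for field, digest in hashed.items():
        for value in candidates.get(field, ()):
            if _digest(f"{field}={value}") == digest:
                recovered[field] = value
                break
    return recovered


if __name__ == "__main__":
    extended = dict(SAMPLE_FINGERPRINT, gpu="ExampleGPU 1000")  # new data point
    # Whole-blob hashing: the old digest no longer matches after the change.
    print("blob still matches:", blob_hash(extended) == blob_hash(SAMPLE_FINGERPRINT))
    # Per-field hashing: old digests survive, but small fields are readable.
    print("recovered:", recover_fields(field_hashes(SAMPLE_FINGERPRINT), CANDIDATES))
```

The whole-blob digest still works as a stable matching key across sites, so it remains an identifier even though its inputs are hidden.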
The article wonders, why people got upset about Red Shell on Conan Exiles for example, but not on Civilization VI...
I think it is related to two very important details.
First, Red Shell's purpose, as stated by Red Shell themselves, is to create a "fingerprint" of the computer, yes, each tidbit of info separately is not "identifiable" but the purpose of the software is to build identifiable information in the first place.
And second... the game where people found Red Shell first, and went nuts about it, Conan Exiles, is a game that lots of people don't want anyone to know they play it, the game has lots of very politically incorrect themes (slavery for example), and is very popular to use for Erotic Roleplay... People of course get paranoid when there's tracking software in their porn!
Also, the other article on the HN front page right now is about Civilization VI removing Red Shell after a backlash. (I suspect that article is what led to someone submitting this older one about the other games it was removed from.) The article's claim that there was no backlash against Civ VI just doesn't stand up. It reads like Wired is uncritically regurgitating the publishers' PR spin justifying spying on their customers.
Interesting things people are saying in that forum thread.
Claims that deleting the related file causes the game to no longer launch. Why is that necessary for marketing tracking or were they just too lazy to skip over that particular file not found error?
That the SteamID can be transmitted. Seems like identifiable information to me despite the claims otherwise.
There is a way to opt out of the tracking. Going to the opt out page I see a request for your gamer ID for the game in question. Which goes back to that being identifiable information. It also states a game could have opt out options in place so I'm wondering why those seem to not be available in the game?
At this point I say I'm surprised that there actually is surprise from developers at this backlash. This sort of thing gets attempted every few years and comes to the same result.
As a general rule, if the data can be used to identify some users, it falls under the GDPR. From Article 4(1):
> ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
The "contact us" link on the tracker's website appears to be broken: https://www.redshell.io
Not sure if that is deliberate or not, but I'd like to submit a GDPR subject access request! Coincidence? perhaps.
Edit: privacy@redshell.io Looks like their webpage might be trying to do a "mailto:" link? For me it just opens a blank window and I can't be bothered to try and pick apart their javascript.
> "Google tracks a lot more things than Red Shell, but people never complain about it."
Sorry Abid, but that's not true. I avoid Google products and services because I am uncomfortable with how invasive their tracking program is. I've worked in advertising tech, and I have a good idea of what goes on inside these companies. I do not ever want to participate in that ecosystem again. I even browse the web with JavaScript disabled in order to avoid tracking.
That said, I don't blame Abid. I know it can be hard to bootstrap a small games studio. In fact, I played one of his studio's games (the weapon shop one) and it was fun. I wish him and his company luck, but I hope he doesn't go back to tracking customers without consent. I avoid purchasing products that include this kind of tracking.
I don't get why this would stir controversy while Google Analytics would not - it appears they collect the same type of information. Are game devs not allowed the same type of tools that web devs are?
Perhaps it's because this tracking software is installed onto your machine without your consent, allowing it to be considered spyware. I agree that Google Analytics is just as bad, if not worse, but the fact that it's contained within webpages makes it harder to claim that it's spyware.
On the web, you can at least use a tracking blocker. That's much harder to do in games (unless you're blocking on the DNS level, which is at least a bit more involved than installing uBlock Origin).
You'd be surprised. Even though ublock origin and uMatrix are blocking most things, they're still able to build a unique fingerprint based on installed fonts, hash of canvas fingerprint, webGL fingerprint, etc.
Red Shell could theoretically do whatever the hell it wants on your machine. And if it uses online updates, then you really never know what it could be tracking at any given time.
To me this looks like deceiving the customer. The advertisement for the game doesn't say that it would spy on you. People buy software thinking that it is just a game. There should not be such type of hidden functionality.
This should not be normal. If the company wants to use tracking and analytics then they should at least disclose it in advertising materials, and on the game store page. Or maybe make two versions of the game, with and without tracking, so that anyone would be free to choose whatever they prefer.
And who cares about marketing or ad performance? That is not a consumer's problem.
It'll likely have a different vendor with the exact same issues, but will take longer to be noticed.
There is absolutely no game on Steam without DRM and anti-cheat rootkits. None. Zero. All games there have either or. Including Steam itself. It's all a matter of how far they go.
Despite their claims, I've never seen any opt out options like that. Games simply always collect data and send it "home". And really this should be opt-in.
1: https://steamcommunity.com/games/611500/announcements/detail...