
The responses from the game companies have been absolutely pathetic so far. They amount to "Blah blah blah, bbbbbut marketing!!" No apologies for what they were doing, just "sorry we got caught". No shame at all, and no recognition that they were shipping malware to their customers. Some have promised to remove it but find some other way of using my computer against their users. My computer is not a free resource for your marketing department.

If the software is so benign, offer it to users as totally optional install or a separate download, and see how many agree to that offer.

EDIT: For example, see the official response from the Quake Champions team [1]. Summary: This data vacuum is actually for your own good. That said, we’re busted! So we will remove it for now, and we will tell you about it when we add it later, when everyone chills out.

EDIT2: Wow, so much garbage the further you get through the article:

> [Adam Lieb] expressed his frustration with the response online, which he says painted a false picture of Red Shell as a spyware programme trying to sell data for malicious purposes.

spy·ware

noun

software that enables a user to obtain covert information about another's computer activities by transmitting data covertly from their hard drive.

While they may not be selling the data for malicious purposes, it is, by definition, spyware.

1: https://steamcommunity.com/games/611500/announcements/detail...



There needs to be some kind of codified Consumer Bill of Rights that says, in effect, "We paid for your product. You do not get to monetize us further after the point of sale."

Companies could then signal whether they agree to adhere to that code of conduct or not, and use it as a selling point for consumers to tell, at a glance, whether they want to support said company or not.


I would settle for aggressive sandboxing built into the OS. Something that tells me, "This application has permission to run full-screen, play audio, and contact the network. You may revoke these permissions individually. It cannot run invisibly in the background. It cannot read your files."


The tracking from Red Shell would be very hard to stop at the OS-level, because the things they're gathering are all stuff that has legitimate relevance to the game (e.g. the game may want to know what CPU, RAM, and videocard you have for recommended settings). Further, an internet connected game needs an internet connection to work.

So it would be very hard for the OS to tell the game, "You can send packets about the player's current position in the gameserver, but you can't send packets back to the software developer that contain fingerprint information." The developer would just encrypt the info and send it all to the same destination to make all packets look the same.


I think people are less concerned about hardware specs and more concerned about cataloging of software installed, logging DNS traffic, and capturing PII.


What do you do when the OS itself is spyware? There's a reason vendors like requires all Android vendors to install Google apps on phones, because all their apps (especially Play Services) have every possible permission enabled by default and it's not possible for consumers to disable it. Windows 10 too is ridden with telemetry and all the 'spyware options' (ex. send my keystrokes to the cloud) are enabled by default.


Calling it a "codified Consumer Bill of Rights" makes it sound like you want it to be a law, but the second half of your statement makes it sound like you want it to be like the "certified humane" label on the eggs that I buy.

I have no problem with it being an optional label, but I see no reason it should be enforced legally.


Yeah, maybe not the best naming convention. It might be easier to call it a "reverse privacy policy": what we want you to do with our data.

I envision the agreement would be non-binding--it would simply be a list of things we the Consumers want our companies to agree to. The companies can then say yes, we agree to follow your guidelines (perhaps introduce some third party to "certify" that the guidelines have been followed if companies start lying about it).


In the EU, we call it GDPR.


Companies will keep installing spyware on people's computers because they never receive any negative consequences of doing so. Sony installed rootkits on millions of computers and nothing happened; nothing will happen here. The law needs to catch up and actually defend our privacy; principles aren't going to cut it.


I don't believe it is accurate to say that nothing happened in the Sony case. They were sued by state governments, the FTC, and faced class action lawsuits. They also incurred the cost of recalling the affected CDs.


If you're privacy conscious and weren't aware, you can virtualize your gaming OS of choice with near native performance using VFIO. With this, you can contain Windows telemetry and unwanted spyware into a disposable VM (if it weren't infringing, I'd vote a community created Windows gaming container be called "gladware"), freeing your host from unwanted reporting, data collection, and general "Microsoft has root" fuckery.

All you need is a Linux host, some capable entry-level hardware, and two hours in the morning before the house is awake for the initial setup.


This only works if you have two graphics cards, no? Either onboard graphics + dedicated GPU, or dual GPU. And some CPUs, such as first gen Ryzen (e.g. 1700), do not have built in graphics. And that assumes you always want your better GPU to run Windows rather than Linux.


It can be run with a single graphics device.

Just SSH in, then after you've done the other configurations and added the GPU's PCI ids to vfio-pci, create the VM with virsh, attaching the GPU. Run "virsh autostart [vmname]", and it'll spawn automatically at each boot.

If you need a host with graphics, you can always unbind the GPU from the host and allow it to be re-attached to VMs if you don't need a headless hypervisor. I know I've seen a few small bash scripts on GitHub for reference.


> VFIO

Stupid question (since there is no Wikipedia lemma for that term): is that the same as IOMMU? http://enwp.org/IOMMU_hardware_list


VFIO relies on IOMMU capability to allow devices to be passed through to guests, but it isn't just IOMMU. The common modern arrangement for VFIO is to use KVM+qemu with libvirt.

Of practical concern is finding out which devices are in which IOMMU groups, because devices within the same group can't be split. For instance, if you had an ethernet controller with two ports, they'd both likely be in the same group, so you couldn't give one to the host and one to a VM.

IOMMU info: https://heiko-sieger.info/iommu-groups-what-you-need-to-cons...

VFIO explanation: https://www.kernel.org/doc/Documentation/vfio.txt

VFIO community: https://www.reddit.com/r/VFIO/

Archwiki: https://wiki.archlinux.org/index.php/PCI_passthrough_via_OVM...
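
The IOMMU-group check described in the comment above, as an added example that is not part of the thread or any commenter's script: it reads the kernel's `/sys/kernel/iommu_groups` tree and reports which devices would have to move to the guest together. The function names and the `IOMMU_ROOT` override are assumptions of this example.

```sh
#!/bin/sh
# Added example: inspect IOMMU groups before handing a device to vfio-pci.
# IOMMU_ROOT is overridable (an assumption of this example) so the functions
# can be pointed at a constructed tree instead of the live sysfs.
IOMMU_ROOT="${IOMMU_ROOT:-/sys/kernel/iommu_groups}"

# Print the group number holding PCI address $1 (e.g. 0000:01:00.0).
# Returns 1 when the address is in no group (IOMMU disabled, wrong address).
iommu_group_of() {
    for path in "$IOMMU_ROOT"/*/devices/"$1"; do
        [ -e "$path" ] || continue
        path="${path%/devices/*}"
        echo "${path##*/}"
        return 0
    done
    return 1
}

# Print "address vendor:device" for every device sharing a group with $1.
# The whole set moves to the guest together.
iommu_group_members() {
    group="$(iommu_group_of "$1")" || return 1
    for dev in "$IOMMU_ROOT/$group"/devices/*; do
        [ -e "$dev" ] || continue
        vendor="$(cat "$dev/vendor" 2>/dev/null || echo '0x????')"
        device="$(cat "$dev/device" 2>/dev/null || echo '0x????')"
        echo "${dev##*/} ${vendor#0x}:${device#0x}"
    done
}

# Succeed only if every member of $1's group is among the addresses $2...,
# i.e. passing the group through takes nothing unexpected from the host.
iommu_group_is_clean() {
    target="$1"; shift
    members="$(iommu_group_members "$target")" || return 1
    for addr in $(printf '%s\n' "$members" | cut -d' ' -f1); do
        ok=0
        for allowed in "$@"; do
            if [ "$addr" = "$allowed" ]; then ok=1; fi
        done
        if [ "$ok" -ne 1 ]; then
            echo "unexpected group member: $addr" >&2
            return 1
        fi
    done
}

# Stand-alone use: ./iommu.sh 0000:01:00.0
if [ "$#" -gt 0 ]; then iommu_group_members "$1"; fi
```

A group that fails `iommu_group_is_clean` contains a device you did not plan to give away, such as the second port of the Ethernet controller in the example above.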


As outraged as people pretend to be, they'll still buy the next game.


People do it because they effectively have a choice between accepting spying or not playing at all; we don't have a perfect market with an infinite number of choices, there are just a few major game makers and all of them want to have tracking.

If nothing changes then tomorrow companies might be copying your whole disk content to their servers. This way they would earn more profit than without disk image analysis.


I don't know, it might be a contributing factor for piracy. They should value their paying customers more.

If it's free I'm the product: fine. I can live with that. But if I pay for something I don't want spyware and targeted ads.


What's your point? Buying the next game doesn't prove people agree.



