This Dumb Industry: Red Shell

By Shamus Posted Tuesday Jul 24, 2018

Filed under: Column 132 comments

This is a crazy story right out of a (admittedly dull) cyberpunk novel. Someone discovered that a bunch of PC games were using third-party “spyware” called Red Shell. There’s no way to know what information Red Shell was sharing, but it it had evidently been running inside of a lot of games for some time without being noticed.

People made a fuss on Reddit, the story gained some traction, and many developers began patching Red Shell out of their games. Some of them did so without comment, while others downplayed the move. The patch notes either failed to mention Red Shell at all, or they simply said “Removed Red Shell” without elaborating on what Red Shell was or what it was doing.

A few companies made official statements. A ridiculous number of them claimed that while Red Shell was included in the install, it had never been active and don’t worry about it we’re getting rid of it anyway you can trust us we’re dedicated to security etc etc etc.

This story has been simmering for a month or so. It was quickly picked up by Polygon, Wired, and PC Gamer, but it didn’t seem to make many waves at the time. I didn’t hear about it until 2 days ago.

As of this writing, the story is still developing. New games are being discovered to include Red Shell, and previously discovered games are patching it out and doing PR damage control. A few games got ahead of the curve and patched it out before being noticed.

I can’t find a single canonical list of all known Red Shell games. The closest thing we have is the Reddit thread that seems to have started it all, and that’s a patchwork of daily updates rather than an organized list. A lot of impacted games are small-time / obscure titles, but the list does include a fair share of big names:

  • Dead by Daylight
  • Civilisation 6
  • Elder Scrolls Online
  • Conan Exiles
  • Secret World Legends
  • Vermintide
  • Quake Champions
  • Kerbal Space Program

In some cases, the developers have already patched out Red Shell. In others, they’ve pledged to patch it out the next time they push an update.

In Defense of Red Shell

Big Brother is watching you. However, Big Brother is watching a LOT of people and sometimes he has trouble keeping up.
Big Brother is watching you. However, Big Brother is watching a LOT of people and sometimes he has trouble keeping up.

The developers of Eternal Card Game have actually taken a stand and defended the practice. I think their position offers important context for why some developers have adopted Red Shell and I’m glad they spoke up rather than quietly removing it. I object to the use of Red Shell because I see this as a rather dangerous slippery slope, but I think the key to sorting this out is having an honest discussion about it. So I really appreciate the ECG devs being candid.

In the interest of making sure their viewpoint is heard, I’m going to reprint their talking points here. However, I encourage you to read their entire post for the full context.

  • From February 1, 2018 to March 23, 2018, we used Red Shell to help us measure the effectiveness of advertising campaigns promoting Eternal on Steam.
  • Despite a few loud claims to the contrary, Red Shell is NOT Spyware – they have not collected, stored, or sold any personally identifying information at any time, and they are compliant with the GDPR.
  • See the Red Shell FAQ here, which offers a GDPR-compliant opt-out option on this page.
  • Their FAQ explicitly rebuts many of the claims made in these threads about tracking browser history, correlating multiple games played, etc.
  • To reiterate: Red Shell collects nothing.
  • Red Shell lets us compare a list of devices that click on an ad link to a list of devices that install Eternal to create a non-personally-identifying link between ads, and installs. See the link to their FAQ above on how this works without compromising personally identifying information.
  • This usage (by both DWD and Red Shell) is compliant with both the GDPR and all applicable laws.
    (You’re likely to find that the ads and ad-tracking software embedded on your favorite gaming news websites are far more intrusive. A couple of those sites have written about this topic and about us without bothering to dig into the facts of the issue, or to ask us for comment.)

  • Since March 23, 2018, Red Shell has not been part of any Eternal advertising efforts.
  • The decision to temporarily suspend the usage of Red Shell was in no way related to the present conversation.
  • The Red Shell integration has remained in the game since that time. We have always intended to resume using Red Shell to better-inform our advertising efforts.
  • On June 10, 2018, this Reddit thread began to stir up conversation rooted in wild speculation, unfounded accusations, and near-total misinformation about the realities of digital advertising, game publishing, and the law.
  • We responded the same day we became aware of the conversation, hoping to clear up the confusion and put an end to the misinformation being spread.
  • Since that time, a small number of users have continued to spread misinformation on this subject, and have chosen to ignore repeated explanations and any actual evidence of how this all works.
  • It’s worth noting that Red Shell is far from the only service to offer this kind of attribution solution – it’s just the one that a handful of users have turned into a bogeyman of imagined privacy violations. There are many other similar services helping a huge range of games and game developers overcome the data gap for games published on Steam and with ad performance on other platforms.

Here are some additional notes:

  • Eternal is one of the most genuinely free-to-play card games on the market, and we care very much about the type of experience we are providing for our customers. We want to be respectful of you guys, your time and your support, and we try to be as careful and ethical as we can be about our business model and how we use data.
  • We have never, would never, do anything improper to compromise player privacy.
  • We have never bought or sold any personally identifying information about players or potential players.
  • We are, and always have been, compliant with the GDPR and all applicable regulations.
  • We have never hidden or misrepresented any of this – we’ve got nothing to hide.
  • We do (and will continue to) advertise our products in ways that are ethical, transparent, and above the bar in terms of standards and practices used by just about every game publisher and website in the world. (And the list of similar software that is used in nearly every mobile game you might play is pretty long).

I notice that a lot of the games on this list are Free-To-Play, which is often supported through in-game advertising. One of the problems you face in these situations is that if you’re funding your game through advertisements, you need to be able to assure prospective advertisers that real people will be clicking on their advertisements. Advertisers want to know how many people will see the ad, how often they’ll see it, and how likely they are to click on something. The developer needs this information so they can sell the ad space, and the advertiser needs this information so they can appraise how their ad is doing.

In these situations, neither party is really interested in mining your PC for personal information. They just want to know if the system is working the way it’s supposed to.

There’s a distinction to be made here between “personal information” and “uniquely identifiable information”. If the system says 10,000 people clicked on an advertisement, we want to know if that was actually 10,000 different people or if it was just one guy with an auto-clicker bot. To figure this out, we need some way to tell one person from another. We don’t actually care WHO you are, we just want to know you’re a different person than the last person to click on this ad.

To make this work, you need to give everyone a unique ID number / string. This ID can be anything, but Red Shell suggests you to use the user’s Steam ID.

The problem people have at this point is that you can use that ID to look up the user. The ID itself might be impersonal, but it can be used to gain personal information. The supposed anonymity of the system is fragile and can easily become a Facebook-style data-harvesting machine. I’m willing to believe that the ECG developers are really earnest about what they’re trying to do, but I’ve been watching this industry for long enough to know that not everyone takes user privacy so seriously. I know other companies (and I’m talking about really big companies that love the free-to-play model) are willing to do anything they can get away with. Both companies are saying “trust me”, and unless you’re an expert at reverse-engineering and packet sniffing, you can’t tell what either one is doing.

It’s totally possible to use Red Shell in a benign way. For example, you could assign each account a randomly-generated hash to use as the Red Shell ID, which would make it basically impossible to turn the ID into personally identifying information. The service can just collect information relevant to advertising. In this way, a game using Red Shell is no more invasive than a website that uses cookies. Yes, your user information might be compromised if the developer suffers a catastrophic data breach, but that’s already true in the case of an online game. You already entrusted them with your personal information when you created your account, and Red Shell doesn’t offer any additional security or privacy risks.

On the other hand, it’s also possible for a developer to use Red Shell in an aggressive way. They could, if they wanted, plunder your hard drive for secrets and sell those secrets to whoever was willing to pay for themIgnoring the fact that this would be illegal in many places..

This Is Nothing New

Big Brother says: I'M BORED. DO SOMETHING INTERESTING ALREADY.
Big Brother says: I'M BORED. DO SOMETHING INTERESTING ALREADY.

The thing is, Red Shell doesn’t create any new privacy threats. If you’re running a game on your computer, that game has access to all kinds of information about you. The game could, if the developer wanted, begin uploading the contents of your entire /Documents folderHa! The joke’s on them. I don’t use /Documents. I keep all my info on Google Docs where no corporation can ever touch it. Oh wait.. Red Shell doesn’t enable developers to do anything they couldn’t do before. It simply offers a turnkey solution for devs who don’t want to hand-code their own tracking software. If Red Shell gets driven out of the industry by the public outcry, it’s not going to make our machines impervious to prying developers. It just means they’ll have to come up with a homebrew solution to the problem.

In fact, you could make the case that Red Shell actually makes things easier for us to keep an eye on developers. People are already figuring out how to detect Red Shell and monitor its behavior. We can use this to watch and see what kinds of information it’s sending back to the mothership. If Red Shell goes away and every developer writes their own custom version, then we’ll never be able to catch them all. Their implementations might be buggy, dangerous, poorly designed, or insecure, and we wouldn’t know it. If their tracking info was even slightly encrypted and mixed in with all the other networking code you find in the typical online game then it would take a lot of effort to reverse-engineer the whole thing and figure out what the developer is up to. It could be done, but it’s much easier if all developers are using the same easily-detectable package and the same set of known protocols.

A New Frontier in Worry

Maybe Big Brother wouldn't steal your information if you weren't so crap at securing it. That chain isn't even the right size!
Maybe Big Brother wouldn't steal your information if you weren't so crap at securing it. That chain isn't even the right size!

I am not saying that Red Shell is a good thing. I’m just saying that Red Shell is a symptom, not the source of the problem. Going by the number of games on the list, tracking users is something a lot of developers / publishers want to do, and that desire isn’t going to go away just because Red Shell gets a bad reputation. The public needs to understand the difference between “unique information” and “personal information”, and we need to come to some sort of rough agreement on what is “reasonable” information and what is “too much”.

Some people will take the hardline approach that they never want to share anything with any developer ever. That’s fine, although the vast majority of people would probably be willing to share a little information if it means they can play a free game. We’re going to have to deal with this one way or another. If our opposition is too apathetic, then the whole industry could slide into some sort of dystopic privacy-destroying nightmare, like has already happened in most of social media. On the other hand, overzealous and uninformed opposition will just push developers towards being more clever with obfuscating their tracking software.

The games that really perplex me are the single-player games with no in-game advertising. A lot of developers claimed that Red Shell wasn’t even active. Okay, let’s just assume we choose to believe that. If that’s the case, then why install it at all? What was Kerbal Space Program doing with it? What value could Red Shell possibly offer to KSP? Is this something a publisher is imposing on developers? Integrating third-party libraries takes some modest effort, whether that library is Speed Tree, a multiplayer networking solution, or Red Shell. Why would any developer put in the hours to add something that wasn’t useful to them?

I think there must be another dimension to this story that we’re not hearing yet. We’ll see how things develop over the next few weeks.

 

Footnotes:

[1] Ignoring the fact that this would be illegal in many places.

[2] Ha! The joke’s on them. I don’t use /Documents. I keep all my info on Google Docs where no corporation can ever touch it. Oh wait.



From The Archives:
 

132 thoughts on “This Dumb Industry: Red Shell

  1. Daemian Lucifer says:

    Despite a few loud claims to the contrary, Red Shell is NOT Spyware – they have not collected, stored, or sold any personally identifying information at any time, and they are compliant with the GDPR.

    Um,from the very page they linked:

    Our service basically says “this computer clicked on a link from this YouTube video and the same computer played your game.”

    Yeah,that IS spyware.If it were an opt IN thing,then fine.Plenty of games ask you if you would like to send info to them,and no one objects to that.But to have it automatically run,without the players knowledge,thats a big no no.

    1. Fizban says:

      But the magical EULA says you already opted into it. Speaking of which, where’s that firstborn you signed over?

      Seriously, every eula I skim over does seem to include a form of “we’ll be collecting data about things for things.” If it’s just doing that about the game then it’s not so annoying, but that’s not how they phrase it.

      1. SeekerOfThePath says:

        But the magical EULA says you already opted into it.

        Talking about collecting, processing, sharing… personal (!) data, having the consent hidden in EULA or any small print is in violation of GDPR. An explicit opt-in is required; in ideal situation, the user sees what information is collected, why it is collected, and has to take action (check a checkbox) to indicate consent.

        1. Decius says:

          Except no personal data is collected.

          1. Hector says:

            That is the claim now, *after* they got caught. It may not be true from the limited information available. But even if it is true, they installed dangerously unsecured backdoors on millions of computers. This kind of software can be manipulated or tampered with even under the best circumstances; and there’s no guarantee that other information was not lifted, too.

            I have also some pretty pointed questions about the intentions behind the use of this software, but that’s a different question. Suffice it to say that I have some real suspicions about devs using this kind of tracking.

            1. Decius says:

              “Backdoor”?

              That’s entirely unsupported by any evidence whatsoever, unless you also consider the software with which it was included as a “backdoor” that could be compromised by nefarious individuals.

              You can think they are lying, and if you bring up any evidence that the are, that would be a discussion. But accusing them of lying because you distrust their motives, and validating your mistrust of their motives with accusations that they are lying, is not going to convince me of anything.

              1. ThejungerLudendorff says:

                Maybe not a backdoor, but definitely a misuse (or even abuse) of their access rights. They were given writing permissions to install their game, not their unmentioned third party monitoring software.

          2. Moridin says:

            And you know that how? Because a developer with a vested interested in saying that claims it’s true?

        2. FluffySquirrel says:

          Yeah, as someone who recently had to look into GDPR, all of the claims of meeting it are entirely bullshit

          1. Zak McKracken says:

            +1
            Same here. “GDPR-compliant opt-out” is bullshit. the GDPR requires explicit, informed consent. That’s why us Europeans (also other people? not sure!) have these deliberately-annoying-on-purpose “agree to all the cookies, or go through this complicated menu” nag-screen on almost any website these days.

            Also, with websites, I know there may be cookies, and I can deactivate them in the browser. If I don’t even know about the (supposedly cookie-like) functions of Red Shell, I can’t disagree meaningfully, and definitely can’t give meaningful consent, either.

            The least the game would have to do is to show a menu asking for permission to send the dat in question, before sending anything. And it would need to offer a human-readable explanation of what’s being sent and for what purpose, in language which a non-lawyer can understand. And if I then say no, it would have to respect that.

      2. Shas'ui says:

        Ah, EULA’s. The modern, constant reminder of a certain scene from The Hitchhiker’s Guide to the Galaxy.

        “The plans have been on display, for the past 9 months!”
        “Yes, well, you hadn’t exactly gone out of your way to call much attention to them, had you?”

    2. Steve C says:

      Yeah the Eternal Card Game people really really don’t get it. Creating a link between ads and installs is not acceptable in and of itself to many people.

      You’re likely to find that the ads and ad-tracking software embedded on your favorite gaming news websites are far more intrusive.

      That doesn’t make what they are doing acceptable in the slightest. It is the logical fallacy of Tu quoque. It also ignores people who take steps to block all that intrusive website software embedded in ads. I run four different browser addons to block that kind of software. It is not acceptable. I can at least do something to block that because it isn’t baked into a product I purchased.

      1. DavidJCobb says:

        Creating a link between ads and installs is not acceptable in and of itself to many people.

        Sometimes, I turn on the radio and I hear an advertisement for a store. It’ll have something like, “Tell them Suzie sent you and you’ll get a 20% discount,” or “Use the code ‘evergreen’ to get 15% off your purchase!”

        That’s the exact same thing as this. Those offers are blatantly intended to measure how ads generate purchases, to compare radio, newspapers, and so on.

        There are plenty of fair objections to have here — to advertisers’ ability to generate these IDs instead of relying on surveys and user reporting, for example — but simply wanting to measure an ad’s efficacy is not itself villainous.

        1. Zak McKracken says:

          Wanting it is not the bad thing. Doing it in a way that ignores the user’s reasonable expectations of privacy, in secret, is villainous.

          They want to know if I click on something, but I maybe don’t want them to track my behaviour? Maybe I just want to play the game? There are laws about privacy, but no laws about me owing some ad company x amounts of data, so whose wishes do you think should have priority here?

        2. Daemian Lucifer says:

          What you are describing is the opt in method.User wants the discount,they opt in to use a specific code they got from a specific ad.Opt out in the case youve described would be someone hearing your listening to an ad,then stalking you until you buy sad product and then going to the boss to say “Yup,that ad made someone buy the product”.The result may be the same,but the method to get the result is VERY different.

    3. Decius says:

      Now we’re arguing about definitions. Windows 10 Automatic Updates is Spyware, by the definition you propose (and there’s a lot wrong with it, but “Spyware” isn’t one of them.

      It doesn’t provide any information about *you*. It provides information about *the ads that interacted with you*.

      1. Daemian Lucifer says:

        Windows 10 has a literal keylog functionality in it(thankfully,that one is not on by default,but many others are).Windows 10 IS spyware.Often even a malicious one,not allowing you to install things simply because they arent microsoft approved.The only reason they managed to get away with it is money and having a huge chunk of the market.

        It provides information about *the ads that interacted with you*.

        And subsequently the information about which ads you interacted with.With enough data,this can lead to backtracing your browsing history pretty thoroughly,as people have already pointed out.

        1. Decius says:

          No, it CAN”T be used to find your browsing history. (except to the infinitesimal degree that it might reveal which ads you clicked on).

          If Big Brother already has browsing history in the form of “The person who clicked on this ad at this time then visited this page” they ALREADY HAD that, and it STILL can’t be tracked to you or any PII.

      2. Shas'Ui says:

        Apologies if I’m assuming here, but you seem to know more about this then I do, so some extra explanation would be helpful.
        What does”ads that interacted with you” mean? Is it saying ads that you clicked on or otherwise interaced directly with, or is it ads that were shown to you, regardless of your click/no click, or is it some other criteria?
        Thanks

        1. Decius says:

          Ads that ran the specific Red Shell javascript package that give the server a one-way hash of certain system information. Essentially, those that were clicked on.

  2. Fizban says:

    All this crap is really making want to just stop bothering with games. I’ve essentially been PC only for quite a while now since buying a whole separate pile of computers to do things this one can do is bullshit, but if the only way to actually secure anything is to literally run it all on separate computers that are fortified to the gills, why even bother? Though it was denuvo that was pissing me off- steam tells you it’s in some games, but apparently other games just don’t mention it and the good ‘ol patch it in after you’ve paid for it trick is laughably legal. I liked Prey, I liked it a lot, and now I just want to bleach my computer and refund games I was looking forward to playing.

    Edit: apparently botched my email since that’s not my usual icon, oh well.

  3. Mr. Wolf says:

    If it weren’t for MarioKart, “Red Shell” would sound kind of sinister. As it is it just sounds kind of annoying.

      1. SKD says:

        That banner has some really sinister connotations.

      2. Mr. Wolf says:

        You’d be right, though now I’m completely lost as to where they were going with that analogy.

        1. Thejungerludendorff says:

          Letting you home in on the steam userbase/data I guess? I’m not sure what the hills represent though.

          It’s a pretty confusing message.

          1. Droid says:

            “Our UI is so ugly even Steam is running to the hills when it catches sight of us.”

  4. Vinsomer says:

    For me, and this is the issue with all big data, there are 2 big problems:

    1. The lack of transparency. When people had to essentially datamine this themselves, it proves that these companies didn’t do the bare minimum to earn player’s trust in this matter (Yes, I know EULAs exist, but burying this in a bunch of jargon and text you know nobody reads is, if anything, an attempt to obscure the truth, not reveal it). And if you weren’t honest enough to be upfront about collecting data, then why should anyone trust you to be honest now that you’ve been caught?

    2. The lack of assurances. We live in a world where data breaches happen almost daily. While developers can promise that Red Shell isn’t going to be used for anything nefarious, you can bet your bottom dollar hackers are right now trying to see if it gives them a window into your data.

    1. Matt Downie says:

      So, let’s say I have a game out. I want to know if you’ve seen/clicked any of my adverts, and if so, which, so I know which ads are most effective. I have multiple advertising campaigns with different images (angry face, big car, attractive woman) and distribution. If it’s a Free To Play game, I want to remember who you are so I can see whether which adverts brought in the biggest spenders – after all, my ability to survive is dependent on “revenue per user” exceeding “advertising cost per user”.

      I have probably already got your permission to do this because most users just click ‘yes’ on everything when installing. What message would you like to see to reassure you that my intrusion on your privacy is just the minimum necessary? Bear in mind that every other company wants to do the same thing so you’ll be seeing this message a lot.

      1. Echo Tango says:

        The reason that “most users just click ‘yes’ on everything” is because those agreements are essentially unreadable. For example, I used this website to measure the readability of Kerbal Space Program’s (KSP) various legal documents that users must agree to. Their EULA came out to around the level of a completed Master’s degree, their privacy policy came out to around half-way through a Bachelor’s, and their terms of service came to half-way through a Master’s degree. Given that the minimum requirements for education in the United States (it’s nearly the same up here in Canada) is roughly the completion of high-school (Wikipedia says it varies by state), then that means that many people who play that game literally cannot read those agreements. It’s also worth noting that KSP’s agreements are actually more readable, compared to most that I’ve seen. So, to answer your question of (paraphrased) “Where should this additional piece of agreement go?”, my answer is that it should be in an agreement which is actually readable by the target audience, written in plain language.

        1. SeekerOfThePath says:

          Which is where GDPR steps in. It requires, in spirit if not in letter, to be using easy-to-understand language for these exact reasons.

          1. Echo Tango says:

            Luckily that works in cases like Red Shell here; I’m hoping for similar changes to start being made to non-data-privacy agreements, like End User License Agreements and Terms Of Service in general. :)

        2. TheJungerLudendorff says:

          Something as simple as a checkbox during installation saying “I grant permission to gather such-and-such information for supporting the advertisements which help fund this game” or something. Make it checked by default if you’re unsure about getting enough coverage.

          That makes it clear you’re doing this, and now you have express permission from the user, which means people who get outraged only have themselves to blame.

          1. Steve C says:

            Uhh no. That is unacceptable. That is the reason why laws like the GDPR had to be created in the first place.

            1. TheJungerLudendorff says:

              I Am Not A Lawyer, but doesn’t that fulfill the “Explicit opt-in” clause? Especially if you leave it unchecked by default.

              1. FluffySquirrel says:

                Yeah but you said you could have it pre-checked. That right there is already absolutely against GDPR, not allowed at all anymore

                The rest of what you said isn’t far off, but they not only have to disclose what they’re doing with your information, but who they’re sharing it with typically and for what reason yeah

        3. Blork32 says:

          I’m a lawyer and I don’t read EULAs. I do generally understand what they are saying, but they also aren’t actually meant to be read. In the US there are actually a bunch of legal protections that limit what can be in the EULA and how the EULA has to be written (font size, bold, etc.) and any terms that are outside of these standards are unenforceable in court.

          That said, there are currently no laws governing consent to data collection (other than the generally applicable rules).

          I personally just don’t care much about data mining as long as it doesn’t include my SS number or bank information and the like. Most of the laws protecting privileged information really functions by preventing it’s <i.use. Stealing bank information is illegal, but the key is that using bank information is also a crime. This is just one example, but basically, the idea is that the theft is hard to catch, but the use can be dealt with.

          I could be crazy though and paranoia may indeed be warranted (no sarcasm intended there, I genuinely realize that paranoia is maybe the less crazy reaction).

          1. Richard says:

            In US federal law, maybe – the State of California does have such laws.

            In the EU, the GDPR is exactly this. The penalties were also specifically designed to destroy a repeat offender.

            It is a law specifically written to prohibit this type of data collection. Data collection must be opt-in, and only done if

            So this “See the Red Shell FAQ here, which offers a GDPR-compliant opt-out option on this page” is illegal, because GDPR specifically requires Opt-IN consent to be given before any data is collected, except for data that is reasonable to state as being actively required to provide the good or service.

            Furthermore, GDPR requires the data controller to delete all such data upon request, should the data subject decide to revoke that consent at any time in the future.

            1. Blork32 says:

              It’s not exactly Federal law since it is contract law and contract law is state law, but it is judge made law for the most part. I don’t know if you’re from the British Commonwealth (or if you just know about Common Law anyway), so without trying to insult your intelligence, I’ll tell you that we have a different legal format than Europe does. This sort of thing doesn’t have to be written down in statute here (although it certainly can be), so I think a lot of legislators don’t think about it. In the US, in particular, we also have the challenge of having 50 states, many of which aren’t very up to date on tech issues. California makes sense to have already dealt with the issue because tech is huge in California. Washington, I’d expect, would be next. Wyoming? Alabama? They might take a while.

              I do think that your general description of GDPR sounds like a good idea though, so maybe we can just adopt a modified version of that.

            2. Decius says:

              Red Shell doesn’t collect information that it CAN tie to a particular user, or even to a particular computer or IP address. What it does collect is data that can be tied to specific ads.

              Consider it to be like a road traffic counter- Sure, they can see your car, and people sitting at major intersections looking at cars could track how people are moving, but they aren’t tracking how you are moving, they are just looking at how which routes more people use.

              And they’ve gone through serious math to ensure that they don’t have any personal information, even accidentally.

              1. Hector says:

                You’ve been defending this company to the hilt here, and I question your statements. UNless you have some information you’re not sharing, your statements don’t seem to be accurate. It absolutely could tie information to specific users – certainly through profiles, although we don’t know to what extent it was used.

                1. Decius says:

                  People have been lying about the company more than I’ve been pointing out that they’re lying.

                  Would you consider everyone with an identical computer to be the same person?

                  1. Shas'ui says:

                    Again, you appear to have more information, so my assumptions may be invalid, but given that we don’t know what level of data they are collecting, we can’t assume that the systems will appear identical.

                    The EFF have a tool that is designed to assess tracking vulnerabilities in your browser, and one of the things they check is “Fingerprinting”, where things like what fonts are installed, what javascript version is running, and a host of other things are collected together to identify a browser. (EFF explanation of fingerprinting). Because while each individual thing may not be unique, the combined narrowing of each adds up.

                    Depending on what data is being collected about the computer, it could be a similar situation. If I told you that my computer has both English and Japanese language packs installed, that narrows the field a bit. If I also add that I have a rare font installed, that narrows it further. If I also say that I have a oddball, hard to find .DLL installed, you could probably ID it specifically, if you can check for those three pieces of information. Even if you couldn’t from those 3, there’s many other things that you could check to narrow the possibilities down.

                    Admittedly, I’m not the best example, as I’m not an average user. Factory fresh computers probably do seem identical. But over time, even normal users will slowly diverge from the norm. If that deviation is enough to be identifiable given what is looked at is unknowable without knowing what is being looked at, which we don’t know. It’s unlikely that Red Shell would bother, but other companies may have different motives.

              2. Richard says:

                No, we’re just looking at what Red Shell themselves are publicly claiming to do.

                From the Red Shell site:

                Red Shell logs a gamer’s fingerprint on clicking custom link

                Then logs a gamer’s fingerprint when launching the game for the first time.

                Fingerprints are matched and gamers are attributed

                Now, either they are lying to their customers (which would be fraud), or they are breaching the GDPR because the two acts of collecting a gamer fingerprint and “attributing” a gamer are collecting protected information.

                The EU does not mess about – they’re fining Google several billion USD.

              3. Sartharina says:

                From my understanding, it’s more like a traffic counter that notices License Plates, but has no access to any database that references the licence plate, and just uses the digital image of the plate as a unique identifier, and it’s impossible for any human to see/translate the plate’s image into something a human can understand.

                For example – Redshell would use my ip address as a unique identifier. But it doesn’t use my actual steamid – istead, when a system using my ip clicks on a link, it creates a hash based on my ip. If that then goes and buys the game, Redshell can link that.

                But, if I go into a frothing rage about Redshell, and demand they delete all references to my IP address in their files, in addition to invoking the Streisand Effect (I just gave them my IP address directly), they’ll be completely clueless, because there is absolutely no reference to my actual IP address transmitted back to them – it’s just a gibberish hash.

      2. Vinsomer says:

        This is the kind of problematic mentality which needs to end.

        I want, I want, I want, and then maybe the user is OK with it. No consideration for the consumer or their desires.

        It’s very obvious that the reason companies are not open about the amount of data they collect, where, why and how is that users would be uncomfortable with it. That itself tells you enough. They know users would hate it if they knew about it so there goes any argument of presumptive consent. And they don’t do nearly enough to explain it in plain terms. That is why it always feels like a violation. Because, on some level, it is.

        At the very least, users didn’t have to find Red Shell for themselves. Companies could have been open about ‘hey, there’s this software which collects data using your steam ID. Nothing fishy, it’s just for personalised ads and data to help us improve the game’ and offered an opt-out for players uncomfortable with that idea. But they lied by not telling us and now expect to be taken at their word and given the benefit of the doubt.

        And by saying ‘yes to everything’, that just proves how inadequate EULAs are at actually helping consumers understand exactly what they say. Obviously nobody is going to read an EULA all the way through. Very few have the patience or the knowledge. That’s why I said putting things in there is a way of obscuring the truth, not revealing it. If you only technically get consent based on consumer ignorance, is that really consent? By most definitions, no.

        There needs to be a better approach from the beginning. Not just ‘well I want data because it makes me money through some convoluted advertising process, and I presume most users consent even though I know they wouldn’t’. Ultimately, as a user I don’t particularly care if a frequently unethical, often deceptive and exploitative business model dies. I’m really struggling to see that as a bad thing.

        I would have thought the advent of adblock would have taught companies that they can’t just dictate everything on their terms and expect consumers to eat it up, but here we are.

        And it’s not like putting up a billboard or an ad in a newspaper needs advanced data collection metrics to be useful or valuable. This level of data collection is lucrative but not actually necessary.

        1. Cubic says:

          I’ve never known an EULA or consent form to adequately explain what information is collected or how it may be used. Perhaps because knowing the details quickly gets very invasive and creepy and the information thus gathered can be used however the collector wants it, including holding it forever and/or sharing or selling it to third parties (which may further track and aggregate your activities), financial parties, government, etc. Not to mention losing it to hackers, no recourse possible, sorry.

          I think/hope GDPR can potentially evolve to a way for tracking companies to limit tracking and sharing to ‘reasonable’ standard levels that consumers can accept. At least if properly formulated. Basically like being PCI-DSS compliant for managing payments and related data.

      3. boz says:

        Good Old Games has a good approach
        https://support.gog.com/hc/en-us/articles/212632109-Privacy-Policy
        https://support.gog.com/hc/en-us/articles/115000498685-Cookie-Policy

        I read that and I can see that they are trying to explain what they are doing and why they are doing it.

        1. Echo Tango says:

          Not surprisingly, this website tool ranks them at around a grade 11 – 12 reading level. This stuff really is easy to read (if a bit long). :)

        2. Viktor says:

          It’s been a while since I checked(and I will NOT log in at work), but IIRC Tumblr has a really good setup too. Basically, the TOS is in legalese on one side, with a paragraph-by-paragraph translation next to it. As long as they match up, that’s really the best option IMO for keeping the lawyers happy while still actually informing your users.

  5. 4th Dimension says:

    The games that really perplex me are the single-player games with no in-game advertising.

    To me it seems you missunderstood this paragraph:

    Red Shell lets us compare a list of devices that click on an ad link to a list of devices that install Eternal to create a non-personally-identifying link between ads, and installs.

    To me it seems that RS allows to assign an id to any add displayed on the internet or at least any time someone arrives on a page by clicking an add AND actual installs.
    This isn’t for thw in game advertisers but the game makers want to know how many of the clicks on adds result in installation of the game. Basically how efficient was their marketing.

    1. default_ex says:

      This has absolutely nothing to do with tracking ad clicks at all, other technologies that are far superior to that exist already called server side logging. This software is all about tracking what users are doing in your game, look at the example on Red Shell’s website. It’s next to the big caption that says “Dead simple integration”. It’s none of your damn business if I reach level 10 unless I chose to share that information with you. I don’t care how much you think it will help you develop your game, if you really think that then ask the players for permission to collect the information or post a voluntary survey.

      I bet dildo makers filling their dildos with sensors and monitoring their usage would really help them make better products. How do you feel about that?

      1. Geebs says:

        I dunno. Are these, like, uh…active sensors?

      2. TheJungerLudendorff says:

        To be somewhat fair, information like when players reach certain level is probably something developers have by default. If only in a log file somewhere.
        And I don’t think that’s particularly personal information in many games, since it’s usually open and out there for for everyone to see whenever you so much as join a game with them.

        More personal things like financial transactions, chat logs and whatnot are definitely off-limits to me though.

        1. Kylroy says:

          Player levels and similar information are *not* something developers have by default – the whole appeal of Red Shell is that it lets developers get this data without programming their own method to do so. Shamus points out in his last header that companies can replicate the effects of Red Shell in their own net code, and that it if they do it won’t be obvious without folks wading into the data.

          1. TheJungerLudendorff says:

            Ah, for some reason I was only thinking of multiplayer games and modes, and forgot that single-player games have those too…

            Yeah, you’re correct that a company wouldn’t have that data for single-player by default.

            1. Decius says:

              Steam Achievements don’t do that?

              1. TheJungerLudendorff says:

                Only if they specifically make achievements for them, and I’m not sure if they can see the data for achievements in progress (like “4/10 bears snuggled”).

                So that information would be pretty limited. They might put one in for level 10, but definitely not for every level in the game. And that’s for a pretty important game statistic.

      3. Primogenitor says:

        I know you said that as a joke, but I’m like 99% sure there was a news story about connected sex toys (or maybe it was a fertility tracker?) and the manufacturer storing the information. Yay, dystopia (!)

        1. RFS-81 says:

          Yes, sex toys have been part of the internet-of-things-that-shouldn’t-be-on-the-internet for over a year now: Guardian article

      4. Rob says:

        The “internet of sex toys” phone home scenario has already played out:
        Engadget article – sex toy sends intimate data

        And didn’t end too well for the company…
        independent.co.uk article – company pays out $10000 per customer compensation

        Edit: beaten to it by the posts above!

  6. Ninety-Three says:

    That Reddit post documenting all the companies which axed Redshell instead of taking a moment to explain like Eternal did is pretty depressing. There’s apparently no reason except stubbornness to correct an angry misinformed mob, easier to just do what they want. Heck, even Eternal axed it despite their defense.

    1. TheJungerLudendorff says:

      From a PR perspective, it’s probably the right thing to do.

      The internet mob is already pretty angry and suspicious of you, so unless you have a really good excuse they’re not going to let you off easy if you try to defend what many will consider indefensible. And your answers will probably get scrutinized to hell and back.

      Far less risky to try tosalvage your image and just dump the data collection tool (for now).

      1. Decius says:

        Green Shell integration will include obfuscation to prevent identification.

        1. DerJungerLudendorff says:

          Blue Shell integration will explode the harddrive of the first computer that finds out, for maximum ragequit potential.

        2. Shas'ui says:

          Is this obfuscation to prevent identification of the user/data, or obfuscation to prevent identification of the use of the service?

          1. Decius says:

            My intent was to say that it would hide the transmission of the fingerprint and data metrics.

            1. Shas'Ui says:

              “What we are doing is legal and ethical, which is why we are hiding it from you”

              Obviously, there has to be some secrecy in the exact method, in order to prevent people misusing/manipulating the system (1 view of our ad resulted in multiple sales of the game!). On the other hand, the more you hide, the more people will want to find out what it is you are hiding.

              As the child of a state prosecutor, one of the early life lessons was that, no matter how small or big the issue, it sounds better being told straight off, and much worse when it’s dragged out via an hour of cross-examination because you tried to hide it. This is what’s happening with Red Shell. If the info was provided to someone ahead of time, most people wouldn’t care. Hide the information, people might not notice for a while, but when they do, they will be suspicious. Hide it very successfully, and when it does leak out, it looks like a conspiracy, and people love yelling about them. That’s what’s happened here.

              Hiding it better is not a solution: it’s assuring that the next time they get found out, it’ll be even worse.

              1. Decius says:

                If the public don’t find out until the next CEO, it’s just following the incentives that exist.

  7. Infinitron says:

    Those articles you say are from 4-5 days ago are all from last month.

    1. Shamus says:

      Damn it.

      It’s JULY, Shamus. Not June.

      I looked right at the date on the post and thought, “Yup. four days ago. Checks out.” I can’t believe I made that mistake. I’m going to edit the post.

  8. Naman Dixit says:

    Shamus, I think you have mistaken the nature of the beast. Red Shell doesn’t track in-game ads. It tracks which internet ads were converted to sale.

    When a developer publishes an ad on the interweb, they bundle a little Red Shell javascript with it. Since our browsers are more than willing to let trackers fingerprint us, the Red Shell javascript (upon clicking the ad) uses things like installed fonts to create a unique ID of your computer. If then you buy the game and launch it, the Red Shell DLL recreates the same fingerprint and send it to Red Shell. Then, they can match the two fingerprints and mark it as a successful sale.

    The problem, of course, is that there is no guarantee as to what they are actually storing. The opaque nature of Javascript means that what they do today and what they would do tomorrow (or after an ad agency acquires them) have no relation. And since they also have a DLL on your PC, they now have broken out of the browser sandbox. That’s the real scary part, that your online and offline activity can now be associated with each other on a third party server owned by gods-know-whom.

    1. Shas'Ui says:

      And once you have a unique marker, you are golden…

      The big issue with privacy is that the worst threat comes via “death of a thousand cuts”: many small, collect just a tiny bit of data, things that then get added together into far more data than you would ever allow anyone to collect all at once. This becomes even more problematic when we don’t have a clear idea of what data is and isn’t acceptable for collection, and information that seems harmless can quickly become worrying when added to other bits.
      (What’s the last 4 digits of your social security number? What’s the first 4? How about the 2 middle ones? Ask on three unrelated websites, with a few months of time separation. Who would notice?)

      The best way to prevent this is to ensure that data is not associated with a unique marker, so that the data can’t be pieced together. The problem with this, is that it is very easy to make or find something unique about your data that can then be used to tie everything together.

      To cap it all off, the companies most invested in this (google, facebook) are almost at full on shadowrun-megacorp levels of beyond the law: they get cited/sued all the time, but they just throw a few billion dollars at the issue until it goes away. Even if someone decided to take a stand, what could they do? Prevent google from operating in that country? Good luck with that…

    2. Decius says:

      If the scary part is that there’s a .dll on your PC that can in principle be used as an attack source, why is Red Shell the problem and not the actual program that you intentionally run? It has many .dll s.

      The direct attack isn’t going to piece together data about you by correlation. The direct attack is going to skim your payment information and identity.

      1. Shas'Ui says:

        I should clarify my statement: I was speaking more broadly, rather then about this latest controversy. Furthermore, my worry is not that of a direct attack. You are correct that the method would be different. My concern instead is that large companies, like those I mentioned later, could easly gather and correlate data to a troubling degree. For instance, your google ads profile already predicts your age, gender, and interests. It would be quite easy for them to expand into other things, like political beliefs, sexuality, religion, ethnicity,& location. Now imagine that the campaign manager of the “definitely not evil” party of Despot-istan pays for an ad to run via google, targeting the opposition party. And said ad is actually just malware. And that during the period of time that all those affected are unable to use their computers, it is announced, online only, that all of the polling locations are being changed. That is what worries me.

        1. Decius says:

          That scenario is the same as one where the malware hits everyone, but looks at the browsing history of the browser and only shuts down those with a profile that matches the opposition party, and possibly additionally targeting those who don’t have a browsing history.

          That problem is best addressed by means other than making it slightly harder to advertise to people.

          1. Shas'ui says:

            In one of those scenarios, the person attempting the attack need to be able to both distribute the malware themselves, and gain the targeting information themselves, the “look at the browser history” part.
            In the other, they just have to pay a company that already has that information, to host a suspicious ad. Other then that, you are correct.

            I agree that my example(s) didn’t properly explain my concerns. After further thought, some slap-dash studying, several caffeinated drinks, (and waiting for the website to go back online) I present my third attempt to describe what it is that worries me.

            The problem isn’t the data itself; it is that we, the person generating the data, want to control how it is distributed. There is some data that we do not want to share, for a variety of reasons. There is some data we do want to share, to specific people only, or for a specific reason only. There is some data that we share with anyone, for any reason.

            The first threat is theft, or “spyware” in this setting. Someone accesses data we don’t want shared without our consent, and possibly without our knowledge. This could lead to theft of things kept secure by the restricted nature of the data (aka bank passwords), social harm by the revealing of things that are considered against the norm, or it could be completely harmless, but still against our will to keep that data private.

            The secondary threat is when data is given for use in a specific context, but it is instead used in other contexts. The example here would be if you gave a website your email so that they could email you the product you bought, but they also use it to send you advertisements, or sell it to a spammer. While we gave the data to the entity, we associated a specific use to it, and feel betrayed when it is used outside of that use.

            The third threat, is that as the ability to study patterns and trends, and the amount of freely accessible data upon which to base such predictions, has increased to the degree that data I do not wish to share can be predicted/inferred by data I have shared. Given that public data is used, it is hard to object to such practices, as they are not stealing/accessing the data, nor are they taking data given for a use and using out of that context, yet the data that I did not want shared is still being shared, with all the possible consequences of that sharing. The example here is when someone, by knowing your birth-date, is able to guess your pin number. Security questions meant to allow you to access things even if you forget an obscure piece of data are now a threat, because the easily remember-able data they ask for is also easily obtained via publicly shared data.

            A secondary layer to this threat, or perhaps a completely separate, but similar threat, is when data is combined into more dangerous data. For instance, I publicly share my name. The street address of my house is also public knowledge, in the vein of “there is a house with this address”. However, the data of “this Name lives at this Address” is not data I want to share, because the combined information is more “dangerous”. There are businesses that now exist who collect as much public data as possible, to associate it together, to share the now more-restricted data. Wikipedia article about Spokeo, a business who collects and aggregates data.It advertises knowing, based on a name: the person’s address, email, phone number, marital status, religion, family members, income, location history, and a satellite photo of their home. As with the above threat, they are now sharing data that you wish to keep private, even though they have generated this data using publicly available data.

            With the amount of data being collected, either publicly, or through the first two threats, and the accessibility and longevity of data in the digital age, it is becoming less and less possible to prevent the types of threat described in the previous two paragraphs. This is what worries me.

            Hopefully I’ve managed to communicate my thoughts as clearly as I can this time.

            TLDR; Data privacy is hard.

            1. Decius says:

              Suppose that literally anyone who knew your full name and city could look up your phone number and address.

              What bad thing happens?

              There’s no plausible reason that anyone but Amazon would be able to associate your address with Amazon purchases, because that trade secret is too valuable for Amazon to sell or allow to be leaked (unlike your credit card information, which has a cost less than going out of business and need only be secured by ‘industry standard’ levels).

              1. Viktor says:

                “Suppose that literally anyone who knew your full name and city could look up your phone number and address.

                What bad thing happens?”

                Stalker ex shows up at your house. The retail worker you complained about and got fired gets your name from the complaint and slashes your tires. Sales rep that you were polite to spams the hell out of your physical address trying to make a sale. Bigots decide to stage a protest that you’re living in the wrong part of town.

                Privacy may not matter to you, but there’s people for whom it is literally life and death, and you seem to be ignoring that.

                1. Decius says:

                  Indeed, but how often did those things happen when phone books did exactly that, and how much rarer did they become as phone books became less universal when millennials killed landline phones?

                  1. Daemian Lucifer says:

                    If they became even 0.1% less common(and they most certainly have)its a good thing.

              2. Shas'Ui says:

                If someone could find my address by knowing my name and city, there’s a good chance I, or more likely, my parents, would be dead. As noted above, my parent was a prosecutor for state criminal court. Turns out, if your job is to tell juries why they should put criminal gang members in jail, the rest of the gang doesn’t like you. We lived on the far outskirts of town for a reason.

                1. Decius says:

                  Having an unlisted phone number is a standard precaution in that case, but frankly if gangs wanted to know where a prosecutor lived they would. Organized crime knows not to fuck too directly with Law Enforcement or Judicial officers, and the police know not to fuck too directly with the gangs. If Capone was killing cops who were just busting up or shaking down speakeasies, he would have ended up dead by cop raid, not arrested and jailed for tax evasion.

                  It was, and remains, easy, if not trivial, to find, steal, or social engineer an address from a name via various means; the easiest of which that comes to my mind is by finding someone with access to the electric company billing records and bribing or threatening them.

                  1. Daemian Lucifer says:

                    The point of security is not to dissuade determined capable criminals,its to prevent the less skilled ones.You dont lock your house to prevent a master thief who can pick any lock in less than 5 seconds,you do it to prevent the crackhead from waltzing in and walking out with your tv.And the number of the first ones is vastly lower than the number of the later ones.

                    Not to mention that when doing something bad is hard,people who are willing to put in time to do it are also more likely to get caught before they do it.The more steps it takes to break security the more times you are likely to screw up and be found out.

              3. Daemian Lucifer says:

                What bad thing happens?

                Funny you mention this,because thats how land line phones worked in my country before cell phones started becoming a thing.The reasons why cell phones were decided to be opt in* instead of opt out range from mild annoyances(telemarketers and spam mail),to fraudulent(there were a few who used ones name to try the scams of “Mr and mrs X?You won BLAH BLAH”),to outright dangerous(there were* news stories about people finding their exes in this fashion and beating them up).So yes,automatically giving out someones information is a demonstrably bad thing.

                *Opt in only to finding someones name via number and vice versa,not finding out ones address,as is the case with land line phones.
                **Still are actually,though not that often,because people prefer mobile phones these days.

                1. Decius says:

                  Phone books were precisely my point.

                  1. Viktor says:

                    And as DL said, phone books were too invasive and only persisted through inertia. When an alternative came along that didn’t have the history, people decided not to repeat the mistakes of phone books and instead made everyone unlisted by default.

  9. Bill says:

    See the Red Shell FAQ here, which offers a GDPR-compliant opt-out option on this page.

    How can you opt-out of something when you don’t know it exists?
    And doesn’t GDPR require explicit consent of the user aka opt-in?

    Was there a single company that pointed at Red Shell’s opt-out page before this story?

    1. TheJungerLudendorff says:

      Yes, I think they do.

      And no, I don’t think any did. Or told people about Red Shell at all.

    2. Shas'Ui says:

      Added irony: the way you opt out is by having them put a cookie on your browser to prevent them from putting cookies on your browser. That makes sense.

      1. TheJungerLudendorff says:

        Sums up the whole debacle pretty well.

        Technically it works fine, although it’s a bit iffy.

        Ethically or security-wise it’s kind of a clustertruck with little regard to what the consumer actually wants.

      2. Decius says:

        That’s literally the only way they CAN opt-out. They can’t delete all information that has your name or email, because they don’t collect that.

        1. Shas'Ui says:

          I understand why it is necessary; it’s the problem with opt-out rather then opt-in, that you have to identify those who do not consent, which is problematic if the issue to start with is privacy.

          The bigger issue is that, while this company is probably honoring the opt-out as best it can, the internet is full of people/companies that are quite happy to take advantage of people, and this is an absurdly easy way to do so.

        2. Zak McKracken says:

          That’s not a technical necessity.
          When you install a Red-Shell-enabled game, the game (still offline, before activating Red Shell) could pop up a dialogue whether you agree to activate Red Shell, and if you disagree, it would just never use Red Shell, or just remove it from the install. Your dissent is stored locally and never transmitted because nobody even needs to know about it.

          This would not just be GDPR-compatible, it would also be respectful and not backhanded. But of course, if it were implemented, lots more people would not agree to have their data sent, or at least Marketing would be nervous that if given a fair choice, people might not opt to give away their data, and so it must be done sneakily. And so people like me then get angry at companies for being so sneaky.

          1. Shas'ui says:

            This would work for part of it, but part of the Red Shell system lives in ads on the internet, so these would also need to be changed to explicit opt-in.

  10. Thomas says:

    Theoretically GDPR should be a good legal framework to stop abuse of this – I doubt ‘we put it in the EULA’ is going to be enough for GDPRs level of strictness.

    But that doesn’t matter if people aren’t aware that companies are doing this in the first place to make the complaint.

    1. Zak McKracken says:

      Pretty sure it’s not GDPR-compatible, and I hope there’ll be some legal repercussions.

      I extra-hope that those repercussions will not hit some naive indy-game-makers too hard but rather some global internet companies…

      And that then also solves the problem Shamus brought up, that in absence of Red Shell, there might be sneakier and worse ways of exfiltrating that information: Those ways are also likely to be illegal, unless they’re asking for and respecting a meaningful choice from users. Of course you don’t need to ask if nobody knows you’re doing it, but it’ll take very few IP-literate people to expose such goings-on, and the prospective legal penalty might be significant, or at least that’s what I hope for. You can’t make anything watertight, but if there’s a real chance of getting caught, and if getting caught carries a real penalty, then I that should help to make sure that most games don’t do this sort of bullshit.

      …but I do realize that that might also be just wishful thinking, because some rules are also very very selectively enforced…

  11. Darren says:

    I had assumed that the point of the software for single player titles was to track what players were doing in the game. How many players are selecting Wizard as their class? How many people are winning the game through the Science Victory? How many people actually beat the game? There are obvious uses for this information, and I can see why developers would want it.

    Developers sometimes talk about these metrics, but we rarely question how they acquire them.

    1. BlueBlazeSpear says:

      Yeah – it really surprised me to learn how much metric data that Bioware had from the first two Mass Effect games that they were using when designing the third one. They knew how many players played male/female Shepard, who romanced who, which classes were the most popular, etc.

      It didn’t seem like they were doing anything sinister with that data, but it still surprised me that they were tracking it and I certainly didn’t recall agreeing to it. To some degree, I wonder if it’s something we’re just implicitly agreeing to when playing any game that’s connected to the Internet.

    2. Karma The Alligator says:

      That’s a very good point. And that also means it’s been going on for a few years, considering how long those metrics have been around for.

    3. Thomas says:

      We know they didn’t always have good tracking methods, because developers talked previously about using achievements as their source. I think that’s why so many games have you an achievement for starting the game – it gives developers starting and completion data.

  12. BlueBlazeSpear says:

    You rightly point out that any time we let a company have our data, we’ve already taken a risk seeing as how companies get hacked and customer data currently gets stolen to an alarming degree.

    But – paranoid as I am – I have another long-term concern. I would look at any company that has my data and ask “Who’s going to own you in five years?” It seems a reasonable question to ask, especially for video game studios. Will the next company’s management be as scrupulous with our data as the current one? Or will they sell it all to someone on Madison Avenue? And should anyone care?

    I have to assume that some sort of law or process is in place to protect against that sort of thing (even if it’s agreeing to a new, opaque and arcane privacy agreement), but I’ve yet to see it -at least in regard to data that’s personal but not private.

    1. thejungerludendorff says:

      And some of the least scrupulous companies have a habit of buying succesfull smaller companies cough EA cough

  13. LessRight says:

    For the record, Eternal is a ridiculously good game that I found very generous in its F2P model. If you’re up on card games, it’s like Magic but with the rules streamlined for a slicker computer experience like Hearthstone. And also just better design than Magic these days. I’d be kinda surprised if they did all these other things good but then went full bad guy on privacy. (Edit – On purpose, at least.)

  14. TheCheerfulPessimist says:

    I’m guessing you linked to that wiki article on Dungeon Keeper mainly to humblebrag about your fifteen minutes of fame? Being cited (twice!) in a wikipedia artice? ;)

    1. Shamus says:

      I am stunned. I know this sounds incredible, but I had no idea that article cited me.

      What are the odds that I’d randomly choose a wikipedia article that cited me? (There aren’t many!) That’s crazy.

      1. Thejungerludendorff says:

        You even have your own TVTropes page!

        Pretty sure you only need a golden Youtube plaque to officially join the ranks of the Famous Internet People!

  15. Redrock says:

    I’m really torn on the whole privacy issue. On the one hand, the whole situation is the textbook definition of “slippery slope”. On the other, well, there are two questions that always come to my mind. The first is “Who do you think you are?”. While some authoritarian governments might be interested in collecting personalized data to prosecute specific citizens, in most cases no one cares about you personally. Honestly, I think for many people the privacy outrage stems from a slightly narcissistic desire to matter. But chances are, no one from EA is going to call you and say “Buy Battlefront 3 or the missus learns all about your weird porn searches” in a Hugo Weaving voice. No, the corps want big data and all the data collection can’t really hurt you.

    But maybe you’re worried about the fact that the data might leak to some bad guys who’d actually want to use it to hurt you directly. Well, that brings us to my second question, “How consistent are you in your struggle to maintain privacy?”. If you’re outraged about Red Shell, I assume you don’t use social media? What about banking? What about online shopping? How carefully do you make sure that the cashier doesn’t see your CVV code? Do you check every ATM for third-party swipe scanners? How carefully do you keep track of which of your myriad accounts has what information on you? And passwords, how many unique complex passwords do you have? What about fitness trackers, smart home devices, smart cars? And that’s just the high-tech stuff. How many businesses and government agencies have your data? Your medical history, your job CV. Don’t forget webcams and mics on every goddamn device you own. Sorry, I just went back to watching Person of Interest, I can go on for ages and I’m ranting a bit. You get the idea. Most people don’t really pay attention to this stuff, but then they read a hysterical article on the Internet about Red Shell and decide to straighten their shoulders and in their best John Hurt impression proclaim “No more!”? That’s kinda cute, but hardly useful.

    That said, I don’t condone or endorse Red Shell or any data-collecting software. But I also maintain that singling it out is pretty silly.

    1. Cubic says:

      For better or worse, I passed most of your checklist (no social media, no IoT, hard passwords, …). Haven’t destroyed the cameras and mikes on my devices yet, but it seems obvious they will be used for pervasive spying sooner or later. I wouldn’t be surprised to see a Malware Sharing Protocol to handle the jostling to get access.

      Some people already claim they get ‘relevant ads’ after talking about stuff near their Android phones. Paranoia or just being ahead of the competition? Who knows?

      We already know Alexa by design listens for your commands. Who knows what that entails? Law enforcement has already subpoenaed information from Alexa installs present at crimes, though I don’t know if that was useful or not.

      (Indeed, we also know Alexa, Siri, Google Home can be subverted to run third party commands by ultrasound, a “Dolphin attack”.)

    2. Viktor says:

      The problem is, how exactly do you expect people to stay safe? Sure, I can avoid social media, but FB(and probably every other share link) can track your usage anyway. I run adblockers, but I can’t stop everything, and some adblockers have started doing data collection too. I can refuse to turn over my DNA to anyone, but a relative can post their info publicly and suddenly my genes are out there too. Half the appliances sold now(plus every console, pre-built computer, tablet, etc) have mikes, and I don’t have the tech skill to cut them out. Cell phones have trackers, cameras are everywhere, and my local PD have drones flying overhead now.

      Individuals cannot be expected to protect their own data at this point, it’s just not feasible. That sort of protection will only come with strong govt regs(GDPR is a good start). Until those come down, you can’t blame people for only being outraged at new intrusions. Being outraged at every misuse of your data would give anyone a heart attack.

      As for the harm it could cause, Facebook has outed gay people to their relatives through targeted ads. Companies have used analytics to specifically avoid any disabled people or black people learning they had open apts for rent. Plus everything the US govt has done with the internet for the past 20 years. The danger is real.

      1. Redrock says:

        Honestly, I don’t believe this Djinn is getting back in its bottle. The only thing government regulations will achieve is give the government a monopoly on all that data. I confess to being a bit biased here, though. Being from a post-soviet country, my distrust of government, any government, is much greater than my distrust of corporations. In the end, I believe that corps mostly want to sell you stuff and while they don’t care who they hurt in the process, they usually don’t deliberately set out to hurt specific people. Governments often do. I don’t want to go deeper into this to avoid breaking the “No politics” rule, but what it boils down to is if obtaining actual privacy isn’t an option anymore (and I believe it isn’t), I’d prefer is the main driving force behind data collection were businesses and not governments.

        1. Viktor says:

          Yeah, it’s partly a regional thing. Anything that Facebook or Google has, I assume the US govt will get from them. Your intel services probably don’t have that scope, but ours absolutely do. So for me, allowing a corporation to gather the data is the same as letting the NSA do it, except that Facebook will also tell everyone else what they find. That is absolutely a worse option.

        2. Michael Miller says:

          I agree In principle, but one of the things that corporations might want to sell IS your data. The government is much more likely to tell us to keep it for itself, but Facebook and Google and the like are happy to sell it to the highest bidder.

    3. Daemian Lucifer says:

      As the appearance of ransomware and the social security number scandal have shown,you dont have to be somebody in order to be harmed by the big companies not preserving your privacy.You just need to have a few moneys that can be stolen from you in whatever way possible.

  16. Agammamon says:

    I like how the Eternal devs swear Red Shell is not spyware and then point out that yes, it actually does collect information (your hardware config) and send it back.

    Which is spyware – no matter how ‘compliant’ it is with the shitty GDPR.

    GDPR compiance doesn’t make you not spyware, it just sets forth limits on what your spyware can legally do.

    And, frankly, the idea that I shouldn’t be upset that you’re collecting *any* info without my express permission. ‘Hey, I don’t know what you’re so upset about, I only came into your yard to look in ypur car’s windows. Its not like I was peeping into your bedroom’ is not a good justification.

    1. Olivier FAURE says:

      It doesn’t send your hardware config, it sends a hash of your hardware config.

      The difference is that, if the NSA asks Red Shell “Did Olivier Faure play Terrorist Simulator 2?”, Red Shell doesn’t have enough information to answer one way or another (unless the NSA also steals my laptop to recreate the hash).

  17. Jeff says:

    Hi Shamus, you asked “Is this something a publisher is imposing on developers?”, and I noticed this in that long reddit post:

    Indygo – The small indie game listed today has already responded and pledged to remove red shell with the next patch. They stated “Our publisher Fat Dog Games made us to implement this and they gathered all data. Their other games probably will have it too.”

    So it looks like “yes”.

  18. RFS-81 says:

    The thing is, Red Shell doesn’t create any new privacy threats. If you’re running a game on your computer, that game has access to all kinds of information about you. The game could, if the developer wanted, begin uploading the contents of your entire /Documents folder.

    You know, I find it bizarre that personal computers still pretend that they’re mainframes where you need to prevent multiple users from messing each other’s stuff up or gaining unauthorized admin privileges. Phones seem much more sensible in that respect: Apps have to tell you what kinds of data they want to use.

    And if you’re running a non-standard Android distribution like LineageOS (or the late CyanogenMod), you can even run apps and tell them no when they try to access something you think they don’t need.

  19. Richard says:

    See the Red Shell FAQ here, which offers a GDPR-compliant opt-out option on this page.

    No it doesn’t, because the GDPR requires “unambiguous consent” to be given prior to any collection of personally-identifiable data, and “explicit” consent in the case of “sensitive” data.

    In this case, it would seem that “unambiguous consent” is required.

    An “Opt-Out” cannot comply with the GDPR.

    While that page is required by the GDPR, it’s needed because you must be able to revoke that consent afterwards.

    But the consent must be requested and freely given in the first place.
    What Red Shell have done is like apologizing after feeling us up. They still assaulted us.

    If they asked beforehand maybe many of us would be ok with it.

    1. Decius says:

      “personally identifiable” data means data that can be identified as coming from a particular computer or person.

      They don’t collect any of that (according to their self-description).

      1. Daemian Lucifer says:

        On its own,its true,you cant.But together with the data collected by the publisher who sold you the game,you most definitely can.

        1. Decius says:

          And the PUBLISHER, to be GPDR-compliant, must have the opt-in. Even if they don’t use Red Shell, if they collect account information that they could link.

        2. Richard says:

          Red Shell explicitly state that the fingerprints are sufficiently unique as to be attributable to a specific “gamer”.

          If their words are true, then Red Shell is a Data Processor who’s entire business is explicitly designed to breach the GDPR.

          They may not be a Data Controller in the legal sense as that depends on how their contracts are worded, but to some extent that doesn’t matter because Data Processors are also held liable.

      2. Mephane says:

        “personally identifiable” data means data that can be identified as coming from a particular computer or person.

        They don’t collect any of that (according to their self-description).

        Actually, they do. That “fingerprinting” is exactly that, collecting a bunch of individually benign technical details which together usually is sufficient to uniquely identify a particular machine.

        1. Olivier FAURE says:

          Yeah, but they hash that information before sending it. They can tell that user #14366 who played Shootman 4 is the same user #14366 who clicked the Shootman ad, but they don’t know who that user is, what’s their name, or what machine they use.

  20. Greg says:

    a rather dangerous slippery slope

    This is Pittsburgh, Shamus. It’s ‘a rather dangerous slippy slope’.

  21. Sardonic says:

    Serious question: To those of you who say “They shouldn’t be sending data about my in-game progression to a server without my explicit opt-in!”, why are you outraged about this now? Kotaku wrote an article 5 years ago showing the ME3 player statistics, including PC gender, Paragon/Renegade proportions, and how often different teammates were being used, and no one batted an eye. How did you think they gathered these stats? It’s clearly been industry standard practice to track in-game events for years, maybe decades. What changed that makes this outrageous but made that completely innocuous?

    1. Richard says:

      A lot of people have hated this kind of data collection ever since it was first discovered.

      That’s why the GDPR was written – the EU don’t write Regulations unless a majority of governments ask for them, and they need unanimous agreement.

      Within the EU, the law changed in 2016 and came into force on the Glorious 25th of May 2018 – this was to give companies time to come into compliance.

      Prior to that the privacy laws and legal precedent were relatively ineffective – far better than (most of) the US, but still poor.

      – Most of the law was along the lines of “don’t lose it, correct it if it’s wrong”.
      – Companies could legally refuse service if users didn’t provide this kind of unnecessary information.
      – Consent could be assumed

      Worse, the penalties for breaches were purely financial, and so low as to be considered a “cost of doing business” by a lot of firms.

      Now the maximum penalty is at a level where very few companies could afford to pay it twice.

  22. Dragmire says:

    Awww, guess my comment was missed a month ago. I thought you just didn’t care about the Redshell thing.

    My experience with this Steam sale is seeing a notification of a game that’s on sale, looking at my wishlist and deleting half the games that were on there. Lack of interest in certain genres was a part of it and the other part was games using Redshell. Redshell looks sketchy to me so I’m avoiding games that use it[1]. I really would like to play Civ 6 though…

    [1]Looking up info about it gave conflicting info so I can’t say exactly what it does. The way people talk about it makes it sound like spyware while the company talks about checking advertising effectiveness.

    1. Richard says:

      Well, both of those things are true.

      The purpose is to check advertising effectiveness, and that makes it spyware pretty much by definition.

      The moment activity is logged against a near-unique set of identifiers, it’s spyware.

      Doing that can be legal, if the spying is “opt-in”, stated up-front and has an in-game method to disable it later on, a method to download all the associated data, and also to delete all the data they have assigned to your set of near-unique identifiers.

      But it’s illegal if it’s buried on page 98564 of the EULA in 0.004 point type under the title “Toiletry Facilities”, and having to visit some apparently unrelated website to “opt-out”.

  23. Joe says:

    You’ve gone soft in your old age. Where’s the Shamus who railed against Steam when it forced itself onto your PC because you installed Half Life 2? Where is the man who called out Uplay and it’s harvesting of useless (but identifying) data? Our DRM crusader, consumer advocate and grouchy-old-man, yelling at these young developers to stop mistreating their customers and get off his dang lawn?

    All seriousness, this was most illuminating. I admit I hadn’t looked into Red Shell before now but had a knee-jerk reaction against it on principle. If it’s so harmless don’t know why devs were hiding it in the first place.

    I guess because it has the capability to cause harm, that’s enough for it to get a collective red-flag from the people who didn’t know it was already installed on their computers. For me personally, that’s what stinks, and I’d rather the devs behind it had informed everyone without having to react to it’s discovery and subsequently be on the defensive once found. Like they were caught with their hand in the cookie jar (spot the sorta-pun).

  24. Jimmy Jones says:

    I don’t have any objection to a game offering me adverts that I have to view to play as that is only sending me one product at a time. I do object to them mining my behavioral data as that is both very valuable to advertising firms (I expect to be compensated fairly if I willingly provide it) and could also be exploited by many companies.

Thanks for joining the discussion. Be nice, don't post angry, and enjoy yourself. This is supposed to be fun. Your email address will not be published. Required fields are marked*

You can enclose spoilers in <strike> tags like so:
<strike>Darth Vader is Luke's father!</strike>

You can make things italics like this:
Can you imagine having Darth Vader as your <i>father</i>?

You can make things bold like this:
I'm <b>very</b> glad Darth Vader isn't my father.

You can make links like this:
I'm reading about <a href="http://en.wikipedia.org/wiki/Darth_Vader">Darth Vader</a> on Wikipedia!

You can quote someone like this:
Darth Vader said <blockquote>Luke, I am your father.</blockquote>

Leave a Reply

Your email address will not be published. Required fields are marked *