{"id":43323,"date":"2018-07-24T06:00:59","date_gmt":"2018-07-24T10:00:59","guid":{"rendered":"http:\/\/shamusyoung.com\/twentysidedtale\/?p=43323"},"modified":"2018-07-24T08:01:43","modified_gmt":"2018-07-24T12:01:43","slug":"this-dumb-industry-red-shell","status":"publish","type":"post","link":"https:\/\/www.shamusyoung.com\/twentysidedtale\/?p=43323","title":{"rendered":"This Dumb Industry: Red Shell"},"content":{"rendered":"<p>This is a crazy story right out of an (admittedly dull) cyberpunk novel. <a href=\"https:\/\/www.reddit.com\/r\/Steam\/comments\/8pud8b\/psa_red_shell_spyware_holy_potatoes_were_in_space\/\">Someone discovered that a bunch of PC games were using third-party &#8220;spyware&#8221;<\/a> called <a href=\"https:\/\/redshell.io\/home\">Red Shell<\/a>. There&#8217;s no way to know what information Red Shell was sharing, but it had evidently been running inside of a lot of games for some time without being noticed. <\/p>\n<p>People made a fuss on Reddit, the story gained some traction, and many developers began patching Red Shell out of their games. Some of them did so without comment, while others downplayed the move. The patch notes either failed to mention Red Shell at all, or they simply said &#8220;Removed Red Shell&#8221; without elaborating on what Red Shell was or what it was doing. <\/p>\n<p>A few companies made official statements. A ridiculous number of them claimed that while Red Shell was included in the install, it had never been active and don&#8217;t worry about it we&#8217;re getting rid of it anyway you can trust us we&#8217;re dedicated to security etc etc etc.<\/p>\n<p>This story has been simmering for <a href=\"https:\/\/www.reddit.com\/r\/Steam\/comments\/8pud8b\/psa_red_shell_spyware_holy_potatoes_were_in_space\/\">a month<\/a> or so. 
It was quickly picked up by <a href=\"https:\/\/www.polygon.com\/2018\/6\/20\/17485762\/red-shell-spyware-pc-games-controversy-steam\">Polygon<\/a>, <a href=\"https:\/\/www.wired.co.uk\/article\/red-shell-game-tracking-gdpr\">Wired<\/a>, and <a href=\"https:\/\/www.pcgamer.com\/red-shell-analytics-software-causes-privacy-uproar-over-a-dozen-developers-vow-to-drop-it\/\">PC Gamer<\/a>, but it didn&#8217;t seem to make many waves at the time. I didn&#8217;t hear about it until 2 days ago. <\/p>\n<p>As of this writing, the story is still developing. New games are being discovered to include Red Shell, and previously discovered games are patching it out and doing PR damage control. A few games got ahead of the curve and patched it out before being noticed.<\/p>\n<p><!--more-->I can&#8217;t find a single canonical list of all known Red Shell games. The closest thing we have is <a href=\"https:\/\/www.reddit.com\/r\/Steam\/comments\/8pud8b\/psa_red_shell_spyware_holy_potatoes_were_in_space\/\">the Reddit thread that seems to have started it all<\/a>, and that&#8217;s a patchwork of daily updates rather than an organized list. A lot of impacted games are small-time \/ obscure titles, but the list does include a fair share of big names:<\/p>\n<ul>\n<li>Dead by Daylight\n<li>Civilisation 6\n<li>Elder Scrolls Online\n<li>Conan Exiles\n<li>Secret World Legends\n<li>Vermintide\n<li>Quake Champions\n<li>Kerbal Space Program<\/ul>\n<p>In some cases, the developers have already patched out Red Shell. In others, they&#8217;ve pledged to patch it out the next time they push an update. <\/p>\n<h3>In Defense of Red Shell<\/h3>\n<p><div class='imagefull'><img src='https:\/\/www.shamusyoung.com\/twentysidedtale\/images\/stock_cameras2.jpg' width=100% alt='Big Brother is watching you. However, Big Brother is watching a LOT of people and sometimes he has trouble keeping up.' title='Big Brother is watching you. 
However, Big Brother is watching a LOT of people and sometimes he has trouble keeping up.'\/><\/div><div class='mouseover-alt'>Big Brother is watching you. However, Big Brother is watching a LOT of people and sometimes he has trouble keeping up.<\/div><\/p>\n<p>The developers of <a href=\"https:\/\/store.steampowered.com\/app\/531640\/Eternal_Card_Game\/\">Eternal Card Game<\/a> have actually taken a stand and <a href=\"https:\/\/steamcommunity.com\/app\/531640\/discussions\/0\/1729827777344786856\/\">defended<\/a> the practice. I think their position offers important context for why some developers have adopted Red Shell and I&#8217;m glad they spoke up rather than quietly removing it. I object to the use of Red Shell because I see this as a rather dangerous slippery slope, but I think the key to sorting this out is having an honest discussion about it. So I really appreciate the ECG devs being candid. <\/p>\n<p>In the interest of making sure their viewpoint is heard, I&#8217;m going to reprint their talking points here. 
However, I encourage you to read their <a href=\"https:\/\/steamcommunity.com\/app\/531640\/discussions\/0\/1729827777344786856\/\">entire post<\/a> for the full context.<\/p>\n<blockquote>\n<ul>\n<li>From February 1, 2018 to March 23, 2018, we used Red Shell to help us measure the effectiveness of advertising campaigns promoting Eternal on Steam.\n<li>Despite a few loud claims to the contrary, Red Shell is NOT Spyware &#8211; they have not collected, stored, or sold any personally identifying information at any time, and they are compliant with the GDPR.\n<li>See the Red Shell FAQ <a href=\"https:\/\/redshell.io\/gamers\">here<\/a>, which offers a GDPR-compliant opt-out option on this page.\n<li>Their FAQ explicitly rebuts many of the claims made in these threads about tracking browser history, correlating multiple games played, etc.\n<li>To reiterate: Red Shell collects nothing.\n<li>Red Shell lets us compare a list of devices that click on an ad link to a list of devices that install Eternal to create a non-personally-identifying link between ads, and installs. See the link to their FAQ above on how this works without compromising personally identifying information.\n<li>This usage (by both DWD and Red Shell) is compliant with both the GDPR and all applicable laws.<br \/>\n(You&#8217;re likely to find that the ads and ad-tracking software embedded on your favorite gaming news websites are far more intrusive. A couple of those sites have written about this topic and about us without bothering to dig into the facts of the issue, or to ask us for comment.)<\/p>\n<li>Since March 23, 2018, Red Shell has not been part of any Eternal advertising efforts.\n<li>The decision to temporarily suspend the usage of Red Shell was in no way related to the present conversation.\n<li>The Red Shell integration has remained in the game since that time. 
We have always intended to resume using Red Shell to better-inform our advertising efforts.\n<li>On June 10, 2018, this Reddit thread began to stir up conversation rooted in wild speculation, unfounded accusations, and near-total misinformation about the realities of digital advertising, game publishing, and the law.\n<li>We responded the same day we became aware of the conversation, hoping to clear up the confusion and put an end to the misinformation being spread.\n<li>Since that time, a small number of users have continued to spread misinformation on this subject, and have chosen to ignore repeated explanations and any actual evidence of how this all works.\n<li>It&#8217;s worth noting that Red Shell is far from the only service to offer this kind of attribution solution &#8211; it&#8217;s just the one that a handful of users have turned into a bogeyman of imagined privacy violations. There are many other similar services helping a huge range of games and game developers overcome the data gap for games published on Steam and with ad performance on other platforms.\n<\/ul>\n<p>Here are some additional notes:<\/p>\n<ul>\n<li>Eternal is one of the most genuinely free-to-play card games on the market, and we care very much about the type of experience we are providing for our customers. 
We want to be respectful of you guys, your time and your support, and we try to be as careful and ethical as we can be about our business model and how we use data.\n<li>We have never, would never, do anything improper to compromise player privacy.\n<li>We have never bought or sold any personally identifying information about players or potential players.\n<li>We are, and always have been, compliant with the GDPR and all applicable regulations.\n<li>We have never hidden or misrepresented any of this &#8211; we&#8217;ve got nothing to hide.\n<li>We do (and will continue to) advertise our products in ways that are ethical, transparent, and above the bar in terms of standards and practices used by just about every game publisher and website in the world. (And the list of similar software that is used in nearly every mobile game you might play is pretty long).\n<\/ul>\n<\/blockquote>\n<p>I notice that a lot of the games on this list are Free-To-Play, which is often supported through in-game advertising. One of the problems you face in these situations is that if you&#8217;re funding your game through advertisements, you need to be able to assure prospective advertisers that real people will be clicking on their advertisements. Advertisers want to know how many people will see the ad, how often they&#8217;ll see it, and how likely they are to click on something. The developer needs this information so they can sell the ad space, and the advertiser needs this information so they can appraise how their ad is doing.<\/p>\n<p>In these situations, neither party is really interested in mining your PC for personal information. They just want to know if the system is working the way it&#8217;s supposed to. <\/p>\n<p>There&#8217;s a distinction to be made here between &#8220;personal information&#8221; and &#8220;uniquely identifiable information&#8221;. 
If the system says 10,000 people clicked on an advertisement, we want to know if that was actually 10,000 different people or if it was just one guy with an auto-clicker bot. To figure this out, we need some way to tell one person from another. We don&#8217;t actually care WHO you are, we just want to know you&#8217;re a different person than the last person to click on this ad.<\/p>\n<p>To make this work, you need to give everyone a unique ID number \/ string. This ID can be anything, but Red Shell suggests you use the user&#8217;s Steam ID.<\/p>\n<p>The problem people have at this point is that you can use that ID to look up the user. The ID itself might be impersonal, but it can be used to gain personal information. The supposed anonymity of the system is fragile and can easily become a Facebook-style data-harvesting machine. I&#8217;m willing to believe that the ECG developers are really earnest about what they&#8217;re trying to do, but I&#8217;ve been watching this industry for long enough to know that not everyone takes user privacy so seriously. I know other companies (and I&#8217;m talking about <a href=\"https:\/\/en.wikipedia.org\/wiki\/Electronic_Arts\">really big companies<\/a> that love the <a href=\"https:\/\/en.wikipedia.org\/wiki\/Dungeon_Keeper_(2014_video_game)#Controversies\">free-to-play<\/a> model) are willing to do anything they can get away with. Both companies are saying &#8220;trust me&#8221;, and unless you&#8217;re an expert at reverse-engineering and packet sniffing, you can&#8217;t tell what either one is doing.<\/p>\n<p>It&#8217;s totally possible to use Red Shell in a benign way. For example, you could assign each account a randomly-generated hash to use as the Red Shell ID, which would make it basically impossible to turn the ID into personally identifying information. The service can just collect information relevant to advertising. In this way, a game using Red Shell is no more invasive than a website that uses cookies. 
Yes, your user information might be compromised if the developer suffers a catastrophic data breach, but that&#8217;s already true in the case of an online game. You already entrusted them with your personal information when you created your account, and Red Shell doesn&#8217;t offer any <em>additional<\/em> security or privacy risks.<\/p>\n<p>On the other hand, it&#8217;s also possible for a developer to use Red Shell in an aggressive way. They could, if they wanted, plunder your hard drive for secrets and sell those secrets to whoever was willing to pay for them<span class='snote' title='1'>Ignoring the fact that this would be illegal in many places.<\/span>. <\/p>\n<h3>This Is Nothing New<\/h3>\n<p><div class='imagefull'><img src='https:\/\/www.shamusyoung.com\/twentysidedtale\/images\/stock_cameras.jpg' width=100% alt='Big Brother says: I&apos;M BORED. DO SOMETHING INTERESTING ALREADY.' title='Big Brother says: I&apos;M BORED. DO SOMETHING INTERESTING ALREADY.'\/><\/div><div class='mouseover-alt'>Big Brother says: I&apos;M BORED. DO SOMETHING INTERESTING ALREADY.<\/div><\/p>\n<p>The thing is, Red Shell doesn&#8217;t create any <em>new<\/em> privacy threats. If you&#8217;re running a game on your computer, that game has access to all kinds of information about you. The game could, if the developer wanted, begin uploading the contents of your entire \/Documents folder<span class='snote' title='2'>Ha! The joke&#8217;s on them. I don&#8217;t use \/Documents. I keep all my info on Google Docs where no corporation can ever touch it. Oh wait.<\/span>. Red Shell doesn&#8217;t enable developers to do anything they couldn&#8217;t do before. It simply offers a turnkey solution for devs who don&#8217;t want to hand-code their own tracking software. If Red Shell gets driven out of the industry by the public outcry, it&#8217;s not going to make our machines impervious to prying developers. 
It just means they&#8217;ll have to come up with a homebrew solution to the problem.<\/p>\n<p>In fact, you could make the case that Red Shell actually makes things easier for us to keep an eye on developers. People are already figuring out how to detect Red Shell and monitor its behavior. We can use this to watch and see what kinds of information it&#8217;s sending back to the mothership. If Red Shell goes away and every developer writes their own custom version, then we&#8217;ll never be able to catch them all. Their implementations might be buggy, dangerous, poorly designed, or insecure, and we wouldn&#8217;t know it. If their tracking info was even slightly encrypted and mixed in with all the other networking code you find in the typical online game then it would take a lot of effort to reverse-engineer the whole thing and figure out what the developer is up to. It could be done, but it&#8217;s much easier if all developers are using the same easily-detectable package and the same set of known protocols.<\/p>\n<h3>A New Frontier in Worry<\/h3>\n<p><div class='imagefull'><img src='https:\/\/www.shamusyoung.com\/twentysidedtale\/images\/stock_security.jpg' width=100% alt='Maybe Big Brother wouldn&apos;t steal your information if you weren&apos;t so crap at securing it. That chain isn&apos;t even the right size!' title='Maybe Big Brother wouldn&apos;t steal your information if you weren&apos;t so crap at securing it. That chain isn&apos;t even the right size!'\/><\/div><div class='mouseover-alt'>Maybe Big Brother wouldn&apos;t steal your information if you weren&apos;t so crap at securing it. That chain isn&apos;t even the right size!<\/div><\/p>\n<p>I am not saying that Red Shell is a good thing. I&#8217;m just saying that Red Shell is a symptom, not the source of the problem. 
Going by the number of games on the list, tracking users is something a lot of developers \/ publishers want to do, and that desire isn&#8217;t going to go away just because Red Shell gets a bad reputation. The public needs to understand the difference between &#8220;unique information&#8221; and &#8220;personal information&#8221;, and we need to come to some sort of rough agreement on what is &#8220;reasonable&#8221; information and what is &#8220;too much&#8221;. <\/p>\n<p>Some people will take the hardline approach that they never want to share anything with any developer ever. That&#8217;s fine, although the vast majority of people would probably be willing to share a little information if it means they can play a free game. We&#8217;re going to have to deal with this one way or another. If our opposition is too apathetic, then the whole industry could slide into some sort of dystopic privacy-destroying nightmare, as has already happened in most of social media. On the other hand, overzealous and uninformed opposition will just push developers towards being more clever with obfuscating their tracking software. <\/p>\n<p>The games that really perplex me are the single-player games with no in-game advertising. A lot of developers claimed that Red Shell wasn&#8217;t even active. Okay, let&#8217;s just assume we choose to believe that. If that&#8217;s the case, then why install it at all? What was Kerbal Space Program doing with it? What value could Red Shell possibly offer to KSP? Is this something a publisher is imposing on developers? Integrating third-party libraries takes some modest effort, whether that library is Speed Tree, a multiplayer networking solution, or Red Shell. Why would any developer put in the hours to add something that wasn&#8217;t useful to them? <\/p>\n<p>I think there must be another dimension to this story that we&#8217;re not hearing yet. 
We&#8217;ll see how things develop over the next few weeks.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>This is a crazy story right out of an (admittedly dull) cyberpunk novel. Someone discovered that a bunch of PC games were using third-party &#8220;spyware&#8221; called Red Shell. There&#8217;s no way to know what information Red Shell was sharing, but it had evidently been running inside of a lot of games for some time [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[102],"tags":[],"class_list":["post-43323","post","type-post","status-publish","format-standard","hentry","category-weekly-column"],"_links":{"self":[{"href":"https:\/\/www.shamusyoung.com\/twentysidedtale\/index.php?rest_route=\/wp\/v2\/posts\/43323","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.shamusyoung.com\/twentysidedtale\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.shamusyoung.com\/twentysidedtale\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.shamusyoung.com\/twentysidedtale\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.shamusyoung.com\/twentysidedtale\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=43323"}],"version-history":[{"count":13,"href":"https:\/\/www.shamusyoung.com\/twentysidedtale\/index.php?rest_route=\/wp\/v2\/posts\/43323\/revisions"}],"predecessor-version":[{"id":43337,"href":"https:\/\/www.shamusyoung.com\/twentysidedtale\/index.php?rest_route=\/wp\/v2\/posts\/43323\/revisions\/43337"}],"wp:attachment":[{"href":"https:\/\/www.shamusyoung.com\/twentysidedtale\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=43323"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.shamusyoung.com\/twentysidedtale\/index.php?rest_route=%2Fwp%2Fv2%2Fcategorie
s&post=43323"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.shamusyoung.com\/twentysidedtale\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=43323"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}