Gaming Companies Remove Analytics App After Massive User Outcry (bleepingcomputer.com)
An anonymous reader writes: "Several gaming companies have announced plans to remove support for an analytics app they have bundled with their games," reports Bleeping Computer. "The decision to remove the app came after several Reddit and Steam users noticed that many game publishers have recently embedded a controversial analytics SDK (software development kit) as part of recent updates to their games. The program bundled with all these games, and at the heart of all the recent controversy, is RedShell, an analytics package provided by Innervate, Inc., to game publishers."
The app is intended to collect information about the source of new game installs, and details about the gamer. Following a massive user outcry in the past two weeks, several game makers have given in to pressure and are removing this SDK. Game makers and games who announced they were removing RedShell include Bethesda (Elder Scrolls), All Total War games, Warhammer games, Magic the Gathering Arena, and more. [This Google Docs spreadsheet and Reddit thread have a list of games containing RedShell.]
The third party Akamai EULA also allows them to track you. This shouldn't be a separate install with separate EULA.
STFU CREIMER
What is your real name, address, and phone number?
* You're not scared, are you?
If you're not scared, don't run from my question.
APK
P.S.=> I seem to be the only real man here, who isn't afraid of being accountable... apk
Lots of shitty devs have been sending usage data back for years.
Even Volition, which is otherwise a pretty cool dev, have openly admitted tracking stuff that happens in SINGLE PLAYER games, boasting about kill counts and miles driven in Saints Row games.
This is why I've never connected my xbox to the internet, and always turn my wifi off when playing games.
Fuck any developer who sends data from my computer to their servers without my consent.
Volition recently had to fire 100 employees because their last game tanked: good. I hope they go out of business.
Not RedShell, but the Unity engine also offers integrated analytics:
https://unity.com/solutions/analytics
Try to find a mobile game that isn't using Game Analytics SDK or the like. It won't be as easy as you think.
In case you didn't want to RTFA.
Be aware that Unity, a popular game engine, bakes analytics into the game at compile time.
More bullshit from unidentifiable anonymous trolls. Don't you have anything better to do?
What is your real name, address, and phone number?
* You're not scared, are you?
If you're not scared, don't run from my question.
APK
P.S.=> I seem to be the only real man here, who isn't afraid of being accountable... apk
They'll just do this again when people aren't paying attention. Maybe next time they'll hide it well enough that it won't be discovered.
Anons need not reply. Questions end with a question mark.
When did the moment of the internet pass from becoming an evil tool to be used for controlling/observing & taking advantage of our fellow humans from the early promise of sharing and connecting each other? Was the whole point from the onset for it to be used to 1984 us all? I don't like or agree with this constant surveillance thing that the internet has become. I'm both impressed and disgusted with how our lives have changed in only the last 10 years. Future wars will be fought with the press of a few buttons by those who have the ability to turn off electric grids of entire countries by a select few.
When a simple app can be the conduit to destroy an individual's life entirely, it'll already be too late for the freedom of our race. (Captcha is apropos, "standoff".)
Registered slashdot posters like and use apk's hosts engine in Windows model and states his Linux model is better https://news.slashdot.org/comments.pl?sid=12242172&cid=56800816/
How does this mo-fo report? Can I screw it up with pi-hole or other DNS tweaks?
I'm planning to sue APK for taking my comment out of context and using my name and likeness to promote his product. I am entitled to royalties for every time APK has posted a product using my words and user name.
APK can either cease and desist from posting that comment or pay me a royalty for each time he posts it.
HDHomeRun calls home every 10 minutes uploading a complete list of available channels and device information including internal IP address of HDHomeRun devices.
All data is unencrypted and transmitted entirely in the clear.
HDHomeRun operates an API ipv4-api.hdhomerun.com that is not in any way encrypted, secured or CSRF protected. It can be called by any website to fingerprint owners of HDHomeRun devices on their network.
Attempting to block HDHomeRun from calling home by blackholing DNS entries results in HDHomeRun switching to Google DNS server 8.8.8.8 BYPASSING the ACCESS CONTROL users have put in place. It is necessary to also block access to 8.8.8.8 to stop the behavior in its entirety.
A simple call to http://ipv4-api.hdhomerun.com/... by anything on your network provides a JSON formatted list of HDHomeRun devices on your network. The call includes unique device ID and internal URLs that again with no CSRF protection of any kind can be trivially leveraged by malicious websites to get additional information including device AUTHORIZATION CODE, set internal parameters, gather current shows being watched and transmit verbs stored persistently and which modify device behavior all without any protection or authentication of any kind whatsoever.
There was no clickwrap agreement of any kind or any indication that HDHomeRun would be calling home and doing so in such a ridiculously insecure manner.
If you own an HDHomeRun device for your own security and privacy please take the following steps immediately:
Blackhole DNS access to ipv4-api.hdhomerun.com
Block access to Google public DNS servers @ 8.8.8.8
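As an added example (not part of the original comment, and not HDHomeRun or Pi-hole code): the fallback to 8.8.8.8 described above appears in flow logs as a LAN host sending DNS traffic to a resolver other than the sanctioned one. The sketch below generalizes the check to any outside resolver and to DNS-over-TLS; the log format, addresses and function name are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample flow records (not captured from a real device).
# Assumed format: "<epoch> <src_ip> <dst_ip> <proto> <dst_port>"
SAMPLE_FLOWS = """\
1529500000 192.168.1.50 192.168.1.2 udp 53
1529500001 192.168.1.50 8.8.8.8 udp 53
1529500600 192.168.1.50 8.8.8.8 udp 53
1529500002 192.168.1.20 192.168.1.2 udp 53
1529500003 192.168.1.20 93.184.216.34 tcp 443
1529500004 192.168.1.2 9.9.9.9 udp 53
malformed line
1529500005 192.168.1.77 8.8.4.4 tcp 853
"""

DNS_PORTS = {53, 853}  # plain DNS and DNS-over-TLS


def find_dns_bypass(flow_text, lan_cidr, allowed_resolvers, forwarders=()):
    """Return {lan_host: {(resolver, port): count}} for DNS sent around
    the sanctioned resolver.

    allowed_resolvers: resolvers LAN clients are supposed to use.
    forwarders: hosts (e.g. the local blackholing resolver itself) that
                may legitimately query upstream DNS servers.
    """
    lan = ipaddress.ip_network(lan_cidr)
    allowed = {ipaddress.ip_address(a) for a in allowed_resolvers}
    exempt = {ipaddress.ip_address(a) for a in forwarders}
    hits = defaultdict(lambda: defaultdict(int))

    for line in flow_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip records that do not match the assumed format
        try:
            src = ipaddress.ip_address(parts[1])
            dst = ipaddress.ip_address(parts[2])
            port = int(parts[4])
        except ValueError:
            continue
        if port not in DNS_PORTS or src not in lan:
            continue  # only DNS traffic that originates on the LAN
        if src in exempt or dst in allowed:
            continue  # sanctioned path: client -> local resolver -> upstream
        hits[str(src)][(str(dst), port)] += 1

    return {host: dict(resolvers) for host, resolvers in hits.items()}


if __name__ == "__main__":
    report = find_dns_bypass(
        SAMPLE_FLOWS, "192.168.1.0/24",
        allowed_resolvers=["192.168.1.2"], forwarders=["192.168.1.2"],
    )
    for host, resolvers in sorted(report.items()):
        for (resolver, port), count in sorted(resolvers.items()):
            print(f"{host} bypassed local DNS -> {resolver}:{port} ({count}x)")
```

Hosts reported here are candidates for an egress rule that drops port 53/853 traffic to anything except the local resolver.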
There is a difference in analytics when it is about personally identifiable information, about other apps/games, and when it is about how a user/player is using this particular app/game. The latter is legit, what available features / weapons are being used, what player mechanics are being used, etc. That helps better design future features and apps/games. Also legit would be non-identifiable information about the hardware, what generation CPU, what generation GPU, how much RAM, what operating system ... basically the system requirement type information. This helps designers anticipate when they can update content, graphics, etc to take advantage of more advanced hardware. Again, all this collected in a non-personally identifiable way.
Ok since he failed to first shit post this article I am going to help him out albeit a bit late:
Trump! I hate Trump! Trump is going to prison because he broke the law against collusion even though no such law exists! Auuuuggh! Trump! And his family too! They are going to jail just for being related! And people he never met but didn't vote For Her! Jail! Incel! Wah!
I think I got the general theme right even if a few words might be off a bit.
Apologies for any errors.
Carry on.
Isn't this behavior constrained by GDPR?
I remember back in the day DOOM from ID software (the one with the flashlight problem), came with starforce (the usual DRM back in the day) along with checking to see if cloneCD or other cd cloning software was installed. Long story short, damn game had lighting problems, DRM backdoors, and was harassing me about legitimate software on MY OWN MACHINE. The gall, the absolute gall for some goddamn game to tell ME what I can install or not install on my own machine....That did not go over well, that put me on the path of becoming a nemesis fighting them for the wrong they had visited upon me and my precious machine.
20 years later and I am only now just starting to purchase games again. For those 20 years though, I was only using the piratebay to get my games as copies, ironically because a legitimately purchased game had put odious restrictions on (like needing the physical cd, cd key, drm installed, etc etc) whereas the pirates had produced a superior version that loaded faster, had the lighting problem fixed, did not require a cd or cd key and did not install DRM modules or check what software I had installed.
If these companies really want to create a legion of people like me who righteously tell game companies to go fuck themselves, then they are on the correct path to a gamer revolution where the outcry and loss of sales will hurt them pretty badly.
I see cable companies as doing relatively the same thing, they had a monopoly more or less for so long and it was so profitable that they became total assholes, putting in advertisements after we already paid for the cable, bundling shit, etc etc etc. The end result? We now have a 27% decline in tv viewership and the term 'cord cutter' has entered the popular vernacular. Game companies seem dead set on copying those results.
All the useless non productive losers playing games in their mum's basement have such boring useless lives no one actually gives a fuck about them.
Stop playing games like a 5 year old playing with toys and grow up and act like real adults.
when it pretends to be a windows process and uses other malware tricks...
Prevent all games from going online at all.
Both are absolutely essential for spotting 1) problems in the software and 2) identifying features not used. I've consulted across Australia and not one company allowed PID to leak into the logs. I was an expert implementer but not beyond that. It may have been PCI compliance which was under the whole thing. It's not as nefarious as the tin foil hats would lead you to believe.
It has often been said of the free games 'If you're not the customer you are the product.' Well, looks like now we're both. You pay for the game, then get sold out anyway, and usually without even being properly informed about it. Worse, it might come in an update, which means you paid for one thing and now it has become spyware.
This is why there should be laws, backed by heavy fines, prohibiting this sort of anti-consumer behavior. You can't trust the companies to just do the right thing; they'll keep doing it until they get caught, time after time. This should be illegal.
The OP claims,
"The app is intended to collect information about the source of new game installs, and details about the gamer."
But hang on a moment... if the game is being installed via Steam [and, it has to be packaged up by Steam for delivery from their infrastructure], all of that information - and more - is available directly back to the game developer via Steam themselves. Those of us who play games via Steam know this "going in".
And as this page shows, one of the ways that RedShell works is to link your web browsing identity with your gaming identity and then have the ability to use that to back-track your activity across the internet.
There is absolutely zero justification for this.
The second part of the lie concerns not that this is being done, but the way that it is happening. If a game studio wanted to use this sort of technology to monitor activities associated with their game [which I do not believe is inherently wrong], then it would not be difficult for them to create a folder in the game's installed file tree designated "Uploaded Data" and to place in this folder a complete and true copy of data sent back to them. It would have to be done after the upload - or at least, done in such a way that the gamer could not alter the data before it was sent - but at least this would be honest.
If a game manufacturer put a clear warning in their packaging: "This game will send telemetry to us when you play it. For details of the data elements sent, and instructions on how to verify this for yourself, please see the Appendix of this User Guide", I dare say that this scandal would not have happened.
It is the fact that companies think that they can "get away with this" by not telling people that pours fuel on the fire that this could easily be used for much more malicious purposes than are being discussed here.
One final thought/question: are there patterns in the data here? Are these sorts of underhand activities associated more with game studios or with publishers? It seems to me that although the studio rightly gets the bad reputation, the choice to add this sort of spyware - and let's make no mistake, that's what this is - could easily be "encouraged" by a publisher. After all, it's the publisher in this sordid tale that tends to be the one most interested in understanding games sales. If there is such a pattern, is it time to start vocal boycotts?
It seems to me that the only way to get through to these companies is to hit them where it hurts: their wallets.
Not really. Forums are unreliable, plus it is a self selected sampling.
And research has often shown that people poorly articulate, or in fact understand, what it is that they like. In a product development class you might learn that a rather poor way to learn of a potential customer's likes is to ask them directly, ask their favorites, or to rank a list 1 to 10. More effective may be to give them a longish series of questions asking them if they prefer [pick one of those ten items] to [pick another one of those ten items] in [such and such a context]. Repeat until you have direct or indirect rankings of all ten and redundant confirmations of those rankings. The sorted list produced by this method is usually better than the sorted list from direct questioning.
Also what they like, vehicle/weapon X, is not necessarily reflective of what they do or use, vehicle/weapon Y, that contributes to victories in a game. Victories may be more important than the liked vehicle/weapon X. An example, in World of Warships my favorite ships are Fletcher, Cleveland and Des Moines. However I have a much higher win rate in Farragut. I like Farragut but it would be number four in terms of favorites. Yet it is probably the most important in terms of long term game satisfaction because it can feed my psychological cravings for victories with it and it's a great money maker to buy other ships I will briefly give a try, which also indirectly contributes to game longevity. I like Farragut enough that I don't feel like I am grinding, but in truth I sort of am. Yet if you asked me on a forum for my favorites I would not mention it, and it probably does more to contribute to game longevity than anything else. So recording gameplay stats, like what ships I play, gives the developer more meaningful information than any forum conversation or in-game survey.
Actions speak louder than words.
FUCK YOU. You're such a total piece of shit. I hope they find your kiddie porn stash you pederast scum.
Prior to the gross commercialization of the internet this was an egalitarian place of thought and genuine human connection. Once MONEY entered into the picture it became as big a shithole as the USA.
You're the reason developers say "why should we even listen to people like this"?
Telemetry: I think as a developer I need to gather this metric to make sure I didn't make this level too difficult and deter users in the future.
3rd party Analytics SDK: You want to know about your users? We can tell you about your users. We collect all the things and serve it up to you. Want to know what they named their first born? We got that! Want to know if users passed that difficult level? We got that too!
I remember installing Google Analytics a few years ago to find out some information about a new page we added to a customer's website. We had our suspicions that the customers weren't seeing it. I was not at all interested in the intricate details of every browser, screen resolution, operating system, how long they stayed, and what they clicked on. It was all given to me anyway.
See my subject: You're DAMN RIGHT I'd kick YOUR FUCKING ASS for stalking & harassing me you unidentifiable little cowardly cunt - tell me your REAL name, address, & phone # so I can verify it's REALLY you & we can settle this once & for all, fucker...
APK
P.S.=> Everyone SEES you constantly stalking & harassing me bitch, so WHO ARE YOU FOOLING but yourself - & IF I ever get to you? You'll WISH you were dead cocksucker... I shit you not! apk
You should listen as to a clue about the anger that is building up.
As you can see from the comments here, you do not need to send out a survey to your clients to realize, we have fucking had enough. We have been through the wringer of being spied on, advertised to, manipulated as children, we have been the target of scummy advertisers and algorithms for some of us since the day we first took our breath in this world.
So instead of saying 'let's just ignore the angry people' how about you listen to us because we are your customers and we are saying something very blatantly clear, we are screaming it at the top of our lungs, we are ranting and ranting and getting more and more angry.
NO MORE SPYING, RESPECT US, RESPECT OUR PRIVACY, RESPECT OUR RIGHTS
See subject & here PUSSY liar you are https://it.slashdot.org/commen... BIG bad "soulja BOY" you fucking puss ass bitch punk!
... apk
* YOU MAKE ME LAUGH bitch!
APK
P.S.=> That's RIGHT cocksucker - I am LAUGHING @ YOU pussy boy & I'd put your BONY ASS into a hospital with ease - come on OVER "big talker" bitch so I can
See subject SOYBoy (rotflmao) in your UNIDENTIFIABLE anonymous "courageous" trolling you "not man" - LMAO!
(You know - I understand your SOYMilk & Bisphenol A "notman" SOYBoy formulas have addled your brains but that takes the cake for "illogic logic" from "your kind", lol!)
* The other poster's not I but they are making you get all "triggered" when you see your addled thinking fools nobody but your sick in the head chemically NEUTERED (lol) selves, lmao!
APK
P.S.=> Classic - one for my bookmarks... apk
* The check is in the mail
* I'll respect you in the morning
* It's just a cold sore
Quite the illiterate tantrum. This is the drivel that moderators ignore on game forums. Hyperbolic whining is counterproductive. The dev here is describing diagnostics specific to his in-development game, and nothing else. He's not spying on the pr0n you have stashed in that hidden partition, spamming you with ads, or sussing out other devious ways to twist your already mobius-like grey matter. Seriously, quit pissing and moaning, and have the balls to post under your own log-in, and not as an AC.
Prior to the gross commercialization of the internet this was an egalitarian place of thought and genuine human connection.
The majority of Usenet posts disagree with your assertion.
Heat maps don't need to know who died [...] As a developer you'd want to know if a particular part of your game is too hard and kills the majority of players trying to get past it.
Sometimes people who died at position A also died at position B. This may help the level designer identify a pattern of elements that impose an unduly steep skill gradient for players with a particular play style. In order to track this, the developer needs to at least associate an identifier with each loss.
Then you install and run that shit during testing.
I'm curious as to how a 1-, 2-, or 3-man team developing a video game without access to venture capital can make large-scale testing of system compatibility and game balance practical. Do you have any suggestions?
the user perceives it to see you using their resources that they've paid for to help your business at their expense by siphoning off data without them knowing.
To address "at their expense" and "without them knowing": Does an offer to license the game at half price if the user opts into analytics make sense?
My view: good software is clean software, it does nothing without your knowledge
A strict interpretation of that view would require the video game to be distributed as source code, so that the end user has access to knowledge about what the program does. Though Id Software has released its games' engines as free software five years later, I haven't seen a workable business model for funding the development of a game larger than hobby-scale for distribution under a free software license from day one.
That means no DRM
All current video game console platforms have digital restrictions management, as does Apple iOS, and will ordinarily not execute a DRM-free program at all. Offline DRM is still DRM. How should a game be distributed DRM-free? Are you trying to imply, for example, that developers should no longer develop for Nintendo, PlayStation, Xbox, or iOS platforms at all, or alternatively develop unlicensed games for retro consoles (more than 20 years old)? And even if so, what should a developer do to deter mass casual copyright infringement in order to sell more than one copy?
HDHomeRun calls home every 10 minutes uploading a complete list of available channels and device information including internal IP address of HDHomeRun devices.
In a well-engineered system, this would be excusable. In order to obtain an HTTPS certificate for a device on a LAN that the web browser on each of the end user's devices will trust, an internal device needs its own fully qualified domain name (FQDN). To obtain a FQDN, a device would need to upload its internal IP address to some DNS service, be it a dynamic DNS service operated by the device's manufacturer or the zone host of a domain that the end user owns. The latter may cost $15 per year, or $75 over the 5-year expected service life of a device. I imagine that most end users, especially non-technical ones, don't already own a domain and aren't willing to pay an extra $75 just to skip the manufacturer's dynamic DNS service.
I agree with you that sending it in cleartext is not excusable. Nor are some of the other intrusions that you describe. But sending the IP address in some (reversibly encrypted) form is necessary as a step toward allowing the user to access the device as "https://some.internal.device.example".
He says he's not. When's the last time a studio told the truth?
If they were deceptive enough to add spyware to our games without telling us how can you trust them to remove it?
"Performance of a contract" is explicitly one of the six bases listed in Article 6 of the GDPR for holding and processing personal data. In this case, the contract would involve the user providing pseudonymous daily usage logs in exchange for access to the game at a discount off full retail or before the general availability date. The user can request a copy of these logs at any time by choosing "Download Your Replays" from the game's menu.