Gaming Companies Remove Analytics App After Massive User Outcry (bleepingcomputer.com)
An anonymous reader writes: "Several gaming companies have announced plans to remove support for an analytics app they have bundled with their games," reports Bleeping Computer. "The decision to remove the app came after several Reddit and Steam users noticed that many game publishers have recently embedded a controversial analytics SDK (software development kit) part of recent updates to their games. The program bundled with all these games, and at the heart of all the recent controversy, is RedShell, an analytics package provided by Innervate, Inc., to game publishers."
The app is intended to collect information about the source of new game installs, and details about the gamer. Following a massive user outcry in the past two weeks, several game makers have given in to pressure and are removing this SDK. Game makers and games who announced they were removing RedShell include Bethesda (Elder Scrolls), All Total War games, Warhammer games, Magic the Gathering Arena, and more. [This Google Docs spreadsheet and Reddit thread have a list of games containing RedShell.]
Lots of shitty devs have been sending usage data back for years.
Even Volition, which is otherwise a pretty cool dev, have openly admitted tracking stuff that happens in SINGLE PLAYER games, boasting about kill counts and miles driven in Saints Row games.
This is why I've never connected my xbox to the internet, and always turn my wifi off when playing games.
Fuck any developer who sends data from my computer to their servers without my consent.
Volition recently had to fire 100 employees because their last game tanked: good. I hope they go out of business.
Not RedShell, but the Unity engine also offers integrated analytics:
https://unity.com/solutions/analytics
Try to find a mobile game that isn't using Game Analytics SDK or the like. It won't be as easy as you think.
In case you didn't want to RTFA.
Be aware that Unity, a popular game engine, bakes analytics into the game at compile time.
They'll just do this again when people aren't paying attention. Maybe next time they'll hide it well enough that it won't be discovered.
Anons need not reply. Questions end with a question mark.
HDHomeRun calls home every 10 minutes uploading a complete list of available channels and device information including internal IP address of HDHomeRun devices.
All data is unencrypted and transmitted entirely in the clear.
HDHomeRun operates an API ipv4-api.hdhomerun.com that is not in any way encrypted, secured or CSRF protected. It can be called by any website to fingerprint owners of HDHomeRun devices on their network.
Attempting to block HDHomeRun from calling home by blackholing DNS entries results in HDHomeRun switching to Google DNS server 8.8.8.8 BYPASSING the ACCESS CONTROL users have put in place. It is necessary to also block access to 8.8.8.8 to stop the behavior in its entirety.
A simple call to http://ipv4-api.hdhomerun.com/... by anything on your network.
Provides a JSON formatted list of HDHomeRun devices on your network. The call includes unique device ID and internal URLs that again with no CSRF protection of any kind can be trivially leveraged by malicious websites to get additional information including device AUTHORIZATION CODE, set internal parameters, gather current shows being watched and transmit verbs stored persistently and which modify device behavior all without any protection or authentication of any kind whatsoever.
There was no clickwrap agreement of any kind or any indication that HDHomeRun would be calling home and doing so in such a ridiculously insecure manner.
If you own an HDHomeRun device for your own security and privacy please take the following steps immediately:
Blackhole DNS access to ipv4-api.hdhomerun.com
Block access to Google public DNS servers @ 8.8.8.8
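The fallback the comment describes (a device answering a DNS blackhole by going straight to 8.8.8.8) shows up in the gateway's firewall log. The script below is an added example, not code from the thread or from SiliconDust: it parses constructed iptables LOG lines, lists LAN hosts that sent DNS to any resolver other than the local one (going beyond the comment's single 8.8.8.8 case), and emits the per-host block rule the comment recommends. The resolver address and the log format are assumptions.

```python
"""Find LAN hosts that bypass the local resolver and generate block rules.

Added example (not from the thread). The log lines are constructed to look
like netfilter LOG output; the local resolver address is an assumed value.
"""
import re
from collections import defaultdict

# Resolver every LAN host is supposed to use (assumed for this example).
LOCAL_RESOLVER = "192.168.1.1"

# Constructed sample of `iptables -j LOG --log-prefix "FWD: "` output.
SAMPLE_LOG = """\
Jun 22 10:00:01 gw kernel: FWD: IN=br0 OUT=eth0 SRC=192.168.1.50 DST=8.8.8.8 PROTO=UDP SPT=53211 DPT=53 LEN=52
Jun 22 10:00:02 gw kernel: FWD: IN=br0 OUT=eth0 SRC=192.168.1.50 DST=8.8.8.8 PROTO=UDP SPT=53212 DPT=53 LEN=52
Jun 22 10:00:03 gw kernel: FWD: IN=br0 OUT= SRC=192.168.1.20 DST=192.168.1.1 PROTO=UDP SPT=40001 DPT=53 LEN=48
Jun 22 10:00:04 gw kernel: FWD: IN=br0 OUT=eth0 SRC=192.168.1.20 DST=93.184.216.34 PROTO=TCP SPT=40002 DPT=443 LEN=60
Jun 22 10:00:05 gw kernel: FWD: IN=br0 OUT=eth0 SRC=192.168.1.77 DST=1.1.1.1 PROTO=TCP SPT=40003 DPT=53 LEN=60
"""

# Only the fields needed to classify the packet: source, destination, protocol, dest port.
LINE_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+).*?DPT=(?P<dpt>\d+)"
)


def parse_line(line):
    """Return a dict for a netfilter LOG line, or None if the line is not one."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return {"src": m["src"], "dst": m["dst"], "proto": m["proto"], "dpt": int(m["dpt"])}


def find_dns_bypass(log_text, local_resolver=LOCAL_RESOLVER):
    """Map each LAN host to the sorted list of external resolvers it queried.

    A DNS packet (UDP or TCP port 53) whose destination is not the local
    resolver is exactly the "switch to 8.8.8.8" behaviour described above.
    """
    hits = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["dpt"] != 53 or rec["proto"] not in ("UDP", "TCP"):
            continue
        if rec["dst"] != local_resolver:
            hits[rec["src"]].add(rec["dst"])
    return {host: sorted(dsts) for host, dsts in hits.items()}


def block_rules(bypass):
    """Emit one iptables rule per (host, external resolver) pair.

    Blocks all traffic from the offending host to that resolver address, which
    is the mitigation the comment recommends for 8.8.8.8.
    """
    return [
        f"iptables -I FORWARD -s {host} -d {resolver} -j DROP"
        for host, resolvers in sorted(bypass.items())
        for resolver in resolvers
    ]


if __name__ == "__main__":
    bypass = find_dns_bypass(SAMPLE_LOG)
    for host, resolvers in bypass.items():
        print(f"{host} bypassed {LOCAL_RESOLVER} via {', '.join(resolvers)}")
    print("\n".join(block_rules(bypass)))
```

Run it against `journalctl -k` or the syslog file the LOG target writes to; hosts that show up repeatedly after you blackhole a domain are the ones that carry their own resolver list.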
There is a difference in analytics when it is about personally identifiable information, about other apps/games, and when it is about how a user/player is using this particular app/game. The latter is legit, what available features / weapons are being used, what player mechanics are being used, etc. That helps better design future features and apps/games. Also legit would be non-identifiable information about the hardware, what generation CPU, what generation GPU, how much RAM, what operating system ... basically the system requirement type information. This helps designers anticipate when they can update content, graphics, etc to take advantage of more advanced hardware. Again, all this collected in a non-personally identifiable way.
I remember back in the day DOOM from ID software (the one with the flashlight problem), came with starforce (the usual DRM back in the day) along with checking to see if cloneCD or other cd cloning software was installed. Long story short, damn game had lighting problems, DRM backdoors, and was harassing me about legitimate software on MY OWN MACHINE. The gall, the absolute gall for some goddamn game to tell ME what I can install or not install on my own machine....That did not go over well, that put me on the path of becoming a nemesis fighting them for the wrong they had visited upon me and my precious machine.
20 years later and I am only now just starting to purchase games again. For those 20 years though, I was only using the piratebay to get my games as copies, ironically because a legitimately purchased game had put odious restrictions on (like needing the physical cd, cd key, drm installed, etc etc) whereas the pirates had produced a superior version that loaded faster, had the lighting problem fixed, did not require a cd or cd key and did not install DRM modules or check what software I had installed.
If these companies really want to create a legion of people like me who righteously tell game companies to go fuck themselves, then they are on the correct path to a gamer revolution where the outcry and loss of sales will hurt them pretty badly.
I see cable companies as doing relatively the same thing, they had a monopoly more or less for so long and it was so profitable that they became total assholes, putting in advertisements after we already paid for the cable, bundling shit, etc etc etc. The end result? We now have a 27% decline in tv viewership and the term 'cord cutter' has entered the popular vernacular. Game companies seem dead set on copying those results.
If the data is not associated with any personally identifiable information there is no "you" in "your information". This was pre-GDPR but when I did game analytics in the sense of CPU and GPU generation, installed RAM, operating system version I worked closely with the company lawyers to ensure it was all non-personally identifiable information. IP addresses were not recorded, neither were account names or anything else. Just the raw data. The client side of these online games ensured the data was only sent once per "survey" period. I could not have connected the data to a particular person if I wanted to. If a GDPR request came in asking for a particular person's data I would have no such data to report.
By far the worst is the hamburger lady
Prevent all games from going online at all.
Both are absolutely essential for spotting 1) problems in the software and 2) identifying features not used. I've consulted across Australia and not one company allowed PID to leak into the logs. I was an expert implementer but not beyond that. It may have been PCI compliance which was under the whole thing. It's not as nefarious as the tin foil hats would lead you to believe.
It has often been said of the free games 'If you're not the customer you are the product.' Well, looks like now we're both. You pay for the game, then get sold out anyway, and usually without even being properly informed about it. Worse, it might come in an update, which means you paid for one thing and now it has become spyware.
This is why there should be laws, backed by heavy fines, prohibiting this sort of anti-consumer behavior. You can't trust the companies to just do the right thing; they'll keep doing it until they get caught, time after time. This should be illegal.
In 1984 ram and cpu parts were limited and the OS was limited... displays only had so many colors. The tape and storage media for the home media was limited. Games had to look good and sell within a set of limitations.
Now we have 4K and 5K and 8K and advanced gpu and cpu. The wonders of Windows 10 to help games get created.
As for the other 1984, that's just the big gov doing collect it all.
Domestic spying is now "Benign Information Gathering"
The OP claims,
"The app is intended to collect information about the source of new game installs, and details about the gamer."
But hang on a moment... if the game is being installed via Steam [and, it has to be packaged up by Steam for delivery from their infrastructure], all of that information - and more - is available directly back to the game developer via Steam themselves. Those of us who play games via Steam know this "going in".
And as this page shows, one of the ways that RedShell works is to link your web browsing identity with your gaming identity and then have the ability to use that to back-track your activity across the internet.
There is absolutely zero justification for this.
The second part of the lie concerns not that this is being done, but the way that it is happening. If a game studio wanted to use this sort of technology to monitor activities associated with their game [which I do not believe is inherently wrong], then it would not be difficult for them to create a folder in the game's installed file tree designated "Uploaded Data" and to place in this folder a complete and true copy of data sent back to them. It would have to be done after the upload - or at least, done in such a way that the gamer could not alter the data before it was sent - but at least this would be honest.
If a game manufacturer put a clear warning in their packaging: "This game will send telemetry to us when you play it. For details of the data elements sent, and instructions on how to verify this for yourself, please see the Appendix of this User Guide", I dare say that this scandal would not have happened.
It is the fact that companies think that they can "get away with this" by not telling people that pours fuel on the fire that this could easily be used for much more malicious purposes than are being discussed here.
One final thought/question: are there patterns in the data here? Are these sorts of underhand activities associated more with game studios or with publishers? It seems to me that although the studio rightly gets the bad reputation, the choice to add this sort of spyware - and let's make no mistake, that's what this is - could easily be "encouraged" by a publisher. After all, it's the publisher in this sordid tale that tends to be the one most interested in understanding games sales. If there is such a pattern, is it time to start vocal boycotts?
It seems to me that the only way to get through to these companies is to hit them where it hurts: their wallets.
As soon as human beings proved they didn't understand how technology worked
Well done, you've managed to prove you don't know how humans work.
I know how technology works. I don't monitor every packet leaving my PC, I don't MITM the encrypted data streams, I don't reverse engineer data formats and I don't correlate data structures to the activity, software and configuration on my PC.
Just what the fuck would an informed capable technical person do to understand the data being sent back to a game developer - especially for a game with online elements - that doesn't mean it's now their full time fucking job?
As for using MMOs as an example, it's been very obvious right from the moment people encountered them that they're sending a shit ton of data back to the server, which then shares elements of that data with other members of the public. What the fuck do you think MMO stands for?
It's not that the smart half of the public wanted it. The only way to have put a stop to it to prevent stupid consumers from robbing the smart half of society would be to have portal technology or ideological revolution.
Sorry but no, nobody is forcing any software or services onto you. If you really think there's a dumb/smart divide and you're too stupid to reject the software and services you deem malicious, guess which side of the divide on which you fall.
Well done, you've managed to prove you don't know how humans work.
I know how technology works. I don't monitor every packet leaving my PC, I don't MITM the encrypted data streams, I don't reverse engineer data formats and I don't correlate data structures to the activity, software and configuration on my PC.
If you bought an mmo game you told the corporate world explicitly that you'd bend over to be exploited - aka it's not in your rational interest to pay for videogames you don't own or control and pay monthly at that. Private wow servers proved that they just took RPG's and stuck the mmo label on it to get that monthly fee from the stupid and irrational members of the species. That was the big mmo scam for those of us who PC gamed during the 90's when EA was pushing ultima online to the bottom feeders of the RPG community. We knew the writing was on the wall for single player RPG's as companies re-branded their single player rpg's /w multiplayer as mmo's. Which is what happened to guild wars.
The reality is the reason loot boxes and all modern exploitative game practices exist is because ignorant people and stupid irrational people like yourself gave up your right to privacy and ownership of game software. Now most games are aimed at kids and stupid parents who don't have a fucking clue how computers work. Those who do and bought the corporate PR to have games stolen and held hostage on servers across the pond to pay for the privilege are just dumb and they ended up ruining gaming.
Sorry to tell ya, loot boxes exist because the average gamer and human being is ignorant and irrational.
If you bought an mmo game you told the corporate world explicitly that you'd bend over to be exploited
Really? So by wanting to play on a server with several hundred other players I'm begging to be exploited, instead of, I don't know, wanting to play on a server with several hundred other players?
You're a fucking idiot.
Actually, I'll add to that.
We knew the writing was on the wall for single player RPG's
Like KOTOR, like the Elder Scrolls series, like the Divinity series, like Fallout, like the Witcher series. Oh, wait.
You're a fucking idiot.
The reality is the reason loot boxes and all modern exploitative game practices exist is because ignorant people and stupid irrational people like yourself gave up your right to privacy and ownership of game software.
Loot boxes and data mining have fuck all to do with MMOs. You're making a non-causal link and providing no evidence to support it.
You're a fucking idiot.
Sorry to tell ya, loot boxes exist because the average gamer and human being is ignorant and irrational.
So when I put several hundred hours into theHunter:COTW and can't find a loot box, play through 100 hours of story in The Witcher III and can't find a loot box, enjoy a long dynamic and very replayable story in Divinity Original Sin 2 and can't find a loot box, play through multiple campaigns in Total Warhammer 2 and can't find a loot box, spend several seasons trying to win the premiership with Wrexham in the latest Football Manager and can't find a loot box, is it possible, just maybe, that there are plenty of gaming choices available for people that don't want loot boxes?
You're a fucking idiot.
If you bought an mmo game you told the corporate world explicitly that you'd bend over to be exploited
Why do you now think lootboxes and microtransactions exist in "single player" AAA games? Why do you think they are being shoved into every game and every game is now being drm'd up the wazoo and given the corporate propaganda moniker "online game"? Team fortress 2 with hats? Paid mods from bethesda? Lootboxes where you might get the chance to get a skin in a game you already paid for? We live in a full blown videogame idiocracy.
MMO's were the trial balloon to get people to accept paying for software they don't control so all that other stuff was possible.
Why do you now think lootboxes and microtransactions exist in "single player" AAA games?
Not the games I buy and play.
Why do you think they are being shoved into every game and every game is now being drm'd up the wazoo
Games have less DRM now than they did in the 80s. Less now than they did in the 90s. Probably a comparable amount now to the 00s, but that's the post-MMO era.
and given the corporate propaganda moniker "online game"?
Sometimes the game includes online features. Sometimes the online connection is used as a more robust form of DRM. Sometimes the game is an online game. Many games work perfectly well with no network connection at all.
Team fortress 2 with hats?
Free game with cosmetic feature players can optionally choose to embrace? Oh no, you mean I can actually play the game for free and never pay for it? Shit, if someone else wearing a hat upsets you that much, adopt plan B: Don't fucking play it.
Lootboxes where you might get the chance to get a skin in a game you already paid for?
You paid for the game. You didn't pay for the artistic creations that are available via the lootbox. Those are only available to people that pay additional money. I don't pay for those as I dislike the gambling aspect and I'm too sensible. I have historically paid for digitally created works to enhance my enjoyment of a game, but that's because I wanted to wear a Japanese schoolgirl sailor outfit while playing golf. I looked damn good in it too.
We live in a full blown videogame idiocracy.
That's an interesting way to spell "diverse and comprehensive market meeting a range of needs and providing opportunities to consumers with varied desires, preferences and financial options".
MMO's were the trial balloon to get people to accept paying for software they don't control so all that other stuff was possible.
Oh for fucks sake. No, they were not. MMOs have a substantial ongoing cost base that needs to be paid for and early MMOs used a subscription model to assure the continued income required to cover those costs.
You remain a fucking idiot.
Games have less DRM now than they did in the 80s.
You're delusional if you believe this, DRM didn't exist in the 80's and 90's, drm is breaking the software code into pieces so part of the software is never released so the game breaks when the code at the server at corporate HQ is turned off. Copyright protection is not drm. DRM is where companies control the software. Even copyright protected 80's and 90's games you had the complete code. Good luck trying to preserve modern drm infested games where the server exe is not included with the game like quake 3 in the 90's.
Strange, I recall code wheels, text written in hard to read colours, use of manuals as code books, corrupt sectors on disks, 'CD must be present' checks and actual fucking rootkits in the 80s and 90s.
Maybe you were playing Rogue all that time. Good game.
Strange, I recall code wheels, text written in hard to read colours, use of manuals as code books, corrupt sectors on disks, 'CD must be present' checks and actual fucking rootkits in the 80s and 90s.
Maybe you were playing Rogue all that time. Good game.
Everything you mentioned has nothing to do with incomplete software - aka drm, there was no high speed internet in the 80's you got the entire game, there was no code missing from the game like modern drm laden games. Modern games like mmo's and games like war for cybertron DO NOT release the server exe with the game, part of the game is running on some corporately owned server in order for its multiplayer to function. That's a far cry from quake 3 where the server exe is built into the exe. Modern games are fraudulent and broken by design products where the functionality only exists as long as the server at the other end is operational.
Telemetry: I think as developer I need to gather this metric to make sure I didn't make this level too difficult and deter users in the future.
3rd party Analytics SDK: You want to know about your users? We can tell you about your users. We collect all the things and serve it up to you. Want to know what they named their first born? We got that! Want to know if users passed that difficult level? We got that too!
I remember installing Google analytics a few years ago to find out some information about a new page we added to a customer's website. We had our suspicions that the customers weren't seeing it. I was not at all interested in the intricate details of every browser, screen resolution, operating system, how long they stayed, and what they clicked. It was all given to me anyway.
* The check is in the mail
* I'll respect you in the morning
* It's just a cold sore
Heat maps don't need to know who died [...] As a developer you'd want to know if a particular part of your game is too hard and kills the majority of players trying to get past it.
Sometimes people who died at position A also died at position B. This may help the level designer identify a pattern of elements that impose an unduly steep skill gradient for players with a particular play style. In order to track this, the developer needs to at least associate an identifier with each loss.
Then you install and run that shit during testing.
I'm curious as to how a 1-, 2-, or 3-man team developing a video game without access to venture capital can make large-scale testing of system compatibility and game balance practical. Do you have any suggestions?
the user perceives it to see you using their resources that they've paid for to help your business at their expense by siphoning off data without them knowing.
To address "at their expense" and "without them knowing": Does an offer to license the game at half price if the user opts into analytics make sense?
My view: good software is clean software, it does nothing without your knowledge
A strict interpretation of that view would require the video game to be distributed as source code, so that the end user has access to knowledge about what the program does. Though Id Software has released its games' engines as free software five years later, I haven't seen a workable business model for funding the development of a game larger than hobby-scale for distribution under a free software license from day one.
That means no DRM
All current video game console platforms have digital restrictions management, as does Apple iOS, and will ordinarily not execute a DRM-free program at all. Offline DRM is still DRM. How should a game be distributed DRM-free? Are you trying to imply, for example, that developers should no longer develop for Nintendo, PlayStation, Xbox, or iOS platforms at all, or alternatively develop unlicensed games for retro consoles (more than 20 years old)? And even if so, what should a developer do to deter mass casual copyright infringement in order to sell more than one copy?
If a GDPR request came in asking for a particular person's data I would have no such data to report.
A common mistake people (and lawyers) make is thinking it only matters whether YOU could associate that data to someone (you seem to have made that mistake). As has been demonstrated many times before such detailed data even when it doesn't have someone's name is often quite easily attributed to someone through cross matching of data from other sources. The more detailed the information the easier it is to narrow it down, as it makes for a very unique identifier that may actually be revealing far more than you think.
Not in my case. The data was not detailed enough, not unique enough. Too many collisions with the limited number of permutations of CPU, GPU, installed RAM and OS ver. I did not send all info available, just enough to get generational information. For example for OS ver I would only send major and minor version, but not build number, service pack info, etc. For GPU I would only send the vendor and device IDs, but not subsystem and revision IDs. In the latter case I would know you had an AMD Radeon 550/560 but I would not know if it was made by ASUS, Gigabyte, etc nor would I know the revision.
I wonder how unique the entire set of that data is... The problem with anonymous data is that enough of it means it can be traced back, if not by you then perhaps by someone else.
See my response to a similar question. I only sent the details I needed to recognize CPU, GPU, and OS ver in a generational sense and the amount of installed RAM. I did not send all information available on these components. There were too many collisions to "fingerprint" a particular user.
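The exchange above (the commenter's claim of "too many collisions", and the reply that anonymous data can still be traced back) comes down to a measurable property: the size of the smallest group of records that share the same generalized values. The script below is an added example, not the commenter's code. It applies the truncation described (OS major.minor only, GPU vendor:device only, RAM rounded to a power of two) to a small constructed survey and reports the smallest class size; the field names and record layout are assumptions.

```python
"""Measure whether a hardware survey still contains unique records.

Added example (not from the thread). RAW_RECORDS is a constructed sample with
a hypothetical field set; the generalization mirrors what the commenter says
was kept. A class of size 1 means that record is a fingerprint.
"""
import math
from collections import Counter

# Constructed raw survey rows as a client might collect them.
# gpu is vendor:device:subvendor:subdevice:revision; os is major.minor.build[.extra].
RAW_RECORDS = [
    {"cpu_family": "AMD Fam 17h", "gpu": "1002:67ff:1043:0123:c7", "ram_mb": 16384, "os": "10.0.17134.112"},
    {"cpu_family": "AMD Fam 17h", "gpu": "1002:67ff:1458:04ab:c7", "ram_mb": 16300, "os": "10.0.17134.228"},
    {"cpu_family": "Intel Fam 6", "gpu": "10de:1c03:1043:85a4:a1", "ram_mb": 8192, "os": "10.0.16299.431"},
    {"cpu_family": "Intel Fam 6", "gpu": "10de:1c03:1462:3303:a1", "ram_mb": 8192, "os": "10.0.17134.112"},
    {"cpu_family": "Intel Fam 6", "gpu": "10de:1b81:10de:119e:a1", "ram_mb": 32768, "os": "6.1.7601"},
]


def raw_key(rec):
    """Identity key: every field exactly as collected (the 'send everything' case)."""
    return tuple(sorted(rec.items()))


def generalize(rec):
    """Reduce a record to generational fields, as the commenter describes.

    OS keeps major.minor only (no build or service pack); GPU keeps vendor and
    device ID only (no subsystem or revision); RAM is rounded to the nearest
    power-of-two gigabyte so 16300 MB and 16384 MB fall into the same bucket.
    """
    major, minor = rec["os"].split(".")[:2]
    vendor, device = rec["gpu"].split(":")[:2]
    ram_gb = max(1, 2 ** round(math.log2(rec["ram_mb"] / 1024)))
    return (rec["cpu_family"], f"{vendor}:{device}", ram_gb, f"{major}.{minor}")


def k_anonymity(records, key=generalize):
    """Return (k, class_counts): k is the smallest equivalence-class size."""
    classes = Counter(key(r) for r in records)
    return min(classes.values()), classes


def unique_records(records, key=generalize):
    """Keys that occur exactly once, i.e. records that identify one respondent."""
    return [k for k, n in Counter(key(r) for r in records).items() if n == 1]


if __name__ == "__main__":
    k_raw, _ = k_anonymity(RAW_RECORDS, key=raw_key)
    k_gen, classes = k_anonymity(RAW_RECORDS)
    print(f"raw data: k={k_raw}; generalized: k={k_gen}")
    for key, n in classes.items():
        print(f"  {n}x {key}")
    print("still unique after generalization:", unique_records(RAW_RECORDS))
```

Even after truncation this small sample keeps one singleton (the Windows 6.1 box with 32 GB), which is the check the reply is asking for: run it on the real dataset and drop or coarsen fields until no class is smaller than the k you are willing to defend.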
"Digital restrictions management" has a broader definition than the sense you're using, which would be more widely understood as "online-only DRM".
HDHomeRun calls home every 10 minutes uploading a complete list of available channels and device information including internal IP address of HDHomeRun devices.
In a well-engineered system, this would be excusable. In order to obtain an HTTPS certificate for a device on a LAN that the web browser on each of the end user's devices will trust, an internal device needs its own fully qualified domain name (FQDN). To obtain a FQDN, a device would need to upload its internal IP address to some DNS service, be it a dynamic DNS service operated by the device's manufacturer or the zone host of a domain that the end user owns. The latter may cost $15 per year, or $75 over the 5-year expected service life of a device. I imagine that most end users, especially non-technical ones, don't already own a domain and aren't willing to pay an extra $75 just to skip the manufacturer's dynamic DNS service.
I agree with you that sending it in cleartext is not excusable. Nor are some of the other intrusions that you describe. But sending the IP address in some (reversibly encrypted) form is necessary as a step toward allowing the user to access the device as "https://some.internal.device.example".
The world isn't as conspiracy-ish as you think.
Not because the world is a 'good' place, but because conspiracies are a sort of work, and not the sort people do for free.
You do understand the concept of a persistent multiplayer world, yes? MMOs are nothing like FPS shooters. In an FPS the "world" starts over with every new game.
A subscription-based MMO... of fucking course they're not going to give you the server software so that you can run your own and not pay them.
"Oh my God. This is terrible. This is the end of my Presidency. I'm fucked."; ~ Donald J. Trump
You do understand the concept of a persistent multiplayer world, yes? MMOs are nothing like FPS shooters. In an FPS the "world" starts over with every new game.
A subscription-based MMO... of fucking course they're not going to give you the server software so that you can run your own and not pay them.
You do understand the concept that "persistent multiplayer world" is PR speak to con gullible people like you right? Oh wait there's some private wow servers over here to disprove your notion that you can't have an "mmo" (pr speak for rpg with multiplayer with dedicated server) you buy as a one off purchase.
Private servers:
https://news.ycombinator.com/i...
"MMO" is a PR speak term for idiots who don't think logically, otherwise private wow servers would be impossible. The fact that private wow servers exist, prove you and the gaming public are idiots.
Here's what the game industry did during the 90's, during the 90's PC rpg's were growing in cost to produce and CEO's floated the idea of conning the gullible public out of its money by rebranding the single player PC rpgs /w multiplayer component and rebranding them mmo's. That's all the term mmo is - a PR shell game to get you to pay monthly to what would have been a fully normal game with multiplayer in the 90's. They realized they could make much more money and steal the software from a gullible public by just shifting words around because you reason by emotion not truth.
See the science, your brain does not reason nor see reality as it is:
On reason
"Digital restrictions management" has a broader definition than the sense you're using, which would be more widely understood as "online-only DRM".
The very concept of DRM didn't exist in the 80's and 90's, drm is a term invented in the 2000's and post 2000 era, sorry to tell ya, I lived it. You're trying to read the future back into the past.
The very concept of DRM didn't exist in the 80's and 90's
Not under that name, but what's CSS on DVD Video?
"Performance of a contract" is explicitly one of the six bases listed in Article 6 of the GDPR for holding and processing personal data. In this case, the contract would involve the user providing pseudonymous daily usage logs in exchange for access to the game at a discount off full retail or before the general availability date. The user can request a copy of these logs at any time by choosing "Download Your Replays" from the game's menu.
The very concept of DRM didn't exist in the 80's and 90's
Not under that name, but what's CSS on DVD Video?
You're confused, copyright protection is different from drm. DRM is literally breaking the product in a way that companies have control of the product. CSS on DVD means you have the entire DVD files even if they are encrypted.
And yet, developers were still able to deliver games that were fun to play before all this analytics nonsense.
Games weren't necessarily more fun back in the day, but I certainly appreciated and enjoyed them (and the Internet in general) a lot more.