Gaming Companies Remove Analytics App After Massive User Outcry (bleepingcomputer.com)
An anonymous reader writes: "Several gaming companies have announced plans to remove support for an analytics app they have bundled with their games," reports Bleeping Computer. "The decision to remove the app came after several Reddit and Steam users noticed that many game publishers have recently embedded a controversial analytics SDK (software development kit) as part of recent updates to their games. The program bundled with all these games, and at the heart of all the recent controversy, is RedShell, an analytics package provided by Innervate, Inc., to game publishers."
The app is intended to collect information about the source of new game installs, and details about the gamer. Following a massive user outcry in the past two weeks, several game makers have given in to pressure and are removing this SDK. Game makers and games who announced they were removing RedShell include Bethesda (Elder Scrolls), All Total War games, Warhammer games, Magic the Gathering Arena, and more. [This Google Docs spreadsheet and Reddit thread have a list of games containing RedShell.]
As a game developer myself, gameplay-related analytics are incredibly valuable. That is, metrics that tell game designers about how the player progressed through the game in various ways. I'm currently writing my own system that measures this data in pre-release versions of the game. Done correctly, this only identifies the users as an opaque and anonymous GUID, and doesn't store any personally identifiable information. That is, it has nothing to do with marketable information, but is just used to help improve the game during development.
But seriously, to hell with all these companies that think they have a right to slurp up all your personal information, just because. I think a lot of them seem to believe it doesn't hurt the user, so why not try to earn a few extra bucks via some hidden API. But every time something like this happens, it erodes the trust of users. It's just not worth it.
Irony: Agile development has too much inertia to be abandoned now.
Then you install and run that shit during testing. There's no good enough reason to let automated collection of exploitable information continue outside the explicit control of a development environment. "Just trust us, this information won't be misused" is bullshit you'd do well to leave behind.
Yes, that's why I said it would only be used in pre-release versions of the game - meaning copies of the game that are distributed only for testing purposes. At least read the post in full before you rant at me.
I remember back in the day DOOM from id Software (the one with the flashlight problem), came with StarForce (the usual DRM back in the day) along with checking to see if CloneCD or other CD cloning software was installed. Long story short, damn game had lighting problems, DRM backdoors, and was harassing me about legitimate software on MY OWN MACHINE. The gall, the absolute gall for some goddamn game to tell ME what I can install or not install on my own machine....That did not go over well, that put me on the path of becoming a nemesis fighting them for the wrong they had visited upon me and my precious machine.
20 years later and I am only now just starting to purchase games again. For those 20 years though, I was only using the piratebay to get my games as copies, ironically because a legitimately purchased game had put odious restrictions on (like needing the physical cd, cd key, drm installed, etc etc) whereas the pirates had produced a superior version that loaded faster, had the lighting problem fixed, did not require a cd or cd key and did not install DRM modules or check what software I had installed.
If these companies really want to create a legion of people like me who righteously tell game companies to go fuck themselves, then they are on the correct path to a gamer revolution where the outcry and loss of sales will hurt them pretty badly.
I see cable companies as doing relatively the same thing, they had a monopoly more or less for so long and it was so profitable that they became total assholes, putting in advertisements after we already paid for the cable, bundling shit, etc etc etc. The end result? We now have a 27% decline in tv viewership and the term 'cord cutter' has entered the popular vernacular. Game companies seem dead set on copying those results.
Analytics might be valuable to YOU. A developer. But that doesn't make it okay. If you are gathering data server-side for a multiplayer game that's one thing. But if you are gathering ANY data AT ALL from users' PCs, that represents an unacceptable risk to end users for no benefit to them. It's customer-hostile. You've only been getting away with it because people don't know you are doing it. Don't do it.
I haven't done anything yet, because my game isn't in beta yet. Beta testers will be informed that I'm collecting information about their gameplay sessions, because this is more reliable than having them try to remember and describe their experiences. Of course, that feedback will be welcome too.
Just to be 100% clear, I'm talking about in-game metrics. That is "how often does the player die". "Which weapons do they prefer to use?" "Are they getting stuck anywhere?" And so on. Not personal information about anything on their computer system. This is 100% for gameplay tuning, and is ONLY for beta copies of the game, which are released in order to help polish the game before release.
See, this is why I'm pissed at game companies that are poisoning the well for developers like me. I can't even discuss the matter without getting modded as a troll.
If the data is not associated with any personally identifiable information there is no "you" in "your information". This was pre-GDPR but when I did game analytics in the sense of CPU and GPU generation, installed RAM, operating system version I worked closely with the company lawyers to ensure it was all non-personally identifiable information. IP addresses were not recorded, neither were account names or anything else. Just the raw data. The client side of these online games ensured the data was only sent once per "survey" period. I could not have connected the data to a particular person if I wanted to. If a GDPR request came in asking for a particular person's data I would have no such data to report.
I don't really care about any of that sort of hardware profiling. If I want to look at general hardware trends, I just look up the Steam Hardware Survey.
Rather I'm talking about recording and analyzing data-points about the gameplay itself. For instance, I log every significant event as the player goes through the game. The player's location in the world over time, enemies killed, times died, when they switched weapons out, and so on.
The point of all that is to help me to balance the game better. For instance, if I see a huge spike of deaths at the third boss in the game, I know that maybe it's a bit too difficult, and should be toned down a bit, or perhaps I need to telegraph hints about how to beat it more clearly.
And again, this is only really useful in beta versions, while I can still make adjustments to the game's balance before the game's final release.
I think you're perhaps missing the crux of why this sort of thing annoys people. The issue is not that what you say is wrong, I absolutely agree that such analytics are useful regardless of whether it's a game or any other piece of software, and you're right they can be anonymised (though this is all too often reversible, but that's a different subject for a different day).
The problem is that each and every time an application sends data from your system it's punching a hole out of your firewall to the wider net, and with so many applications doing this now it makes it hard for people to assure security - so whilst you say it's just anonymised data being sent out, anyone observing network traffic from their systems will see your application leaking data out to the internet even if it may only be a single player game for which there should be no reason to do this.
My personal preference therefore is if you are going to do things like this, is that you make it optional and turn it off by default. Too much software nowadays connects to the net for the benefit of the company and without the consumer's consent, and it makes it all too easy for Malware authors to mask data extraction from systems. There was a time where you would know exactly what was coming and going from your PC, and I get that that time is gone, but that doesn't mean that it's okay to keep making the problem worse.
So whilst you perceive it to be useful analytics (because it really is), the user perceives it to see you using their resources that they've paid for to help your business at their expense by siphoning off data without them knowing.
My view: good software is clean software, it does nothing without your knowledge, installs no 3rd party components that do anything other than the bare minimum to let your piece of software run, and does not try to meddle with your system at an OS level. That means no DRM, no analytics, no forced registering an online account (unless it's part of online play in a game for example), no installing anything other than in its own installation directory. If your software does anything more than that then it's right that users are going to be suspicious.
This is a classic case of "The road to hell is paved with good intentions". I get from your point of view that what you're doing you perceive to be harmless, but that's because you're writing it, you get to see the source code, and know what's collected. All the user sees is encrypted data being siphoned off their hard drive and being sent to an unknown server on the internet from a compiled, potentially obfuscated binary whose operations are protected by DRM that blocks any attempts to evaluate the application's operation at runtime.
You see how that might piss a user off even if it's harmless?
The Unity analytics track your progress through the game. How long you play for, where you get stuck, and for relevant games, when you decide to pay to progress.
Redshell spies on your web browser. That's a different game.
It's not that I don't hear what you're saying, it's that I'm not sure how we make it a practical reality.
This is a classic scenario of if you leave the door unlocked does that make it okay to rob someone? Sure it means the home owner is asking for it, but it doesn't make the act of theft in itself legal or something that's acceptable. We should still act against people committing theft regardless.
So what you're effectively arguing is that rather than dealing with people acting illegally, or at least in an anti-consumer manner, that it's up to every single internet user to become a technical expert in configuring and managing their firewall such that they explicitly whitelist every bit of outbound comms no? Even if we make that easy with a simple Allow/Deny dialog, then surely you realise companies will just exploit it with confusing names like "Important Windows System Analytics needs to access the internet." right?
That's really my point here - that yes, we need to get users back in control of their systems, but how do we do that in a practical way? And whilst we're trying to do that, I don't think that means that we shouldn't try and make vendors themselves more responsible.
At the end of the day a router blocking unsolicited inbound comms is still a firewall and people moving to this kind of firewall as standard was one of the single most important improvements in internet security in the history of the internet. The days of people being directly exploitable as is the case now were far worse, and even here we at least have anti-malware software to try and block the circumstances you describe. The biggest problem with it is the combined refusal of anti-malware vendors to treat analytics and/or spyware from "respectable" companies as malware which is really the problem here - if Redshell was reasonably flagged up as malware by anti-malware vendors because it's at least as intrusive as some of the things that real actual flagged malware like various tracking cookies that do get flagged track, we wouldn't even need to have this discussion as games developers wouldn't use it due to their software being permanently flagged as malware when a user attempts to install it.
If you do have a practical proposal that involves your average joe being both able and willing to whitelist or block all outbound comms I'd genuinely be interested to hear it, but otherwise the best we've got is to call out companies doing bad things with software and to pressure them to change.
* The check is in the mail
* I'll respect you in the morning
* It's just a cold sore