Slashdot Mirror


Another Software Spy

quakeaddict writes "LinuxQuake is now reporting that ID Software has indeed embedded some code to send, among other things, information about our PCs to ID Software. They should ASK before they start gleaning information from my system." John Carmack's explanation on the page is unconvincing - video card data is sent independent of support requests and would be impossible to link to some user's email address, so it's useless for support purposes. (Update: This isn't as big of a deal as it sounds. Read the update.)

No, the second writer on LinuxQuake has it right when he says "It's market research." id doesn't care about current support, they want to know what cards to support in their next software release.

But the reason doesn't matter. The important part is that the software is doing something that it doesn't advertise and that isn't necessary for the operation of the software - sending information about your computer back to id software, which is mentioned nowhere in documentation, readme, EULA, website or installation. id calls it research - I call it a trojan horse program, and if I went into id's offices and installed a similar program that reported back to me on their machines, I would go to jail for it. If I convinced id to download and run it, by disguising it as, say, a video game, I'd go to jail for plain old fraud as well as the computer crime. That's 18 USC 47 section 1030, for the curious. It's been used against a number of 1337 d00dz who weren't quite 1337 enough.

So why does id think this is fine and dandy for them to do?

I like id's games, but this is not a joking matter. Software which performs functions beyond its stated activities is uncool (read: illegal), especially when those functions are spying on their users. Any sort of collection of data from users' machines, even relatively mundane data like the type of their video card, should be announced by the software and in the docs, and users should be able to opt out of it. How much bad press is it going to take before software companies get a clue? Or will the first hint they get be when an ambitious prosecutor serves a search warrant on them one day?

Update: 11/28 10:41 by michael : From various posts below and email received by yours truly, it looks as though id did have notification of the data-collecting activity in previous releases of the demo test; but not in the most recent one, for whatever reason. Perhaps the story should be about quality control on readme files. The basic point - companies need to be very open and upfront about things like this, even for benign purposes, and give people the option to opt-out - still stands, but it seems that id just made an error rather than tried to hide anything.

25 of 720 comments

  1. Sue 'em! ;) by retep · · Score: 3

    Well if such data collection is illegal why not sue 'em? Tell the judge that the program is a trojan horse just like any other and see what happens. With some lobbying you could probably win if the privacy violation was great, say in the case of lots of personal data getting tracked. Id would probably win in this case but not other companies...

  2. Lighten up... by jstepka · · Score: 3

    I'm going to have to agree with what's going on here. I'm sure that there is something in the EULA about this, and using their software is not a right.

    it's simple...

    HW_VidType getVideoInformation() {
    // getting video card information to make games cooler and know if we need to support old crappy hardware.
    return SYSTEM_VIDEO_TYPE;
    }

    --
    Justen Stepka
  3. EULA by robertchin · · Score: 3

    Personally, I believe that things like this should be allowed, as long as they are mentioned somewhere (product packaging, EULA, etc.). Sometimes data collection is over criticized, such as the original implementation of cookies in Netscape. The bad press that cookies have received has rendered a good thing useless; people now reject cookies because they don't understand them. Data collection is overall better for the consumer. If you don't like this policy, all one needs to do is not buy the product. Since you've paid for a product, you have to accept what's included in it (unless it's open source). There shouldn't be any reason that this type of feature should be prevented -- it benefits the consumer. As long as they are not collecting information beyond what they should (credit card numbers, etc.), it provides a way for companies to better adapt their software towards consumers' needs.

  4. This needs attention by mikera · · Score: 5

    This is going to get more and more frequent, I am afraid.

    Unless something is done.

    I think some kind of binding code of practice needs to be swiftly adopted. Specifically, users must be warned in advance if *any* information is going to be collected, generated or transmitted from their machine.

    I know that there may be legitimate reasons for a company to want to send information back to their server. But if it is going to happen, then the user absolutely must be informed about it.

    It's also yet another good reason to use open source software - that kind of abuse simply can't get past a well informed community based on peer review.

  5. Come on by rcromwell2 · · Score: 4


    This simply records your OS, Video Card, driver, etc when you play. It doesn't expose your personal information.

    There is no difference between this, and the User-Agent HTTP header that is sent. Oh, the User-Agent doesn't expose video card, BFD. (but you can sometimes get at screen depth/size depending on browser scripts/java) Most naive users are unaware that info is sent, and browsers don't prompt users either.

    The level of paranoia on Slashdot has reached an all-time high. Next thing you know, ID will be charged with the high crime of recording their players' IP addresses on their central server.

    1. Re:Come on by wowbagger · · Score: 4

      There is no difference between this, and the User-Agent HTTP header that is sent.

      FALSE. An http User-Agent is sent because I told my machine to contact that server. When I launch a game, I am not, in my mind, commanding my system to contact a server unless and until I tell my system to join a network game.


      Now, if this packet were sent when you connected to a server, and if id offered servers to play on, and if id then collected the data...


      IT WOULD STILL BE WRONG!


      The User-Agent header allows the server to better tailor content for my machine. Why would a server care what video card I had?


      This is nothing more than another example of the continuing information grab being done on the Internet by unscrupulous individuals.


      If Carmack knew about this and didn't fight it, he is a fool. If he didn't know about it until it was out there, he should have come clean, said "mea culpa and we'll remove it in future", and made a model of the marketroid who put this in so we could frag them in effigy.


      As they say, the price of freedom is eternal vigilance.


      <sig>

      Bill Clinton uses NT servers because Linux servers don't go down.


    2. Re:Come on by Tom Christiansen · · Score: 5
      An http User-Agent is sent because I told my machine to contact that server.
      You actually let that one out? Really? I never do. It's none of their business.
      The User-Agent header allows the server to better tailor content for my machine.
      Not really. If it did, then they wouldn't be playing by the rules. They'd be using embrace-and-extend games to lock you into a non-standard page with non-standard markup for non-standard agents.

      Gosh, I can't imagine who would ever want to do a wicked thing like that. :-)

  6. Could that be illegal in Europe? by headshrinker · · Score: 3

    Er, going by the fact that Intel may be blocked from selling the PIII in the EU due to the serial number in each one (see http://www.theregister.co.uk/991128-000002.html) couldn't that affect the release of Q3 in Europe? Though it's not a serial number that they're using, it's the fact that it could in effect be used to track what hardware people are using. If id don't put in a way of disabling this, or at least doing the same as Netscape have done with their feedback software (I forget the name), then it's feasible they could get into trouble for this.
    I can't see how it can be used purely for support purposes if it's sent irrespective of a problem, and there's no way of linking the information with a helpline caller.
    Just a few ramblings by someone who can't see how the saving of data could be linked to support...

  7. If it's really so harmless... by sjames · · Score: 5

    I agree with the posters who say that video card info isn't really all that big of a deal, BUT (and it's a big one) Since it's not a big deal, couldn't it just pop up a window (first time only) saying I'd like to tell ID that you are using a wiz-bang 5.32 Video card, is that OK?. I'd click yes to that one personally.

    Sending without asking is at least rude, and sets a bad precedent. What info will it be next time?

    I have to wonder, is that video card data really worth the stink this will cause?

  8. AirMiles, Credit Cards, Shopper Points by FFFish · · Score: 4

    Hmmmm. I wonder how many of the people who bellyache about Quake are also people who use a credit card. Especially one with AirMiles. Or who participate in a grocery store discount card program. Or department store discount card program.

    All these things track your purchases, providing the store with valuable information about the spending habits of your demographic.

    Hopefully, most of you were clued in about what's *really* being done when you use these cards, and made a knowledgeable, active choice when signing up.

    [which is, I guess, my point: iD could easily have done some sort of payback-for-information thing. Perhaps those people who said "yes" to releasing the info/letting iD track them would get a bonus level. Just like Safeway gives you a discount when you give them info about your personal spending habits.]

    --
    Don't like it? Respond with words, not karma.
  9. This is not a secret by sterwill · · Score: 4

    I wouldn't call it common knowledge, but I've known the q3tests did this for months. They've never hidden anything, and Carmack has seemed quite clear in other situations in explaining the purpose of the packets sent back to id. They're for identifying the cards so id knows how many users are using specific OpenGL library sets. If you don't want them to know, recompile Mesa to send them another string, or just don't play the game. It's not some dubious conspiracy to steal your secrets. I like it when the author of software cares enough about the product to make sure it will actually run for its users.

    I'm not a big gamer, but the q3tests (and the recent demo tests) are very impressive. I'm also a fan of good software, and you can't write software if you don't care what your users want. If you write software that, for example, requires $15,000 worth of graphics hardware to operate, or comes without source code, or only runs on embedded ARM systems, your software is of little use to people. If you ignore what your users need, they'll find someone else's software to use. If you're a proprietary software company, you might get all worked up about this, but if you just want better software as a computer user, you end up getting just as little.


  10. Re:In ID's defense ... by Jonas �berg · · Score: 4

    So what IS a violation of privacy then? What type of processor you have? How much diskspace you have left? How about all of those "innocent" things together?
    We have here a group of people who say, "yeah, well, it's not such a big problem." What they are doing is giving up a small part of their privacy. Instead of protesting against this, they have the idea that it's okay to lose a little of your privacy because you get to play a nice game instead. Remember that whenever you lose some of your freedom or your privacy, you always get something in return, some small thing which you get to have, or get to know. What we must do is resist the urge to say "well, it's not so bad after all," and really stand up to tell them that this is unacceptable behaviour and that we would rather not play their games than lose parts of our privacy.

  11. Be like pine by weave · · Score: 4
    What bothers me is that the more companies do this kind of thing, the more and more it will become acceptable. Most people will eventually throw up their hands and stop bitching.

    Personally, I hate it. It's a slippery slope. Once we stop bitching about just sending video card info, then next it will be more personal info.

    I can see the need for market research. Pine (the e-mail program) collects information over the net, but it ASKS YOU FOR PERMISSION FIRST. I have no problem with this kind of action. It's stuff going on behind my back without my knowledge that spooks me. I should be able to choose to be counted.

    I'm sure if, for example, Id wanted to know how many quakers were using each OS, most of us would be damn eager to be counted. Just ask first. Is that so difficult?

  12. Omigosh! by Lx · · Score: 3

    I saw something just like this the other day! I went to this website, and my browser told the server what Web browser, version, and operating system I was using! Then I sent an e-mail and it said what mail program and my domain name!!! And sometimes, when I connect to a Quake server somewhere, it tells the server the exact IP address that I'm playing from!

    Programs that just bandy about my personal information like this have to be stopped. Let's all sue iD, Netscape, Microsoft, Real Networks, and any other company that writes programs that send any non-arbitrary information of any kind over the InterNet.

    -lx

  13. Not again. by Inoshiro · · Score: 3

    "Another Software Spy"
    Really should be "Another iD software spy" because they had jeopardized security and privacy before.

    IIRC, certain versions of Quake 2 for Linux would let anyone from the 192.246.0.0 IP block have remote shell capabilities. If you ran the server as root, you gave someone at iD software your computer on a platter. I read this on a page that listed possible remote exploits and security concerns for Linux a while back, and can't find the link at the moment (it was back in April that I read it).

    If true, then iD, while good gaming wise, is certainly not to be trusted. Time to recheck the firewall rules, as having a CM makes it far too easy to let lots of data through.
    --
    Internet Explorer (n): Another bug -- that is, a feature that can't be turned off -- in Windows.
    1. Re:Not again. by Anonymous Coward · · Score: 3
      Sigh.
      IIRC, certain versions of Quake 2 for Linux would let anyone from the 192.246.0.0 IP block have remote shell capabilities.
      No. Do a Web search for RSI.0001.05-01-98.ALL.QUAKE_SERVER; it describes the backdoor. It was a matter of getting the normal Quake server admin privileges.
  14. Part 2: Take Definitive Action by Travoltus · · Score: 3

    1. First. Check out the web page http://x86.strikenet.at/q3/pic/q3.gif where the picture of the UDP packet transmission analysis was posted.

      • Notice that the outgoing packet is monster.idsoftware.com. This is where the data is being sent!
      • Go to your /etc/hosts file and add monster.idsoftware.com as ip address 127.0.0.1.

        BOOM! Those packets no longer go to id! They are stopped dead in their tracks. Problem solved, end of discussion, battle over, your privacy is (in this case) secure.




    2. Second. Isn't the US Code a criminal law issue? Why take this to civil court? File criminal charges against them. The complacent sheep can argue and flame all day, but they can't stop the law. The law has more money than id. id will back down if they are prosecuted criminally for this behavior, in fact if they even receive an official warning they'll back down and send out a patch to either warn the customer or take out that 'reporting' feature. Then, after the conviction or the backpedal, you sue in civil court with the criminal proceedings to back up your case.

      If you are looking to take legal action and you sue id first, they can drown you with legal defense money. Never try and sue a company in civil court first, if you can press criminal charges.



    And in case you wondered, I am a long time id software fan. However I am also extremely impartial. It's nothing personal; they not only violated people's privacy, but they also did not inform anyone they were doing it. I am holding off on buying Quake 3 until I know they've patched this and apologized about it.
    --
    --- Grow a pair, liberals... stop letting the Republicans bully you!
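
The hosts-file change described in comment 14, written as an idempotent helper. This is an added example, not part of the original comment; the function names and the handling of a conflicting entry for the same name (which would otherwise leave the result ambiguous) are assumptions made here.

```shell
#!/bin/sh
# Added example (not from the thread). Helper names and the temp-file
# rewrite are illustrative choices, not anything id or the poster shipped.
# Usage (as root): sinkhole_host /etc/hosts monster.idsoftware.com

# host_is_sinkholed FILE HOST IP
# Succeeds only if an active (uncommented) line maps HOST to IP and no
# active line maps HOST to a different address.
host_is_sinkholed() {
    awk -v host="$2" -v ip="$3" '
        BEGIN { host = tolower(host) }
        {
            sub(/#.*/, "")                  # ignore comments
            for (i = 2; i <= NF; i++)
                if (tolower($i) == host) {
                    if ($1 == ip) good = 1; else bad = 1
                }
        }
        END { exit (good && !bad) ? 0 : 1 }
    ' "$1"
}

# sinkhole_host FILE HOST [IP]
# Points HOST at IP (default 127.0.0.1). Conflicting mappings are disabled
# with a comment; other names on the same line keep their address.
sinkhole_host() {
    file=$1; host=$2; ip=${3:-127.0.0.1}
    host_is_sinkholed "$file" "$host" "$ip" && return 0   # nothing to do
    tmp=$(mktemp) || return 1
    awk -v host="$host" -v ip="$ip" '
        BEGIN { lhost = tolower(host) }
        {
            body = $0; sub(/#.*/, "", body)
            n = split(body, f)
            keep = ""; hit = 0
            for (i = 2; i <= n; i++) {
                if (tolower(f[i]) == lhost) hit = 1
                else keep = keep " " f[i]
            }
            if (hit && f[1] == ip) { have = 1; print; next }
            if (hit) {
                print "# disabled by sinkhole_host: " $0
                if (keep != "") print f[1] keep
                next
            }
            print
        }
        END { if (!have) print ip "\t" host }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"   # cat keeps owner and mode
    status=$?
    rm -f "$tmp"
    return $status
}
```

A hosts entry only affects lookups that go through the system resolver. The switch documented elsewhere in the thread, `cl_motd 0`, turns the report off in the client itself.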
  15. The straight answer by John Carmack · · Score: 5

    This has been discussed before, and has been going on with the previous tests.

    The message of the day server was intended as a half-assed auto update feature that could be cross platform.

    We send a normal message most of the time, but if the version is out of date, we can send a message telling you where to get the update.

    I didn't want to deal with binary auto-updates on three platforms, and I worry a bit about security issues with that in any case.

    You can disable it by setting "cl_motd 0" when the game starts up if you really don't want to send anything or see our message.

    We added the result of glGetString( GL_RENDERER ) to get some much needed information about the distribution of video cards and drivers.

    We can see how many people aren't following directions and running glsetup. This is a big support issue.

    We can see how many people are running minidrivers, which are going to make our lives a mess in the future.

    We can see how many mac (steady 5%) and linux (5% at initial release, tailed off to 2%, probably due to dual booting) people are playing.

    Getting this information has been useful. We can compare the numbers of people playing with a given card with the amount of support emails we field, so we know which vendors (3DFX) we need to give more crap about their driver quality.

    John Carmack

  16. Missing the point by Yebyen · · Score: 4

    You've obviously missed my point. I would've been happy to give ID any information about my video card that they wanted... had they asked for it. I would've told them pretty much anything they wanted to know about my system (I don't have anything important on here :-) but the point is they didn't ask for it... they took it without my knowledge. Don't get me wrong, I love ID, and I am a big fan of their products. This is not going to stop me from buying Linux Q3. I'm simply stating that if they wanted my system's specs, they should've asked first.

    yebyen@adelphia.net

    --
    Restating the obvious since nineteen aught five.
  17. Re:not sure what to think by Centove · · Score: 4

    The problem I have with it is it's not mentioned anywhere. It just does it and was found out by 'accident'. I really could care less if it was documented. Just putting it in with no mention anywhere is sneaky and underhanded.

  18. RTFM before you flame id. by CrusadeR · · Score: 5

    id stated in the Q3Test 1.08 README (it's named this for a reason...) that they collect this information:

    =======================
    == Section 11. ==
    == MESSAGE OF THE DAY==
    =======================

    When Quake 3 Arena starts a map up, it sends the GL_RENDERER string to the Message Of The Day server at id. This responds back with a message of the day to the client. If you wish to switch this option off, set CL_MOTD to 0 (+set CL_MOTD 0 from the command line).

    --
    :wq
  19. Plenty of games already do this, too, and why. by toastyman · · Score: 5

    Lots of other games send information out, with *no* way to stop it.

    Any of you played Starsiege Tribes? If you host a game it sends your CPU speed, amount of RAM, IP address (duh), version number, and a few other tidbits to their server, and even POSTS it on their master game list.

    Sending this kind of information has many uses. It lets them know how many people are still using some ancient version, so they can decide how long to keep support for it in their servers.

    His comment about being able to compare the number of people using one video card to the number of complaints received is a good one. From a support standpoint, if you get lots of calls saying that my FooBar Monster 512 board doesn't work, you have no idea if it's a really popular card or if the driver/board just sucks. Being able to tell the two apart is really important for delegating how much time is spent, and where to point the blame.

    I'm also a video game programmer(the arcade kind, not home games) and could see also lots of uses for this in a client-server game model. Being able to tailor the stream of data sent to a user if you can tell they can't handle it all, or being able to say 'Their card will only handle 16 bit textures at the resolution they've chosen, save them the download time by not giving them 32 bit textures' is one really nice feature that could be used in some games.

    I really don't buy the 'This is an invasion of privacy' argument. If any of this included your name, e-mail address, postal address or anything, I'd be concerned. Knowing what video card and which version of software you're using(which is probably important to the server anyway) is about as trivial as you can get.

    Also, all of you running Windows have probably given nearly the same info to the authors of GLSetup, if you used the web-install option, because they're able to log who downloaded which drivers, with the same justification as above.

    Lots of information is being sent every time you do anything. Send me an e-mail and I can probably tell you what E-mail client you're using, what version of it, and probably what OS you're using. Until it becomes *personal* or *unique* information about myself, I don't see the problem.


    -- Kevin

  20. Paranoid much? by CrayDrygu · · Score: 3

    You know... there's paranoid, and then there's this. Yeah, okay, maybe it wasn't the wisest decision. The folks at id could have let us know, or made it an option, or something. I think it's a little ridiculous, though, calling Q3 a "trojan horse program."

    Of course, the comment about this data being useless for support reasons raises the question: What if these packets were linked to you personally? Would this have made it all better? No. We'd be reading a similar article right here on Slashdot, only with more fire-and-brimstone to it, about the same invasion of privacy. And if id had mentioned it somewhere? I'll bet someone still would have complained about sending personal information to them. If they left it out completely? They don't get the information on what video cards and platforms are being used. It's a lose/lose/lose/lose situation.

    I have a feeling someone will moderate me down for this, but I don't think this is something to turn our backs on id Software for. People need to take a step back and look at the big picture. The reasons for sending this information have been explained. Overall, it seems to me like this will make for a better product and easier updates. If you don't like it, well... go buy Unreal.

    --
    "I personal[ly] think Unix is "superior" because on LSD it tastes like Blue." -- jbarnett

  21. Kill ID by jmweeks · · Score: 3

    Sue them. No, wait... it's a criminal offense so prosecute them. Don't buy Q3A... we'll run 'em out of business.

    My God! I used to think the slashdot crowd was a generally intelligent and level-minded group. But this is nuts. Nuts.

    The top 3d game maker (arguably, I suppose), general innovator, and primary linux supporter in gaming (besides Loki) adds a little code that is intended to aid in hardware support on one level or another to a free TEST version of their new game. They apparently did not hide this, but neither did they make it obvious (it seems to me an unimportant part of the game anyway).

    They are our friends. And we bite them in the ass.

    We have very little problem dealing with our enemies. It's our friends that we can't handle.

    Jose M. Weeks

  22. More comments by John Carmack · · Score: 5

    When the article first showed up, I thought "It IS documented in the release!". I went and looked, and unfortunately, that documentation from the previous release didn't make it into the latest release. Sigh. Our fuckup.

    Appropriate quote: "Never attribute to malice what can be explained by incompetence".

    I remain unconvinced that we have done something morally offensive.

    Yes, we could have (should have, meant to) included a notice that it was going on in the EULA, but honestly, how many people carefully read and consider every line of all the EULAs they click through? How much of a difference would that have made to people?

    I dislike lengthy legal verbiage, but it is reactions exactly like these that cause them to grow. Every time someone says "Sue 'em!" over something, a lawyer proposes another paragraph in a license document.

    The most upstanding thing to do would be to have explicit UI that asks on installation if you don't mind sending your data when you play multiplayer games. I would consider that justified if we were sending a detailed system spec. That is something we may want to do in the future. Data like that is helpful in making good development decisions.

    But this is just a driver string riding along with your game version. It just seems silly, like requiring you to acknowledge before leaving your house that someone might see you. I would rather have fixed a bug somewhere.

    I can see that it is a slippery slope to be on, and I can easily project it to a scenario that I would be offended by, but I just can't convince myself that knowing the relative distribution of different OpenGL implementations is violating people's rights.

    The system was set up to allow us to notify people with a one-line message when their versions are out of date. I imagine some people are offended even by that, but I consider that a positive service to the community.

    Including the renderer string was an afterthought to get some good unbiased data to help make future decisions on. Every once in a while we tally up the numbers, then dump all the logs. That's it.


    John Carmack