Slashdot Mirror


Another Software Spy

quakeaddict writes "LinuxQuake is now reporting that ID Software has indeed embedded some code to send, among other things, information about our PCs to ID Software. They should ASK before they start gleaning information from my system." John Carmack's explanation on the page is unconvincing - video card data is sent independent of support requests and would be impossible to link to some user's email address, so it's useless for support purposes. (update: This isn't as big of a deal as it sounds. read the update)

No, the second writer on LinuxQuake has it right when he says "It's market research." id doesn't care about current support, they want to know what cards to support in their next software release.

But the reason doesn't matter. The important part is that the software is doing something that it doesn't advertise and that isn't necessary for the operation of the software - sending information about your computer back to id software, which is mentioned nowhere in documentation, readme, EULA, website or installation. id calls it research - I call it a trojan horse program, and if I went into id's offices and installed a similar program that reported back to me on their machines, I would go to jail for it. If I convinced id to download and run it, by disguising it as, say, a video game, I'd go to jail for plain old fraud as well as the computer crime. That's 18 USC 47 section 1030, for the curious. It's been used against a number of 1337 d00dz who weren't quite 1337 enough.

So why does id think this is fine and dandy for them to do?

I like id's games, but this is not a joking matter. Software which performs functions beyond its stated activities is uncool (read: illegal), especially when those functions are spying on their users. Any sort of collection of data from users' machines, even relatively mundane data like the type of their video card, should be announced by the software and in the docs, and users should be able to opt out of it. How much bad press is it going to take before software companies get a clue? Or will the first hint they get be when an ambitious prosecutor serves a search warrant on them one day?

Update: 11/28 10:41 by michael : From various posts below and email received by yours truly, it looks as though id did have notification of the data-collecting activity in previous releases of the demo test; but not in the most recent one, for whatever reason. Perhaps the story should be about quality control on readme files. The basic point - companies need to be very open and upfront about things like this, even for benign purposes, and give people the option to opt-out - still stands, but it seems that id just made an error rather than tried to hide anything.

7 of 720 comments

  1. This needs attention by mikera · · Score: 5

    This is going to get more and more frequent, I am afraid.

    Unless something is done.

    I think some kind of binding code of practice needs to be swiftly adopted. Specifically, users must be warned in advance if *any* information is going to be collected, generated or transmitted from their machine.

    I know that there may be legitimate reasons for a company to want to send information back to their server. But if it is going to happen, then the user absolutely must be informed about it.

    It's also yet another good reason to use open source software - that kind of abuse simply can't get past a well informed community based on peer review.

  2. If it's really so harmless... by sjames · · Score: 5

    I agree with the posters who say that video card info isn't really all that big of a deal, BUT (and it's a big one) Since it's not a big deal, couldn't it just pop up a window (first time only) saying I'd like to tell ID that you are using a wiz-bang 5.32 Video card, is that OK?. I'd click yes to that one personally.

    Sending without asking is at least rude, and sets a bad precedent. What info will it be next time?

    I have to wonder, is that video card data really worth the stink this will cause?

  3. The straight answer by John+Carmack · · Score: 5

    This has been discussed before, and has been going on with the previous tests.

    The message of the day server was intended as a half-assed auto update feature that could be cross platform.

    We send a normal message most of the time, but if the version is out of date, we can send a message telling you where to get the update.

    I didn't want to deal with binary auto-updates on three platforms, and I worry a bit about security issues with that in any case.

    You can disable it by setting "cl_motd 0" when the game starts up if you really don't want to send anything or see our message.

    We added the result of glGetString( GL_RENDERER ) to get some much needed information about the distribution of video cards and drivers.

    We can see how many people aren't following directions and running glsetup. This is a big support issue.

    We can see how many people are running minidrivers, which are going to make our lives a mess in the future.

    We can see how many mac (steady 5%) and linux (5% at initial release, tailed off to 2%, probably due to dual booting) people are playing.

    Getting this information has been useful. We can compare the numbers of people playing with a given card with the amount of support emails we field, so we know which vendors (3DFX) we need to give more crap about their driver quality.

    John Carmack

  4. Re:Come on by Tom+Christiansen · · Score: 5
    An http User-Agent is sent because I told my machine to contact that server.
    You actually let that one out? Really? I never do. It's none of their business.
    The User-Agent header allows the server to better tailor content for my machine.
    Not really. If it did, then they wouldn't be playing by the rules. They'd be using embrace-and-extend games to lock you into a non-standard page with non-standard markup for non-standard agents.

    Gosh, I can't imagine who would ever want to do a wicked thing like that. :-)

  5. RTFM before you flame id. by CrusadeR · · Score: 5

    id stated in the Q3Test 1.08 README (it's named this for a reason...) that they collect this information:

    =======================
    == Section 11. ==
    == MESSAGE OF THE DAY==
    =======================

    When Quake 3 Arena starts a map up, it sends the GL_RENDERER string to the Message Of The Day server at id. This responds back with a message of the day to the client. If you wish to switch this option off, set CL_MOTD to 0 (+set CL_MOTD 0 from the command line).

    --
    :wq

  6. Plenty of games already do this, too, and why. by toastyman · · Score: 5

    Lots of other games send information out, with *no* way to stop it.

    Any of you played Starsiege Tribes? If you host a game it sends your CPU speed, amount of RAM, IP address (duh), version number, and a few other tidbits to their server, and even POSTS it on their master game list.

    Sending this kind of information has many uses. It lets them know how many people are still using some ancient version, so they can decide how long to keep support for it in their servers.

    His comment about being able to compare the number of people using one video card to the number of complaints received is a good one. From a support standpoint, if you get lots of calls saying that my FooBar Monster 512 board doesn't work, you have no idea if it's a really popular card or if the driver/board just sucks. Being able to tell the two apart is really important for delegating how much time is spent, and where to point the blame.

    I'm also a video game programmer (the arcade kind, not home games) and could also see lots of uses for this in a client-server game model. Being able to tailor the stream of data sent to a user if you can tell they can't handle it all, or being able to say 'Their card will only handle 16 bit textures at the resolution they've chosen, save them the download time by not giving them 32 bit textures' is one really nice feature that could be used in some games.

    I really don't buy the 'This is an invasion of privacy' argument. If any of this included your name, e-mail address, postal address or anything, I'd be concerned. Knowing what video card and which version of software you're using (which is probably important to the server anyway) is about as trivial as you can get.

    Also, all of you running Windows have probably given nearly the same info to the authors of GLSetup, if you used the web-install option, because they're able to log who downloaded which drivers, with the same justification as above.

    Lots of information is being sent every time you do anything. Send me an e-mail and I can probably tell you what E-mail client you're using, what version of it, and probably what OS you're using. Until it becomes *personal* or *unique* information about myself, I don't see the problem.


    -- Kevin

  7. More comments by John+Carmack · · Score: 5

    When the article first showed up, I thought "It IS documented in the release!". I went and looked, and unfortunately, that documentation from the previous release didn't make it into the latest release. Sigh. Our fuckup.

    Appropriate quote: "Never attribute to malice what can be explained by incompetence".

    I remain unconvinced that we have done something morally offensive.

    Yes, we could have (should have, meant to) included a notice that it was going on in the EULA, but honestly, how many people carefully read and consider every line of all the EULA's they click through? How much of a difference would that have made to people?

    I dislike lengthy legal verbiage, but it is reactions exactly like these that cause them to grow. Every time someone says "Sue 'em!" over something, a lawyer proposes another paragraph in a license document.

    The most upstanding thing to do would be to have explicit UI that asks on installation if you don't mind sending your data when you play multiplayer games. I would consider that justified if we were sending a detailed system spec. That is something we may want to do in the future. Data like that is helpful in making good development decisions.

    But this is just a driver string riding along with your game version. It just seems silly, like requiring you to acknowledge before leaving your house that someone might see you. I would rather have fixed a bug somewhere.

    I can see that it is a slippery slope to be on, and I can easily project it to a scenario that I would be offended by, but I just can't convince myself that knowing the relative distribution of different OpenGL implementations is violating people's rights.

    The system was set up to allow us to notify people with a one-line message when their versions are out of date. I imagine some people are offended even by that, but I consider that a positive service to the community.

    Including the renderer string was an afterthought to get some good unbiased data to help make future decisions on. Every once in a while we tally up the numbers, then dump all the logs. That's it.


    John Carmack