The games industry has just been taught an important privacy lesson: don’t mess with gamers – especially the ones who play something called Holy Potatoes! We’re in Space?!
It was on a forum connected to this game on 8 June that one of the biggest gamer insurgencies of recent times finally drew blood.
The complaint was that some recent downloads of the game had included a marketing monitoring program – Red Shell – developed by a company called Innervate, that behaved like “spyware”.
The controversy originated on other forum threads months ago but by now alarm about Red Shell was spreading like wildfire, not helped by the coincidence – openly acknowledged by its developers – that a 2004 Trojan shared the same name.
The game’s developer took the path of least resistance and caved, agreeing to de-install Red Shell using a software update.
More developers pledged to do the same, including the makers of Elder Scrolls Online, Conan Exiles, the Warhammer series, Total War, and a list of others constituting perhaps a third of the total number of games that currently incorporate Red Shell.
Whether what Red Shell does is an invasion of privacy or a harmless tool seems to depend on whether you’re a developer or a concerned games consumer.
To its makers, and what turned out to be its numerous developer customers, it’s an analytics plug-in that can be used to see which marketing campaign on sites such as Facebook, Twitter or YouTube led to someone downloading and purchasing their game.
This monitoring includes the ability to “fingerprint” if not the gamer then his or her computer or console. As its makers describe:
Red Shell tracks information about devices. We collect information including operating system, browser version number, IP address (anonymized through one-way hashing), screen resolution, in-game user id, and font profiles.
As gamers began calling out Red Shell as “spyware” on Steam and Reddit, it quickly became clear that this form of market surveillance was not going down well.
The following Reddit exchange between a representative of UK developer Creative Assembly (publisher of the Total War series) and a gamer sums up the gulf between the two sides.
Creative Assembly:
Red Shell is a program we use to measure the effectiveness of our advertising. It’s not spyware. It’s a marketing attribution tool. It helps us determine which of our adverts are most effective.
Gamer:
I understand that analytics data is extremely valuable to businesses. […] However, at the same time I kind of feel like my video games really don’t need to know what my web browsers (or any other applications on my computer) are up to.
The first mistake games developers made when they added Red Shell was not telling anyone about it, or even offering a clear way to opt in or out.
The second mistake was to think that some in the games community, perhaps fired up by controversies such as Facebook’s ties to Cambridge Analytica, wouldn’t object when they found out.
Innervate’s CEO Adam Lieb has been quoted as saying that Red Shell meets the requirements of the EU’s new and now-feared GDPR rules because it does not collect personally identifiable information (PII).
That’s technically correct but, equally, the tolerance for any commercial surveillance is wearing thin across the industry. It’s just that it’s not always the worst offenders who are being called out.
Image courtesy of HolyPotatoesGame.com
Joe
It collects IP addresses though, I thought that counted as PII
John E Dunn
PII is data unique to an individual – that doesn’t include IP addresses, which identify networks. ISPs can relate this to a connection and the account associated with it but not a person.
Paul Ducklin
I think that different jurisdictions have different opinions on whether IP numbers count as “personally identifying” or not. Even if an IP number needs an ISP to trace it back to a particular subscriber’s account, and even if multiple people could be or are sharing that IP number through a router, most consumer IP numbers at least loosely “tie back to you”.
The UK Information Commissioner’s Office (ICO), for example, says that IP numbers are, or at least may be, PII, considering that they are often used to “join the dots” for purposes such as connecting together multiple visits to the same website.
PII doesn’t literally have to be unique to an individual, or else mobile phone numbers would not be considered PII because, technically speaking, they are issued to a SIM card, not to a person, and are available to be re-issued if the original subscribers stop using them. Nor would your physical address, on the grounds that you leave it behind when you move house and the next individual (or family) takes it over, nor your vehicle’s registration number (tag) because it’s generally tagged to the vehicle, not the owner or the driver.
Bryan
Red Shell tracks
IP address (anonymized through one-way hashing),
in-game user id
Hey, we scramble your IP address…there’s no WAY this can be traced back to you!!
Paul Ducklin
The problem with simply “anonymising through hashing” (without being clear about what hashing process is used) is that there are fewer than 4 billion valid IPv4 numbers, so creating a lookup table listing all possible IPs and their hashes might be feasible (and perhaps even very easy), as happened in this example:
https://nakedsecurity.sophos.com/2014/06/24/new-york-city-makes-a-hash-of-taxi-driver-data-disclosure/
If you can compute such a table then you can trivially reverse every hash to its corresponding IP with a single lookup, and there’s no anonymity at all.
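The lookup-table point made in the comment above, as an added example that is not part of the original discussion. It assumes an unsalted SHA-256 over the dotted-quad string (the page does not say which hashing process Red Shell uses), enumerates only a /16 so it runs in well under a second, and uses hypothetical function names and a constructed sample address. It also shows the same table failing against a keyed hash when the key is not known.

```python
import hashlib
import hmac
import ipaddress
import secrets

def naive_hash(ip: str) -> str:
    """Unsalted SHA-256 of the address string (assumed scheme, not Red Shell's documented one)."""
    return hashlib.sha256(ip.encode()).hexdigest()

def keyed_hash(ip: str, key: bytes) -> str:
    """HMAC-SHA-256 of the address under a secret key held only by the collector."""
    return hmac.new(key, ip.encode(), hashlib.sha256).hexdigest()

def build_lookup(network: str, hash_fn) -> dict:
    """Map hash -> address for every address in the given network."""
    return {hash_fn(str(ip)): str(ip) for ip in ipaddress.ip_network(network)}

def demo():
    ip = "203.0.113.77"          # constructed sample address (documentation range)
    scope = "203.0.0.0/16"       # 65,536 candidates; all of IPv4 is only 2**32

    # Unsalted hash: one dictionary lookup maps the stored value back to the address.
    stored = naive_hash(ip)
    recovered = build_lookup(scope, naive_hash).get(stored)

    # Keyed hash: a table built without the real key contains no matching entry.
    key = secrets.token_bytes(32)
    stored_keyed = keyed_hash(ip, key)
    wrong_key = bytes(32)        # stand-in for "any key that is not the collector's"
    outsider = build_lookup(scope, lambda a: keyed_hash(a, wrong_key))
    recovered_keyed = outsider.get(stored_keyed)

    # Whoever holds the key can still rebuild the table, and equal inputs still
    # give equal outputs, so this is pseudonymisation rather than anonymity.
    return recovered, recovered_keyed

if __name__ == "__main__":
    print(demo())
```
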
Bryan
Yeah, I recall that article. Wouldn’t be surprised if such a lookup table has already been independently brewed by multiple assailants ^H^H^H entities.
I was sarcastically putting myself in the “PR shoes” of the Red Shell folks as they understate the breadth of surveillance–particularly since userID is by necessity unique and can easily IMO count as PII.
e.g.
No one else in the world has a Twitter handle named DuckBlog. While it’s less obfuscated than others it’s still a non-word that’s nonexistent on your car insurance or mortgage documentation–yet can be directly traced back to its owner. The fact that you’re more well-known online than I won’t likely impede that a great deal.
Paul Ducklin
Indeed – I wasn’t intending to criticise your remarks about hashing (I read your words as wryly satirical), just adding some additional thoughts on the matter.
Bryan
Yeah, thanks; I figured :,)
Backatchya. For posterity and such. When I add non-joke educational content here, you’re the last one I expect needs to “learn” it.
Anonymous
It depends on who is noticing the IP address – an ISP would be able to relate an IP address to an account but a games maker wouldn’t without a lot more information. Arguably, a MAC address would be a far better identifier than an IP if tracked across a range of connections.
Paul Ducklin
Depends what else you know about that IP from earlier traffic.
MAC addresses don’t pass through routers.
emailx45
And … if your MAC address were encrypted in a “string” or (like a puzzle) was placed as part of an innocent string, before it is sent to the “observer”?
Paul Ducklin
Well, that would IMO certainly be PII and definitely collected without consent…
My point was simply that in an analytics system that collects data without trying to hide it (for example so that it can lie about how much it is collecting, or because it is incompetent), the originator’s IP number is always there because it survives end-to-end in every network packet. OTOH, the MAC address is not because it is replaced at each inter-network hop.
Bryan
Well, at least when handled directly by the TCP/IP spec.
But sometimes the MAC can leap a bit further… :,)
https://nakedsecurity.sophos.com/2018/06/18/the-worlds-worst-smart-padlock-its-even-worse-than-we-thought/
John E Dunn
They do if the software (i.e. a game in this instance) captures that on the client.
Anonamoose
Facebook can easily and does trace IP’s back to actual people just as easily as an ISP. And, gamertags can also easily be traced back to social media accounts and actual people. The problem is that “a lot more information” is readily available on a number of different pieces of potential PII, such as IP’s, usernames and other pieces of data.
John E Dunn
Point taken.
Equally, I’ve had the same mobile number for 23 years while my router’s IP changes every Tuesday when I reboot it….!
John Bryan
IP addresses do not identify networks, they identify network devices including phones, cars, watches, fitness devices, medical devices, your home etc. All of those I would count as being a personal identification.
At both a technical level and a GDPR legal level (IANAL) IP addresses are PII. Even dynamic IP addresses are, as:
a) Dynamic[sic] IP addresses can stay the same for years
b) They can be combined with historical data or other data to identify a unique person.
John E Dunn
It depends which IP addresses you’re talking about.
If your home router hands out an IP number (192.x.x.x) that’s not really PII because it might change every time you connect a few minutes apart. The same could be argued for many ISP addresses, which will change under PPPoE every time the router is rebooted.
But your concern about IP addresses is not unreasonable – perhaps everything is PII.
Paul Ducklin
Firstly, the fact that something *might* change every few minutes is not enough to treat it as “not PII”. Secondly, the private IP number that your home router gives you almost certainly does *not* change every few minutes. (My home router has given me the same IP number via DHCP every day for the last two years.) Thirdly, the IP number that outside servers see is the IP number of your router, which is determined by your ISP and probably doesn’t change that often. Some ISPs give out static IP numbers, so they almost never change; some give out dynamic IP numbers that change rarely, dishing out the same one for months even after reboots; and others give out a different IP approximately every time you reboot your router. (My ISP has given my home router the same IP number for the last two years.)
John E Dunn
Clearly, there’s no hard and fast rule. An IP address might be PII but not in every case.
Bryan
An IP address might be PII but not in every case.
Disagree. Until the ISP purges DHCP records that are subpoena-able, the ISP IP is PII
That may be the most palindromical-looking non-palindrome I’ve seen :,)
Bryan
Red Shell meets the requirements of the EU’s new and now-feared GDPR rules because it does not collect personally identifiable information (PII).
A gamer’s UserID should count as PII. Well-known gamers are recognizable by both anyway.
No game developer allows duplicate usernames, whether in-game or just for account (i.e. Steam). It might technically involve an extra step to convert “DucksAndBunnies” back to “123 Main Street,” but the breadcrumbs are patently present.
Anonymous
The GDPR doesn’t say that companies can’t collect PII as long as they have gained consent and people have a means of opting out after the fact. Presumably that consent is buried somewhere inside the games developer’s EULA.
John E Dunn
Game IDs are PII but presumably the game needs that.
Bryan
Game IDs are PII but presumably the game needs that.
Right, but Red Shell doesn’t.
Critter
I wonder as we move more to IPv6 if that would be PII.
James
The Sophos XG Firewall Home Edition would be perfectly positioned to block this on a network. Is there an option to block these kind of trackers with it?
Zipod Bibrox
In what sense is GDPR “new”? It’s been law (or whatever the right word is for a regulation) for more than two years already. And on what planet is it “now feared”? Or is that just journalistic license in action?
John E Dunn
GDPR was approved by the European Parliament in 2016 but came into force on May 25 this year.
As for being feared, plenty of companies have expressed worries about staying on the right side of the law – a good example might be Instapaper, which has started blocking users in EU countries from logging in.