Site icon Sophos News

Holy Potatoes! Popular games remove “spyware” after gamers revolt

The games industry has just been taught an important privacy lesson: don’t mess with gamers – especially the ones who play something called Holy Potatoes! We’re in Space?!
It was on a forum connected to this game on 8 June that one of the biggest gamer insurgencies of recent times finally drew blood.
The complaint was that some recent downloads of the game had included a marketing monitoring program – Red Shell – developed by a company called Innervate, that behaved like “spyware”.
The controversy originated on other forum threads months ago but by now alarm about Red Shell was spreading like wildfire, not helped by the coincidence – openly acknowledged by its developers – that a 2004 Trojan shared the same name.
The game’s developer took the path of least resistance and caved, agreeing to de-install Red Shell using a software update.
More developers pledged to do the same, including the makers of Elder Scrolls online, Conan Exiles, the Warhammer series, Total War, and a list of others constituting perhaps a third of the total number of games that currently incorporate Red Shell.
Whether what Red Shell does is an invasion of privacy or a harmless tool seems to depend on whether you’re a developer or a concerned games consumer.


To its makers, and what turned out to be its numerous developer customers, it’s an analytics plug-in that can be used to see which marketing campaign on sites such as Facebook, Twitter or YouTube led to someone downloading and purchasing their game.
This monitoring includes the ability to “fingerprint” if not the gamer then his or her computer or console. As its makers describe:

Red Shell tracks information about devices. We collect information including operating system, browser version number, IP address (anonymized through one-way hashing), screen resolution, in-game user id, and font profiles.

As gamers began calling out Red Shell as “spyware” on Steam and Reddit, it quickly became clear that this form of market surveillance was not going down well.
The following Reddit exchange between a representative of UK developer Creative Assembly (publisher of the Total War series) and a gamer sums up the gulf between the two sides.
Creative Assembly:

Red Shell is a program we use to measure the effectiveness of our advertising. It’s not spyware. It’s a marketing attribution tool. It helps us determine which of our adverts are most effective.

Gamer:

I understand that analytics data is extremely valuable to businesses. […] However, at the same time I kind of feel like my video games really don’t need to know what my web browsers (or any other applications on my computer) are up to.

The first mistake games developers made when they added Red Shell was not telling anyone about it, or even offering a clear way to opt in or out.
The second mistake was to think that some in the games community, perhaps fired up by controversies such as Facebook’s ties to Cambridge Analytica, wouldn’t object when they found out.
Innervate’s CEO Adam Lieb has been quoted as saying that Red Shell meets the requirements of the EU’s new and now-feared GDPR rules because it does not collect personally identifiable information (PII).
That’s technically correct but, equally, the tolerance for any commercial surveillance is wearing thin across the industry. It’s just that it’s not always the worst offenders who are being called out.


Image courtesy of HolyPotatoesGame.com

Exit mobile version