Red Shell spyware found in games

[Rachael]

I got a DM from someone in Discord today, pointing me out to this issue:

https://www.dualshockers.com/red-shell-outcry/

Basically it seems like it collects a lot of information about you, and your gaming habits, and sends it to other developers who opt into this program.

Some developers have pledged to remove it - but you know how it is, they were quite happy using it right up to the point where they got caught. Shame on them, in my opinion.

Here's a very active reddit thread where this was brought up:

https://www.reddit.com/r/Steam/comments ... _in_space/

[dpJudas]

Big deal. Microsoft already logged everything worth logging about my computer. Google mined my email and all my DNS lookups and all websites I visited one way or another (via google analytics, google fonts, gmail, etc.). Facebook tracked every news site I've been to the past 10 years and sold it to the Russians. The banks tracked every transaction I did and then leaked the information along with the 450 million+ other credit cards.

And this is before we bring in intelligence agencies in the world.. they all have lovely laws that say I have no rights according to America (not an US citizen) and thus OK to spy on. The Americans on the other hand have no rights in europe. The intelligence services cooperate with each other and voila - the governments know virtually everything.

Sleep tight.

[Scripten]

Because of GDPR (and likely other privacy laws), we do have this avenue to opt-out: https://redshell.io/optout

EDIT: Actually, based on my knowledge of GDPR (I work in the tech sector), RedShell may still be breaking the law because they are assuming affirmative consent.

[Graf Zahl]

Strictly speaking, any single mobile game made in the last 10 years would be illegal, I have seen first hand what kind of invasive stuff they embed. As a result I haven't installed any app on my phone for the last 6 years. So now they do the same shit in PC games as well? How good that I don't buy this stuff anymore.

[Gez]

Looking at the list on reddit, I'm glad to see this includes 0 games I've played and just one I've even been remotely interested in playing.

[NeuralStunner]

Looking at the list on reddit, I'm glad to see this includes 0 games I've played and just one I've even been remotely interested in playing.

Seconded.

Best advice by far:

Complain to the Developers. Don't buy their games. Refund if you can. Make others aware.

Seems to me like threatening their profit margin would carry more weight than calling in the hounds lawyers.

[Rachael]

SidAlpha went and covered this - https://www.youtube.com/watch?v=wF-umETMsSg

I am not strictly anti-data collection - after all, I did GZDoom's HTTP code for the stats collector - something that 4chan's /vr/ LOVES to rail against both me and him for, but fuck it, I am not ashamed of what I did. You know why? Because I believe Graf handled the whole thing very ethically and with integrity. Graf can even tell you that initially I was very reluctant to help him with that, but eventually I did.

I was also very transparent about the data collected and how the server stores it - even when Graf didn't have full access to everything the server received, he had only the data points he needed, I plainly stated that it was there. Mostly to cover my own ass if it was hacked, which, let's face it, we like to defend against that and prepare for it as much as possible but none of us are immune to such a thing. Unfortunately, being Dreamhost, I could not eliminate that from the server logs even if I wanted to, but in the end even that doesn't matter - because if that was compromised, guess what - there's a whole ton of sites out there with logs that contain YOUR IP anyhow - and snatching your IP off the ZDoom forum is as easy as cake. So that point, really, is moot anyhow. We took a redundant precaution, and it still worked out in our favor.

So I would be a hypocrite if I said RedShell is the most evil company in the world - they're not. The issue I have is - the data collection was never even disclosed! It was done in secret, and without the knowledge or consent of the users. That's what I have an issue with, and I fully agree with SidAlpha that the attitude companies have that data is available for a five finger discount is nonsense. It makes sense to collect it - and in many cases it carries a huge benefit to do so, even for non-profit developers - but let people know what you're doing, and give them an avenue to get out of it. Then we're good. (Oh, and don't gate the opt-out behind some 15-paragraph EULA - that's bullshit, too, it might work for courts but it's still shit and despicable)

[Graf Zahl]

So I would be a hypocrite if I said RedShell is the most evil company in the world - they're not. The issue I have is - the data collection was never even disclosed! It was done in secret, and without the knowledge or consent of the users. That's what I have an issue with, and I fully agree with SidAlpha that the attitude companies have that data is available for a five finger discount is nonsense. It makes sense to collect it - and in many cases it carries a huge benefit to do so, even for non-profit developers - but let people know what you're doing, and give them an avenue to get out of it. Then we're good. (Oh, and don't gate the opt-out behind some 15-paragraph EULA - that's bullshit, too, it might work for courts but it's still shit and despicable)

That pretty much mirrors my standpoint about this issue.
And regarding hiding such options behind walls of text - we'll have to see how that holds up in court, if it ever gets contested. People are truly wary of these things and I have seen some court rules that dismissed this as a valid defense because all that text had apparently been designed to hide the true intent behind smokes and mirrors. At least on PCs the user is in a position to monitor traffic and examine executables for malicious content. But on mobile phones things are very different. You normally download some opaque blob from the app store which then gets saved into some memory that is unreachable to the end user which has to put complete trust into the software and its makers. And of course I've yet to see a single such app that asks the user for consent (which essentially makes all of this illegal under EU laws.)

And let me state it here since it fits the topic:

While the last survey gave us valuable data points, e.g. it made it abundantly obvious that dropping the Direct3D backend for the software renderer would only affect a tiny minority of users, we only discovered afterwards that with one piece of info we made a mistake and made it too coarse. I am talking about querying what rendering hardware people use. By having one "modern, non-Vulkan compatible OpenGL" data point we effectively lumped together entry level OpenGL 3 cards which are barely better than their GL2 predecessors with high end hardware that can run the game at full power with all features on.
So now, with a proper check for Vulkan present in the code I plan to re-run the survey with the 3.5 release to get some real data about how the average graphics hardware of GZDoom's users looks. What I do not want to do is focus on some minority high end segment which most users cannot benefit from.

[NeuralStunner]

(Oh, and don't gate the opt-out behind some 15-paragraph EULA - that's bullshit, too, it might work for courts but it's still shit and despicable)

Hasn't there been at least one case where a judge ruled against an esoteric EULA? I hope I'm remembering correctly.

[Graf Zahl]

I cannot cite an example but I definitely remember that there were rules against some overly obtuse terms and conditions and it was decided that they have to be presented in a way not to overwhelm the customer. This crap is definitely a result of a broken American legal system but it has spread everywhere by now.

[NeuralStunner]

On a positive note, I've seen a lot of sites that have made their TOS etc. human-readable of their own volition, which I hope becomes more widespread.

[Rachael]

Vote with your wallet. When a corporation does something good, support them - and make it clear what you are supporting. If enough people do it - the marketing teams will take note.

Remember - corporations are not inherently immoral - they're amoral. That means quite simply - they don't go out of their way to be evil - they do whatever earns them the most money. If being evil does it, so be it - but if doing good things gets them more money, then that's what they will do.

That is why corporations rarely speak out about racism and homophobia and other major political issues - they want customers, not moral ground.

[Zan]

I know from someone working in the triple A industry that they have software telling them even how many times you jumped in a game. It's all data mining and pattern creation so they can sell better.

[Graf Zahl]

Vote with your wallet.

I had to think about Apple when reading this sentence. As a developer I can see their antics on a regular basis. They update their terms of service each month and present the changes in the most customer unfriendly manner possible. But to ensure that they did not just add something evil, it always has to be given to a lawyer first for review, costing lots of time and money. I know of too many people who just click through that stuff and never think about the implications.

As a private person I wouldn't touch any of their stuff ever, considering how sneaky they act.