Unity Analytics and the GDPR

[radonek]

1 hour ago, steve_v said:

Really, I don't get all this outrage.

Simple. Lots of people just now realizing that those hairy wild-eyed hacks with tinfoil hats were actually up to something all the time.

[steve_v]

58 minutes ago, radonek said:

tinfoil hats

Are entirely optional. Generally speaking, a healthy suspicion, basic experience with human greed and enough technical competence to know where to look is all that is required.

I find it rather bewildering that so many people can be comfortable using the internet and internet connected devices without even looking into what is really going on when they do.

Of course software publishers are collecting information on you, it's easy and it makes them money.
You'd be hard pressed to find a modern car that doesn't snoop on you, let alone some black-box software you got off the 'net. This isn't shocking, it's blindingly obvious.
That doesn't make it okay, but it sure isn't a big revelation either, just because someone posted about it on reddit.

Effort would be far better spent learning how to detect and thwart this activity than getting all outraged and shouting about it. Hell, you don't even need a hat.

Edited June 19, 2018 by steve_v

[radonek]

I for one do not want to live like checking everything I buy like product of adversarial entity. It's waste of everyone's time for zero productive result. In the end, it means computers are dangerous to use for everybody outside of small group of professionals, just because environment is too toxic for, you know, the people.

6 hours ago, steve_v said:

Effort would be far better spent learning how to detect and thwart this activity than getting all outraged and shouting about it. Hell, you don't even need a hat.

Do you really believe you can run this kind of arms race against companies doing this for money?

[SayNoToRedShell]

17 hours ago, Deddly said:

Hi @SayNoToRedShell. Welcome to the forum! We had an existing thread about this issue, so I merged the two together.

People are going to be so confused about your name in the future when this issue has long been sorted out

Thank-you for allowing the discussion to be had at least, I will take it as a sign of good faith that my post was not silenced off the hop.

This moniker will only exist until the issue is sorted out, so no confusion will be had.

I'm a bit dissatisfied that my post will now be harder to find, due to Red Shell being removed from the title and my post being buried halfway down a thread - where people are less likely to read - rather than being the first post.

However, progress is progress.

Let's get an official word on Red Shell, let alone the implications it has concerning GDPR compliance.

Quote

Effort would be far better spent learning how to detect and thwart this activity than getting all outraged and shouting about it. Hell, you don't even need a hat.

Effort is better spent discussing the issue like adults, and landing on a solution that benefits both the end user and the company. Such as full disclosure of what is tracked, giving users the ability to opt-out, anonymizing data, secure transport of data, not collecting beyond what is necessary, etc. Company keeps the analytics they require to make the game work, user gets to be involved in the choices that affect them, company gets good press.

Quote

Really, I don't get all this outrage. Yes, spying on users is not nice, but developers have been bundling spyware with proprietary software for ages. Why make so much noise now? Games were phoning home 10 years ago, and nobody seemed to care.

What logical gymnastics is this? "They've been violating our privacy for 10 years, so why are you mad, just let it keep happening." Hello?!

10 years ago, people weren't aware of the extent of the data collection, if they were aware at all.

The big problem isn't that a single company is doing it. The problem is that the net is so wide now that everything is swept up and amalgamated with other information from other data brokers. 10 years ago, the technology wasn't there to geolocate your photo via AI, match it with some facial recognition, combine that with your contacts list, gaming habits, IP addresses to create a dossier beyond what George Orwell ever imagined in his book. Companies you've never heard of are able to predict your movements, know your sleeping habits, predict health risks. Oh, and now "pre-crime" AI is being rolled out...JOY. And guess what? The data that Red Shell collects is another piece of the puzzle. Another data point to parse.

The laws were unclear, misinformed or non-existent 10 years ago, now we have a solid backbone in the form of the GDPR as well as other North American data privacy initiatives.

This is what happens when people wake up to whats happening around them.

I'm making noise now because I was in no position to make noise 10 years ago. Now I am.

And I'm going to make noise, company by company, product by product, app by app. It's not just KSP - its a global issue. But we have to start somewhere. Every developer who turns the page and realizes the damages caused by the analytics-net they've cast and in turn becomes more transparent (even if they continue to collect data, giving the user the knowledge that they are) is a global win. Eventually these small developers, sands of grain in comparison to the giants like FB - if enough of them start respecting privacy, the castle will crumble. One grain of sand at a time.

That's why I'm here. I have faith in Squad. I have faith in KSP. I have faith in the community. This is a stepping stone in a much wider issue - but that doesn't make it any less important. This is all connected.
So, Squad, please stop vacuuming up all the data you can and instead only focus on the data you need - while telling your paying customers what your collecting and why - and give them an option to opt-out of any unnecessary data collection. Better yet - let the users who don't care about privacy opt-in to the collection of personal data.

Edited June 19, 2018 by SayNoToRedShell
Links

[Temeter]

Man, that's a real shame. I was downplaying the EULA thing myself, because it a) was there for long time, and b) the game itself shouldn't collect too much data anyway, as long as it's not using quite litteral spyware. Not a big deal in itself.

To hear that there is actually spyware included in Kerbal Space Program - and don't anyone tell me stuff  inside a game reading out my browser isn't spyware - is quite a shame. I hope that will get corrected ASAP, I consider this a pretty damn big breach of trust.

Edited June 19, 2018 by Temeter

[MDZhB]

1 hour ago, radonek said:

I for one do not want to live like checking everything I buy like product of adversarial entity. It's waste of everyone's time for zero productive result. In the end, it means computers are dangerous to use for everybody outside of small group of professionals, just because environment is too toxic for, you know, the people.

I agree with your sentiment, but the fact is that every product you buy is the product of the enemy. But what is truly dangerous is that most people (understandably) believe that you must be part of the "small group of professionals" to do anything about it. Most people believe that they are competent at using computers, and any more knowledge is in the realm of "professionals."

Unfortunately, the truth is that the majority of computer users are severely under-educated about how the machines they use on a daily basis actually work. How many "average" users know what an internet packet is? What about a port? Or what the operating system actually does? Maybe these seem like intense technical questions, but in reality a quick google search can enlighten anyone.

In short, the majority of internet users need to realize two things:

1. They are in desperate need of information
2. The information they need is easy to understand and acquire.

1 hour ago, radonek said:

Do you really believe you can run this kind of arms race against companies doing this for money?

Yes, actually. Lot's of people do it. Contrary to popular belief, you don't have to use commercial software, and you don't have to allow it to do whatever you want. So why doesn't everyone already do that? Again, for the reasons I outlined above, but also because it seems that internet users are apathetic enough to simply accept that they are giving away their data.

Now, this is not all to say that redshell isn't a problem, and we shouldn't try to do something about it. Just the opposite, in fact. We must be more diligent than ever if we want to do anything more than pretend that we care about our privacy and information. It is essential to speak up about it, but actually doing something about it is just as essential. You are not helpless, if you take your computing into your own hands, and make your voice heard.

[radonek]

1 hour ago, MDZhB said:

I agree with your sentiment, but the fact is that every product you buy is the product of the enemy.

I beg to differ. In my country, I can buy food without fear of poisons. I can buy electric appliance without  fear of hazard or fire. I can buy a car without fear of safety. I don't see why should I need be afraid of software.

"Informed users" do about as much good with software as with aforemetionables - knowing risks is nice and all, but you can't expect ordinary people to police their own particular software any more then to chemically analyze toxicity of their food.

2 hours ago, MDZhB said:

You are not helpless, if you take your computing into your own hands, and make your voice heard.

I run custom built system with handcrafted kernel. You can hardly take your computing into your hands more than that, unless you are RMS. Heck, I even possess very politically uncorrect penguin t-shirt :-) But if my granny should need that kind effort to use computer (or, as of late, phone or even a lightbulb) I would consider it a failure.

[klesh]

15 hours ago, linuxgurugamer said:

I'm also asking for an official reply to this.

It is disturbing that all we hear is the sound of silence

 

TakeTwo is on the left, and Squad is on the right in case you couldn't tell the difference.

[ibanix]

4 hours ago, radonek said:

Do you really believe you can run this kind of arms race against companies doing this for money?

Considering that protest has already caused a number of publishers to remove this from their product? Yes.

[rtxoff]

This is such an effrontery from any game developer integrating these kind of spyware and it doesn't matter if you can opt out or not. Most users wouldn't even read it and just click on. I say to the devs remove that redshell spyware completely, nobody paid for the game to get spied on. You can do these things on free games if you like but i as a paying customer don't want that crap on my harddisk. 

[lajoswinkler]

This needs to be solved. For what it's worth, I've blocked it with those instructions from Reddit.

[Charonx2003]

If necessary hit them with the GDPR hammer.

Sooner or later the wrong person will either get liquided off (e.g. a privacy-aware fan with a law degree) or someone will figure out how to make money off it (a while ago  some lawyers in Germany specialized in finding corporate websites that lacked legally required information, and sent them the equivalent of a cease-and-desist letters alongside with a demand for payment of a fee... for sending them said cease-and-desist letter.)

Also, the other (main) reason why companies got so antsy and suddendly decided that they need to be compliant RIGHT NOW about the GDPR is that the fines can become rather... sizeable... The "Lower Level" fines for not-so-serious breaches can be

Quote

Up to €10 million, or 2% of the worldwide annual revenue of the prior financial year, whichever is higher

More serious infringements  - e.g. involving "The basic principles for processing, including conditions for consent" (hint hint hint) - can be

Quote

Up to €20 million, or 4% of the worldwide annual revenue of the prior financial year, whichever is higher

So please, Squad, get your Rectum into gear - and if you do not want to do it for us, then do it to get the hell out from under that €20 million+ sword of damokles.

Edited June 19, 2018 by Charonx2003

[radonek]

1 hour ago, ibanix said:

Considering that protest has already caused a number of publishers to remove this from their product? Yes.

Public outrage is not arms race. I was refering to idea that this issue can be resolved by purely technical means (e.g. firewall rules). Getting rid of particular nastyware only forces adversaries to find more covert ways to gather and exfiltrate their precious loot.

1 hour ago, gpisic said:

This is such an effrontery from any game developer integrating these kind of spyware and it doesn't matter if you can opt out or not.

It matters to me. I was ok with original KSP stats collection precisely because Squad was open what is gathered and how to disable it.

[MDZhB]

2 hours ago, radonek said:

I beg to differ. In my country, I can buy food without fear of poisons. I can buy electric appliance without  fear of hazard or fire. I can buy a car without fear of safety. I don't see why should I need be afraid of software.

Sorry, I think I was a little unclear. Every software product you buy is suspect. Certainly we can trust our food not to be poisoned, and we should be able to trust our software not to be poisoned either. Sadly, we can't do that yet. That is why it is necessary to speak up about it.

2 hours ago, radonek said:

But if my granny should need that kind effort to use computer (or, as of late, phone or even a lightbulb) I would consider it a failure.

Software today is a failure for this exact reason. If your granny wants to play KSP without getting spied on, she's out of luck. It's just that, presented with options A: publicly protest unethical data collection, or B: counteract the data collection, I say we do both. I just wanted to make the point in my earlier post that it isn't futile to actively nullify spyware like this

13 minutes ago, radonek said:

Getting rid of particular nastyware only forces adversaries to find more covert ways to gather and exfiltrate their precious loot.

This stuff never relied on any kind of technical ability in the first place, its not their business model. They don't bank their success on their ability to thwart countermeasures, they bank it on users not caring enough to know or do anything about it. When resistance is put up, I highly doubt they'll do anything serious about it. They aren't exactly the NSA.

2 hours ago, radonek said:

I run custom built system with handcrafted kernel. Heck, I even possess very politically uncorrect penguin t-shirt :-)

Is it Gentoo? Can it play KSP? 

Edited June 19, 2018 by MDZhB

[radonek]

22 minutes ago, MDZhB said:

This stuff never relied on any kind of technical ability in the first place, its not their business model. They don't bank their success on their ability to thwart countermeasures, they bank it on users not caring enough to know or do anything about it. When resistance is put up, I highly doubt they'll do anything serious about it. They aren't exactly the NSA.

I agree with everything else, but I think you are mistaken here. Gathering and analysis is already big business and those tend to defend themselves. No need to be NSA, outsmarting average Joe will do. I am no NSA either, yet I can think of several ways how to get data out more or less covertly.

30 minutes ago, MDZhB said:

Is it Gentoo? Can it play KSP? 

Yeah, it is. I'm just betting there is no source mage or scratcher around to call me out :-) As for KSP, there is a steam overlay (it just pulls required libraries) and Unity works fine. Even CKAN works, though I hate Mono with passion.

[MDZhB]

46 minutes ago, radonek said:

I am no NSA either, yet I can think of several ways how to get data out more or less covertly.

They certainly could do it, but it would be a bad move for them. So many people are already angry about it in the first place; imagine the reaction if we found that they became more aggressive, rather than backing off. That's why both information and active countering is important. And, in this specific example, I think it is unlikely that the KSP devs will deliberately do something to bypass firewalls, nor will the redshell folks in the near future. It is a good solution, even if it is only temporary.

[cbowen78]

With great sadness I join those uninstalling KSP until I can easily opt out of any data gathering.

[LordFerret]

On 6/18/2018 at 6:21 PM, Deddly said:

Hi @SayNoToRedShell. Welcome to the forum! We had an existing thread about this issue, so I merged the two together.

People are going to be so confused about your name in the future when this issue has long been sorted out

IF and WHEN this ever gets sorted out and fixed (notice I'm not holding my breath), @SayNoToRedShell can go here and change it...

 

[akardam]

Being the curiousity-killed-the-cat type, I did a little poking about. It appears that the RedShell facility is used to gather, among other things, information on when a user starts (and completes) a tutorial mission, what language the game is launched with, if one or more mods are present, and if Making History (specifically) is installed.

Interesting that they're doing it, though for the moment I feel inclined to refrain from speculating on *why*, exactly...

I agree with others in this thread that blocking things with a firewall (of some type) is probably the least of evils at this point - still lets you play the game without worrying (much) about the tracking and analytics shenanigans. My gaming rig is behind a hardware firewall which blocks all outbound attempts at my hardware firewall, but for what it's worth and for good measure I deleted both the UnityEngine.Analytics and RedShellSDK DLLs (as others have pointed out you can do), and the game seems to run without them.

Nice for all this to come down right when I got motivated to get into the mod-making scene... *grumble !@#$% moan*

[steve_v]

15 hours ago, radonek said:

I for one do not want to live like checking everything I buy like product of adversarial entity.

So don't. A product like KSP has no need for an internet connection, so blocking it entirely is a safe and sane default.
It's not so easy with applications that require a connection to work, granted, but a single player game does not.
 

15 hours ago, radonek said:

Do you really believe you can run this kind of arms race against companies doing this for money?

I do, and I do. It's not always viable, but where is is there's little excuse for not taking basic steps to protect your own privacy. In the case of KSP it's not only possible, it's easy.

There is always more than one option, legal solutions like the GDPR are all well and good, but users need to take charge of their own gear as well. I'm not saying "don't complain", I'm saying "take the technical option where it exists". Then complain.
The vast majority of personal data in the great advertising net was given freely through choice or ignorance anyway, not collected with subtle spyware.

The point I was trying to make in the first place is that uninstalling KSP is akin to the old saying "cut off your nose to spite your face". There are ways to continue playing the game without giving away your data if you make the minimal effort to learn.

 

 

15 hours ago, SayNoToRedShell said:

Effort is better spent discussing the issue like adults, and landing on a solution that benefits both the end user and the company. Such as full disclosure of what is tracked, giving users the ability to opt-out, anonymizing data, secure transport of data, not collecting beyond what is necessary, etc.

Sure. And while you wait for that to make it's way through the  byzantine legal system, you can firewall KSP right now. Plug the leak at the source.

15 hours ago, SayNoToRedShell said:

Company keeps the analytics they require to make the game work, user gets to be involved in the choices that affect them, company gets good press.

Company gets no analytics at all, because this user decides not to give it to them... And doesn't care at all about their press. There's no reason for KSP to connect to the internet, and it's easy to prevent it from doing so.

15 hours ago, SayNoToRedShell said:

What logical gymnastics is this? "They've been violating our privacy for 10 years, so why are you mad, just let it keep happening." Hello?!

I'm not saying "let it keep happening", quite the opposite. I'm suggesting that users take practical steps to prevent it. Uninstalling the game isn't one of those, and IMO, complaining on a forum isn't either.
It's been happening for years, and  the majority of users have been allowing it to continue. Is it any wonder that companies believe they can get away with it? Stop giving them your data.

 

13 hours ago, MDZhB said:

Unfortunately, the truth is that the majority of computer users are severely under-educated about how the machines they use on a daily basis actually work.

Indeed.
IME, these are the same that fail to read licence agreements, fail to back up important data, post their entire lives to social media, then start screaming when somebody points out what they have set themselves up for.
I'm not sure whether this is learned helplessness or pure apathy, but either way it's counterproductive. Teach kids to code, support open source software, stop uploading your life to big data, and learn how to use your own equipment. Knowledge is power, and it's there for the taking.
 

13 hours ago, MDZhB said:

Is it Gentoo? Can it play KSP?

Gentoo here too, FWIW. I wouldn't call it "custom" though...  Most Gentoo users let portage do all the work
I did run LFS for a while...
 

8 hours ago, radonek said:

As for KSP, there is a steam overlay (it just pulls required libraries) and Unity works fine. Even CKAN works, though I hate Mono with passion.

I found that overlay more trouble than it's worth TBH. And I hear you WRT mono.

 

 

5 hours ago, cbowen78 said:

With great sadness I join those uninstalling KSP until I can easily opt out of any data gathering.

Sigh.
You can easily opt out of data gathering. Firewall the KSP process or send DNS lookups for the redshell domain(s) to localhost.
It's not rocket science, and a quick internet search will show you how. If you'd rather give up playing the game though, suit yourself.

 

 

Edited June 20, 2018 by steve_v

[Umlüx]

blocking KSPs access to the web with my firewall for now.

if there is no official statement to this, i'll think twice ever buying a squad game again...

[KSK]

On 6/19/2018 at 6:24 AM, steve_v said:

As for all the talk of "uninstalling until this is removed", if you do that hurt no-one but yourself. Squad / TTI isn't interested in you playing the game, they're interested in people buying it. If you want to punish them, post some nasty reviews...

Not sure I agree with that. Particularly when we're talking about a game for which community content is quite so important and which is published by a company with a stated goal of increasing player-base monetisation. 

Every player that quits over this is one less potential modder, one less potential Mission builder, one less potential evangelist for an increasingly elderly game, possibly one less purchaser of future DLC. Over the longer term, that's going to hurt Squad /TTI much more than yet another nasty review. Especially since the signal to noise ratio for most online reviews is so abysmally low anyway that gamers posting single-issue bad reviews is just another source of noise to filter out.

TL: DR 

Talk (posting a review) is cheap, action (quitting the game in protest) less so.

Edited June 20, 2018 by KSK

[steve_v]

18 minutes ago, KSK said:

Talk (posting a review) is cheap, action (quitting the game in protest) less so.

Maybe. Still hurts you more than it hurts them though, at least in the short-term.
One can quit playing and not help to publicise or mod the game, or one can keep playing and not help to publicise or mod the game. This is the internet, and with the analytics firewalled nobody knows you are a dog player. Just as effective (or not) either way.
One of these options allows you to keep playing a game you (presumably) enjoy.

I suspect, if Squad / TTI gets A into G and complies with the GDPR, this will become a moot point before protesting here has any real impact anyway.

Edited June 20, 2018 by steve_v

[SayNoToRedShell]

7 hours ago, steve_v said:

1) Sure. And while you wait for that to make it's way through the  byzantine legal system, you can firewall KSP right now. Plug the leak at the source. 

 

2) Company gets no analytics at all, because this user decides not to give it to them... And doesn't care at all about their press. There's no reason for KSP to connect to the internet, and it's easy to prevent it from doing so.

3) I'm not saying "let it keep happening", quite the opposite. I'm suggesting that users take practical steps to prevent it. Uninstalling the game isn't one of those, and IMO, complaining on a forum isn't either.
It's been happening for years, and  the majority of users have been allowing it to continue. Is it any wonder that companies believe they can get away with it? Stop giving them your data.

1) It doesn't need to go through a legal system. Squad just needs to pony up to the task. But, I would concede that yes - this is best fought from both fronts. Plug it at the source indeed. Also, raise hell about the source. Two fronts are better than one, can we agree?

2) I suggested a compromise because that's how progress is generally made. Through concessions. I can understand from a companies point of view why they want to know crash analytics, source of installations, etc. It doesn't need to be all or nothing. Some people may be comfortable sharing more than others are. All I want is transparency and a reasonable amount of control over my data. Things like crash anayltics I have no problem sharing with a game developer, given I can purge it of PII and only provide what is necessary. This is a two-way street.

Also, please keep in mind what is "easy to do" to you, is not easy to everyone.

3) Perhaps I took your words too literally. It sure sounded like you said exactly:

Quote

Really, I don't get all this outrage. Yes, spying on users is not nice, but developers have been bundling spyware with proprietary software for ages. Why make so much noise now? Games were phoning home 10 years ago, and nobody seemed to care.

Which really reads like "why bother making noise now, let it happen". But if I'm wrong - awesome.

Other than quietly blocking access, what do you suggest? Everyone is provided with a free CS course and instructed on how to search for and block these SDK's? I'm quite handy with computers, but I don't think I have the technological means to spot Red Shell - the only reason I found out about it was from forums, the very thing you say is ineffective. It's only because of the forums that I was able to find out something was wrong, which let me do research and figure out what to do to stop it. In fact, it was a forum that shared with me how to block Red Shell. Without all this noise, good chance people wouldn't have found out.

This thread is proof that going to the forums makes a difference. Already people have said that they've decided to block it - thanks to instructions laid out on in this thread.

Quote

It's been happening for years, and  the majority of users have been allowing it to continue. Is it any wonder that companies believe they can get away with it? Stop giving them your data.

Not everyone has the technical know-how or awareness to know that it's been happening for years, let alone the savvyness to stop it in its tracks. The companies get away with it because only those with either an education or intense passion in computing have found out about it and until recently, no one believed us. Thanks to forums, and a loud voice, those who never knew are now able to fight back. Thanks to the foums, people are now able to just "stop giving them your data".

-------------------------------------------------------------------------------------------------------------------------------------------------------------

It seems like we're getting caught up in a debate of "what is the best method to combat this". I don't know why it has to be a zero-sum game.... Do it all. Stop giving them data by whatever means are available AND make noise about it so that others - who may not be is smart with computers as you - can learn what they can do. All the while putting public pressure on the company, which has time and time again worked.

 

We're all on the same side here. Except Squad. Squad is on the other side, and remaining quiet about it.

Edited June 20, 2018 by SayNoToRedShell

[kitingChris]

Until now I was a happy Kerbal Gamer... I used to play many hours with this fantastic game. But just read about this in the news and I am very concerned about it:
https://www.reddit.com/r/KerbalSpaceProgram/comments/8rpyr1/psa_red_shell_spyware_integrated_in_kerbal_space/?st=jin5mp92&sh=31cf92a6 

Is there a statement from Squad yet?

Edited June 20, 2018 by kitingChris