Does KSP really have spyware in it?

[Cheif Operations Director]

Straight from the Privacy Policy

"The Company may also share your personal information with third parties as described in this Privacy Policy. The Company may share your personal information to fulfill a request you have made, such as signing up for an email list or requesting customer support. In the event we offer services or promotions where your personal information is separately collected and used according to the privacy policy of a third party, we will inform you of that at the time of collection and you may elect not to participate in the service or promotion. In addition, we may share aggregate and other information regarding Online Service usage statistics and user demographics with third parties.

We may share your personal and other information with third parties in connection with an investigation of fraud, intellectual property infringements, or other activity that is illegal or may expose you or us to legal liability, including as required by law enforcement or other government officials. We also may share your personal and other information with third parties when we have reason to believe that a disclosure is necessary to address potential or actual injury or interference with our rights, property, operations, users, or others who may be harmed or may suffer loss or damage, or when we believe that disclosure is necessary to protect our rights, investigate, or enforce our policies, terms and conditions, combat fraud and/or comply with a judicial proceeding, court order, or legal process served on the Company. In addition, your personal and other information may be disclosed to a potential or actual successor or assign in connection with a proposed or consummated merger, acquisition, reorganization, bankruptcy, or other similar event involving all or a portion of the Company, the Company's customer information may be transferred to our successor or assign. "

-----------------------------------------------------------------------------------------------------------------------------------

 

"To protect your personal information, the Company follows generally accepted industry standards and maintains reasonable safeguards to attempt to ensure the security, integrity, and privacy of the information you have provided. The Company has security measures in place designed to protect against the loss, misuse, and alteration of the information under our control. Personal information collected by the Company is stored in secure operating environments that are not available to the public (e.g., locked rooms). To prevent unauthorized electronic access to personal information, the Company maintains information collected online behind a firewall-protected server and uses SSL encryption for purchases made through our online store. However, no system can be 100% secure and human errors occur, so there is the possibility that there could be unauthorized access to your information. By using our services, you assume this risk."

--------------------------------------------------------------------------------------------------------------------------------

 

"Your refusal to submit personal information may limit your ability to participate in some activities, such as sweepstakes or the use of certain Online Services. However, as described above, regardless of registration we may nonetheless publish gameplay boards and multiplayer match records that contain certain information as a result of your use of the products, such as your online ID, where they are essential components of the services we offer you and other users."

------------------------------------------------------------------------------------------------------------------------------

From the EULA

"By installing and using the Software, you consent to the information collection and usage terms set forth in this section and Licensor's Privacy Policy, including (where applicable) (i) the transfer of any personal information and other information to Licensor, its affiliates, vendors, and business partners, and to certain other third parties, such as governmental authorities, in the U.S. and other countries located outside Europe or your home country, including countries that may have lower standards of privacy protection; (ii) the public display of your data, such as identification of your user-created content or displaying your scores, ranking, achievements, and other gameplay data on websites and other platforms; (iii) the sharing of your gameplay data with hardware manufacturers, platform hosts, and Licensor's marketing partners; and (iv) other uses and disclosures of your personal information or other information as specified in the above-referenced Privacy Policy, as amended from time to time. If you do not want your information used or shared in this manner, then you should not use the Software. "

back to top

back to top

 

From the Privacy Policy

"The types of information collected in connection with the activities listed above will vary depending on the activity. The information we collect may include personal information such as your first and/or last name, e-mail address, phone number, photo, mailing address, geolocation, or payment information. In addition, we may collect your age, gender, date of birth, zip code, hardware configuration, console ID, software products played, survey data, purchases, IP address and the systems you have played on. We may combine the information with your personal information and across other computers or devices that you may use. Prize winners may be required to provide additional information for prize fulfillment.

If you use, purchase, or register for an Online Service through a third-party service such as a gaming console's network service, an internet based gaming service, or a social network website, or request that we associate a Company account with a third-party service account, then limited user account personal information may be transferred to the Company as part of the registration process and we may be able to collect information about your use of the Online Services. For example, if you purchase virtual currency through a gaming console service, that gaming console service will provide us with information to effectuate the transaction, including the amount of virtual currency purchased and a means to identify your Online Service account.

When you use an application on a Social Networking Site ("SNS"), you allow us to access certain information from your profile from that SNS. The information you allow us to access is affected by the privacy settings you establish at the SNS. For example, our Facebook applications may access and store some or all of the following information, as allowed by you, the SNS and your preferences: your "basic information" you have shared with everyone on the SNS; your profile picture or its URL; your friends list, your user ID number, which is linked to publicly available information such as name and profile photo; or other information indicated as part of the "Request for Permission" prompt from the SNS. Your agreement to share this information takes place when you "accept" (or similar terms) one of our applications on an SNS. Once your information is received from an SNS, that information is stored and used by us in accordance with this Privacy Policy. The Company is not responsible for the terms, policies, disclosures or actions of any SNS.

When you use Facebook Connect, OpenID or another multisite ID to log in to an Online Service, those ID services will authenticate your identity and provide you the option to share certain personal information with us to pre-populate our sign up form. Depending on your account settings, multisite IDs may also provide other information to us. Please check the terms of those services before using them to log into an Online Service. When you play certain software products published by the Company, information about your gameplay may be collected and transmitted to the Company through network services or any other internet connection method used by the hardware on which you play such games (collectively and individually your "Internet Connection"). See "What Gameplay Information Does the Company Collect?" below for further details. "

[mostlydave]

2 hours ago, John FX said:

I use a raspberry pi running Pi-Hole as my DHCP and DNS server.

It looks at all the DNS requests any device connected to my network makes and just does not pass through any that are on your blacklist. Mostly I use it to stop ads. Works with tablets, phones, PCs, anything that uses DNS and DHCP.

It speeds up the internet too because about 27% of the requests my PC wants to make to the internet are marketing, adverts, trackers and so forth. You get a handy web interface with graphs and things. Very nice. Lots of control.

Just added the two addresses to stop KSP phoning home too. Or any other program that uses that service.

On top, Windows asks me if any program can use the internet, I will just say `no` like always.

Then I will not think about it again.

Which 2 addresses did you add for KSP?

[Tutanchamun]

Aside from the fact that this EULA is illegal in any country within the EU ("DSGVO law", https://gdpr-info.eu/art-6-gdpr/, see also https://community.spiceworks.com/topic/2007530-how-the-eu-can-fine-us-companies-for-violating-gdpr, quote: "[...] the new rules place heavy fines for violations — up to €20 million or 4 percent of global revenues, whichever is higher.") i want to express my very sadness about this move.

Just for this post i registered an account, being a long-time lurker since 0.23. I was a VERY big fan of KSP/Squad and even purchased KSP three times via Steam (for myself, 2nd time for myself after around 2000 hours of play time and i gifted it to a nephew of mine).

To get to the point: i will

a) not buy the add-on (which i already longed for purchasing in order to give Squad something back)

b) uninstall the official steam version of KSP myself (keeping my old copies, of course)

c) try to convince all my friends using it to do the same

I am working for a quite big software company in germany and we're taking data protection laws VERY seriously (we're in the b2b and b2c cloud business) and i am so disappointed how Squad manages to flip from "the most non-evil game company in the world" to the exact opposite.

I considered pointing a few german it-zines to this, but i guess it will happen anyway and i have some respect left, so at least i don't want to be responsible for the then-happening excrements storm.

Edited March 9, 2018 by Tutanchamun
spelling + link to DSGVO/GDPR added

[Cheif Operations Director]

for those who don't want to read this is the summary. 

We can collect all your information if we so choose just short of your birth certificate. Bank account, Phone, First and Last Name, IP Address AKA your real address, Physical Location, etc. They also may sell it to whomever they please or share it whomever they please.

At least that is my understanding

[toril]

Really guys??? The completely up front in your face opt in sending debug info on crash that has appeared on first launch of the game since what way back in .18 or .19 is just now stirring people up?

Seriously, you have to click yes for it to do anything.  All other traffic out is usually mod based. 

So opt in is now bad? Really?

 

 

[Brainlord Mesomorph]

3 minutes ago, Cheif Operations Director said:

for those who don't want to read this is the summary. 

We can collect all your information if we so choose just short of your birth certificate. Bank account, Phone, First and Last Name, IP Address AKA your real address, Physical Location, etc. They also may sell it to whomever they please or share it whomever they please.

At least that is my understanding

mine too,

How dare we use the word "spyware"

[Cheif Operations Director]

Just now, toril said:

Really guys??? The completely up front in your face opt in sending debug info on crash that has appeared on first launch of the game since what way back in .18 or .19 is just now stirring people up?

Seriously, you have to click yes for it to do anything.  All other traffic out is usually mod based. 

So opt in is now bad? Really?

 

 

What part of we can send whatever we want such as your first and last name AND banking info etc sounds like a debug send?

1 minute ago, Brainlord Mesomorph said:

mine too,

How dare we use the word "spyware"

What? I'm confused

[Brainlord Mesomorph]

Just now, toril said:

Really guys??? The completely up front in your face opt in sending debug info on crash that has appeared on first launch of the game since what way back in .18 or .19 is just now stirring people up?

you're not paying attention.

1. they don't offer an option in 1.4

2. its not debug data, its (a LOT of) personal information.

2 minutes ago, Cheif Operations Director said:

3 minutes ago, Brainlord Mesomorph said:

How dare we use the word "spyware"

What? I'm confused

someone was complaining about the word "spyware" before, but it does seem accurate

[toril]

Sorry I may be wrong haven't downloaded it yet so please excuse my assumption if it is wrong.  

[Cheif Operations Director]

1 minute ago, Brainlord Mesomorph said:

you're not paying attention.

1. they don't offer an option in 1.4

2. its not debug data, its (a LOT of) personal information.

Yes tell me about it that's what I'm saying. I was confused by what you were saying. I get it now and agree.

Just now, toril said:

Sorry I may be wrong haven't downloaded it yet so please excuse my assumption if it is wrong.  

Ahh I see I suggest you read what I highlighted above before you buy it.

[toril]

2 minutes ago, Cheif Operations Director said:

 

Ahh I see I suggest you read what I highlighted above before you buy it.

Sorry bought it way back when it cost like 5 bucks I'm already screwed

[Cheif Operations Director]

2 minutes ago, toril said:

Sorry bought it way back when it cost like 5 bucks I'm already screwed

Ha Me too at least the latter part.

[toril]

Guess Its time to start running ksp in its own little special locked down vm on qubes lol

[TheCardinal]

3 minutes ago, toril said:

Guess Its time to start running ksp in its own little special locked down vm on qubes lol

It's much easier to run KSP on a standalone computer without internet.

[toril]

2 minutes ago, TheCardinal said:

It's much easier to run KSP on a standalone computer without internet.

But then what am I going to do with my cubes os box?  It is fun to play with I'll admit but now it has a better use..... KSP!!

[Cheif Operations Director]

9 minutes ago, TheCardinal said:

It's much easier to run KSP on a standalone computer without internet.

 

5 minutes ago, toril said:

But then what am I going to do with my cubes os box?  It is fun to play with I'll admit but now it has a better use..... KSP!!

What does all this have to do with spyware

[TheCardinal]

3 minutes ago, Cheif Operations Director said:

 

What does all this have to do with spyware

Obviously, spyware can't send data from a standalone machine without internet.

[DoctorDavinci]

So this thread blew up over night .... I guess we're still waiting for an official response then?

Well, in the meantime, here's another little tidbit of info ...

SWIM (someone who isn't me) decided to ask his/her employer (large corporate entity) if they would allow SWIM to run KSP v1.4 on their corporate network as a test for data connections going out, SWIM's boss said go for it

What was discovered is a little disconcerting

Said corporate network of this unnamed corporation track any and all incoming and outgoing connections from the network through a corporate firewall ... KSP 1.4 connects over TCP 443 to api.redshell.io and various hosts in cloud.unity3d.com. 

This firewall also does inline decryption of traffic to and from the network ... You want to know what else it discovered, it failed to decrypt these connections, so it isn't just speaking HTTPS but instead something else over TCP 443 ... Question is what is it sending and why is it encrypted?

@Darth Badie, care to comment?

[panzer1b]

Im not really concerned (until some sort of MP is released good luck getting anything past my firewalls when its clearly singleplayer or requires turn based MP which wouldnt need the game itself to be networked), but i do believe i saw something suspicious in the Kerbal Space Program\KSP_Data\Managed folder.  Its called RedShellSDK.dll and the game continues to function fine with that .dll removed (i have KSP on steam, but ive never actually ran it from steam directory so i have it in a separate folder in my C:/games/ or whatever i named my folder where i have all my games.  If im correct, redshell is some sort of marketing/advertizing/tracking company, so there is a very valid concern for those that are super paranoid and for whatever reason dont have 2+ firewalls (like what i do) running in parallel all set to whitelist mode.

Red Shell | Marketing attribution & Steam tracking for PC games

Anyways, feel free to take a look at their website.  It might be harmless, but i unlike most people whenever my KSP (or any other game) updates i actually take a good look into all the files and see if there is anything that stands out, and well this dll stood out.  

Now i didnt actually go all the way and decompile the dlls or anything, and there could be something built into the base game too, but having a redshell.dll in the game folder isnt a good sign for those that are excessively paranoid.  At least they didnt add DRM though, the one thing that would instantly make me stop updating KSP (removing DRM manually is a major pain id rather not have to do).

[Cheif Operations Director]

6 minutes ago, DoctorDavinci said:

So this thread blew up over night .... I guess we're still waiting for an official response then?

Well, in the meantime, here's another little tidbit of info ...

SWIM (someone who isn't me) decided to ask his/her employer (large corporate entity) if they would allow SWIM to run KSP v1.4 on their corporate network as a test for data connections going out, SWIM's boss said go for it

What was discovered is a little disconcerting

Said corporate network of this unnamed corporation track any and all incoming and outgoing connections from the network through a corporate firewall ... KSP 1.4 connects over TCP 443 to api.redshell.io and various hosts in cloud.unity3d.com. 

This firewall also does inline decryption of traffic to and from the network ... You want to know what else it discovered, it failed to decrypt these connections, so it isn't just speaking HTTPS but instead something else over TCP 443 ... Question is what is it sending and why is it encrypted?

@Darth Badie, care to comment?

Did you see what I posted from the EULAs and Privacy Policies.

7 minutes ago, DoctorDavinci said:

So this thread blew up over night .... I guess we're still waiting for an official response then?

Well, in the meantime, here's another little tidbit of info ...

SWIM (someone who isn't me) decided to ask his/her employer (large corporate entity) if they would allow SWIM to run KSP v1.4 on their corporate network as a test for data connections going out, SWIM's boss said go for it

What was discovered is a little disconcerting

Said corporate network of this unnamed corporation track any and all incoming and outgoing connections from the network through a corporate firewall ... KSP 1.4 connects over TCP 443 to api.redshell.io and various hosts in cloud.unity3d.com. 

This firewall also does inline decryption of traffic to and from the network ... You want to know what else it discovered, it failed to decrypt these connections, so it isn't just speaking HTTPS but instead something else over TCP 443 ... Question is what is it sending and why is it encrypted?

@Darth Badie, care to comment?

Its the second post from the top of THIS page

Someone should create a mod to set up a kerbal firewall to block take twos encrypted transmissions.

[Alpha 360]

Gosh. This is not a good situation. Too bad since, to me, it looks like we'll be getting more updates, content and more fun. Looks like I'm have to sell my soul identity to the devil world + hackers + governments + businesses and corporations. At least I get to play KSP.  

[Cheif Operations Director]

That's probroly against the eula

Just now, Alpha 360 said:

Gosh. This is not a good situation. Too bad since, to me, it looks like we'll be getting more updates, content and more fun. Looks like I'm have to sell my soul identity to the devil world + hackers + governments + businesses and corporations. At least I get to play KSP.  

This is an outrage. I'm glad I didn't buy Making History. 

We should strike against making history until it is changed.

[Alpha 360]

But it looks so fun. I know I'm playing devils advocate, but still. I just can't get off KSP. 

[Cheif Operations Director]

Union of Kerbal Executive Officers of Kerbal Space Programs. Against updated EULA and privacy policy.

Just now, Alpha 360 said:

But it looks so fun. I know I'm playing devils advocate, but still. I just can't get off KSP. 

I know 

[Brainlord Mesomorph]

1 minute ago, Alpha 360 said:

But it looks so fun. I know I'm playing devils advocate, but still. I just can't get off KSP. 

I'm still playing 1.3 and will be carefully going over my 1.3 EULA (which is the last one I agreed to)