
Unity Analytics and the GDPR


sarbian


So we have now reached May 25th and KSP still has Unity Analytics enabled and uses another tracking tool called RedShell. Those tools send data with a unique user ID, which is exactly the type of data that the GDPR targets (see here for an earlier post where I showed the sent info). There is no (official) way in KSP to opt out of those.

Unity published an asset earlier this week to make their Analytics tool compliant (Thread and Asset Store). Redshell basically said "we have a unique userid but we don't understand the law so we leave it" (the GDPR is clear about this, a unique ID requires consent).

With Unity releasing their plugin a few days ago I did not expect an update before the deadline (today), but now the tools are here. So when can we expect an update with the explicit consent for both systems? BTW, 1.4.4 is not a valid answer. This needs to be done now and not after the weeks that 1.4.4 still requires. A build with only those changes would not change anything else and could be done in day(s).

Edited by sarbian
basicallY (missing letter...)

26 minutes ago, DeltaDizzy said:

I hope that it [GDPR] can save us Americans too.

There is already a discussion that the Euro standard may become a provider "universal" standard. Here's why...

The European Union's GDPR actually has tentacles that reach beyond national borders. In other words, if you are an online entity and you serve a customer base in Europe and you collect data, you MUST adhere to the law regarding people living within the EU. But here's the catch: companies will do this themselves because it makes no sense to have two or three different standards BECAUSE that would:

1. Require additional capital to keep two separate systems.

2. Potentially lead to violations of the GDPR, even if by neglect.

Here's an interesting article on how it will affect the medical field here in the United States:

https://www.natlawreview.com/article/does-gdpr-regulate-clinical-care-delivery-us-health-care-providers

And there's another test lab, in case that one isn't good enough. In the 1970s and 1980s, the state of California set some of the most rigid smog control/emission requirements for cars in the nation. In fact, the laws were more strict than the federal guidelines. And guess what? By the middle of the 1990s, nearly every car produced in the United States was made not to federal standards, but to California standards. Why? Because in the long run, it was financially cheaper for the auto manufacturers. And this is why I say give it time, @DeltaDizzy. At most, I suspect within a few years, if that long, it will become the global standard for specific user data collection (unless one even more rigid is put into effect).

Edited by adsii1970

Back to the front page you go.  This is important.

 

I would be willing to bet they do not act on this at all, from no official reply to no game update for explicit consent.

 


12 hours ago, klesh said:

Back to the front page you go.  This is important.

 

I would be willing to bet they do not act on this at all, from no official reply to no game update for explicit consent.

 

Well GDPR has the nasty sidebite that it applies to all _users_ within the EU.

So Squad has to either block all users from the EU or adapt.

 


Just now, Curveball Anders said:

Well GDPR has the nasty sidebite that it applies to all _users_ within the EU.

So Squad has to either block all users from the EU or adapt. 

 

 

Or I suppose they could do nothing until someone actually brings them to court.

Do EU governments file against offenders, or is it left up to individual private parties?


Private parties file with their country's privacy agency. The agency then reviews the complaint and decides what to do with it.

And said private parties don't benefit financially if there is a fine (some poster in the other thread implied it...).

 

No need to burn bridges for now. Squad/T2 is not the only company who is late on being compliant. We'll see...

Edited by sarbian

1 minute ago, klesh said:

 

Or I suppose they could do nothing until someone actually brings them to court.

Do EU governments file against offenders, or is it left up to individual private parties?

The EU Court files against obvious offenders.

For less obvious ones it's up to individuals to report to the EU court.

 


  • 3 weeks later...

As many of us might have noticed the GDPR has come into effect come end of May (and we got lots and lots of e-mails and whatnot about it).

That said, KSP now has (aside from that rather unpleasant business with the generic "Take 2" EULA - aka "we may slurp all your data") the issue with the data gathered by Unity Analytics and Red Shell.

According to the GDPR the data collected must be kept at the very minimum necessary to provide whatever service AND the user must explicitly & actively give permission (i.e. check a checkbox) before PII may be collected & processed (BTW: And yeah the companies that only sent you a "please yell if you don't want us to gather your data" e-mail might very well be walking in a legal minefield right now).

Also you are not permitted to force the user to allow you to gather data that is not necessary for the "service", in order to use the service (i.e. signing up for this forum won't really work without you providing your e-mail address, since they need a way to communicate with you. But while they may ask you for permission to collect & process your SteamID or Facebook URL or whatnot, they are NOT allowed to block you from signing up if you do not give them permission.)

So is KSP already GDPR compliant? If it still has Unity Analytics and Red Shell running by default I fear the answer might be no, which sooner or later may lead into legal trouble (depending on local laws, there may be good money to be made if you are a nitpicky lawyer), so when can we expect an update to address these issues?


Moderators in charge of approving this post or not... I ask that you allow this discussion to flourish. Although it is critical of KSP, it's in the best interest of everyone involved to at least let this discussion be had. If you don't want this discussion to be had on the KSP forums, it can be brought elsewhere. I urge you to think about how it will be perceived if you block this post - it will only serve to add fuel to the flame. It'd be best if we can have a grown-up discussion about Red Shell.

I've got 300+ hours in KSP.

Unknown to me, my "gaming persona" has been fingerprinted and other data siphoned off by the Red Shell spyware which is present in KSP (and a number of other games, not just KSP).

Bleeping Computer has recently posted about Red Shell, with a full list of games in which the spyware is included.

16 games and their developers have realized the mistake that Red Shell is, and have either removed it or pledged to remove it in upcoming releases. Will the developers of KSP stand up and remove Red Shell? Will they sit in silence, and pretend this issue doesn't affect them?

Let's find out how KSP cares for its community.

------------------------------------------------------------------------------------------------------------------------------

I'm here to ask that the developers remove Red Shell.

TLDR: Red Shell is spyware. It tracks a variety of personally identifiable information (in violation of the GDPR) including IP addresses, browser versions, operating system, screen resolution, etc. The combination of information it collects is enough to "fingerprint" a single user, and begin tracking them web-wide. This is especially true when this is combined with other data streams such as Facebook, Google, or the hundreds of independent data brokers who make a living selling your personal information.

Giving KSP the benefit of the doubt, we can hope that KSP is using Red Shell only for tracking the source of installation. If this is true - give us the option to opt-out after KSP is installed.

------------------------------------------------------------------------------------------------------------------------------

I'm here to ask that the passionate gamers, who want to play a game rather than be a product for a data hungry unknown party, stand up for their privacy. It's a weird world we're in already, we don't need the games which we pay for compiling "device-based information" for whatever use they see fit.

Red Shell's website dresses it up in nice playful terms and expertly downplays the stranglehold which SDKs like this can maintain on a device.

Quote

Red Shell tracks information about devices. We collect information including operating system, browser version number, IP address (anonymized through one-way hashing), screen resolution, in-game user id, and font profiles.

Although Red Shell claims not to track any personal information, this information above is way more than enough to individually identify users. This information is enough to track you around the web, if you aren't taking opsec precautions (who would bother, when playing KSP?).

Other companies have claimed that they only use Red Shell to track the source of an installation. If that was true, how come so many developers are now removing Red Shell due to public outcry? How come Red Shell needs to continuously track all of the above after installation?

In another brilliant move by Red Shell, they side-step this exact issue on their FAQ (says something about a company, when they need to claim they aren't spyware in their FAQ):

 

Quote

 

I've heard Red Shell is spyware, is that true?

No. In a brilliant move by our marketing department Red Shell shares the name with a 14 year-old Trojan virus. Certainly Red Shell does not (nor could it) execute any code on your computer outside of the game you are playing. Inside that game all that is run is a simple postback used for attribution and analytics (containing solely the information described the other parts of our FAQ)

 

Emphasis is mine. They are technically correct, Red Shell doesn't and can't arbitrarily execute code. This is a fantastic way of side-stepping the main issue: spying. No one is saying Red Shell executes code. Everyone is saying Red Shell is a rampant spyware, used to fingerprint and track gamers and their devices. Notice how they don't deny that? Instead they focus on code execution. This is called a red herring.

------------------------------------------------------------------------------------------------------------------------------

Even if you want to argue that Red Shell is helpful to the developers (which it likely is, given the amount of information it gathers), the choice to make it opt-out rather than opt-in is very telling. Any developer who includes spyware on a forced opt-out basis (which, I haven't even seen KSP offer an opt-out of Red Shell), rather than asking the users to opt-in, immediately loses all respect from me.

 

I'm not going to be quiet about it.

I ask that you don't be quiet about it either.

Enough is enough.

Remove Red Shell from KSP.

 

Reddit discussion on the discovery:

https://www.reddit.com/r/Steam/comments/8pud8b/psa_red_shell_spyware_holy_potatoes_were_in_space/

 

Edited by SayNoToRedShell
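As an added illustration of the fingerprinting concern raised in the post above (not code from Red Shell, KSP or any poster): the sketch below uses the field list from the quoted Red Shell text with constructed values, and assumes SHA-256 for the "one-way hashing", which the page does not specify. It shows that those fields link two sessions even without the in-game user id, that an unsalted hash of an IPv4 address can be matched by enumerating a candidate range, and that a keyed hash with a rotated key removes that cross-period linkability.

```python
import hashlib
import hmac
import ipaddress

# Constructed sample reports using the field names from the quoted FAQ text.
# All values are made up; 203.0.113.0/24 is a documentation-only range.
SESSION_1 = {"os": "Windows 10", "browser": "67.0.3396.87", "ip": "203.0.113.42",
             "screen": "1920x1080", "user_id": "player-0001",
             "fonts": "Arial,Calibri,Consolas"}
SESSION_2 = dict(SESSION_1, user_id="")  # same machine, in-game id withheld
OTHER_USER = dict(SESSION_1, ip="203.0.113.77", screen="2560x1440", user_id="")


def hash_ip(ip: str) -> str:
    """Unsalted one-way hash (SHA-256 is an assumption, see lead-in)."""
    return hashlib.sha256(ip.encode()).hexdigest()


def fingerprint(report: dict) -> str:
    """Identifier built only from device fields, with the IP already hashed."""
    parts = [report["os"], report["browser"], hash_ip(report["ip"]),
             report["screen"], report["fonts"]]
    return hashlib.sha256("|".join(parts).encode()).hexdigest()[:16]


def recover_ip(digest: str, network: str):
    """Return the address in `network` whose unsalted hash equals `digest`."""
    for addr in ipaddress.ip_network(network):
        if hash_ip(str(addr)) == digest:
            return str(addr)
    return None


def keyed_ip_token(ip: str, period_key: bytes) -> str:
    """Mitigation sketch: HMAC under a key that is rotated and then discarded."""
    return hmac.new(period_key, ip.encode(), hashlib.sha256).hexdigest()


if __name__ == "__main__":
    print("same device linked:", fingerprint(SESSION_1) == fingerprint(SESSION_2))
    print("other device linked:", fingerprint(SESSION_1) == fingerprint(OTHER_USER))
    print("hashed IP matched to:",
          recover_ip(hash_ip(SESSION_1["ip"]), "203.0.113.0/24"))
    print("keyed tokens linked across periods:",
          keyed_ip_token(SESSION_1["ip"], b"key-week-1")
          == keyed_ip_token(SESSION_1["ip"], b"key-week-2"))
```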

8 hours ago, SayNoToRedShell said:

I'm here to ask that the developers remove Red Shell.

Hi @SayNoToRedShell. Welcome to the forum! We had an existing thread about this issue, so I merged the two together.

People are going to be so confused about your name in the future when this issue has long been sorted out :P


23 minutes ago, Deddly said:

People are going to be so confused about your name in the future when this issue has long been sorted out :P

Given how long we have been complaining about this and the total lack of official response (besides the "this deserves its own thread") I guess his nick will be relevant for quite a while.


... Is this where I finally have to uninstall a game I paid money for after being shoehorned into a new license agreement (which this redshell thing certainly seems to operate under the purview of)? I don't want this info being collected.

Out of curiosity, does anyone know about any other similar programs/utilities used as widely as redshell? Or is it pretty much the go-to standard for companies trying to collect info like this, given how many games are using it? I have to say I've kinda tuned out of KSP ever since the EULA update and this hit me like a slap in the face. In the meantime is there a TTI email I can contact? I'm honestly not expecting a reply or even someone to physically read the thing but darn it I feel like I need to do something.


Until this stuff is removed, I've blocked KSP's internet access with a firewall, and I've blocked RedShell websites as outlined in this reddit post: https://www.reddit.com/r/gaming/comments/8rxdwn/batch_file_to_block_redshell_new_steam_spyware/

Just because you have it doesn't mean you can't fight back. In fact, I think I'll keep these changes permanently. It's not like KSP actually needs internet access anyway.


1 hour ago, MDZhB said:

Until this stuff is removed, I've blocked KSP's internet access with a firewall

This^.

Making a fuss might well get this lot removed, or it might not. Either way, nothing will happen immediately.

As for all the talk of "uninstalling until this is removed", if you do that you hurt no-one but yourself. Squad / TTI isn't interested in you playing the game, they're interested in people buying it. If you want to punish them, post some nasty reviews...
Or, you could take charge of your own systems and learn how to operate a firewall, then you can fix it now.

Really, I don't get all this outrage. Yes, spying on users is not nice, but developers have been bundling spyware with proprietary software for ages. Why make so much noise now? Games were phoning home 10 years ago, and nobody seemed to care.

It's going to take more than complaints on the forum to change this behaviour. For now, just firewall the damn thing and be done with it.

Edited by steve_v
