Unity Analytics and the GDPR


sarbian


28 minutes ago, kitingChris said:

Until now I was a happy Kerbal Gamer... I used to play many hours with this fantastic game. But just read about this in the news and I am very concerned about it:
https://www.reddit.com/r/KerbalSpaceProgram/comments/8rpyr1/psa_red_shell_spyware_integrated_in_kerbal_space/?st=jin5mp92&sh=31cf92a6 

Is there a statement from Squad yet?

See the picture earlier in the thread featuring ostriches with their head in the sand. 

 

40 minutes ago, SayNoToRedShell said:

I don't think I have the technological means to spot Red Shell

 

For what it's worth, beyond blocking communications through the internet you can simply navigate to KerbalSpaceProgram/KSP_Data/Managed and delete RedShell.dll and UnityAnalytics.dll. The game will run just fine.

 

This is not what I had in mind when Squad told us the "exciting news":

Quote

We have very exciting news to share with the KSP community today: Take-Two Interactive has purchased Kerbal Space Program. The important thing to know is that this big news doesn’t change much for the KSP community...

They share your passion for the game and we’re really eager to see what Squad and Take-Two can do together for Kerbal Space Program moving forward! 

I, for one, am not eager to see what else Squad and Take-Two can do together.


2 minutes ago, klesh said:

For what it's worth, beyond blocking communications through the internet you can simply navigate to KerbalSpaceProgram/KSP_Data/Managed and delete RedShell.dll and UnityAnalytics.dll. The game will run just fine.

I only brought the point up as another user said that everyone should just castrate Red Shell and not bother with public forums and such. I was illustrating that not everyone is as technologically savvy, and without the forums many users would not be aware of Red Shell, let alone know how to disable and/or remove it.

Your post is another reason why forums are important.

Thanks for sharing another method for removing Red Shell.


16 hours ago, SayNoToRedShell said:

Two fronts are better than one, can we agree?

Of course.
 

16 hours ago, SayNoToRedShell said:

It doesn't need to be all or nothing.

In the long-run, no. Though it probably will be for me, because I am stubborn like that.
But right now, the easiest and safest course of action is to give them nothing. If software vendors realise that the choice is "be transparent or get nothing", it might even help the other front too.
Users are not, and should not accept being powerless.
 

16 hours ago, SayNoToRedShell said:

Which really reads like "why bother making noise now, let it happen". But if I'm wrong - awesome. 

Poorly worded, perhaps. How about: Quit with the pants-on-fire, woe is me, must uninstall, bad bad Squad panic, calm down and do something practical about it?
If people have only just realised what is going on, that's on them for ignoring the warnings. I've been pointing out the business model of these companies for years, and yet people still give them personal data in exchange for convenience.
Sure, we should call Squad out. But there's no excuse for not getting your own house in order too.
As you say, two fronts. Those who come along to say "So sad, I have to uninstall KSP now" are fighting only one, and poorly.

 

16 hours ago, SayNoToRedShell said:

We're all on the same side here. Except Squad. Squad is on the other side, and remaining quiet about it.

Indeed we are. :)

Edited by steve_v

4 hours ago, zamakli said:

This is very interesting, but I feel I may have misunderstood something. Isn't one of the rules for collection that you have to explicitly opt in?

Yes, GDPR means exactly that.


8 hours ago, gpisic said:

Yes, GDPR means exactly that.

If personal information had been collected by Red Shell, it would have been subject to that, yes.

 

Red Shell and its stated mission were not in violation of the GDPR, unless someone would like to offer up proof that they were using data for more than they claim?


For what it's worth, it appears that while RedShell is gone from v1.4.4, UnityEngine.Analytics.dll is still included, and the game still tried to make a request to "config.uca.cloud.unity3d.com" upon startup (baked into the main KSP exe according to ./strings).

So, continuing to run KSP behind an outbound-blocking firewall would probably be the best course for now.

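The check in the post above (running `strings` over the game binary and looking for the analytics hostname) can be repeated on any build. The following is an added example, not code from KSP, Unity or Squad: a small Python stand-in for `strings | grep` that scans an executable or DLL for embedded hostnames under the two domains named in this thread. The sample blob is constructed; real .NET assemblies such as the Managed/*.dll files keep their string heap in UTF-16, which plain `strings` misses unless run with `-el`, so the scanner extracts both ASCII and UTF-16LE runs.

```python
"""Added example (not from KSP, Unity or Squad): scan a game executable or
DLL for embedded telemetry hostnames, the way `strings | grep` was used in
the thread. SAMPLE_BLOB is constructed; TELEMETRY_DOMAINS holds only the two
domains mentioned in this discussion."""
import re
from typing import List

# Domains mentioned in the thread. Extend the tuple for other trackers (assumption:
# the binary stores hostnames or URLs as plain text, not obfuscated).
TELEMETRY_DOMAINS = ("unity3d.com", "redshell.io")

_ASCII_RUN = re.compile(rb"[\x20-\x7e]{4,}")            # what `strings` prints by default
_UTF16LE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")   # what `strings -el` prints (.NET string heaps are UTF-16)
_HOSTNAME = re.compile(
    r"(?:[a-z0-9-]+\.)*(?:%s)" % "|".join(re.escape(d) for d in TELEMETRY_DOMAINS)
)


def extract_strings(blob: bytes) -> List[str]:
    """Return printable ASCII and UTF-16LE runs of at least four characters."""
    ascii_runs = [m.group().decode("ascii") for m in _ASCII_RUN.finditer(blob)]
    wide_runs = [m.group().decode("utf-16-le") for m in _UTF16LE_RUN.finditer(blob)]
    return ascii_runs + wide_runs


def find_telemetry_hosts(blob: bytes) -> List[str]:
    """Sorted, de-duplicated hostnames under TELEMETRY_DOMAINS found in the blob."""
    found = set()
    for run in extract_strings(blob):
        for match in _HOSTNAME.finditer(run.lower()):
            found.add(match.group())
    return sorted(found)


def scan_file(path: str) -> List[str]:
    """Scan one file on disk, e.g. KSP_Data/Managed/UnityEngine.Analytics.dll."""
    with open(path, "rb") as handle:
        return find_telemetry_hosts(handle.read())


# Constructed sample: a fake ELF header, an ASCII URL and a UTF-16LE string,
# separated by non-printable bytes, roughly as they would sit in a real binary.
SAMPLE_BLOB = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 9
    + b"https://config.uca.cloud.unity3d.com/\x00"
    + b"\x90" * 4 + b"UnityEngine.Analytics\x00\x00"
    + "redshell.io".encode("utf-16-le") + b"\x00\x00"
)

if __name__ == "__main__":
    print(find_telemetry_hosts(SAMPLE_BLOB))
```

Run `scan_file` over every file in KSP_Data/Managed and the main executable after each update; an empty list for all of them is the condition under which the firewall rule stops being necessary.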

On 6/20/2018 at 8:16 AM, KSK said:

 published by a company with a stated goal of increasing player-base monetisation. 

Over the longer term, that's going to hurt Squad /TTI

Watching TTWO (ticker), as far as Squad and KSP is concerned, the hurt is already on. I've mentioned this before, it began back in February ... the inside trades spoke volumes as well. The MH DLC didn't sell as hoped. Other game issues and negative reviews have impacted sales. Additional bankings that TTWO were looking forward to haven't exactly panned out just yet. You need to realize the size of the beast KSP is now chained to, and the fact it is of very little consequence compared to other ventures they publish. They didn't make Q4 goals, and overall revenues are down, although Smarts are looking with optimism at other key games making a hit... but KSP isn't among them.

https://seekingalpha.com/news/3365636-videogame-sales-2nd-month-hardware-driving

 

Good to hear that Red Shell has been removed.


10 hours ago, hbk314 said:

Red Shell and its stated mission were not in violation of the GDPR, unless someone would like to offer up proof that they were using data for more than they claim?

First of all, they gathered personally identifiable data without my consent. Mind you that a blanket "we gotz all ur data" in the EULA does not constitute consent.

Consent to data collection under the GDPR requires that it's made

  • explicit
  • can't be bundled with other questions
  • can't be used as a requirement to agree to the contract, unless the data collection is inherently part of it (which it's not).

So Take Two is clearly in violation here.

They also cannot forward your data to a third party, but they are. There is Take Two which is selling this game to me and collecting this data (without my consent) and they are sending this data to a third party, namely the RedShell servers (the servers used are here). More information on what is actually happening in this reddit post.

Again, Take Two is clearly in violation here. It's "nice" that SQUAD took out RedShell, but I'm afraid that's not good enough. The law has been violated, data has been collected, user rights infringed upon. The only thing that has to happen now is a formal and extensive GDPR complaint. I don't know if this effort is going on somewhere in the community, but I will try to figure out how to do this complaint thing and file a formal complaint with my country's data protection agency. I encourage all EU citizens to do the same.

Edited by Kobymaru

10 hours ago, hbk314 said:

If personal information had been collected by Red Shell, it would have been subject to that, yes.

 

Red Shell and its stated mission were not in violation of the GDPR, unless someone would like to offer up proof that they were using data for more than they claim?

Looking at Red Shell's homepage: https://redshell.io/home

Quote
  • Red Shell logs a gamer’s fingerprint on clicking custom link: Run campaigns on Facebook, Google, Twitch, YouTube, or anywhere else.
  • Then logs a gamer's fingerprint when launching the game for the first time: Postback event can be fired from the game or game launcher.
  • Fingerprints are matched and gamers are attributed: Campaign stats are reported to your dashboard for easy analysis.

The problem is the fingerprint, as it allows them to identify the user. More specifically, it allows game developers to identify which of their players has clicked on which links (after all, Steam games have access to your user name, and Steam itself even to your real name, if you bought anything).

This makes this fingerprint personal data and therefore is covered by GDPR, i.e. Squad or any other developer needs explicit consent from the user to be able to use this fingerprinting technique on them. Just think of the fingerprint as an extreme version of a browser cookie, as you cannot delete it and it works across applications.


*remembering all the EULA threads, especially the "private data collection" part of those

Naaaah, you're all just awful paranoid pitchforking people, there is no telemetry or private data collection, and there never was any. :D


On 6/22/2018 at 5:06 AM, Tullius said:

Looking at Red Shell's homepage: https://redshell.io/home

The problem is the fingerprint, as it allows them to identify the user. More specifically, it allows game developers to identify which of their players has clicked on which links (after all, Steam games have access to your user name, and Steam itself even to your real name, if you bought anything).

This makes this fingerprint personal data and therefore is covered by GDPR, i.e. Squad or any other developer needs explicit consent from the user to be able to use this fingerprinting technique on them. Just think of the fingerprint as an extreme version of a browser cookie, as you cannot delete it and it works across applications.

No. It allows them to identify that some machine somewhere clicked a link and later opened the game, not that your machine or my machine did that. That's all. There's no connection to personal data. It's explicitly not personal information.

On 6/22/2018 at 4:58 AM, Kobymaru said:

First of all, they gathered personally identifiable data without my consent. Mind you that a blanket "we gotz all ur data" in the EULA does not constitute consent.

Consent to data collection under the GDPR requires that it's made

  • explicit
  • can't be bundled with other questions
  • can't be used as a requirement to agree to the contract, unless the data collection is inherently part of it (which it's not).

So Take Two is clearly in violation here.

They also cannot forward your data to a third party, but they are. There is Take Two which is selling this game to me and collecting this data (without my consent) and they are sending this data to a third party, namely the RedShell servers (the servers used are here). More information on what is actually happening in this reddit post.

Again, Take Two is clearly in violation here. It's "nice" that SQUAD took out RedShell, but I'm afraid that's not good enough. The law has been violated, data has been collected, user rights infringed upon. The only thing that has to happen now is a formal and extensive GDPR complaint. I don't know if this effort is going on somewhere in the community, but I will try to figure out how to do this complaint thing and file a formal complaint with my country's data protection agency. I encourage all EU citizens to do the same.

GDPR applies to personal information, not all information. Red Shell collected no personal information, so GDPR does not apply.


4 hours ago, hbk314 said:

No. It allows them to identify that some machine somewhere clicked a link and later opened the game, not that your machine or my machine did that. That's all. There's no connection to personal data. It's explicitly not personal information.

GDPR applies to personal information, not all information. Red Shell collected no personal information, so GDPR does not apply.

Ehm, yes they do: https://blog.redshell.io/gdpr-and-red-shell-57f9c03b5769 For their fingerprint, they use the IP address and a user ID (Steam ID, Xbox ID, etc.), even though they scramble them using SHA-256.

They are hoping that hashing this personal information makes it not personally identifiable anymore, and that therefore the GDPR doesn't apply anymore. This is a rather interesting interpretation of the GDPR.


That's the thing - nobody really knows yet because the law can be interpreted in different ways. It's probably wise that we avoid being overly assertive with our opinions until someone somewhere gets to be the Guinea Pig in a court case. 


2 hours ago, Tullius said:

Ehm, yes they do: https://blog.redshell.io/gdpr-and-red-shell-57f9c03b5769 For their fingerprint, they use the IP address and a user ID (Steam ID, Xbox ID, etc.), even though they scramble them using SHA-256.

They are hoping that hashing this personal information makes it not personally identifiable anymore, and that therefore the GDPR doesn't apply anymore. This is a rather interesting interpretation of the GDPR.

By hashing it, they're not collecting or storing it. Logically that would be compliant, but we won't really know until the law has been tested in courts.


If they are just hashing raw IPv4 addresses, then it's trivial to hash all IPv4 addresses with SHA-256 and create a lookup table that enables you to retrieve the original IP address from the hash. (There might be better/faster ways to do it, but the brute force approach will work.) So at best hashing just obscures the original address. If the original address is considered personal info, then the hash should be considered personal info as well. The only way around this that I can think of is to somehow merge the IP address and the username, and then hash that. But for users with a static IP address, even that will probably result in a hash that is unique to that user, and hence can be used to uniquely identify that user, and in my opinion should still be considered a personally unique identifier.

 

The silly thing is that for computer games, in general I don't see ads as being a driver of sales. Reviews and YouTube gameplay videos are much more likely to influence my purchasing decisions.


Quote

We are extremely conscious of data privacy and security throughout our product. We collect the minimum amount of data required to perform our attribution. This data is specific to the device you use and is limited to operating system, installed browsers, screen resolution, available fonts, IP address, timezone, and system language. This data is then irreversibly one-way hashed (with pepper values calculated separately and never stored) and stored in our database along with a unique in-game user id.

From my limited understanding, it seems like they're doing what they can to make it as hard to reverse as they can.

 

49 minutes ago, AVaughan said:

If they are just hashing raw IPv4 addresses, then it's trivial to hash all IPv4 addresses with SHA-256 and create a lookup table that enables you to retrieve the original IP address from the hash. (There might be better/faster ways to do it, but the brute force approach will work.) So at best hashing just obscures the original address. If the original address is considered personal info, then the hash should be considered personal info as well. The only way around this that I can think of is to somehow merge the IP address and the username, and then hash that. But for users with a static IP address, even that will probably result in a hash that is unique to that user, and hence can be used to uniquely identify that user, and in my opinion should still be considered a personally unique identifier.

 

The silly thing is that for computer games, in general I don't see ads as being a driver of sales. Reviews and YouTube gameplay videos are much more likely to influence my purchasing decisions.

Perhaps they have an ad link on a review site or Youtube video review and get clicks that way? I get where you're coming from, though.


16 hours ago, hbk314 said:

operating system, installed browsers, screen resolution, available fonts, IP address, timezone, and system language

This is actually a pretty small set of combinations and can, again, be brute forced. And I don't see how saving a hash of a fingerprint makes it any less identifiable than saving the fingerprint itself...


1 hour ago, cfds said:

This is actually a pretty small set of combinations and can, again, be brute forced. And I don't see how saving a hash of a fingerprint makes it any less identifiable than saving the fingerprint itself..

And unless they use some obscure hashing algorithm, the hash itself is just as useful as the original one in identifying an individual since the data to compare with can also be hashed in the same way...

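The three posts above (AVaughan on enumerating the IPv4 space, cfds on the small attribute space, and the reply that anything hashed the same way still compares equal) make one argument that is easy to show in code. The following is an added example and not code from Red Shell, Squad or Unity: it hashes an IPv4 address and a fingerprint record of the kind Red Shell describes, then recovers the inputs by enumeration and shows that two events from the same device still match on the hash alone. The record layout, the "pepper" secret and every sample value are constructed; only the attribute list is taken from the Red Shell statement quoted earlier in the thread.

```python
"""Added example (not code from Red Shell, Squad or Unity): why a SHA-256 of an
IP address or of a device fingerprint is still an identifier. The record
layout, the pepper and every sample value below are constructed for this
illustration; only the attribute list comes from the Red Shell statement
quoted in the thread."""
import hashlib
import ipaddress
import itertools
from typing import Dict, List, Optional

# Attribute list from the Red Shell statement quoted above; the values are invented.
FINGERPRINT_FIELDS = ("os", "browsers", "resolution", "fonts", "ip", "timezone", "language")


def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


# 1. A bare hash of an IPv4 address is reversible by enumeration.
def reverse_ip_hash(target_hex: str, network: str) -> Optional[str]:
    """Hash every address in `network` and return the one that produced target_hex.
    IPv4 has only 2**32 addresses: the whole space is a few CPU-hours in pure
    Python and minutes with a native hash cracker; a /24 is instantaneous."""
    for addr in ipaddress.ip_network(network):
        if sha256_hex(str(addr)) == target_hex:
            return str(addr)
    return None


# 2. A hashed fingerprint is still a stable identifier.
def fingerprint_hash(record: Dict[str, str], pepper: str = "") -> str:
    """Hash the canonical form of a device record. `pepper` stands in for the
    secret 'pepper values' the tracker says it computes separately (hypothetical)."""
    canonical = "|".join(record[field] for field in FINGERPRINT_FIELDS)
    return sha256_hex(pepper + canonical)


def same_device(event_a: Dict[str, str], event_b: Dict[str, str], pepper: str = "") -> bool:
    """Attribution compares the hash of the click event with the hash of the
    launch event. That only works because equal input gives an equal hash,
    i.e. the hash is a pseudonymous ID for the device, not an anonymisation."""
    return fingerprint_hash(event_a, pepper) == fingerprint_hash(event_b, pepper)


# 3. Once one field (the IP) is known, the rest of the record is a small search space.
def recover_fingerprint(target_hex: str, known_ip: str,
                        candidates: Dict[str, List[str]],
                        pepper: str = "") -> Optional[Dict[str, str]]:
    """Enumerate every combination of plausible attribute values, hash each and
    return the record that matches target_hex. Without the pepper anyone holding
    the database can do this; with it, only the tracker can, which still makes
    the stored value identifying in the tracker's hands."""
    keys = [f for f in FINGERPRINT_FIELDS if f != "ip"]
    for combo in itertools.product(*(candidates[k] for k in keys)):
        record = dict(zip(keys, combo))
        record["ip"] = known_ip
        if fingerprint_hash(record, pepper) == target_hex:
            return record
    return None


# Constructed sample data (RFC 5737 documentation address, invented device values).
SAMPLE_IP = "203.0.113.77"
SAMPLE_RECORD = {"os": "Windows 10", "browsers": "chrome,firefox", "resolution": "1920x1080",
                 "fonts": "default-set", "ip": SAMPLE_IP, "timezone": "UTC+2", "language": "en-GB"}
CANDIDATES = {
    "os": ["Windows 10", "macOS 10.13", "Linux"],
    "browsers": ["chrome", "firefox", "chrome,firefox"],
    "resolution": ["1366x768", "1920x1080", "2560x1440"],
    "fonts": ["default-set"],
    "timezone": ["UTC-5", "UTC+1", "UTC+2"],
    "language": ["en-US", "en-GB", "de-DE"],
}

if __name__ == "__main__":
    stored_ip_hash = sha256_hex(SAMPLE_IP)
    print("IP behind stored hash:", reverse_ip_hash(stored_ip_hash, "203.0.113.0/24"))
    stored_fp_hash = fingerprint_hash(SAMPLE_RECORD)
    print("record behind stored fingerprint hash:",
          recover_fingerprint(stored_fp_hash, SAMPLE_IP, CANDIDATES))
    print("same device on two events:", same_device(SAMPLE_RECORD, dict(SAMPLE_RECORD)))
```

The pepper only changes who can run the enumeration, not whether the value identifies a device: the tracker must be able to recompute the same hash for the launch event, so in its hands the stored hash links directly back to the record. A per-record random salt would break that linkage, but it would also break the attribution the product exists to do.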

On 6/25/2018 at 9:54 AM, Deddly said:

That's the thing - nobody really knows yet because the law can be interpreted in different ways. It's probably wise that we avoid being overly assertive with our opinions until someone somewhere gets to be the Guinea Pig in a court case. 

You know, all of this would be a non-issue if a pop up dialog box was displayed upon running the game for the first time asking for your consent for this data usage to be sent/tracked... you know, I think I've seen something like that somewhere before.


12 hours ago, Poodmund said:

You know, all of this would be a non-issue if a pop up dialog box was displayed upon running the game for the first time asking for your consent for this data usage to be sent/tracked... you know, I think I've seen something like that somewhere before.

There used to be a popup about that. But it’s been so long since I’ve seen it I don’t remember what it was or exactly what kind of data it was asking about.

