[0.24] StillBetterThanSpyware - A mod to disable ModStatistics

[spookydonut]

A quick question for people who object to the existence of this plugin- how many of you are modders who stand to benefit from the statistics collected?

Better question, how many people have benefited so far from the data?

[Ralathon]

I'm not afraid of running it. I've reviewed the source code in some depth.

A lot of laws are there for a good reason. This particular one is to respect one's right to privacy. This is something I hold quite strongly.

And a lot of laws are made by dips who don't know anything about the things they govern. I don't want to get into politics but look at how many utterly ed rules and laws there have been over the ages. Appealing to authority without any supplementary argumentation isn't going to make a very valid argument. If that law is there for a good reason, then why not give me that reason instead?

If you've reviewed the source code and you see there's nothing it can do to harm you then what is the problem here?

[IceBadger]

The mod does claim to not collect any personal data, though if it sends a crash log similar to the "error.log" file KSP generates, it does contain personal information (computer name), or if it contains an IP, Mac Address or similar ID, which would be a breach of the US COPPA (Children's Online Privacy Protection Act) law and the UK Data Protection Act

Though that is only if the data contains personal information, which it should not according to the creator.

However the EU Data Protection Directive is quite a bit more strict, and would require:

disclosure of who is receiving the data (this is not shared and to comply should be, but is possible to get with a simple domain trace)

if personal data is being sent (which is being disclosed and it is not sent, so thats good)

the ability for an individual to see his/her own information that is sent in a clear intelligible form (which I do not think it currently is, you can see all data, but not yours specifically)

the ability for an individual to ask for their data to be deleted or blocked

Personally I think the ModStatistics Mod is fine, but it should be an opt-in or have the ability to opt-out when first run (and stay that way if updated, or ask again)

I also think this mod is fine considering there is no current option to opt out without having to modify a configuration file, which is too much to ask for a end user.

[Ignath]

A quick question for people who object to the existence of this plugin- how many of you are modders who stand to benefit from the statistics collected?

I am not a modder and do not object to this mod at all. I object to a few things regarding the entire situation:

1. The passive aggressive manner at which you are attacking Majiir in nearly everything about this mod, including user messages which is frankly childish, off-puting, sad and disrespectful

2. The constant insistence that ModStatistics is akin to malware or spyware

3. The ridiculous "privacy" crusade that has sprouted up around this...there are NO privacy concerns with this. No financial or personal information is sent (other than IP address and Unique ID...which is sent with EVERY transaction over the internet)

[Dred_furst]

What do you people think Majiir or anyone else will do with a Unique ID and an IP Address? Also, what do you think your UserID on this forum is? It's a UniqueID that is tied to the IP Address you are posting from. Anyone could get basically the same info from that as they could from Majiir's data...except you know, the helpful stuff from Majiirs data.

again, you miss my point. I'm not objecting to the actual data collection. I am objecting to how Majir has gone about the data collection. It has the following problems:

• It re-installs itself unless you delete all copies
  
• It's opt-out procedure is
  (what do you mean you've never been to alpha centuri... etc.
  
• Its not anonymous when it claims to be
  
• What actual use is this data. If you are wanting feature analysis to find out what features people actually use your mod for, use proper software for it. Inform the user. modstatistics doesn't upload any crash reports (I'd be really pissed if it did, as those definetly do contain personal information), so what use are the statistics?
  

[Megadyptes]

Thanks a lot for the plugin, it's kinda sad that this plugin has to exist but there we go, cheers. Also Rathalon and Ignath should stop ting up this thread.

[turks]

Everyone who is defending ModStatistics because it's harmless, shouldn't you at least be ok with this mod because it is also harmless? Why is everyone making so much effort to defend modstatistics? What are you worried will happen if people install StillBetterThanSpyware? All of this yelling and screaming could stop if you just let this be, just let StillBetterThanSpyware exist and quietly do it's thing of being an easier way of removing a mod than going through 5 or 10 or 50 odd folders for other mods to make sure ModStatistics isn't there.

If you're worried that making it opt in would mean nobody would use it, I think this whole rigmarole has proven that plenty of people are fine with it. When the dust has settled you might find making it opt in would have ended in more people using it.

Edited July 20, 2014 by turks

[ragzilla]

And a lot of laws are made by dips who don't know anything about the things they govern. I don't want to get into politics but look at how many utterly ed rules and laws there have been over the ages. Appealing to authority without any supplementary argumentation isn't going to make a very valid argument. If that law is there for a good reason, then why not give me that reason instead?

If you've reviewed the source code and you see there's nothing it can do to harm you then what is the problem here?

The information about my KSP install (and the mods installed therein) is MINE. What right does anyone have to export that data without my explicit permission?

I'll summarize how I think ModStatistics should have been implemented (and maybe if Majiir had listened to the dissent leading up to the 0.24 release, would have implemented this way).

- ModStatistics should have not been bundled with other mods/plugins. This is the crux of the spyware/crapware allegation- the fact it's shoveled in with other software people do want.

- ModStatistics should present an Interface (like blizzy's toolbarmanager interface), and provide an API in the form of a wrapper (again see blizzy's excellent toolbarwrapper) for plugins which use ModStatistics, to register themselves with ModStatistics.

- ModStatistics should only collect hardware information after explicit consent of the user (see Steam Hardware Survey and their random sampling, opt-in protocol)

- ModStatistics should not generate a GUID for the install, or any other unique identifier for the installation- unless the user consents. This is how people handle 'Mostly Invasive' tracking cookies in the EU at least- Get. Explicit. Consent.

I guess going opt-out, bundling with popular addons/mods, and collecting information on every mod the user has installed was easier than implementing something which respects the user's privacy.

[Lucchese]

Most useless discussion ever.

If you dont like this or do not see the need for this plugin then just move on?

[SolarLiner]

"Instead of installing a mod which blocks the objectionable mod, you should just go through EVERY mod you download, EVERY time you use it, and delete the mod you don't want!"

Or you know, use something which blocks the mod you don't want running. I've tried to address Majiir's reasonable request to not start a mod war with the distribution restriction on this plugin. So now you're all arguing that users should not have access to a plugin which prevents what some people feel is questionable behavior.

At least with StillBetterThanSpyware you get to choose whether to install it or not.

One think I was wrong in this is that you don't even have to not install the DLL. A single cfg and you're opt-out. And you? Well, you made a whole C# Project (which by the way looking at the code, I don't really know how you know if ModStatistics is installed or not) to achieve this "delete the DLL" thing.

Also, good luck in finding back the computer that is linked to the GUID. The only reason this is created is to have a way to identify the data (and not the guy or the computer) that comes in, and successfully gather statistics.

Also, Anonymous: Not identified by a name. So {50fea-dthrj-3d21t-dgf32} is truly anonymous, along with the data the comes with it. Even SolarLiner is anonymous technically (except if you search it I guess you'll easily find who I am and coarsely where I live).

It makes sense, too, because else even the ID that is linked to your account right here on the KSP forums would be a violation of the law somehow.

[Woodstar]

Dude, ModStatistics is not malware and people who think it puts their personal info at risk are quite frankly paranoid.

All ModStatistics does is track things like version numbers and ksp logs, nothing else. If you don't believe me you can check the freely available source code. Windows and most major programs do the exact same thing. Heck, even KSP itself tracks your data and sends it to Squad.

I don't want it tracking ANYTHING i do on my computer, Including playing KSP. I do agree modders should have an opt-in option.

[ragzilla]

I am not a modder and do not object to this mod at all. I object to a few things regarding the entire situation:

1. The passive aggressive manner at which you are attacking Majiir in nearly everything about this mod, including user messages which is frankly childish, off-puting, sad and disrespectful

The notification was a late night addition after a few beers, and I've committed to revising it once ModStatistics does not resemble Spyware as much as it does in the current implementation. I know Majiir's intentions were good, but he's had plenty of people giving him feedback on how his current plan was a bad idea, and continued down this path anyway.

2. The constant insistence that ModStatistics is akin to malware or spyware

Spyware is software that aids in gathering information about a person or organization without their knowledge and that may send such information to another entity without the consumer's consent, or that asserts control over a computer without the consumer's knowledge.[1]

- It gathers information

- I do not explicitly consent by installing it, or having an opportunity (without going into a config file) to prevent statistics collection

- It asserts control by re-downloading itself. Although this does have explicit consent so I'll give it a pass.

2 out of 3 ain't bad.

3. The ridiculous "privacy" crusade that has sprouted up around this...there are NO privacy concerns with this. No financial or personal information is sent (other than IP address and Unique ID...which is sent with EVERY transaction over the internet)

It provides a mechanism to track a KSP installation as the user changes locations, this was serious enough for the IETF to develop privacy extensions for IPv6, it's a violation of EU Privacy Directives (no opt-in for the GUID), it's serious enough to be concerned about.

[rynak]

Rule of thumb:

No matter what some party does - it really doesn't matter what - someone on the internet will come forward to defend or attack it. It has nothing to do with the facts at hand or the circumstances - the mere fact of there being something resembling a "team", will attract people who want to attack or defend something - the justifications and reasoning, they will then make up themselves, but the true motivation simply is argueing for the sake of argueing - they like to be on a team and fight for it. (Yes, i do have a very low opinion of humans - not my fault)

As such, the entire discussion in this thread IMO is kinda pointless - the initial post, and the statements by modstats pretty much explain the situation to anyone who cares about data and facts. Those argueing in the thread here instead? It doesn't matter what arguments or facts you bring up, no one of the warriors will switch sides, "retreat" or be "beaten". It's completely pointless, unless you like this particular.... sports game.

Edited July 20, 2014 by rynak

[sjjvjixh]

I'm not afraid of running it. I've reviewed the source code in some depth.

Did you also notice that auto updates are not signed?

[ragzilla]

One think I was wrong in this is that you don't even have to not install the DLL. A single cfg and you're opt-out. And you? Well, you made a whole C# Project (which by the way looking at the code, I don't really know how you know if ModStatistics is installed or not) to achieve this "delete the DLL" thing.

It queries the assemblies loaded into the current .net application (KSP), and finds any using the name ModStatistics. Then it queries them for their _version attribute (thanks fwb for the interface documentation there) and when StillBetterThanSpyware is queried for it's _version attribute (ModStatistics does this to ensure only one instance is running, since it's crapware shovelled into a half dozen other addons you end up with several instances) it responds with the highest _version + 1 so all the other instances think a newer version of ModStatistics is present and running. This only works if StillBetterThanSpyware starts first, hence the 000_StillBetterThanSpyware folder naming.

And editing the .cfg file is a fine workaround for people who are familiar with computers. Many software developers (myself included) fall into this trap of assuming their users are more capable than they are.

[turks]

One think I was wrong in this is that you don't even have to not install the DLL. A single cfg and you're opt-out. And you? Well, you made a whole C# Project (which by the way looking at the code, I don't really know how you know if ModStatistics is installed or not) to achieve this "delete the DLL" thing.

Please just calm down and let it be. Ragzilla coded a C# project so that people like me can just download this, which is even simpler than modifying a cfg! It is a bad precedent to allow a mod to install itself without user consent, even if it did literally nothing. What do you even have to gain by arguing here? You had an opportunity to be the adult and blew it.

[somnambulist]

• Your data being collected without your being notified, for someone else's profit?
  

(Formatting mine). Are you seriously accusing Majiir of profiting from ModStatistics?

[Ignath]

The notification was a late night addition after a few beers, and I've committed to revising it once ModStatistics does not resemble Spyware as much as it does in the current implementation. I know Majiir's intentions were good, but he's had plenty of people giving him feedback on how his current plan was a bad idea, and continued down this path anyway.

Still no excuse for it, it makes you look bad man. You are free to leave the messages and passive aggressive attacks in your post and code...just know it makes you look childish.

- It gathers information

- I do not explicitly consent by installing it, or having an opportunity (without going into a config file) to prevent statistics collection

- It asserts control by re-downloading itself. Although this does have explicit consent so I'll give it a pass.

2 out of 3 ain't bad.

Too bad you passed right by the most important part of the Wikipedia definition: WITHOUT THEIR KNOWLEDGE

As soon as you load KSP, you are notified that it is running. Any lack of knowledge of what it is or does after the notification falls squarely on the user.

The mod:

1. Alerts you that it is running as soon as you open KSP and it loads.

2. Provides (via steps on the Mods forum link) an ability to opt-out of the collection and transmission of data

3. Will not transmit the data until you re-start KSP, giving you the time, ability and option to opt-out before any data is sent.

Spyware, it is not.

It provides a mechanism to track a KSP installation as the user changes locations, this was serious enough for the IETF to develop privacy extensions for IPv6, it's a violation of EU Privacy Directives (no opt-in for the GUID), it's serious enough to be concerned about.

And IE and Chrome and FF and all browsers have the same mechanism based on IP...as does just about anything you do online, unless behind a VPN, TOR network or some such other thing. Privacy arguments regarding this are so overblown and mis-stated it's beyond belief. What are you afraid of? SQUAD or Majiir knowing you go from the internet cafe to your home and play KSP at both locations? You think they're going to live-tweet that you are now switching locations while playing? You are aware that your cellphone and many other things you do on a daily basis do this same thing, right?!

[SolarLiner]

Please just calm down and let it be. Ragzilla coded a C# project so that people like me can just download this, which is even simpler than modifying a cfg! It is a bad precedent to allow a mod to install itself without user consent, even if it did literally nothing. What do you even have to gain by arguing here? You had an opportunity to be the adult and blew it.

The point is: there's actually a mod who is fighting another mod.

"Install without user consent" haha, it is literally written in every single mod that use it (as it is a requirement to not be against the law, because ModStatistics dos sends anonymous statistics data (yes I keep using that word), but hey, nobody got time to read, right? It's like these Terms of Services, or the license agreement: everyone accepts it, but little-to-nobody actually reads it.

Also, I'm calm as always, I'm just debating the fact that this mod fights an other mod. And don't worry about me being an adult or not, I'm fine if your look at me like I'm a 5 yo child - I don't mind.

[Megadyptes]

It 'fights' another mod but downloading this mod is entirely optional and the only people that are going to download this mod (which isn't included in other mods) are people that don't want modstatistics collecting their data. The same can be done by editing a config, or you can OPTIONALLY download this mod. The same end result. People who don't care about privacy won't download this mod or edit any config files to disable modstatistics. There really isn't any major issue here apart from with Ignath, Solar and that Rath guy causing issues.

[Raven.]

I took a look at the source code to mod statistics, so that I can determine for myself what mod statistics is actually doing. First of all, the statement that mod statistics is handing out personal information is a load of crap.

Here's the code: https://raw.githubusercontent.com/Majiir/ModStatistics/master/ModStatistics.cs

Secondly, I think it's very disrespectful to Majiir and other modders to not work with them on this issue. Thus I cannot, and will not support this.

Edited July 20, 2014 by Raven.

[ragzilla]

I took a look at the source code to mod statistics, so that I can determine for myself what mod statistics is actually doing. First of all, the statement that mod statistics is handing out personal information is a load of crap.

Here's the code: https://raw.githubusercontent.com/Majiir/ModStatistics/master/ModStatistics.cs

Secondly, I think it's very disrespectful to Majiir and other modders on this issue to not work with them. Thus I cannot, and will not support this.

As I understand it, in the code you linked (which I'm abstaining from reading to maintain my ability to maintain a clean-room re-implementation) a GUID is generated, which uniquely identifies the KSP install. While I do understand the benefit here (prevents double counting installs), I feel there are better ways it could have been handled (mod hours played, or asking for explicit consent to generate the GUID, or making the whole thing opt-in in the first place and not bundling it with other mods).

I'll happily pull down this plugin once it's been demonstrated that modstatistics has been implemented in a way which respects the user's privacy by default. My criteria for that is:

- Removing/prohibiting 3rd party distribution, or prominent notification during first KSP load. (to address consent)

- Majiir publishes a privacy policy. (to address utilization of data)

- Prominent notification during first KSP load to accept the creation and use of the GUID.

- Not reporting on every other mod and assembly in the KSP installation. Mods should have to utilize an interface to ModStatistics to report on their mod, it shouldn't collect wholesale information about the KSP installation.

[ragzilla]

(Formatting mine). Are you seriously accusing Majiir of profiting from ModStatistics?

I should have used the term benefit there rather than profit, since profit has pecuniary implications.

vvv

You might want to edit your OP then.

Done! Thanks for the feedback.

Edited July 20, 2014 by ragzilla

[somnambulist]

I should have used the term benefit there rather than profit, since profit has pecuniary implications.

You might want to edit your OP then.

[eRe4s3r]

I took a look at the source code to mod statistics, so that I can determine for myself what mod statistics is actually doing. First of all, the statement that mod statistics is handing out personal information is a load of crap.

Here's the code: https://raw.githubusercontent.com/Majiir/ModStatistics/master/ModStatistics.cs

Yes, and this is not personal info eh? Taken directly from the json data stream. from v 1.3 ModStatistics which maybe you should have checked instead of the code ;P

{"started":"2014-07-18T08:13:37.382Z"
"finished":"2014-07-18T08:40:59.621Z"
"crashed":false
"statisticsVersion":7
"platform":"Windows"
"id":"8a841a8d74054a18abd7db9f05ea8658"
"installedWithSteam":true
"gameVersion":{"build":549
"major":0
"minor":24
"revision":0
"experimental":0
"isBeta":false
"isSteam":true
"is64":true
"scenes":{"loading":58812.3639
"mainmenu":13135.7512
"spacecenter":388282.2085
"editor":282945.1836
"flight":777710.4824
"trackstation":41504.3739
"sph":79646.5556}
"systemInfo":{"cpus":6
"gpuMemory":1990
"gpuVendorId":4318
"systemMemory":16384}} 

Maybe we have different definitions of what is personal information. When I play KSP and when I stop playing KSP, is absolutely, 100%, personal user information. That + Unique ID + IP allows profiling... but why exactly does a mod stat plugin keep track of when I play a game and when I stop ?

Easier solution than this plugin, is just blacklisting the ksp exe's in the firewall. But this is for the people who don't know how to do that, and why should they. Modding a game like KSP shouldn't really require having advanced PC skills

Anyway, I promise I won't drag this dead horse around any longer ^^

Edited July 20, 2014 by eRe4s3r