16 Studios Removing Alleged Spyware From PC Games After Fan Outcry

In Mario Kart, red shells target your nearest rival and ruthlessly stop them in their tracks. Marketing company Red Shell, meanwhile, helps video game companies more accurately target you. This fact has not sat well with some players who have recently discovered the software in a veritable kartload of Steam games.

Image: Red Shell

According to Red Shell's website, their software is meant to help game companies "measure the effectiveness of their marketing campaigns" by "tying information from marketing campaigns to in-game play".

Basically, it's installed alongside games and tracks information about your devices (operating system, browser version number, IP address and so on) in order to ascertain how effective advertisements for that particular game are. The company swears up and down that it doesn't collect personal information.

"We don't collect names, emails, or addresses," Red Shell says on its website, noting that games can offer an opt-out to players if developers so choose. "Our service basically says 'this computer clicked on a link from this YouTube video and the same computer played your game.' We have no interest in tracking people, just computers for the purposes of attribution."

The software has been discovered in over 50 games, including The Elder Scrolls Online, Conan Exiles, Hunt: Showdown and Civilization 6. For the past couple of weeks, a contingent of players have dedicated themselves to weeding it out, decrying it as "spyware" that many companies failed to disclose.

"Red Shell is a spyware that tracks data of your PC and shares it with 3rd parties," Redditor Alexspeed75 wrote last week in a thread that's become something of a rallying place for aggrieved players.

"On their website they formulate it all in very harmless language, but the fact is that this is software from someone I don't trust and whom I never invited, which is looking at my data and running on my PC against my will. This should have no place in a full price PC game, and in no games if it were up to me."

Since then, players of the aforementioned games and many more have started irate threads in Steam forums and subreddits. In many cases, they have gotten developers to pledge to remove Red Shell.

"We integrated Red Shell with the goal to track the efficiency of our marketing campaigns (how many players clicked on our advertisements on social media platforms and then purchased the game afterwards). There was never any intention to sell data to third parties," said the developers of multiplayer horror game Dead By Daylight, expressing a sentiment similar to many other developers who've removed Red Shell from their games.

"That being said, we have seen the player frustrations expressed about the use of this technology. Our passionate and dedicated fans are the reason why Dead by Daylight is a success, especially the ones who have been with us from the beginning. We have removed Red Shell from Dead by Daylight in the 2.0.0 update."

As of now, 16 games have either removed Red Shell or have pledged to do so in the near future, including The Elder Scrolls Online, Conan Exiles, Hunt: Showdown, Battlerite, Secret World Legends, Total War and Warhammer: Vermintide.

Red Shell’s Adam Lieb responded to our request for comment, saying that he feels like Red Shell has been mischaracterised by some players.

"We are disappointed," he said in an email, noting that Red Shell does not sell data to third parties, nor is it used for ad targeting in the traditional sense (rather, it helps companies sort out which ads they’re already running are worthwhile).

"We are gamers. We love games. We do what we do because we love working with game developers to help grow their games and build their communities. The last thing we’d want to do is anything that is going to upset their communities."

He added that, contrary to some people’s belief, Red Shell doesn’t run on your PC in the background when games aren’t open. Data collection, meanwhile, is in service of attribution, rather than more nefarious ends some players have suggested.

"We collect the minimum amount of data necessary to do attribution," he said. "Our customers rely on us to tell them which activities they’re engaged in are working and which ones aren’t. Any information that doesn’t help us make those matches we don’t collect."


Comments

    Misinformation and fearmongering is frustrating. Currently playing with similar software and it's really helpful at determining which Facebook ads are worth running.

      Misinformation in the internet? How did that happen?

      The issue is disclosure. The game devs failed to disclose the usage of Red Shell, which may well only take the "minimum amount of data", but ultimately was taking SOME data from users' PCs without the devs' transparency. For many users, this is a breach of trust. The option to submit information about your personal data or PC setup has generally been opt-in in the PC space. By taking user information without transparency, it has prompted a backlash of fear mongering, yes. But this fear mongering is only really occurring because devs broke consumer faith without considering the consequences. So, tears shed? Nil.

        I think you hit the nail on the head. And I think distributors really need to take the approach of (a) it's not mandatory and (b) it's made clear to users. Just stating that you use it isn't good enough, there has to be an option for players to not install it in the first place, but still be able to play the game.

        I'm looking at you Steam, Blizzard... and EA and Ubisoft and ... the list goes on.

          I guess there's a reason that the EU brought in the GDPR

        Disclosure is the biggest thing, I didn't even see Red Shell in the EULAs of a few games which run it. The other part is that if I'm running Facebook then I've accepted that rather than paying with money for a service, I'm paying with data. More than an intelligence agency and less regulated, which is at least a little concerning, but that's the trade and I knowingly make it.

        But if I've handed over money for a game, why am I signed up in the background to a phone home data collection service? Which phones Red Shell, not the devs. Red Shell collects enough information to uniquely identify your machine and uses that fingerprint across multiple contracts for multiple companies.

        Which is not what I signed up for when, again, I handed over money. Mobile games are "free", with copious amounts of grinding and data collection in return, but these aren't mobile games. There are big games from big companies with premium costs, but they're acting like this is Apple's App Store and they're a shady data collection corp. Pick one.

          I agree 100%. I have the same problem with Windows 10. If it's free ok, tell me you're gathering data and that's the "price". If I have to pay then I should absolutely have control over whether my data is harvested (for any purpose).

          I probably should have made that clear in my previous post. I don't have a problem with making data collection mandatory on a free game. I was specifically thinking of paid ones at the time.

      Regardless of whether it is harmless, it's still spyware installed without your knowledge which is used to track your activity.
      Make it an option that can be opted out of during installation of game files from the get-go, and the outrage wouldn't have been nearly as bad.

        By all rights it should be opt-in, not opt-out.

    Damn it funcom....

    Hmmm, not sure how I feel about this? It feels like everything is out to market you right now.

    Ah, rightio. Was briefly concerned from headlines this morning, but this seems a fucktonne more innocuous than, say... using the facebook app on your phone, or in fact just using facebook at all.

    In fact, if it were opt-in, I'd probably tick that box. Seems like a very indie-friendly tool to reduce marketing budgets. The advertising industry's pretty fucking scummy for a much wider variety of reasons, anything that helps hold them to account for what's working and what's not is pretty OK in my book.

      (Caveat: anything that helps hold them to account... without uniquely identifying me.)

        In at least some cases, they are uniquely identifying you (e.g. via Steam user ID, Xbox gamertag, or PSN ID).

        They're definitely uniquely identifying you, that's the core purpose of the tool. It uses individually non-identifiable data (IP address, OS version, user agent, list of fonts, etc) to generate a fingerprint of your system that is unique with reasonable confidence. They do the same thing in both the browser when you visit an enabled website, and in the game when you start it up, and then they try to associate your game activity with your website activity.

        Once that's connected, they can then associate your in-game profile and anything that includes (eg. details you used to sign up to the game's online service) with websites you browse. Because Red Shell is a centralised intelligence service, the fingerprint you generate on one website or in one game can be (and perhaps is) used to map across other websites and other games from unrelated companies. Red Shell hasn't said a word on that, which is concerning, because accumulating the fingerprint data of a user across multiple game profiles and multiples websites would allow them to build up quite a detailed picture of the user, their game interests and behaviours, one that they definitely should not have access to without consent.

          Jamesh notes below that apparently they say they don't cross-reference data across games, although I find that somewhat unpersuasive. If true it does slightly limit the scope I mentioned in the second paragraph, but even within a single game the fingerprint it can build is still uniquely identifiable by necessity.

            It's probably down to the semantics of identifying 'you', vs identifying 'your machine'.

            Of course, as I mentioned before: still seems a fuckload more innocuous than almost anything Facebook does. But the real test is always less what they intend to do with the data than 'what CAN be done with the data?'

              I'd hope Facebook isn't the yardstick of what's acceptable, they're the pinnacle of shady shit.

    I guess it comes down to whether or not it was mentioned directly or indirectly in the EULA.

    I don't know anything about the information or the company, but if I was paranoid about tracking I would say if they're using Steam accounts and IP addresses you can get billing info from that, possibly, then you have a real name? Depending if you're trying to track someone down, but that's true tinfoil hat thinking. Hopefully I'm wrong and just an idiot with a silly idea.

      Your concerns remind me of work discussions around the most important question in InfoSec: intentions are irrelevant; CAN the data be mis-used, and if so, do you really need it?

        Well, if it's got a vulnerability, then it will be exploited somehow, which is probably the most true when it comes to any cyber-security; no matter how genuine the original intentions are, it won't stop a blackhat.
        I really don't know much, but I'm guessing my concern is what a standard consumer might feel.

      The EULA isn't sufficient any more, now that the GDPR is in effect. The latter requires 'clear and explicit consent' from the user to collect personal information. While some individual pieces of information aren't personal under the GDPR, it does take into account that when non-personal pieces of information are collected together they may form data that can be used to reasonably establish someone's identity, which does fall under the GDPR. I'd consider what Red Shell does such a case of aggregate data producing an identifiable fingerprint.

      Also tagging @transientmind since this is a related follow up to a reply I gave to you above.

        Cheer up. EU's a funny beast when it comes to privacy, but when it comes to the Australian government, we can be sure to relax in the knowledge that it doesn't matter how much meta-data is aggregated into something which is just as (if not more) revealing/a breach of privacy as specific message content, it's all good. :)

          I like the GDPR, wish it was used everywhere. At least we get the cascade benefit that any global company that wants to do business in Europe has to comply with it, so we mostly still get the benefits even though it's not law here.

    So if I understand it right, there's two halves of Red Shell's service: for the online ad side, they use JavaScript to try and fingerprint the user's web browser via [screen resolution, user agent string, time zone offset, language, available fonts], along with the IP address when the ad sends all this back to Red Shell. On the game side, it does the same again, this time collecting it via an SDK built into the game. Red Shell can then try to match the two fingerprints to connect the two events.

    So far, so good. It gets a bit more insidious when Red Shell is encouraging game developers to send user identifiers in order to help track console games:

    https://docs.redshell.io/docs/console-quick-start
    https://docs.redshell.io/reference#console-identifiers

    Since you'd generally be clicking on ads on your PC, while playing the game on the console, they can't do the regular fingerprinting. Instead, they recommend the game developer send the PSN ID, Xbox gamer tag, or equivalent. Then if the game has a website that lets users log in with console credentials (e.g. to view stats), they can do fingerprinting there and link the console gaming session to the ad click.

    Even though they probably don't need to, the Reddit thread seems to indicate that at least some of the PC game devs are sending the unique Steam user ID to Red Shell. So that seems like a legitimate concern.

      To follow up, while Red Shell says they don't cross reference the data collected from multiple developers, it certainly sounds like they are in a position to do so (or alternatively, anyone who compromises their databases would be able to do so).

      That's the main concern I have over a developer doing all this data collection themselves.

        It's not just the account ID though. The GDPR notes that even a set of individually non-identifiable data can become identifiable data when it's collected together. The fingerprint they collect in browsers is arguably over that line, since unique identification is the core of their system.

        Frankly, if their business is above board, there should be no problem with informing the user that the website or game wants to collect information about them, and giving them the option to opt in (default no collection). The whole reason the GDPR was introduced in Europe was to stop shady under-the-table stuff like this from going on.

        Do you have a source on the 'do not cross reference' claim by the way? I looked for that before when I was researching this, and looked again just now, but couldn't find it.

        Also worth noting that IP address and account ID are both personal information under the GDPR, which requires consent to collect. Red Shell seems to think they can collect it without consent as long as they encrypt it, which is not correct.

          Yeah. Encryption is pretty meaningless here, since the data can just be decrypted again. Even if they really meant one-way hashes, it is still going to be PII if they choose a hash that will have essentially zero collisions (e.g. SHA1, SHA256, etc).

          And in order to pull off their fingerprint linking for console games, they need collisions to be rare or non-existent.
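          A constructed Python illustration (not Red Shell's code, and using made-up attribute values) of the two-halves linkage described in jamesh's comment above and of the point just made about hashing: canonicalising the collected attributes and running them through SHA-256 gives a digest that is stable for one machine, so it links an ad click to a game session and, if one service holds records from several studios, joins those records too.

```python
import hashlib
import json

# Constructed sample records (not real Red Shell data). Each record carries the
# attribute kinds the comment lists: screen resolution, user agent, time zone
# offset, language, fonts, and the IP address seen by the server.
MACHINE_A = {
    "screen": "2560x1440",
    "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Example/1.0",
    "tz_offset": -600,
    "language": "en-AU",
    "fonts": ["Arial", "Calibri", "Consolas", "Segoe UI"],
    "ip": "203.0.113.42",  # RFC 5737 documentation address, not a real host
}
MACHINE_B = dict(MACHINE_A, screen="1920x1080", ip="203.0.113.77")

# Browser-side events (ad clicks) and game-side events (SDK start-ups).
AD_CLICKS = [
    {"campaign": "youtube-trailer", "attrs": MACHINE_A},
    {"campaign": "facebook-ad-3", "attrs": MACHINE_B},
]
GAME_STARTS = [
    {"game": "game-one", "attrs": MACHINE_A},
    {"game": "game-two", "attrs": MACHINE_A},  # same machine, unrelated studio
]


def fingerprint(attrs):
    """Canonicalise the attribute set and hash it. The hex digest is the
    'anonymous' identifier, but SHA-256 is deterministic: the same machine
    always yields the same digest, which makes it a persistent identifier."""
    canonical = json.dumps(attrs, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def attribute(ad_clicks, game_starts):
    """Link each game start to the ad click with the same fingerprint.
    Returns a list of (campaign, game) pairs; unmatched starts are dropped."""
    by_fp = {fingerprint(c["attrs"]): c["campaign"] for c in ad_clicks}
    return [(by_fp[fingerprint(g["attrs"])], g["game"])
            for g in game_starts if fingerprint(g["attrs"]) in by_fp]


def cross_reference(game_starts):
    """Group game starts by fingerprint. When one service holds records from
    many studios, the shared digest is enough to join them; this is the
    cross-referencing concern raised in the thread. Returns only the
    fingerprints seen in more than one game."""
    groups = {}
    for g in game_starts:
        groups.setdefault(fingerprint(g["attrs"]), []).append(g["game"])
    return {fp: games for fp, games in groups.items() if len(games) > 1}


if __name__ == "__main__":
    print(attribute(AD_CLICKS, GAME_STARTS))
    print(cross_reference(GAME_STARTS))
```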

    Yeah, RedShell doesn't actually seem that bad, but the way some people have been reacting to it, you'd think it was a straight-up virus. A post on the Steam Board for My Time at Portia was written in the same tone as if the devs were like consciously conspiring to ruin lives. I'm biased because I work in Communications, but maybe if it was the norm to clearly notify users of what was being used and explain how it works in terms they can understand (i.e. the new mandatory EU opt-in) people would be less afraid. The whole smoke-and-mirrors, don't-tell-them-even-when-they-need-to-know marketing schtick is a huge pain in the ass for both staff and end users.

    It's an issue of disclosure. Tell people if you're bundling tracking software/capabilities into your games, just like websites (are supposed to) disclose whether or not they use cookies and the Facebook Pixel to track you on their site.

    The lack of notification, lack of disclosure of information collected, and lack of options to opt-in/opt-out are the issues underpinning this... with a lack of these things, we have a right as consumers to assume the worst.

    After all, we have to assume the worst; we just had that whole drama about Cambridge Analytica, and that was because of an innocent-looking social quiz and random data collection got to the point they could manipulate people's opinions on an election.

    Most games that ask me to send them usage data make it an opt-in sort of thing; I have the ability to say no.

    I usually always click "yes you can look at my game data".

    It's NOT okay to sneak it in there like a pervy spy cam in a bathroom, because that's what it feels like when they don't tell you about it.

    I'll let you look at my shit if you ask; I will not let you spy on me shitting without asking.

    Gross analogy, but it's the same sort of thing.

    Wow, then the devs would have been wasting money if they thought my purchases were influenced by me clicking on ads. I need more info than an online ad to get me to open my wallet.
    I tend to read about games online, through various sites like Kotaku, and then follow up with a few favorite YouTubers. If I am really interested I might even click on the game's own website. From the sounds of things none of these activities are captured by RedShell.

    There is something I'm not understanding about the defined purpose.

    "Our service basically says 'this computer clicked on a link from this YouTube video and the same computer played your game.' We have no interest in tracking people, just computers for the purposes of attribution."
    So if this is installed when I install a game, is it locked to that game or monitoring for all of Red Shell's clients?

    If it is locked to the game it was installed with, is it scouring PC browser history to see if I visited any relevant sites prior to the purchase? Is it accessing any logged-in social media channels to see if I had posted or viewed any posts relevant to their marketing campaign, again prior to my purchase?

    I suspect that it looks for anything that is relevant to any of Red Shell's clients, not just the developer of the game that has been installed.

    Of course I may have missed something in the reporting, but the explanation provided just doesn't seem 100% legit.

    If, when installing, there was a box to tick that told me about it, I'd probably tick it.

    The fact they were being so secretive about it until it came to light doesn't help, be it innocent or not.

    Blizzard used spyware way back in 2004/05 IIRC. Not sure if it's still in place but I suspect it is.

    When hackers were having a difficult time setting up additional accounts for OW after being banned I always suspected it was the Blizzard spyware which left a ban flag of some sort (could be totally wrong).
