ZOS integrated spyware RedShell by mistake, deleted from live, still in PTS folder

  • GlennGVZ
    Wish I had some money so I could launch a class action. Our company had 100s of hoops to jump through with GDPR, and I am certain from having had to undergo training that NOT notifying you, regardless of what they do with the data, is illegal within the EU.

    I have unsubscribed from ESO, wish you all the best with ZOS, but they have shown EA-like intent, and I am checking out.
  • RinaldoGandolphi

    I completely understand myself

    I know exactly how Windows Activation works. They take hashes of your CPU, Motherboard, Hard Drive and other parts and use those parts to create a secret key that is used to activate Windows on that set of hardware. Most times you can change almost any part but the motherboard before it requires you to call MS or re-activate Windows as there is "leeway" in the hardware id algorithm they use so you don't have to re-activate for swapping a hard drive for example.

    You're comparing apples to oranges here... Activating a copy of Windows has nothing in common with playing an online game or data mining the way this Redshell dll is.

    I am not deluded in the slightest, of course Google analyzes data, but they also make it easy to opt out, and they also didn't bundle a new .DLL program in their latest version of Chrome to harvest all my hardware, harvest all my hardware serial numbers
    Except you clearly don't. They're not harvesting, they're hashing, creating a UID based on that information, in much the same way Windows does. Client side, when certain things happen, say you look at the details of a crown store item, the 'transaction' is logged to a redshell server under that UID.

    Web side, cookies collect the same information and create the same UID, and they log any 'clicks/views' of interest relevant to the original company product/marketing and those get sent to a redshell server under that UID.

    Redshell then puts the info together (because they're clearly related) and provides that information to the client (ZoS), say UID (Not this user, with this information we stole) made these associations based on marketing you tried.

    Marketing can then see that user with UID was potentially interested in pretty pink dresses in the crown store, but not so interested in the daedric furniture collection.

    It's not taking half of what you seem to think it's taking, and the information only goes to the original client (ZoS).

    If you insist on being that worried about what's not happening here, feel free to exit via the door. If the door makes you too paranoid, perhaps the window?

    Give me a break.

    For starters, what you're talking about and how Windows Product Activation works are not even remotely the same thing. I can tell you WPA does not work the way you seem to think it does. If it was just based off simple UID like you tend to believe, then every copy of Windows would be pirated. Windows ties a generated sum of your hardware to your product key and encrypts that string with Microsoft's Public Code Signing Certificate that ships with Windows and stores it on the MS activation servers with your product key. If you make significant changes to your hardware, Windows on login checks this hardware sum periodically and if it's substantially different, you're forced to re-activate Windows again. If it was only based on a UID that would be easily circumvented like it was in the Win98/2000 days.

    But please continue to resort to your insults. After all, anyone who disagrees with "your view" of the world is obviously a tin hat wearing paranoid person who should just jump out the window LOL!

    Yeah I am finished with this conversation. I actually feel dumber for engaging in it with you. I won't make that mistake again. Good day!



    Rinaldo Gandolphi-Breton Sorcerer Daggerfall Covenant
    Juste Gandolphi Dark Elf Templar Daggerfall Covenant
    Richter Gandolphi - Dark Elf Dragonknight Daggerfall Covenant
    Mathias Gandolphi - Breton Nightblade Daggerfall Covenant
    RinaldoGandolphi - High Elf Sorcerer Aldmeri Dominion
    Officer Fire and Ice
    Co-GM - MVP



    Sorcerer's - The ONLY class in the game that is punished for using its class defining skill (Bolt Escape)

    "Here in his shrine, that they have forgotten. Here do we toil, that we might remember. By night we reclaim, what by day was stolen. Far from ourselves, he grows ever near to us. Our eyes once were blinded, now through him do we see. Our hands once were idle, now through them does he speak. And when the world shall listen, and when the world shall see, and when the world remembers, that world will cease to be. - Miraak

  • yodased
    Kelces wrote: »
    I don't like possible implications of this either, but that's anything but new - Blizzard entertainment for example has their version of this: https://www.schneier.com/blog/archives/2005/10/blizzard_entert.html

    You want for ZoS to take efficient actions against cheaters of any sort? Well, imagine how you would try to accomplish that, if YOU were in charge of this game and regularly get pestered about not doing anything...

    Sure, some things are far from optimal, but often if not always the smartest programmers don't make the major decisions.


    Well, first I would invest in a 3rd party proven software. Then I would task a team of engineers to formulate a more permanent solution.

    Remove client side processes.
    Remove p2p connections.
    Handshake with the server for all required verifiable data points that are exploitable. (A good software team knows their intrusion points, even if they can't fix them)
    Hire in game monitors that are actually in game.

    Tl;dr really weigh the fun you have in game vs the business practices you are supporting.
  • Cpt_Teemo
    Yeah I saw nothing in the Eula or ToS about them having the right to silently install spyware onto your computer, shady move, shady. Also the fact I bet they didn't even bother contacting EU about their laws now as well.
  • Valkysas154
    Never mind I am an idiot...
    Edited by Valkysas154 on June 1, 2018 2:44AM
  • RinaldoGandolphi
    For me it's more a trust issue than anything else.

    ZOS could have made some sort of public statement that they were implementing something like this. Would I have liked it? No. Would I have voiced concerns? Absolutely. However, even if I disagreed, they would still have my trust as a customer because they would have openly disclosed this fact beforehand.

    The fact they said nothing, slipped this in without saying a word, hoping no one would notice it has completely killed any trust I had in them. I can no longer trust their updates. I can no longer trust them to not install some sort of tracking/monitoring software on my computer without my knowledge. That's the big one for me.

    All they had to do was be up front about this from the get go, and they would maybe still have me as a customer. Now? Simply not going to happen.

    I just finished some testing.

    1. Deleting or renaming the redshell.dll file causes the game not to load.
    2. Editing the host file to blackhole 0.0.0.0 api.redshell.io will block communication of the .dll

    HOWEVER, #2 is a violation of their TOS and Privacy policy (they updated in late March with little fanfare). So blocking that Redshell dll may end up getting your account banned. As I said, I will not play as long as that Redshell is integrated into the game in any way. I'll check back from time to time to see if it's been removed, but until then it's a no go for me. No matter how much I like the game, I won't tolerate this. This is not what I signed up for, and certainly not what I paid for. I'd expect this from some F2P game, but not one I had actively paid a subscription for.

    I hope they change position on this, but I'm not holding my breath.
    Rinaldo Gandolphi-Breton Sorcerer Daggerfall Covenant
    Juste Gandolphi Dark Elf Templar Daggerfall Covenant
    Richter Gandolphi - Dark Elf Dragonknight Daggerfall Covenant
    Mathias Gandolphi - Breton Nightblade Daggerfall Covenant
    RinaldoGandolphi - High Elf Sorcerer Aldmeri Dominion
    Officer Fire and Ice
    Co-GM - MVP



    Sorcerer's - The ONLY class in the game that is punished for using its class defining skill (Bolt Escape)

    "Here in his shrine, that they have forgotten. Here do we toil, that we might remember. By night we reclaim, what by day was stolen. Far from ourselves, he grows ever near to us. Our eyes once were blinded, now through him do we see. Our hands once were idle, now through them does he speak. And when the world shall listen, and when the world shall see, and when the world remembers, that world will cease to be. - Miraak
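A check for the hosts-file entry described in step 2 of the post above, as an added example that is not part of the original post: it parses hosts-file text and reports whether `api.redshell.io` maps to a non-routable sink address. The sample file content and the function names are constructed for illustration, and "first entry wins" is an assumption about resolver behaviour.

```python
import ipaddress

# Addresses commonly used to blackhole a hostname in a hosts file.
SINK_ADDRESSES = {"0.0.0.0", "127.0.0.1", "::", "::1"}

# Constructed sample hosts-file content (not taken from any real machine).
SAMPLE_HOSTS = """\
# constructed sample
127.0.0.1   localhost
0.0.0.0     API.RedShell.io     # blackhole entry from step 2
#0.0.0.0    redshell.io
10.0.0.5    intranet.example
not-an-ip   broken.example
"""


def parse_hosts(text):
    """Map each hostname (lower-cased) to the first address listed for it."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        fields = line.split()
        if len(fields) < 2:
            continue                          # blank or incomplete line
        try:
            addr = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue                          # malformed address: skip line
        for name in fields[1:]:
            # Assumption: the first entry for a name wins, later ones are ignored.
            table.setdefault(name.lower().rstrip("."), addr)
    return table


def block_status(text, hostname):
    """Return 'sinkholed', 'absent', or 'mapped to <addr>' for one hostname."""
    addr = parse_hosts(text).get(hostname.lower().rstrip("."))
    if addr is None:
        return "absent"
    if addr in SINK_ADDRESSES:
        return "sinkholed"
    return f"mapped to {addr}"


if __name__ == "__main__":
    for host in ("api.redshell.io", "redshell.io", "intranet.example"):
        print(host, "->", block_status(SAMPLE_HOSTS, host))
```

A hosts entry matches only the exact name listed, so any other hostname needs its own line.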

  • Lylith
    Marginis wrote: »
    Marginis wrote: »
    Any collection of personal data should have some sort of oversight. Even if it's just having knowledge of what's happening to you, even if it's not malicious, even if it's not clear how or to what extent it's being used. +1 OP for knowledge sharing.

    From the FAQ from Red Shell website:
    Does Red Shell track my personal information?

    No. Red Shell tracks "device" based information about your computer. We do not collect any personal information about gamers. We don't collect names, emails, or addresses. Our service basically says "this computer clicked on a link from this YouTube video and the same computer played your game." We have no interest in tracking people, just computers for the purposes of attribution. All of the data we do collect is hashed for an additional layer of protection.

    I don't even think this can be applied on Crown Store buys. They are probably using this to track how effective their ads from YT, FB, and etc are. Assuming what OP is telling is true, since they provided 0 evidence to support his claim.

    EDIT: There is a RedShell.dll in "Zenimax Online\The Elder Scrolls Online\game\client", in both Steam and non-Steam versions of the game.

    Their and my definitions of "personal information" are different. Stuff that I, personally, do, places where I, personally, go, games that I, personally, play - that is personal data. The definition they're going by is likely more a legal term, like "personally identifying information". The kind of information they collect, as far as we know by what they say, likely can't be used to personally identify us individually from others. However, as people have previously stated, your computer is still targeted, and you can still be targeted by ads and such. The targeting is what I worry about, not about being personally identified by my videogaming habits.

    EDIT: Not to say any of this is the case, but it could be, and is as far as I'm aware likely to be the case. Either way -

    Any kind of talk disregarding the need for transparency and not exercising due caution when it comes to data collection is dangerous, because in just one step any data collection can turn malicious. Not to say it will, just that it's important to be vigilant in these matters.

    Read the link about hash function. They can't obtain personal information about you unless they try really hard. And even then, RedShell is quite common, they would've been exposed and closed the company by now if that was the case. As for transparency, you probably forgot about it or simply didn't read ZOS terms when they updated it. They have a whole section about Monitoring. You can check it out if you want, at section 6. Though I will admit it is not clear that they are doing this but it fits the EULA.

    There are plenty of other sources that will spy on you and obtain much more information from you than RedShell will. Many apps on your phone ask a lot of access like Local (meaning they can track where you go), your Contacts, Photos, etc. Facebook can even track what you're browsing when you have it open, or simply installed on your APP. FB even has access to your microphone, so they can potentially hear your conversations whenever they feel like it. We have to accept that we will have this kind of data collected from us, or we will go nuts thinking about x app or x game is spying on you.

    Part of the reason I don't use any of that ***.

  • Lake
    If you want a response quickly, you'd need to send this as a tip to lower-tier bloggers, MMO news sites and other gaming media.

    For example, the sites that covered the Guild Wars 2 spyware debacle included: Massively OP, Motherboard (Vice), Kotaku, Bleedingcool, Pcgamesn, TechRaptor, N4G etc.
  • Cpt_Teemo
    For me it's more a trust issue than anything else.

    ZOS could have made some sort of public statement that they were implementing something like this. Would I have liked it? No. Would I have voiced concerns? Absolutely. However, even if I disagreed, they would still have my trust as a customer because they would have openly disclosed this fact beforehand.

    The fact they said nothing, slipped this in without saying a word, hoping no one would notice it has completely killed any trust I had in them. I can no longer trust their updates. I can no longer trust them to not install some sort of tracking/monitoring software on my computer without my knowledge. That's the big one for me.

    All they had to do was be up front about this from the get go, and they would maybe still have me as a customer. Now? Simply not going to happen.

    I just finished some testing.

    1. Deleting or renaming the redshell.dll file causes the game not to load.
    2. Editing the host file to blackhole 0.0.0.0 api.redshell.io will block communication of the .dll

    HOWEVER, #2 is a violation of their TOS and Privacy policy (they updated in late March with little fanfare). So blocking that Redshell dll may end up getting your account banned. As I said, I will not play as long as that Redshell is integrated into the game in any way. I'll check back from time to time to see if it's been removed, but until then it's a no go for me. No matter how much I like the game, I won't tolerate this. This is not what I signed up for, and certainly not what I paid for. I'd expect this from some F2P game, but not one I had actively paid a subscription for.

    I hope they change position on this, but I'm not holding my breath.

    Yeah I rechecked the Eula & ToS, nothing states they had the right to implement spyware on our computers, I'm sure they got their lawyers claiming it's just a modification but yeah, no it's not imo.
  • TheMythicDawn
    ZOS sneaks this spyware onto our computers and if we try to block it we can get banned? wtf
  • LumbermillOverlord
    Thanks guys, added more info in first post.
    Can someone back up this topic somewhere in case ZOS gonna delete it?
  • Syncronaut
    Lake wrote: »
    If you want a response quickly, you'd need to send this as a tip to lower-tier bloggers, MMO news sites and other gaming media.

    For example, the sites that covered the Guild Wars 2 spyware debacle included: Massively OP, Motherboard (Vice), Kotaku, Bleedingcool, Pcgamesn, TechRaptor, N4G etc.

    Famous YouTubers are more effective.
  • jaschacasadiob16_ESO
    I'm curious to see how many pages before ZOS will say anything. Which will be only to say that they have removed some comment.
    "Yesterday while searching a barrel in vVoM I found a lemon. Best drop of the whole run."

    Protect the weak. Heal the sick.
    Treasure the gifts of friendship. Seek joy and inspiration in the mysteries of love.
    Honor the Earth, its creatures, and the spirits. Use Nature's gifts wisely. Respect her power. Fear her fury.
  • MehrunesFlagon
    Solution is suing the hell out of Redshell. Destroy them
  • mongoLC
    ZOS game such a fail they have to resort to this?
  • mongoLC
    You know the only way they can do this is to completely separate EU from USA, meaning no EU players could ever play on US servers. I am totally willing to sacrifice my privacy and view ads on load screens if I never see another Brit on a USA server again! Buh bye Izzy! Well at least until Brexit, and the queen will never let that happen unless her fiat money is replaced.
    Edited by mongoLC on June 1, 2018 7:06AM
  • Marabornwingrion
    HOWEVER, #2 is a violation of their TOS and Privacy policy (they updated in late March with little fanfare). So blocking that Redshell dll may end up getting your account banned.

    This is sooo f***ed up.

    @ZOS_GinaBruno
    @ZOS_JessicaFolsom
    @ZOS_MattFiror
    @ZOS_Edward
  • LumbermillOverlord
    @Syncronaut hey mate, but how can you tell you were really opted out? The dll will still load.
    You will not see any traffic from it?
    It's just their words, you know.
    They can lie.
  • RANKK7
    They better get rid of the damn thing, others did it.

    https://forums.funcom.com/t/why-are-conan-exiles-sending-data-to-redshell/5043

    Edited by RANKK7 on June 1, 2018 8:32AM
    lll
    "I really don't know who the **** came off with this change. Definitely somebody who does not play the game, that's for sure".
    lll
  • Syncronaut
    @Syncronaut hey mate, but how can you tell you were really opted out? The dll will still load.
    You will not see any traffic from it?
    It's just their words, you know.
    They can lie.

    Well they haven't replied that they 100% removed me yet, so I can't say for sure.
    They only said I will be added on the list. Probably a list of don't track that person, but even this is kinda illegal if you know what I mean. (any info about me)

    Personally, if the company won't respect my privacy, I will just take my business somewhere else.
  • EasyTiger
    This is becoming such an abusive relationship.
  • xeNNNNN
    Raraaku wrote: »
    This is inconsequential compared to the ways social media platforms and google/search engines collect, track, and sell your information.

    You think Google paid a bunch of translators to create Google Translate? Lol, no. The bulk of it came from scanning emails. Terms of Use and such. South park had a great episode about it.


    There is also the fact that for European players, as far as I know, ZeniMax has not addressed their ToS and ToA for players to accept and log in since the EU has pushed through the GDPR bill, which states companies working within Europe may not collect, use or sell your personal information without your consent. This is only while operating in European countries however. So for those who log on to the EU server and those who connect with an EU ISP should have an automatic opt out from the get go. As far as I know this doesn't just affect websites, though I could be wrong.
    Ah, e-communities - the "pinnacle" of the internet............yeah, right.
  • Charliff1966
    It's not allowed in the EU to get such programs installed without consent. So for those on the pc/mac go get them.
  • LumbermillOverlord
    any lawyers here btw? who can explain consequences
  • Elusiin
    ADarklore wrote: »
    Wow... I swear, all the paranoid people out there... now I know why so many people actually believe conspiracy theories.

    I'm sure ZOS' TOS that we agree to, and they recently updated, includes a provision for them to utilize this. If you accepted the TOS, then you agreed to it, if you block it, then by all means they have the right to block access to THEIR game. If you wish to quit because of it, SEE YA!

    I've been a data scientist for >4 years and this is nothing "paranoid". You can prove via information theory beyond a certain level of doubt the required info to uniquely identify a user just by their browser configuration (i.e. fonts installed, browser type, etc.) and, using this information, any surfing behavior can be attributed by multiple sources to a single individual. This is some of the information redshell is collecting.

    There are minimal laws restricting the sharing of this "innocuous" information so it can be shared with multiple interested parties with impunity, who can aggregate this data and build profiles of hundreds of millions of people with surprising accuracy. I've done this before.

    People are surprisingly "linear" in their behavior, and very simple models can be used to not only connect seemingly diverse behaviors with high accuracy, but also to predict future behaviors. Using a single hidden layer NN I was able to predict future purchases for a large commercial website (sundance) with around 95% accuracy, among their hundreds of thousands of customers.

    I was also able, with minimal effort, to link their desktop and mobile devices, which always broadcast timestamped geo location information, illustrating locations and timing patterns.

    The stories I could tell. This is uncool.

    Yeah I completely agree, this is uncool and an overreach and an attack on privacy. Doesn't one of this violate something in the constitution that guarantees privacy? I'm no expert there, but I'm pretty sure one could make a good argument in court.
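The two points argued in this thread, that the collected attributes are hashed and that a device configuration carries enough information to single a user out, worked through as an added example (not part of any post and not Red Shell's code). The attribute names, the use of SHA-256 and the eight-device population are assumptions constructed for illustration.

```python
import hashlib
import math
from collections import Counter, defaultdict

# Constructed device configurations (hypothetical attribute names and values).
COMMON = {"cpu": "i5-7600", "gpu": "GTX 1060", "screen": "1920x1080", "tz": "UTC-5"}
RARE = {"cpu": "R7 1700", "gpu": "RX 580", "screen": "3440x1440", "tz": "UTC+1"}
POPULATION = [COMMON] * 6 + [RARE, {**COMMON, "tz": "UTC+10"}]


def device_uid(attrs):
    """Hash a device's attributes into one identifier (SHA-256 is an assumption)."""
    canonical = "|".join(f"{key}={attrs[key]}" for key in sorted(attrs))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def surprisal_bits(population, attrs):
    """Identifying information in bits: -log2(share of devices with this config)."""
    uid = device_uid(attrs)
    matches = sum(1 for device in population if device_uid(device) == uid)
    if matches == 0:
        raise ValueError("configuration does not occur in the population")
    return -math.log2(matches / len(population))


def unique_share(population):
    """Fraction of devices whose hashed identifier no other device shares."""
    counts = Counter(device_uid(device) for device in population)
    unique = sum(1 for device in population if counts[device_uid(device)] == 1)
    return unique / len(population)


def link_events(*sources):
    """Join event logs from independent sources using only the hashed identifier."""
    joined = defaultdict(list)
    for source_name, events in sources:
        for attrs, action in events:
            joined[device_uid(attrs)].append((source_name, action))
    return dict(joined)


# Constructed event logs: each source sees raw attributes and keeps only the hash.
WEB_EVENTS = ("web", [(RARE, "clicked ad link")])
CLIENT_EVENTS = ("client", [(COMMON, "launched game"), (RARE, "launched game")])

if __name__ == "__main__":
    print("common config bits:", round(surprisal_bits(POPULATION, COMMON), 3))
    print("rare config bits:  ", surprisal_bits(POPULATION, RARE))
    print("share of devices that are unique:", unique_share(POPULATION))
    for uid, trail in link_events(WEB_EVENTS, CLIENT_EVENTS).items():
        print(uid[:12], trail)
```

The hash hides the raw attribute values but is the same on every source that computes it, so it still works as a stable per-device key; identifying a device among N needs log2(N) bits of configuration.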
  • Syncronaut
    any lawyers here btw? who can explain consequences

    Not a lawyer, but you can read the law here to get the idea:
    https://europa.eu/youreurope/citizens/consumers/internet-telecoms/data-protection-online-privacy/index_en.htm


    Making a complaint

    If you think your data protection rights have not been respected, you can make a complaint directly to your national data protection authority which will investigate your complaint and give you a response within 3 months.

    You can also choose to file a case directly in court against the company or organisation concerned instead of first going to your national data protection authority.

    You may be entitled to compensation if you suffer material damage, such as financial loss, or non-material damage, such as psychological distress, due to a company or organisation not respecting EU data protection rules.



    You can simply say in court that tracking from company is causing you a psychological distress (getting spammed by ads for example) and you can win the case.

    Psychological distress can manifest in multiple ways and at different levels of severity. But in very general terms it is psychological discomfort. It can be experienced as sadness, anxiety, distraction, and in the most extreme cases - psychotic symptoms. It can be caused by many things - a severe stressor, everyday stressors, medical illness, or mental illness. It is a sense of discomfort and feeling unsettled, and usually at a level that is getting in the way of activities of daily living (e.g. work, school, caregiving, self-care). In less severe cases, psychological distress can be managed through rest, taking a break, self-care such as exercise. But if the distress and the symptoms are really interfering with life or leading to thoughts of harming self or others - intervention is required as quickly as possible - with a licensed medical or mental health professional.
  • Haenk
    So here we go, just sent this to our Data Protection Center ("Datenschutzzentrum", which *will* do an official investigation, and they are not known to play around):

    "
    Together with the widely used online game "Elder Scrolls Online", the software "Red Shell" is used to collect individual data. This collection was neither agreed to through the terms and conditions, nor is the user informed of it. The data is presumably transferred to the USA, without corresponding data protection principles.
    In keeping with the principle of data minimisation, this data is not necessary for using the game.


    Further information:
    https://forums.elderscrollsonline.com/en/discussion/416267/zos-integrated-spyware-red-shell-into-eso-howto-block-opt-out/p1
    "

    Silence is not the way to go, ZOS. This is a serious issue.
    Edited by Haenk on June 1, 2018 10:46AM
  • Leandor
    @Haenk better copy this thread's contents now and make sure it is retained. After your statement, it will be locked and hidden very very quick.
    Edited by Leandor on June 1, 2018 10:48AM
  • LumbermillOverlord
    yes imho we need backup thread