ZOS integrated spyware RedShell by mistake, deleted from live, still in PTS folder

Lake · June 2018

NewbieOKS wrote: »

Ok found it..is it ZOS or steam who installed it? Since only impact steam players who install ESO through steam

It does? I don't have Steam and never installed ESO through Steam - and it's in the folder.

Alinhbo_Tyaka · June 2018

NewbieOKS wrote: »

Is there any solid proof? I just want to confirm whether it is just a hoax....

Proof for what?

If you are questioning Red Shell being there all you need to do is look in the ESO client directory to see the redshell.dll there. It is also in the client debug directory. As to whether it is executed you can rename it and see the game fail to start, do a netstat to see the redshell.dll has many open connections to Red Shell servers, or use something like Process Explorer to see that the dll is loaded. Pretty incontrovertible proof that ZOS includes the spyware in ESO. The worst part is they snuck it in so players have no way to decide if they will continue playing the game since you can't turn the Red Shell data collection off.

I know it changed my plans to stop playing Final Fantasy XIV and moving my subscription to ESO.

LumbermillOverlord · June 2018

NewbieOKS wrote: »

LumbermillOverlord wrote: »

NewbieOKS wrote: »

LumbermillOverlord wrote: »

NewbieOKS wrote: »

Is there any solid proof? I just want to confirm whether it is just a hoax....

use search on your PC

I used steam and try the regular windows search using key “red shell”,...

Result is none...is there any specific search term?

Ok found it..is it ZOS or steam who installed it? Since only impact steam players who install ESO through steam

look at my screenshot again
its not only steam

Merlin13KAGL · June 2018

yodased wrote: »

@merlin13kagl not about the permissions its about communication and transparency towards users.

This company may be the worst when it comes to being open about what is actually going on

@yodased I'll certainly agree that they've effectively stepped on their own stuff with as many people are up in arms about this.

A simple informational release would have gone a long way towards bettering understanding and easing tensions.

Good, bad, or indifferent, they'll have a hell of a lot more damage control required now than had they simply said something upfront.

JamuThatsWho · June 2018

Wouldn't something like Red Shell be illegal now in the EU due to GDPR?

Alinhbo_Tyaka · June 2018

NewbieOKS wrote: »

LumbermillOverlord wrote: »

NewbieOKS wrote: »

LumbermillOverlord wrote: »

NewbieOKS wrote: »

Is there any solid proof? I just want to confirm whether it is just a hoax....

use search on your PC

I used steam and try the regular windows search using key “red shell”,...

Result is none...is there any specific search term?

Ok found it..is it ZOS or steam who installed it? Since only impact steam players who install ESO through steam

It isn't just Steam. It is installed as part of the base ESO client so affects all ESO players.

Lake · June 2018

A moderator / community ambassador just pinned this message on the Reddit post, saying ZOS is working on a reply and claiming the Privacy Policy allows it:

NewbieOKS · June 2018

I just read the RedShell website...it says somehting like this below...sorry I dont read all the previous comments...is there someone in the group that can explain to us whether there is any negative impact to us as gamers?

Link https://redshell.io/gamers

Frequently Asked Questions For Gamers

What is Red Shell? And what does it mean to me as a gamer?

Red Shell is a software package used by game developers and publishers to help them measure the effectiveness of their marketing campaigns. It works by tying information from marketing campaigns to in-game play.

An example: Imagine a game developer is running an ad on Facebook and working with a popular Twitch channel. The developer wants to know which of those ads is doing a better job of showcasing the game. Red Shell is the tool they use to measure the effectiveness of each of those activities so they can continue to invest in the ones that are working and cut resources from the ones that aren't.

Does Red Shell track my personal information?

No. Red Shell tracks "device" based information about your computer. We do not collect any personal information about gamers. We don't collect names, emails, or addresses. Our service basically says "this computer clicked on a link from this YouTube video and the same computer played your game." We have no interest in tracking people, just computers for the purposes of attribution. All of the data we do collect is hashed for an additional layer of protection.

What type of information does Red Shell track?

Red Shell tracks information about devices. We collect information including operating system, browser version number, IP address, screen resolution, and font profiles.

Does Red Shell track me across games?

No. Red Shell isolates all of our data on a per game basis.

Can I opt out?

Each game that employs Red Shell may offer an opt-out for any type of data/analytics services they use (which could include Red Shell). To opt out of Red Shell specifically please use our opt-out form.

We take your privacy and security extremely seriously. Red Shell is a service built by gamers to help game developers grow their games successfully. If you have any questions don't hesitate to ask by clicking the chat box in the corner of your screen or shooting an email to privacy@redshell.io

Edit typo errors

Syncronaut · June 2018

They didnt declare it in big text thats for sure:

When a company or organisation asks for your consent, you have to make a clear action agreeing to this, for example by signing a consent form or selecting yes from a clear yes/no option on a webpage.

It is not enough to simply opt out, for example by checking a box saying you don't want to receive marketing emails. You have to opt in and agree to your personal data being stored and/or re-used for this purpose.
(there is no option like this under account)

You should also be given the following information before you decide to opt in:

information about the company/ organisation that will process your data, including their contact details, and the contact details of the Data Protection Officer (DPO) if there is one
(they failed to disclose that - redshell)
the reason why the company /organisation will use your personal data
how long they intend to keep your personal data
(i didnt see this info unless i am blind)
details of any other company or organisation that will receive your personal data
information on your data protection rights (access, correction, deletion, complaint, withdrawal of consent)
(no idea what companys, they just say random companys)

All this information should be presented in a clear and understandable way.

In other words, they failed to re-present that information to us directly:

I maked parts in black where they failed to up-hold the law.
https://www.zenimax.com/legal_privacy
https://account.elderscrollsonline.com/privacy-policy

Alinhbo_Tyaka · June 2018

JamuThatsWho wrote: »

Would't something like Red Shell be illegal now in the EU due to GDPR?

That's the general feeling of folks in the EU or familiar with the law. I believe a player has already filed a complaint about this so I guess we should see an official response from that sometime in the future (but who knows how long that will take).

Turelus · June 2018

Samadhi wrote: »

Turelus wrote: »

Leandor wrote: »

Haenk better copy this thread's contents now and make sure it is retained. After your statement, it will be locked and hidden very very quick.

Note that even when hidden ZOS retains copies of the thread in an archived section for staff.
The conversations I've had with their staff it seems they don't actually delete any threads,.

They also only tend to archive the threads when it's an offensive one or spamming up the forums, most threads like this critical of their policies get locked but remain for people to view them.

Having moderator experience for a f2p gaming company
can say that no post that ever appeared to be deleted was fully removed
everything was just made invisible to general forum users

If you want even more creepy
It is quite possible this line that you did not type
"Edited by Turelus on June 1, 2018 7:09AM"
works as a link for moderators, allowing them to view every aspect of your post that was changed
delete a word and replace it with another word to correct your grammar in a forum post?
It is all permanently logged.

If they're checking my edits they could at least point out all my other typos I miss.

yodased · June 2018

@newbieoks redshell is no more intrusive than a facebbok tracking pixel, an amazon cookie, a google local file or any websites cookie data.

If you use the internet on a regular basis and do not regulate data packets in and out of your box, the data redshell adds is simply relevent to the game you are playing.

The risk? Nothing other than a small inconvenience if they are legit in their statements. Now, they could have some legal loophole like cambridge that allows the data to be used nefariously.

The real problem? You have no idea what is truly being shared and the way it was rolled out was shady a.f.

Elsonso · June 2018

JamuThatsWho wrote: »

Would't something like Red Shell be illegal now in the EU due to GDPR?

No. GDPR does not prevent data collection, it requires that it be documented, protected, and allows for query and deletion.

Alinhbo_Tyaka · June 2018

lordrichter wrote: »

JamuThatsWho wrote: »

Would't something like Red Shell be illegal now in the EU due to GDPR?

No. GDPR does not prevent data collection, it requires that it be documented, and allows for query and deletion.

Which would mean the ESO and Red Shell implementations violate GDPR as they allow for none of those.

Elsonso · June 2018

Alinhbo_Tyaka wrote: »

lordrichter wrote: »

JamuThatsWho wrote: »

Would't something like Red Shell be illegal now in the EU due to GDPR?

No. GDPR does not prevent data collection, it requires that it be documented, and allows for query and deletion.

Which would mean the ESO and Red Shell implementations violate GDPR as they allow for none of those.

I am not a lawyer, but basic reading of the Privacy Policy suggests that they have at least attempted to cover all of that. Whether they did it well enough is not up to me.

Alinhbo_Tyaka · June 2018

lordrichter wrote: »

Alinhbo_Tyaka wrote: »

lordrichter wrote: »

JamuThatsWho wrote: »

Would't something like Red Shell be illegal now in the EU due to GDPR?

No. GDPR does not prevent data collection, it requires that it be documented, and allows for query and deletion.

Which would mean the ESO and Red Shell implementations violate GDPR as they allow for none of those.

I am not a lawyer, but basic reading of the Privacy Policy suggests that they have at least attempted to cover all of that. Whether they did it well enough is not up to me.

I agree. That's why I said we won't really know until we get an official response to the complaint that has been filed in the EU. I suspect it does violate GDPR as it doesn't allow you to see what has been collected about you and allow you to have it deleted not to mention no easy way to opt out of collection entirely. Red Shell opt out doesn't stop collection just use of the data as near as I can tell.

InvitationNotFound · June 2018

yodased wrote: »

@newbieoks redshell is no more intrusive than a facebbok tracking pixel, an amazon cookie, a google local file or any websites cookie data.

If you use the internet on a regular basis and do not regulate data packets in and out of your box, the data redshell adds is simply relevent to the game you are playing.

The risk? Nothing other than a small inconvenience if they are legit in their statements. Now, they could have some legal loophole like cambridge that allows the data to be used nefariously.

The real problem? You have no idea what is truly being shared and the way it was rolled out was shady a.f.

You are wrong in many ways regarding the technical aspects.

If i use something like facebook i know that i'm tracked (besides they track other users as well, but i'm capable to deal with this using addons e.g. noscript). If i have different browsers, third party cookies aren't shared, as an example. browser do not have that kind of access or at least do not grant web sites that kind of access.

This here is different as it is a component that is directly run on your machine and can collect way more data than a browser would allow a malicious site (e.g. facebook

) to collect (at least regarding my pc and the data stored on it). This is a huge difference and an issue.

kyle.wilson · June 2018

I guess gaming sites are picking this up now.
http://massivelyop.com/2018/06/01/players-try-to-figure-out-how-to-opt-out-of-elder-scrolls-onlines-new-spyware/

yodased · June 2018

InvitationNotFound wrote: »

yodased wrote: »

@newbieoks redshell is no more intrusive than a facebbok tracking pixel, an amazon cookie, a google local file or any websites cookie data.

If you use the internet on a regular basis and do not regulate data packets in and out of your box, the data redshell adds is simply relevent to the game you are playing.

The risk? Nothing other than a small inconvenience if they are legit in their statements. Now, they could have some legal loophole like cambridge that allows the data to be used nefariously.

The real problem? You have no idea what is truly being shared and the way it was rolled out was shady a.f.

You are wrong in many ways regarding the technical aspects.

If i use something like facebook i know that i'm tracked (besides they track other users as well, but i'm capable to deal with this using addons e.g. noscript). If i have different browsers, third party cookies aren't shared, as an example. browser do not have that kind of access or at least do not grant web sites that kind of access.

This here is different as it is a component that is directly run on your machine and can collect way more data than a browser would allow a malicious site (e.g. facebook ) to collect (at least regarding my pc and the data stored on it). This is a huge difference and an issue.

Hence the statement if you do not regulate packets on your machine.

A local dll being run by an admin will have more access to core computer data, but identifying personal data is way more easy to access through unrestricted access through the browser.

Also, i wasnt attempting to explain the technical aspects of datalogging, its irrelevent what access they have to what data. The point simply is they hid this addition and hise behind 3rd party tools

billp_ESO · June 2018

"Our service basically says "this computer clicked on a link from this YouTube video and the same computer played your game." " -- RedShell

So, when I'm playing ESO,, 3rd party spyware is watching what else I do and sending that data off to be sold to who knows who. And all with no warning, no option to not do it, or explanation as to what data it is actually collecting and what/who it goes to.

yodased · June 2018

billp_ESO wrote: »

"Our service basically says "this computer clicked on a link from this YouTube video and the same computer played your game." " -- RedShell

So, when I'm playing ESO,, 3rd party spyware is watching what else I do and sending that data off to be sold to who knows who. And all with no warning, no option to not do it, or explanation as to what data it is actually collecting and what/who it goes to.

Yeah basically, if you trust them, they are not sharing or selling this data. But this is also the company that slid this in amongst a huge content patch and hoped we wouldnt notice.

MarbleQuiche · June 2018

Simply not good enough under GDPR.

Privacy policy does not cover it. Zeni need better lawyers.

A 'soft' opt-in is permitted if there are legitimate commercial needs when processing a user's data, or if there are lives at stake etc. Otherwise, there must be an explicit opt-in. That could form part of the privacy policy, but not in its current state. There would need to be a box that has to be checked by the user to explicitly opt-in to this data sharing. Any box must NOT be pre-checked (which is what a soft opt-in is regarded as representing). Any box to opt-in must be accompanied by an equally prominent opt-out box. You can't force a user to opt-in to data sharing to use your products and services, unless that opt-in forms a vital commercial component of the product or service you're offering (which is the grey area where a soft opt-in is permitted).

Zeni, you seriously need to get this sorted. EU will be aggressively pursuing those who breach the laws of trading within its borders. This is considered as fundamental a cornerstone in the EU as the US Constitution and its amendments are in the States. Politically, this is about the freedom of EU's citizens' and the freedom of democratic institutions. It may appear to be a large stretch from a privacy policy to something that threatens the existence of political institutions, but that doesn't mean you shouldn't be culturally awake to this. You definitely need to be legally awake.

Get it fixed. Please.

Turelus · June 2018

billp_ESO wrote: »

"Our service basically says "this computer clicked on a link from this YouTube video and the same computer played your game." " -- RedShell

So, when I'm playing ESO,, 3rd party spyware is watching what else I do and sending that data off to be sold to who knows who. And all with no warning, no option to not do it, or explanation as to what data it is actually collecting and what/who it goes to.

I'm going to load ESO and then leave a ten hour playlist of MLP FiM going just to mess with their data.

yodased · June 2018

Something that isnt being looked at here that i just dialed into.

How would i use this if i wanted to be evil?

Google, facebook and instagram analytics give me user hashes, i would use a service like onesignal to identify mobile and get push permission from them.

Then, you send specific tracking codes to the mobile that lead to a cookie place on a website with google and facebook tracking.

From there i can start linking mobile hash to website hash and link mobile to general hash.

Now. With redshell i can link a specific mohile push to a video which features a crownstore item. I can then track that purchase against players who opened the game after seeing that link.

From there. You aggregate allsources of data and say, yodased aka john doe aka steamuser yodased hopped these 4 cookies to buy this hat.

Advertise to yodased moar hats.

Tl;dr You are triangulating personal data from multiple sources and purchase data to identify users.

Troneon · June 2018

I hope they get massively fined for this, completely illegal in Europe / UK.

Haenk · June 2018

yodased wrote: »

You are triangulating personal data from multiple sources and purchase data to identify users.

Unfortunately, most people *still* don't know about Big Data. If they knew what is possible with mass data collection and statistics, they would be scared to death. No tin foil hat will help you (any more), the data is already out there. No need to add more data to "their" knowledge.
I have no doubt, that it's easily possible to track down an individual with Red Shell - they even admit it, since you can opt out with your Steam ID - that one is pretty unique.

DanteYoda · June 2018

Isn't this crap illegal now due to the new EU security laws?

yodased · June 2018

Haenk wrote: »

yodased wrote: »

You are triangulating personal data from multiple sources and purchase data to identify users.

Unfortunately, most people *still* don't know about Big Data. If they knew what is possible with mass data collection and statistics, they would be scared to death. No tin foil hat will help you (any more), the data is already out there. No need to add more data to "their" knowledge.
I have no doubt, that it's easily possible to track down an individual with Red Shell - they even admit it, since you can opt out with your Steam ID - that one is pretty unique.

Yeah i mean, they literally tell you to send them your email associated with your eso account and your steam account to stop tracking, like uhhhh how is that not PII?

If you can stop tracking me specifically then you can pick me specifically out. That logic means you can also identify me whenever the f*($ you want to.

Troneon · June 2018

DanteYoda wrote: »

Isn't this crap illegal now due to the new EU security laws?

YES

karthrag_inak · June 2018

yodased wrote: »

Something that isnt being looked at here that i just dialed into.

How would i use this if i wanted to be evil?

Google, facebook and instagram analytics give me user hashes, i would use a service like onesignal to identify mobile and get push permission from them.

Then, you send specific tracking codes to the mobile that lead to a cookie place on a website with google and facebook tracking.

From there i can start linking mobile hash to website hash and link mobile to general hash.

Now. With redshell i can link a specific mohile push to a video which features a crownstore item. I can then track that purchase against players who opened the game after seeing that link.

From there. You aggregate allsources of data and say, yodased aka john doe aka steamuser yodased hopped these 4 cookies to buy this hat.

Advertise to yodased moar hats.

Tl;dr You are triangulating personal data from multiple sources and purchase data to identify users.

On its face, analytics isn't that bad - it's currently used most often to, in effect, give folks information about stuff they have shown prior interest in, as you have stated.

The problem is that this data doesn't expire, and "new and exciting uses" might come about that are more insidious.

Imagine a scenario : massive time-stamped datasets have been compiled that hold comprehensive, far-reaching and surprisingly accurate information about a substantial portion of the population. Everything from where folks go throughout their day (via linked mobile data) to the websites they visit, the things they google, the items they buy, the services they express interest in or engage in online.

Now imagine if, through simple analysis, simple supervised learning and trajectory analysis (all technologies that exist today and are used extensively by pretty much everyone who contributes to this data aggregation effort) all kinds of arcane and non-obvious connections are drawn between the known data and certain unknowns.

Unknowns like propensity for disease or health condition, likelihood to commit a crime or engage in anti-establishment behavior, and other "unknowns" that are at the heart of why privacy is so important.

Imagine what insurance companies and governmental agencies would do with this information, either for their bottom line or for "the public good".

Shoot, even something as simple as what someone might buy in the future. I did this on my own at my old job, with my relatively puny dataset of only a few billion transaction records for a million customers, predicting if and when and what folks who have purchased things in the past may purchase in the future, from a list of about 40 categories, with >95% accuracy. Supposedly this was used just to help direct folks, but it could have been just as easily used to silently increase prices by some small margin of the goods the customer was predicted to be interested in. I've seen stuff like this happen on amazon already.

There's not much we can do to stop this from happening, unfortunately - this is the direction things are heading. But that doesn't mean we shouldn't do what we can to fight it.