It's the same for many other video games I play. A recent example is the anticheat that got introduced in the Rust beta builds. It takes screenshots of your desktop while you play, so what if I have a private chat or banking info open on my second screen? I don't want to have to be paranoid about that getting screenshotted and uploaded to their servers. Pretty sure this is illegal in my country, but I've contacted them and they do not care.
Its not 'ok' anywhere. It may be covered by small print EULA obfuscation. But its an underhanded, selfish, dirty thing for them to do. Regardless of whether they can be prosecuted for it. Lets be clear about the difference between legal and ethical.
I think, the fact this behavior is documented makes this okay. It's not an EA's fault that users don't read the accompanying documentation then are surprised the software does some things as a part of its job. I mean, accessing any information (private or not) is okay if you had reasonably clearly stated you would/may do so.
However, the fact accompanying documentation is a mess, so it's very hard to comprehend it, makes this not really okay.
I documented punching an old lady in the head, so it's ok.
No, it's not ok. Origin is a piece of software used internationally. Many countries have explicitly ruled that the EULA is not an out of legal requirements of those countries, which are more protective than the legal requirements in the US.
You can't just go and do something illegal and claim it's ok because one country has interpreted that the EULA lets them do that due to that same country's laws being heavily biased towards the corporation. That's what the GP was saying.
> I documented punching an old lady in the head, so it's ok.
How did you come with that? That's non sequitur.
As far as I know, no country outlaws merely scanning a list of recently ran applications. And article in question only talks about that, not storing, sending or whatever - actually it has completely no idea why Origin's accessing that UserAssist key.
If you insist - please, name me a country where, for example, it would be illegal to locally access (one again, not send anything based on that to a remote processing or storage system, that's another story) your contacts for a piece of software on your phone that had forewarned you it will access your contacts?
There's (almost) no permission systems on desktop, but there are other means to convey that information. Here, I'm considering EULA as not a legally binding piece of text, but as a part of documentation.
That's not how EULAs work, so far the only decision about EULAs not being binding is when they prohibit you from reselling the software. Not when you agree that the other party is allowed to do something.
> That's not how EULAs work, so far the only decision about EULAs not being binding is when they prohibit you from reselling the software.
I can write a EULA that requires you to sign over the rights to your firstborn child, your soul to the devil, and any other nonsense that I could come up with[0].
That doesn't mean that it's actually legally enforceable. Certain clauses have been deemed nonenforceable by law in contracts[1], so just because it's in the EULA doesn't mean it's valid.
Also, just because it hasn't been deemed nonenforceable previously doesn't mean that it is valid either; it has to be tested (as with all law).
That doesn't give a definitive answer either way, except to say that just because it's in the EULA doesn't mean it's permissible, either morally (subjective) or legally (objective, or at least "objective").
[1] The ones that people on this site may be most familiar with are noncompetes and/or invention assignments (in certain states - these particular examples are actually more hazy than most people think, but that's a separate matter). Other extreme examples would be contracts that make a person the legal property of another person (e.g. in many/most countries, you cannot enter into "consensual slavery" with a legally binding contract).
This is a bit tricky, though! The Origin EULA is not necessarily post-purchase.
It is, if you buy the disk, install the game and then click through. It ain't if you download Origin, install, accept the EULA and then buy a game.
Still, it is questionable whether a contract that is rarely read and can be changed at whim is a contract in some legislations at all. This is still a HUGE open topic.
Certain clauses will be unenforceable, obviously. But this isn't about enforcing, this is about you granting them permission to do something. After that you'll have really hard time in court trying to argue that they shouldn't have been doing it.
The point is that in many countries, you can't agree to give others permission to do certain things. The court will simply throw out any clauses which would try to permit these things.
Even in the USA, you can't sell yourself into slavery for the rest of your life, as an example of a contract that might be invalid. Most other countries simply have more consumer rights which disallow even more forms of contract.
In Germany, this is contract is very likely a violation of "established/good morals" ("Gute Sitten", https://de.wikipedia.org/wiki/Gute_Sitten ) and therefor null and void.
Which decision in which legislation? This is highly contextual.
In Europe, for example, contractual freedom with a consumer (not in between companies) is often highly regulated. And even then, it differs from country to country.
It's quite likely to be cheat-detection scanning filenames, maybe even file contents. Valve had an issue like this recently. (edit: the Valve issue was actually DNS cache scanning)
Yes Steam I think tracks what websites you've been to, but they only do this when they are already suspecting you of cheating, and they only send a hash of the url to see if matches known cheat sites. That's just one of the things I remember.
In a perfect world EA would just use steam and give up on Origin. I'm sure they can pay Valve enough to get top billing on steam and it would be less than they spend on their own anti-cheat and origin engineering. They'd also have to cut steam in on sales, but it might still be worth it. It would definitely be worth it to the user as the Origin software is horrible.
> Yes Steam I think tracks what websites you've been to, but they only do this when they are already suspecting you of cheating, and they only send a hash of the url to see if matches known cheat sites. That's just one of the things I remember.
And this is perfectly okay, but looking through a list of start menu entries isn't? In fact I'd consider shipping off lists of URLs and domains I've been to worse than looking through installed programs.
> In a perfect world EA would just use steam and give up on Origin.
I disagree, competition is a good thing. By this same argument we should all ditch every other operating system because most users run Windows, so using others isn't necessary. Sure Origin has had its' share of bumps, but so did Steam in its early days, now look at it - Steam is adored by gamers and anything else is immediately shunned.
> would be less than they spend on their own anti-cheat
I'm not sure about this, but from my understanding Steam doesn't really offer much anti-cheat, mostly just DRM. Valve games all have VAC, but I'm not sure how widely used VAC is for non-Valve games.
> It would definitely be worth it to the user as the Origin software is horrible.
I partly disagree with this. The Origin interface really isn't that bad, I actually find it a lot faster/more responsive than Steam's. Steam's interface is also far from great - although they do have great cross-platform consistency, it is at the expense of being inconsistent with the users operating system.
Region locking fun. The worst part being they say in the eula that you can not use VPN services with the Origin shop. So the choices is between either play guess the interface with real money or having them be able to say we blocked your account you no longer have access to your games.
Well, as a German I don't have problems understanding German, I just prefer having it like everything else in English. But it is a reason for me not to use them.
Steam's current client is basically terrible in all respects, try playing with SteamRE or one of its variants and it's insane how much better it is. Only a matter of time until someone drops a full featured open source client that performs much faster, more efficiently, and probably offers a better interface besides.
Sending a one-way hash of a hack phone-home URL only AFTER the hack was detected is far less disturbing than sending a ROT-13 list of recently used programs indiscriminately.
It isn't sending ROT13 encoded data anywhere (Well, it may, but the screenshots do not have any evidence of this), all the screenshots show is Origin reading registry entries that Windows stores about opened programs.
Honestly, though I actually use and like Steam, I absolutely hate how the walled garden / vendor lock in approach is making its way into PC gaming. There are games I 100% would have bought except for the fact that they force you to buy it through Origin. The only way to play without it is to use a pirated version.
Part of me wishes they could outlaw these types of things, but I don't really see any way you could logically force someone to make their platform available to competitors.
Lock-in is the holy grail of all software vendors. If they can achieve a pervasive lock-in, they're golden. We should always have that present in mind when we're discussing the actions of software companies, because it's a conflict of interest. It means consumers need to be extra vigilant about demanding data portability and cross-compatibility, since software vendors are not going to be happy to provide them voluntarily.
Almost every action Microsoft has taken in the last 20 years has been about furthering their lock-in. The Xbox exists solely to promote DirectX, which tightens Windows' foothold; other consoles were (and are) mostly based on a derivative of OpenGL, which made it easier to port games to non-Windows platforms.
.NET exists solely to ensure that more business software requires Windows, and Windows Phone exists to ensure that more mobile software requires Windows. Java's write once, run anywhere philosophy is one of Microsoft's main targets, and has been since Java gained popularity in the early-mid 90s. Cross-platform compatibility is the bane of software vendors within their sphere of influence. Since MS primarily sells operating systems and office software, everything they do is about ensuring it's difficult to use a different operating system or office software.
You can go through a similar history for almost every major software vendor. It's in their monetary interest to make it difficult for users to switch platforms, which means it's in their interest to keep your data locked up and/or obfuscated.
Xbox sales were #1 for years - had to be a profit motive there regardless of software 'lock-in'.
.NET maybe, but Windows Phone? Last place in phone sales. How does that lock anybody into anything?
IE supports Java - no lock-in possible there.
Sometimes companies complete by writing software people want to buy. Microsoft has demonstrably done that, and in a market where they are clearly incapable of locking anybody to anything.
IE runs Java applets through a third-party plugin, and Java runs on Windows because the Java guys write and distribute a VM that supports Windows. Microsoft already got itself in very hot water for trying to strongarm people off of its platform entirely (Netscape antitrust case), so they're not about to try that again. You can make software for Windows, but Microsoft is going to use their clout in legally "fair" ways to make sure you don't damage their lock-in. Java was a very serious threat to MS, which is why they created .NET and built an enterprise sales apparatus around it.
Sun lost its way and Microsoft ate up most of the custom enterprise software market with .NET. A pity really; the future could've looked much different if Sun had successfully and aggressively countered .NET. MS made sure it didn't happen because write once, run anywhere meant that Windows wasn't going to be very important anymore. .NET touted similar features, but the catch was they only wrote a VM for MS platforms, incidentally.
Pre-reply: Yes, Mono exists, Microsoft made minor contributions here and there to it, but it is now and always has been a second-class citizen in this space, and Microsoft will ensure that it always will be. It seems Mono typically gets support for an API just as it becomes deprecated and its new big brother starts to emerge on Windows. That's intentional.
The Xbox barely kept up with GameCube sales, and was ultimately a grossly unprofitable adventure.
Any business' end-goal is profit. With the Xbox, this is through both vendor lock-in and "owning the living room". Some MS exec once also talked about using it as a way to transition the masses of console gamers to PC, but that was probably just a "nice to have" at best.
The Xbox doesn't exist to support DirectX, most AAA games write to bare metal for better performance.It exists because Microsoft wanted a living room presence the way the Soviets coveted a warm water port.
There is no bare metal on Xbox, you always go through DirectX. The difference is that the Xbox version of DirectX has much lower overhead than the Windows version and provides access to all the functionality of the GPU, not just whatever's in the comparable PC version of DirectX.
Why don't you use your ability to purchase software from somebody else (or use open alternatives) rather than increase the ability of governments to threaten and imprison people? While there are societal benefits from regulating monopolies, making "anything that might annoy a consumer" illegal is a dangerous path and does little but erode freedoms.
Probably because of the massive power asymmetry between vendor and user.
Suppose my only option for earning a living depends on software from Vendor X, who has used lock-in techniques to eliminate their competition. At this point there would be nothing to be done except make vendor lock-in illegal.
It would be easy to do, too, simply by requiring either A. up-to-date, detailed documentation of file formats and protocols necessary for data migration, or B. support for an interchange format that provides the same features as a proprietary format.
I'm still not understanding why it should be illegal. We can start with an assumption that Vendor X eliminated their competition by fair practices or they would already be subject to antitrust regulations. If Vendor X uses their position to unfairly prevent competition (either in their own space or others), they are already breaking the law. If they aren't doing that, I fail to see why just having lock-in should be illegal.
This is not to say I'm a fan of vendor lock-in. Quite the opposite, actually. But I do know laws like this will always have unintended consequences, will always be manipulated by those same large companies ostensibly being regulated to give them advantages over new entrants, and, as a result, will always make the competitive landscape more difficult than it would have otherwise been. How big does your market have to be? How big does your company have to be? Is the broadband chip on your phone subject or just your whole phone? What about trade secrets?
The advantage of the antitrust laws is in the lack of specificity. It takes a complete trial to actually show wrong-doing.
I totally agree with your sentiment. But, how exactly would you enforce it? All they have to do is say "The games make use of Origin technology and won't work without our software". I am not really sure how you could prove otherwise or compel them to somehow provide it without the feature.
This paints it as more of a societal problem than a legal one, and I think you're correct in hindsight.
I think about my gamer friends, and they've resigned themselves to vendor lockin because "What choice do I have if I want to play with my friends?", something I've come to call the Facebook Argument.
However, when I think about [some of] my colleagues, many of them don't like vendor lockin when it's applied to them, but aren't against implementing similar features in their own projects with a different name, and I have a hard time believing they don't see it for what it is.
Because a case can always be made that the lock in provides some benefit, such as providing a consistent user experience. What you are really arguing is that the benefits they can provide through controlling the experience end to end are clearly outweighed by the negative aspects. While this is probably apparent to most people, proving it as a legal argument may be much harder.
Why is "everything on steam" a perfect world scenario? Give all the power to one system that already has significant problems with DRM and offline play?
We learned monopolies are bad this decade, again. Or is that again again? Or again again again? Or maybe it was again again again again again. I can't keep track. But we have a large portion of our population clamoring for every game to be on Steam or every house to be on Google fiber.
If you read the linked thread, they are not "accessing your browser history". Rather, as a specific countermeasure against specific cheats, they checked the DNS cache for access to a particular set of phone-home server addresses embedded in some cheats. Not websites, but backend servers (ironically) enforcing DRM for cheat software. Like all such countermeasures, it was effective for a short while, then counter-countered by the cheat. What they sent back to valve was only a "yes they appeared to have accessed cheat backend server X", not a list of all accessed servers or browsing history.
I'm not saying I love it, but it's important to be accurate before turning the outrage dial to 11.
So far as outsiders were able to tell, it sent back hashes of every DNS cache entry. Someone stuffed their DNS cache with a larger-than-usual number of entries and found the amount of encrypted data sent back consistently increased by exactly the amount required to send every hash twice, then went back to normal when they cleared their DNS cache.
This is worse than checking history in some ways. It's much easier to get a stray entry in your DNS cache than to accidentally visit a "bad" website (which isn't that hard either). If anyone links to an image on that domain's servers, Valve will use the presence of the domain in the resolver cache as evidence that you're a cheater. That's not a very reliable system, and I don't think it justifies the privacy invasion from either perspective.
Well.... As far as spying goes it doesn't sound that horrible. Since they are only checking hashes of your history against a list of common cheating site hashes they really gain minimal information. If their were clear opt-ins and transparency I would definitely be okay with this sort of anti-cheating measure.
Well to be fair, you can often receive those gorillas from reputable shippers (torrents), keep them each in their own strong cage (different user account under wine, chroot/namespaces being the next step), and prevent them from getting overexcited by the jungle (iptables).
Prove that Steam collects data about your system, except for hardware statistics that it asks you want to send. Being the first platform for gaming, I think that Steam gets audited by a lot of people quite often; despite that, I have heard nothing about Steam spying on its users.
The only "invasion of privacy" found was in VAC, which uses security through obscurity to deceive cheaters. When somebody got concerned about that, Gabe Newell immediately explained publicly the security mechanism, letting everybody with basic IT knowledge deduce that Valve has thought this quite thoroughly for privacy.
Last time I refused to participate in the Steam hardware survey, it was because the description of the data sent in the survey included "software installed on the system." If you use anything other than Steam on your system, that's not really acceptable. AFAIK, though, that is only if you join the Steam hardware survey.
You are mistaken. Steam looks at your local DNS cache to see if you've got the DNS entries of known cheat sites (since some of the cheating tools have their own convenient licencing mechanism that requires them to phone home at a special URL, this is easy-mode detection) in your cache. They do not look at your browsing history.
It's actually much worse than that. Without any kind of ad blocking or privacy extensions, 2 minutes after loading the page, it has made 770 HTTP requests and used 18.5 MB of data. Is this becoming the industry standard now for blogs and news sites?
And now we're going to get OS level DRM that works through all of our browsers, thanks to Netflix, Google, Microsoft, Apple, and last, but not least, the W3C. Terrific.
The issue goes deeper than DRM. Online games like Rust, CS:GO and so forth attract cheaters.
Often the intent of a cheater is to ruin the game for everyone else, with patches that give them super-powers (aimbots and wall hacks are pretty common) and the ability to unfairly dominate the other players. Sometimes there are cheaters in official tournaments (a high-profile player in Germany was recently found to be cheating).
Scanning a whole system for "DRM cracking tools" seems very, very bad to me. If this is what EA is doing then they had better have a really good explanation.
Scanning a the running environment of an online game, under the umbrella of a EULA, seems fine. I'll note that if you object to this, you're free to play on non-protected game servers.
Some games are designed to be inherently cheat resistant. One strategy is for the server to never give the game client enough information to be useful for cheating, so even if you've written a totally cheaty client it doesn't do you much good. (Reductio ad absurdum, your client is just a smart video feed with some controller input).
Cheaters suck, but they're a fact of life and if your online game doesn't prevent them then you'll be overrun by the scum and honest players will stop playing.
To compare with Valve's reaction when an user discovered that kind of data collection in VAC, EA representatives don't seem to know a thing, while, for VAC, Valve's CEO Gabe Newell immediately explained publicly the situation and demonstrated that Valve did think their system quite thoroughly for their users' privacy: http://reddit.com/r/gaming/comments/1y70ej/valve_vac_and_tru....
Is there any proof of this actually being packaged up and sent to EA? It seems to me that this is probably like Blizzard's Warden process, which actively scans for hacks while the client is open. I'll save my outrage until there is proof that they are phoning home with these file scans.
Wow... people seem to be ok with this - saying this is in the EULA, therefore it's all cool?
"Errrm, I couldn't help but notice that the videogames company representative just let himself into your house, fucked your dog up the arse, killed your goldfish and pissed in your coffee"
"Oh yes, it's all in the EULA, it's perfectly fair, I am playing the game I bought from them, don't you know!"
They did so very openly, although you clearly couldn't play the game without submitting to the requirements.
Of course, this was back when things like having the government surveil our library history was considered a big deal in privacy. Culture's changed quite a bit since.
Snooping my files? Ugh, jackasses. But using ROT13 to hide your activities? That's downright offensive. Who the hell uses a Caesar cipher in the 21st century?
Actually the UserAssist reg key is meant for windows explorer usage tracking and does the ROT13 encoding automatically. You can turn off the encoding or tracking in general. Source-http://www.aldeid.com/wiki/Windows-userassist-keys
This is what scares me about Steam at little. My understanding (though not sure) is this is what Apple's OSX store and Microsoft's windows app store are trying to solve. Basically sandbox native apps so you can install them and not worry they can do stuff like this.
I'm not saying they succeed at that. I have no idea how secure their sandboxes are and what limits they place. But, that is arguably the intent (or at least one of the intents).
Steam on the other hand has no such intent AFAIK. Of course in all those cases, including Steam, there is the threat to the publisher they'll be banned from the store if they do this kind of thing. I don't know if there is any example of Steam removing an app because of "unethical behavior". I would guess if it was an indie they'd ban first, question later whereas if it was a big publisher like EA they'd probably talk first, try to get them to address the issue.
I'd be curious to know if Steam Box makes any effort in this direction. I was similarly worried about Boxee apps (the PC/OSX/Linux version), XBMC scripts. etc...
The UserAssist registry key was meant for tracking Explorer stats. EA is just reading a reg area that windows is already tracking. Also, you can turn it off. Source- http://www.aldeid.com/wiki/Windows-userassist-keys
People need to be educated on what software/websites is/are doing by default. I would assume that most people familiar with today's tracking boilerplate would know better than to install Origin in an unsandboxed environment in the first place. Unfortunately, this doesn't seem to be the case.
The worst thing is that Origin is compulsory for many EA distributed games now. e.g. If you played Mass Effect 3, you had to go online with Origin running every time you played the game to get past the DRM, even if you bought a physical disk to install the game. There were no other options for acquiring the game legally.
Besides being intrusive, Origin is spectacularly unfriendly to user mods. The mod community has made some nice texture upgrades for ME3, but to use them with an uncracked ME3 executable requires you to shuffle files around while Origin is running so that it never sees the modified executable (Origin scans and validates executables when you start up a game).
I'm not much of a gamer, but Bioware games are a weakness of mine. I look forward to the day when they're no longer infested with EA's spyware.
So wait...these allegations are based entirely on the fact that Windows registry keys exist with ROT13-ed process names?
Let's just check the scorecard:
- Outbound packet captures showing that Origin is capturing this information? Nope.
- Proof that the Origin client is making a targeted effort to steal information about the user? Nope.
- Indications that Origin is accessing the processes of Firefox or Chrome in any way beyond getting their names? Nope.
- Indications that Origin is potentially capturing any information at all beyond the names of some running processes? Nope.
Cheat detection has been named a couple of times, and that's certainly plausible. I'd imagine ROT13 is used to prevent Origin from being spuriously picked up by antivirus software.
Those registry entries were not created by origin. They were created with rot13 by windows explorer. That screenshot shows origin specifically checking whether the entries exist. So origin has a list of files that it checks if the user has.
I guess I don't really know. But the way it says either "SUCCESS" or "NAME NO..." makes it look like it either found the registry entry or it failed to find the registry entry. The second case would probably only happen if it was looking for specific keys.
We need a new hardware architecture to elegantly enable containment and sandboxing. Every application should have its own isolated virtual environment and OS for execution. Like Qubes, but with every environment capable of utilizing the full hardware simultaneously (that is, managed by the hypervisor).
Direct access to the video hardware is the main thing that holds back the virtualization of gaming or other graphics-heavy activities. We desperately need a solution to that.
This is kind of already available for VDI if your willing to accept the overhead of multiple OS instance. Nvidia GRID and similar GPU / Compute boards can handle multiple simultaneous users.
The problem is COST. These are designed for VDI servers supporting 25/50/100 desktop users not 1 gamer and are priced as enterprise equipment.
The program is probably hooking into the web browser, because you need to start some Origin games (BF 3) via the browser! Yeh, I'm not joking.
A similar thing happened for me with Googleupdate.exe it scanned all my hard drives ... They don't do it any more but I still remove googleupdate.exe every time it magically gets installed on my system.
One of the problems with encrypting almost everything, even pictures of your dog, is that it no longer brings suspicion ... And programs like these can send any information without you knowing about it.
Encrypted data is not a security protection, it's a security risk! Because you have no idea what information they send. Probably a lot more then they tell you, because there's no way you can find out.
Kind of crappy sensationalist article. This is common behavior for game clients which do this sort of thing to detect cheating and bots. E.g. World of Warcraft trying to detect automated gold farming, etc.. I can think of at least four programs that do this sort of thing and it would only be news if it didn't, honestly.
While I am aware that warden and things like it can scan the memory of processes, I don't think they are granted full access to read everything on your system. I believe their are restrictions like the file must actively be reading / writing your processes memory before you can scan it.
There is definitely 0 reason that they should be scanning all of the files on your computer and storing them in some sketchy gibberish registry settings. Who knows what else they are looking at.
Warden in fact has capabilities to scan absolutely anything on your computer, but it only does it when new cheat definitions are shipped. (This only happens during mass banwaves which happen every couple of years)
I'm not an OS wizard, but checking the continuity of your working memory sounds pretty expensive and wouldn't necessarily give you the source. I have no idea how you'd look for outside reads unless you had full permissions.
Can you expand a little bit if you have some knowledge on the subject?
Hahaeha, no, warden can and does scan EVERY SINGLE THING on your system. Good luck with fixing that whole "trusting companies that release games I like" thing.
I actually don't even play any blizzard games, but I thought I remembered them being sued over warden overstepping its bounds back in the day. I tried to search for it though and cannot find any evidence, so I guess I must have been wrong.
Even if you think this sort of thing is OK because of EULAs or explicit consumer buy-in (I know multiple people that are OK with it because they are bigtime gamers and appreciate its reduction of cheating,) this is one more NSA attack vector. How's the security on this backdoor? Does EA ever service NSLs?
Origin is a software intended for international use, including such countries where this behavior is:
a) actively prohibited b) probably illegal, but never came to court c) not covered by the EULA, as EULAs are not binding
It might be okay in your country, but not in others.