You may recall that Blizzard is the videogame company that sued three software programmers for creating BnetD, a free, open source program that allowed gamers to play games they purchased with others on the platform of their choice. Blizzard claimed that the programmers violated several parts of the company's End User Licensing Agreement (EULA), including a provision on reverse-engineering. But it turns out that's not all that Blizzard's lawyers have inserted in the fine print. As Bruce Schneier reports, the company is also using its Terms of Use agreements to justify spying on gamers' computers.
Writes Greg Hoglund, co-author of Exploiting Software: How to Break Code:
I watched the [software] warden sniff down the email addresses of people I was communicating with on MSN, the URL of several websites that I had open at the time, and the names of all my running programs, including those that were minimized or in the toolbar. These strings can easily contain social security numbers or credit card numbers, for example, if I have Microsoft Excel or Quickbooks open w/ my personal finances at the time. ...[The scanning] certainly will result in warden reporting you as a cheater. I really believe that reading these window titles violates privacy, considering window titles contain a lot of personal data. But, we already know Blizzard Entertainment is fierce from a legal perspective. Look at what they have done to people who tried to make BNetD, freecraft, or third party WoW servers.
As Schneier says, this is truly scary stuff. Yet even a few of the security-savvy readers at Schneier's weblog are downplaying its significance. Why?
Annalee Newitz has a theory that rings true to me: people think of routine spying as normal.
Do you realize the government would have to have a warrant to get the kind of information Blizzard claims it has the right to suck out of your computer to stop cheaters? Doesn't that seem a wee bit wrong?
In a normal world, a sane world, people would be boycotting Blizzard for having the nerve to look through their kids' hard drives. They'd stop playing Blizzard games online and stick to LAN parties, where a bunch of people network their computers together for a group game that circumvents the Internet.
I think fans are still flocking to Battle.net for two basic reasons. One, most probably don't realize Warden is spying on them (it's hard to blame them for not reading all the way through the stultifying terms-of-use page). And two, they've convinced themselves that surveillance is normal. Sure, games are supposed to be entertainment, but in reality they're just compressed, contained reflections of our everyday lives. It should be no surprise that, in an era when Americans submit to having their bags searched on the subway to get to work, they are willing to let corporations riffle through the entire contents of their personal computers so they can have a little fun.
If word gets out about this, it will no doubt register with more people that they need to read their EULAs, but the problem is much bigger than that. How many more of our rights will courts allow companies to click-wrap away? And how do we stop digital-era privacy norms from developing that let people accept things like the government demanding that ISPs and VoIP providers make Internet surveillance (even) easier, while claiming it has the right to turn our cell phones into location-tracking devices?
1. Annalee on October 14, 2005 1:29 PM writes...
Speaking of weird things that we allow software companies to do to us, it looks like the latest version of Symantec's anti-virus software is nuking PSP hacks if it finds them on your PC. I hope somebody will investigate this.
2. Randy on October 14, 2005 2:20 PM writes...
Show us proof. Some guy saying, I saw this, I saw that doesn't mean a thing. Sniffers have this feature called "logging". They produce, you guessed it, logs. Post some of these logs and we'll start to believe what you're saying. Otherwise, we'll just mark you down as someone stupid enough to name Office documents after account numbers and use financial institutions that put your SSN in post data.
3. Italo Leonardo on October 14, 2005 4:22 PM writes...
Greetings!
They allow that I enter in this to talk, saying that close to the technological barbarity that is committed here in Brazil, where we have that to be "specialists" so that let us can identify the false products, of bad quality. And worse, is that we do not have nor where to complain.
Surely the exceptions exist.
Hasta Hotra!!!
4. Seth Finkelstein on October 14, 2005 6:17 PM writes...
I've often said that the DMCA imposes requirements that would have people screaming in other contexts. The de facto ISP registration (for safe harbor from legal liability) would draw howls of outrage if the reason was "National Security".
But for "contract", we can be Bill Gates' towel boy
5. Thumpah on October 14, 2005 10:25 PM writes...
Not only is Greg at least 3 to 4 months late to the party (Blizzard had full disclosure of this software on their official forums. The thread is still sticky, and is prominently displayed), but Annalee decided to throw fuel on the fire by taking her Chicken Little routine to her son, who has never played World of Warcraft, and has no idea of what this software does.
Please don't continue to spread this panic. Please let the level heads have their say. I'm seriously concerned now that this viral idiocy has spread to Boingboing.net. Pretty soon, the meatheads in the mainstream press will get hold of it, and finally someone in the Senate will start another stump speech about the evil of video games.
6. drwex on October 15, 2005 8:12 AM writes...
So let's say it's true. Blizzard is spying on me. (Yes, me, I play those games and I'm talking about myself here.) Why don't I boycott Blizzard for this behavior? Value received and lack of comparable alternatives, I think.
I like playing these games. I have investments in the time and relationships built up within them. The ideal situation would be one in which I didn't have to trade off my privacy for commercial value but over the last two decades we've set up a social system in which that's the de facto exchange.
From supermarket cards on down, corporations have built systems, and habituated our society, to a model in which the atomic consumer's data are tokens of exchange for merchant value, whether in the form of discounts, access, or bald-faced terms of service. You may complain about this, and take individual action to circumvent or introduce friction into the system. But no pocket of rebellious sheep is going to change the direction of the vast flock.
I do not believe individual action is the appropriate response to this. What is necessary is legislation. Unless all companies are forced to compete on the same playing field there is too little incentive for one company to disadvantage itself by giving up these data. Anti-spyware legislation could fairly easily be extended to prohibit this kind of scanning practice, or to limit the collection of personally identifying data.
So I'll lobby for that, and in the meantime continue playing WoW.
7. smoothie on October 17, 2005 10:21 PM writes...
As a long time player of Blizzard games and other online computer games, I have no problem with what Blizzard is doing - as long as they are only using the programs to stop cheating. Cheating is a big deal in on-line games, and it is really really easy to do in any on-line game and completely ruin it for everyone else. Players allow their computers to be scanned because they would rather play in a game that isn't ruined by cheaters than have a little more privacy but have their game ruined.
8. J. Stanley on November 4, 2005 12:16 PM writes...
Randy: perhaps you're not familiar with how aptly named Windows is. Everything--every user interface element--is a window. This includes not only dialog boxes, but buttons, labels, text boxes, etc. If Warden is scanning window text, it could be gathering a LOT more information than you think.
9. NCS on December 4, 2005 8:35 PM writes...
J. Stanley,
You're wrong,
you should do some more research.
Windows does NOT use IM for elements.
write a program and try gaining button names
using IM, you can't. Not that there aren't ways of gathering element names, but the point being, gathering window titles does not gather other elements.
10. Marcus on October 18, 2006 10:59 AM writes...
Wow, good thing you inform us about this... not that it's news or anything...