Gamers: Is Red Shell ‘spyware’ being used in the games you play?

Red Shell logs a gamer’s fingerprint so game developers can discover where players are coming from and if their marketing budget is being used wisely. Some gamers, however, view this fingerprinting more along the lines of spyware.

Innervate, the company behind Red Shell, launched the service one year ago – June 1, 2017. At the time, it was described as “a tool that enables developers to understand exactly where their paying customers are coming from on the Steam PC gaming portal.” It also can track console games.

Nearly a year passed before there was much said about the analytics service. Whether this is based on suddenly observant gamers or the new General Data Protection Regulations (GDPR), the backlash against Red Shell really started a couple weeks ago with posting on Reddit and Steam.

Red Shell told gamers that it is not spyware even though it shares the name with a “14-year-old trojan.” As for tracking, the company says it “tracks information about devices. We collect information, including operating system, browser version number, IP address (anonymized through one-way hashing), screen resolution, in-game user ID, and font profiles.”

Examples provided in the documentation include gathering information about which operating system is being used, the screen resolution, time zone, language, as well as all fonts and web browsers installed on the gamer’s PC.

Red Shell went on to tell gamers that it does “not collect any personal information about gamers. We don’t collect names, emails, or addresses. Our service basically says, ‘this computer clicked on a link from this YouTube video and the same computer played your game.’ We have no interest in tracking people, just computers for the purposes of attribution. All of the data we do collect is hashed for an additional layer of protection.”

Whether the information collected and tracked is it considered personally identifying information seems to depend upon if the developers are lazy or not.

The documentation under user ID stressed to developers that “it is very important that all individual users get a unique user ID.” How that is done really depends upon the game developer, as Red Shell recommended “that you use some form of user account id. In the past we have seen success with things such as Steam IDs or game-specific account ids. We also recommend that you provide this ID in a hashed format if it would otherwise be considered PII by your legal team.”

At any rate, as has been pointed out on Steam, Reddit and Bleeping Computer, gamers have been compiling lists of which games are using Red Shell and which developers have pledged to remove it.

Game developers react to Red Shell backlash

Here are a couple of examples of how game developers responded to the backlash.

Zenimax Online Studios said Red Shell was “erroneously added” to Elder Scrolls Online as the company had been “experimenting with a better way to link which advertisements and web content new players see to the eventual account that is created in the game.” Red Shell was reportedly removed from ESO on June 4.

Daylight Studios removed Red Shell for now, adding that it might integrate it more properly in the future with an ‘opt-in’ approach.

According to a Reddit post which continues to be updated, as of Saturday, June 16, these are the games that committed to removing Red Shell:

• Elder Scrolls Online (Pledged to remove it)
• Conan Exiles (Pledged to remove it)
• Ylands (Pledged to remove it)
• Holy Potatoes! We’re in Space?! (Pledged to remove it)
• All Total War games (Pledged to remove it)
• Warhammer: Vermintide II, (Pledged to remove it)
• Warhammer: Vermintide I, (might get removed also?)
• My Time At Portia, (Pledged to remove it)
• Dead by Daylight (Pledged to remove it)
• Battlerite (Pledged to remove it)
• AER Memories of Old, (Pledged to remove it)
• Magic the Gathering Arena (closed beta & not on Steam), (Pledged to remove it for now)
• Secret World Legends (Pledged to remove remains of it)
• Hunt: Showdown (Pledged to remove it)
• Escapists 2 (Pledged to remove it)
• Omensight (Pledged to remove it)

Games still using Red Shell include:

• Civilization VI
• Kerbal Space Program
• Guardians of Ember
• The Onion Knights
• Realm Grinder
• Heroine Anthem Zero
• Warhammer 40k Eternal Crusade
• Krosmaga
• Eternal Card Game
• Sniper Ghost Warrior 3
• Astro Boy: Edge of Time
• Ballistic Overkill
• Cabals: Card Blitz
• CityBattle | Virtual Earth
• Desolate
• Doodle God
• Doodle God Blitz
• Dungeon Rushers
• Labyrinth
• My Free Farm 2
• NosTale
• RockShot
• Shadowverse
• SOS & SOS Classic
• SoulWorker
• Stonies
• Tales from Candlekeep: Tomb of Annihilation
• War Robots
• Survived By
• Injustice 2
• The Wild Eight
• Yoku’s Island Express
• Raging Justice
• Warriors: Rise to Glory!
• Trailmakers
• Clone Drone in the Danger Zone
• Vaporum
• Robothorium
• League of Pirates
• Doodle God: Genesis Secrets

The list could continue to change, as Red Shell advertises that game developers can “start tracking for free.”

Some gamers don’t care about Red Shell

As mentioned previously, it is clear that many gamers consider Red Shell to be spyware-like, but there are also some gamers who simply don’t care. As an example, I asked a few fellow gamers how they felt about the developers integrating Red Shell without giving any notification of deploying it. One claimed it was no worse than Facebook and another made jokes about everything from Windows 10 to the neighbor’s dog spying on him.

Other gamers simply didn’t know about Red Shell, but an “opt-in” option could change that. Then again, how many gamers really read the end-user license agreements before agreeing to the EULA and could tell you how they already agreed to being tracked and monitored?

An opt-in approach may be easier to get than game companies admitting that loot boxes are considered gambling that may need to be regulated.