Privacy in gaming

Arkandel · Nov 15, 2019, 6:23 PM

This came up in the TS thread (because of course it did) but it definitely deserves its own space.

How much - if at all - do you value your privacy online in the context of gaming?

The following is just a prompt where I was going to respond to Pandora. Feel free to expand and add your thoughts.

@Pandora said in The ethics of IC romance, TS, etc:

I think we've gotten so entrenched in 'PROTECTIN' MAH RIGHTS!' that people aren't really giving any thought to how (not)useful this so-called right is in the context of a GAME as opposed to real life.

I don't protect my privacy because it's useful to me. I value it because it's important.

Or to quote Snowden: Arguing that you don't care about the right to privacy because you have nothing to hide is no different than saying you don't care about free speech because you have nothing to say.

Derp · Nov 15, 2019, 6:27 PM

And yet, it's a reality of the medium.

Players can value privacy. Staff can respect privacy. But there is no barrier there. Staffers can invade it if they want to, because you are essentially walking into the ultimate surveillance machine, and players have to accept that it is entirely possible that their privacy is being violated, and they'll never know unless that information is somehow misused.

And it has been misused. Repeatedly. Yet we still continue to play these games and hope for the best.

Ultimately, there just isn't much you can do about this, ETA: other than make a big noise about it and hope that someone cares, though there is precisely zero action that you can really take, short of quitting the game (or really, the hobby, since it's possible on every game). It's a great armchair argument, but in practical terms, you have zero control over this. Whoever has access to the server/code does.

Auspice · Nov 15, 2019, 6:28 PM

You are literally sending data over an unprotected means of communication.

If you are so hyper concerned about omg my text sex might be read by someone.........why are you even posting here? This isn't ultra secure communication.

Even WhatsApp has been proven to not be as secure as they claim.

The deal is: any MU out there can slap a flag on you and start monitoring everything you say or do.
Any server admin can start recording everything on a game.

You have to realize no matter what game you're on, the potential is there.

You just need to be gaming places where the staff has the integrity not to abuse aforementioned potential.

I've left games because I realize (or have it proven) that I can't trust staff not to be abusive in their power. But by and far, I realize most staff has far more important and better things to do with their time than to watch me TS.

.....and if they are watching me TS? I hope I'm entertaining at least.

Jeshin · Nov 15, 2019, 6:29 PM

Privacy in MUs is very misleading. Not only are you sending information to a server run by strangers but there is no means of recourse to preserve your privacy. Just like this forum I don't use a password here that links to anything important to me. I don't expect my IP to be private if the forum closes and the owner wants 5 dollars for selling the list of IPs and emails >_>

You can advocate for respecting privacy but there is still the reality that people should take actions assuming their privacy isn't going to be respected.

PS - I still find it odd that MUSH players expect game owners to be unable to see everything that happens on their games. I still just assume every command I enter include quit and RP posts gets saved to a runlog somewhere even though I've been assured in multiple threads that isn't how things work in MUSH circles.

Ghost · Nov 15, 2019, 6:34 PM

@Auspice Thank you. Repeating record, here.

MU transmissions sent over telnet port 23 are transmitted in plaintext and highly susceptible to keystroke loggers, password sniffing, and other forms of interception. Telnet is the current MU standard, replaced in every other industry by SSH around 2005 due to horrific vulnerabilities.

I can only surmise that since people don't seem to worry about this (but are horrifed that staffers or other players could be reading their TS) that the emphasis on privacy is more related to feelings on persons within the community than about 3rd party snooping or spouses using spyware.

Arkandel · Nov 15, 2019, 6:39 PM

@Ghost And yet this is not a good argument. Of course plaintext data are easier to intercept but the payoff potential is very small that no one intending to make a profit from it will bother.

Profit is not the only incentive for violating someone's privacy though. Consider stalking as an obvious example. Exploits within the game, be it by staff or anyone else running 'eavesdropping' objects are far more likely than intercepting site to site communications.

L. B. Heuschkel · Nov 15, 2019, 6:42 PM

There's never a promise of true privacy in someone else's sandbox, and obviously, staff can and likely will, poke at things uninvited -- particularly if you give them some sort of rules violation to go from. You should never enter anything into the command line that ultimately, you don't want anyone else seeing.

That said... I think I said it before, in the other thread, but here goes again. The hill I'm willing to die on is respect between players and admins. The fact that you can monitor someone's conversation doesn't give you the right to do so.

But I'm not going to contest the argument that some people will, anyway.

Auspice · Nov 15, 2019, 6:48 PM

Also, another point: in part, your privacy is on you.

Not in the scenario of 'is an admin reading my scenes?' If they are that's on them.

But in regards to, say,'Can someone Google my name and find me?''Does my social media give away too much?'
These are the considerations that often lead to privacy concerns.

I've known people who think just because they don't have a Facebook, they can't be found. But they didn't pay close enough attention when, say, registering to vote and allowed their district to make their data public record so now all someone needs to do is throw their name in Google and: oh hey I have your name, address, phone number, political party..........

To me it's a scale of importance. You can't find me on Google (without presumably already knowing a good deal about me), but if someone thinks my RP is good enough to snoop? Whatev.

Ghost · Nov 15, 2019, 6:49 PM

@Arkandel Perhaps, but let's take it a little deeper.

In theory any online service that communicates with persons in the EU falls under the GDPR, even if monetary transactions aren't taking place. Per the GDPR any processor or controller of PII (personally identifying information) of EU citizens must disclose what is being collected, what is getting logged, how long it will log for, how it will be shared, and can only collect/keep as much is necessary for the service to take place.

So, in theory, since the GDPR considers IP addresses to be PII, it wouldn't be out of bounds for a citizen of the EU to demand an audit of a MU for any PII of theirs that was collected, shared, etc.

I know the topic is in regards to privacy in terms of "reading someone's poses", but between using telnet and the fact that most game runners don't even know what info is kept/collected (or whether or not that DB stolen from the old WoD game was made to make a new one) there's a chance that plenty of stuff exists in storage on these games that people may not wanto be collected.

Everyone who play these games should absolutely assume that staff, players, people snooping their connection, etc are able to read their TS, because it really is an insecure hobby with a shitload of "PII collecting gray area". Most people care a lot about policies regarding behavior/staff snooping, but tend to not think to ask about whether or not staff are aware of or have an eyeball on how their PII is controlled or TS logs are able to be read by Swedish 16 year olds with warez that were obsolete almost 15 years ago.

L. B. Heuschkel · Nov 15, 2019, 6:49 PM

@Auspice I am ridiculously easily found on Google. I mean, this is my name. The one in blue right there. I am a writer, I need people to be able to find me, I use my name everywhere. For me, the privacy filter is between hands and keyboard, putting nothing on the net that I don't want to see in Google later.

Sunny · Nov 15, 2019, 7:02 PM

If I were playing somewhere and discovered that I was being spied upon in a way I found objectionable, I would leave (immediately) and probably holler about it here to make sure nobody else was surprised like I was. I have no expectations that my communication is secure, and I know damn well how easy it is to spy. I still have an expectation of reasonable privacy, and if I don't get it, it's a deal breaker. Not because I said something I don't want to be made public, not because I'm super worried about my ts being watched, but because privacy itself is valuable, and if someone violates it for their own gain or entertainment, they aren't someone I can trust in even the most basic way.

Alamias · Nov 15, 2019, 7:03 PM

I wouldn't hate it if MU's moved to a different more secure port. I don't know why it hasn't moved up with the times to use a more secure connection.

Sunny · Nov 15, 2019, 7:04 PM

If you aren't trustworthy enough to respect privacy when there is no need to violate it, then you aren't trustworthy enough for me to play at your table.

Ghost · Nov 15, 2019, 7:07 PM

@Alamias Most modern clients support SSH, and ive heard of a few games that tested it. SSH encrypts the entirety of the message, including users/password authentication. The settings are always around there somewhere.

@Sunny in theory, written policies on how staff collect, snoop, and share data transmitted to and from the MU isn't a horrible thing to make into a standard.

faraday · Nov 15, 2019, 7:11 PM

@Ghost said in Privacy in gaming:

Telnet is the current MU standard, replaced in every other industry by SSH around 2005 due to horrific vulnerabilities.

SSH won't protect you from the game owners snooping though. It falls into the same vein of Gmail employees reading your emails, Discord employees snooping on your juicy gossip, or Ark & company here on MSB choosing to sell our emails. The only thing really stopping them from doing so is their own internal policies. That only goes so far.

The GDPR theoretically applies to MUs and provides some data protection "rights", but good luck getting that enforced. Or even understood.

I think that any reputable MU should have a privacy policy and informed consent via some sort of 'terms of service' acknowledgement. While I don't think it needs to be as elaborate as, say, Blizzard's Privacy Policy, it should set expectations. Blizzard is very up-front that chat logs, etc. ARE logged and subject to review for abuse and whatnot. That doesn't stop people from playing WoW.

The difference between Blizzard and your average MU is accountability. If some Blizzard employee is discovered getting their jollies by snooping on random chat convos, they're going to get fired. We lack that accountability on MUs because - as someone pointed out on the other thread - MU players generally tolerate that kind of nonsense and continue playing even after such abuses are 'outed'.

@Jeshin said in Privacy in gaming:

I still just assume every command I enter include quit and RP posts gets saved to a runlog somewhere even though I've been assured in multiple threads that isn't how things work in MUSH circles.

It can be. Even if the game server doesn't let you turn on full command logging with a switch, it can be done. Bottom line: if you're sending data to the server, then the owner of the server has access to the data. It's what they're gonna do with it that's the interesting question.

Ghost · Nov 15, 2019, 7:17 PM

@faraday said in Privacy in gaming:

SSH won't protect you from the game owners snooping though.

True. At that point you delve into whether a MU applies as developed software and should have some form of EULA that describes right to privacy and how/when (and user agrees to) the app owner can breach that privacy.

In theory, if someone pages another person with their name and phone number, that information sticks to the DB, then someone with access to the DB utilizes that in some kind of crime, there could be ramifications, there. I'm no lawyer, but this seems a sound assumption.

Ghost · Nov 15, 2019, 7:22 PM

The reason I bring this up is because all telnet port concerns aside, you gotta ask questions, like: "If I'm in a TS scene and a staffer who hates me collects my IP information or pages, what's to stop them from using the DB as a data aggregator that results in my spouse being found on FB and logs of my TS being sent to them?"

Sure, it's an extreme case, but when discussing privacy it's those kinds of questions that can create good policies and security standards.

faraday · Nov 15, 2019, 7:24 PM

@Ghost Yeah I am definitely not a privacy lawyer or anything, so I can't comment on potential liability. But I think that in today's tech/privacy climate, MU owners should protect themselves and their players. That means having a policy for what data is collected and how it can be used, and ensuring that other staffers follow that policy.

faraday · Nov 15, 2019, 7:44 PM

@Alamias said in Privacy in gaming:

I wouldn't hate it if MU's moved to a different more secure port. I don't know why it hasn't moved up with the times to use a more secure connection.

Double post because I missed this while replying to the other one...

A big reason is barrier to entry. Setting up a SSL certificate and getting the server settings right is not trivial. You have to remember that most folks running MUs are not professional server admins. I've made it as easy as I can to set up HTTPS for the Ares web portals, but it still trips people up sometimes. Also I'm not sure all MU clients even support it, so you still have to provide the insecure port as well.

Derp · Nov 15, 2019, 7:56 PM

@faraday said in Privacy in gaming:

Setting up a SSL certificate and getting the server settings right is not trivial. You have to remember that most folks running MUs are not professional server admins. I've made it as easy as I can to set up HTTPS for the Ares web portals, but it still trips people up sometimes.

adds this to his to-do list