https://www.reddit.com/r/Steam/comments/8pud8b/psa_red_shell_spyware_holy_potatoes_were_in_space/

Redshell is a kind of data collection tool that developers can put into their games to collect user data for "analytics purposes". It tracks users through multiple applications (mainly the browser and the game into which it is integrated) to "measure the effectiveness of marketing campaigns".

They describe how they work on their website: https://redshell.io/home

There's a big list of games that have this integrated into them, and most of them don't have an option to opt out, although Redshell themselves recommend having an opt-out option despite claiming none of the data they collect is "personal data" as per the GDPR. So it was on the developers, and almost all of them refused to give an opt-out option.

The infected list is too big to post here but can be found in the reddit link. High profile games include Civ 6 and all Total War games.

So, wat think?

EDIT:
Redshell in Civ 6: https://steamcommunity.com/app/289070/discussions/0/1694923613870153288/
Redshell in TW games: https://www.reddit.com/r/totalwar/comments/8q02ph/psa_total_war_games_have_red_shell_spyware/e0fsc3w/
Post edited June 15, 2018 by Shadowstalker16
You are asking this on a platform that seems to be increasingly interested in monetizing private data of its user base.

Personally, I am not surprised, even if it makes me angry. If any of my data has value, nobody should have the right to take it from me without explicit consent. I don't consider some vague clause hidden somewhere in EULA "explicit consent," either.

Certainly detest this type of thing in paid products (I can understand "free"-to-play games relying on this for financing, and consequently avoid them like the plague), but I doubt things are going to change much.

The fact that RedShell implementation was a standard deployment case of spyware should, at least under GDPR, result in some legal action, but I'm not holding my breath.

Society in general has long decided privacy has no value to individuals, only companies as a trade good.
Assuming this is true it's very common stuff that 95% of people don't care at all about or see as "private information," so it's not likely to change. It is what it is.
Is this much different from google/facebook tracking?
Pheace: Is this much different from google/facebook tracking?
Yes. It installs to your PC's HDD along with the game. There is no opt out option. There isn't even any notification that it is installed. No 3rd party DRM warning on Steam, no separate installer for it, no way to disable it after it installs.
This is bad for the gaming industry.
This is quite bad, much worse than Unity's telemetry. Luckily for me, I have none of these games, nor interest in them. I did some reading on the Internet and found on the elderscrollsonline forums someone who explained it better (comment #59).

It's a RedShell.dll that comes with these games (they might change its name in the future after getting all the flak), so you may wanna check any games you have installed for such a file. People who don't do online gaming and block all their games in the firewall are probably safe from this.

I'm curious if something else is installed by this RedShell spyware along with the game, in other folders than the game's one. Maybe something in the user data folders?
Post edited June 15, 2018 by ariaspi
That is disturbing, thanks for that info. I found an opt out link to Red Shell and opted out.

https://redshell.io/optout

also block it through hosts

0.0.0.0 redshell.io

0.0.0.0 api.redshell.io

0.0.0.0 treasuredata.com

0.0.0.0 in.treasuredata.com
Post edited June 15, 2018 by liquidsnakehpks
ariaspi: This is quite bad, much worse than Unity's telemetry. Luckily for me, I have none of these games, nor interest in them. I did some reading on the Internet and found on the elderscrollsonline forums someone who explained it better (comment #59).

It's a RedShell.dll that comes with these games (they might change its name in the future after getting all the flak), so you may wanna check any games you have installed for such a file. People who don't do online gaming and block all their games in the firewall are probably safe from this.

I'm curious if something else is installed by this RedShell spyware along with the game, in other folders than the game's one. Maybe something in the user data folders?
From the Steam subreddit:
How do you know if a game contains Redshell? It's complicated. For some games you will find a "Redshell.dll" / "RedshellSDK.dll" in the Steam install folders. But the Redshell code can be integrated in the game software directly, so you won't see any process running usually.
I'd guess what and where it creates its folders are dependent on what data the devs want to collect. If everything they want can be collected from the dll, that may be all, but if not, there may be others, but that's just a guess. You can also check user appdata if it created something there.
liquidsnakehpks: That is disturbing, thanks for that info. I found an opt out link to Red Shell and opted out.

https://redshell.io/optout

also block it through hosts

0.0.0.0 redshell.io

0.0.0.0 api.redshell.io

0.0.0.0 treasuredata.com

0.0.0.0 in.treasuredata.com
Haha you opt out by engaging with a third party? The devs could've at least offered a link to this. Thanks for sharing this! I need this since I play TW :D
Post edited June 15, 2018 by Shadowstalker16
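The two checks discussed above (looking for the stand-alone DLL in game folders and confirming the posted hosts entries are active) can be scripted; this is an added example, not code from any poster or from Red Shell. The function names are hypothetical, and the sample folder and hosts text in `demo()` are constructed. As noted in the thread, a file-name scan cannot find SDK code compiled directly into a game.

```python
import os
import tempfile

# File names reported in the thread; matched case-insensitively.
SDK_FILENAMES = {"redshell.dll", "redshellsdk.dll"}
# Hostnames from the hosts-file entries posted in the thread.
THREAD_HOSTS = ["redshell.io", "api.redshell.io",
                "treasuredata.com", "in.treasuredata.com"]
# Addresses that make a hosts entry a local sinkhole.
SINK_ADDRESSES = {"0.0.0.0", "127.0.0.1", "::", "::1"}


def find_sdk_files(root):
    """Return sorted paths under root whose file name matches SDK_FILENAMES."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() in SDK_FILENAMES:
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def unblocked_hosts(hosts_text, wanted=THREAD_HOSTS):
    """Return the hostnames in wanted that hosts_text does not sinkhole."""
    blocked = set()
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments, tokenize
        if len(fields) >= 2 and fields[0] in SINK_ADDRESSES:
            blocked.update(h.lower() for h in fields[1:])
    return [h for h in wanted if h.lower() not in blocked]


def demo():
    """Run both checks on constructed sample data (not a real install)."""
    with tempfile.TemporaryDirectory() as root:
        game = os.path.join(root, "SampleGame", "bin")
        os.makedirs(game)
        for name in ("RedShell.dll", "game.exe"):
            open(os.path.join(game, name), "w").close()
        found = [os.path.relpath(p, root) for p in find_sdk_files(root)]
    sample_hosts = (
        "127.0.0.1 localhost\n"
        "0.0.0.0 redshell.io api.redshell.io  # several names on one line\n"
        "# 0.0.0.0 treasuredata.com   (commented out, so not active)\n"
        "0.0.0.0 in.treasuredata.com\n"
    )
    return found, unblocked_hosts(sample_hosts)


if __name__ == "__main__":
    print(demo())
```

Hosts entries match exact hostnames only, which is why the posted list carries both `treasuredata.com` and `in.treasuredata.com`; a subdomain without its own line is not blocked.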
Shadowstalker16: ...the Redshell code can be integrated in the game software directly, so you won't see any process running usually.
That's even more worrying. Thanks for the info.
Damn telemetry everywhere..

P.s: can Unity addresses be blocked too in the hosts file?
Post edited June 15, 2018 by phaolo
So are any of the games on the list on GOG, and does the GOG version have the same?

What does EU-GDPR (General Data Protection Regulation) say about this? The person must be asked for a permission to gather such personal information BEFORE that data gathering happens, so where is it stated this takes place, and where is the permission asked?

Optimally, it should be the game asking for the permission when you launch it, and they need to state clearly to whom the data is going (who is going to use it, and for what purpose). If they say it is the general Steam TOS that covers that, then the Steam service must specifically list this company as well, and all that extra information. Steam (nor GOG for that matter) can't just make a generic statement "personal data might be gathered by different companies for some purposes". Not good enough, you need to state who is gathering what, and for what purpose.

You see, GDPR is not all bad. It gives us, the end-users, more rights, and more responsibilities to the data miners.

Me personally, I don't necessarily care that much if they track me, as long as the game is playable even when that tracker goes inactive in the future, or I don't have internet turned on. But, they still need to be open about what they are doing (thanks GDPR).
Post edited June 15, 2018 by timppu
timppu: So are any of the games on the list on GOG, and does the GOG version have the same?
The problem is that the only games we know about are those that did not directly integrate RedShell's code, but use their stand-alone .dll file.

timppu: What does EU-GDPR (General Data Protection Regulation) say about this? The person must be asked for a permission to gather such personal information BEFORE that data gathering happens, so where is it stated this takes place, and where is the permission asked?
It's blatantly illegal under GDPR.

Frankly, I reached the point where I get quite literally nauseated every time I learn another game is data-mining. Since when did it become all right to put some vague value of "metrics" above the privacy and security of users' computers? Even dismissing outright the quite high potential for much shadier intent behind the data-mining.

At this point I am getting extremely interested in the real reason why so many GOG games require localhost loopback to start up without crashing. It's something distinctly affecting only GOG games, and you could do quite a few nasty things that way if the code running cannot directly access outside network at that point.

Stories like this, with a spyware having been running in so many titles without anybody knowing for quite a while, do not inspire much confidence.
Thanks for the warning
Lukaszmik: Stories like this, with a spyware having been running in so many titles without anybody knowing for quite a while, do not inspire much confidence.
You should come up with US-GDPR. Or would it be state by state?

While GDPR certainly has its problems and to many (small) companies and societies it feels like unneeded extra bureaucracy, at least it forces the companies (including dedicated data miners) to stop and think what exactly they are doing, and how should they be doing it, or whether they should be doing it at all. Up until now it feels like it has been free-for-all wild west, at least for international companies.

It is not just Facebook, there is e.g. an Asian company that tracks your mobile phone's battery level, and if you often let it get to lower digits or even become empty, that is a flag that you are not necessarily a very organized person, which in turn can mean that some online loan company decides to charge you more for a loan (you are considered more risky, due to your mobile phone battery usage, wheee!).

Or if you google online for Parkinson's disease (because your mother has it or whatever) or erection problems, how would it feel if you started to get ads for Parkinson disease medicines or erection problem clinics whenever you go online? Hey, targeted advertising, wheee!

Lukaszmik: It's blatantly illegal under GDPR.
Apparently they sell their games also to EU citizens, so basically the company could possibly be disclosed to any of the EU-GDPR authorities. Or, I am pretty sure there are loads of GDPR consultation law firms which might be willing to take the task. Not sure if it would be more fruitful to go after selected game publishers using the technology, or the company offering the technology. Maybe both. :)

Oh yeah, now I remember, that Austrian Max Schrems guy (who became famous for asking for his personal data from Facebook) is running such a law firm, IIRC. At this point he is after the bigger guys though I think, like Google and Facebook.

https://www.reuters.com/article/us-europe-privacy-lawyer/austrian-data-privacy-activist-takes-aim-at-forced-consent-idUSKCN1IQ0ZI
Post edited June 15, 2018 by timppu