kohlrak: I wonder if anyone thought about "black box reverse engineering" some of the DLLs and replacing them to get rid of the telemetry.
Gekko_Dekko: I had some thoughts about it, but as mentioned above - it would be a whack-a-mole. Say, for galaxy.dll, we had at least 3 updates thus far that required people to redownload their games solely due to internal changes of this library. So you have to patch it once, then again, then again. And keep backwards compatibility for those who live in the countryside and can't afford downloading new installers due to low speed/pricey connection.
And that's just one library that doesn't update too much. For game engines, you must verify every single patch to ensure things still work as intended.
Thus we are stuck with either making per-app firewall rules or adding whole telemetry domains to hosts.

Actually, I'm genuinely interested if a game engine with built-in telemetry (that doesn't have any way to opt-out for both developer and those who play the games) violates GDPR. Like... shouldn't there be some clear indication that "yeah, we collect stuff. Accept it or refund the game" on game's startup?
That's why we're talking about "black box reverse engineering." This means that you completely reimplement the functions from scratch. In this case, though, you wouldn't even have to fully implement, just drop a return code that didn't result in a crash. These apps usually don't break when there's no internet connection, so you need to find out what return code is "error" for a given function.

This method also comes with the benefit of being entirely legal to distribute, too.
Post edited July 13, 2021 by kohlrak
pds41: True, but remember that giving consent under GDPR doesn't have to be under a valid contract - you just need to have an indication that the consumer has given consent. So, if you have to tick the box in the offline installer that says "I've read and accepted the EULA", that would probably be consent to process data under the GDPR. The only argument you could make would be that the EULA wasn't clear enough (which might get you there if anybody could be bothered to take anyone to court over this).
toxicTom: Doubtful. What if you don't consent?

But... telemetry data is not necessarily subject to the GDPR. The GDPR is concerned with privacy - the handling of personal information. That means, it concerns data that is traceable to an individual.
On the first point, my understanding of the GDPR is that a company can refuse to provide a service if you don't consent. In that circumstance, it would be grounds for a refund of the product or service (assuming that you haven't previously given consent and enjoyed the service - or game). I think the best bet would be to argue the ambiguity of the consent (i.e. if it's in the EULA, it's not clearly separated from the other line items, so how do you know the consent is specific). The other joy of the GDPR is that it's "General" in the European sense of the word - i.e. the rules are harmonised but implemented and enforced very differently in the EU27 + the UK (it never ceases to amaze me how that happens).

On the second point, I've been thinking about that, and I suspect that argument could be relied upon by the games companies. I know that Germany operates a lower bar around what personal data is than other countries - it would be interesting to see what happened if this ever did come to court. Not that I'm going to do a court case myself as I'm really not that worried about it (and I don't let my GoG games through the firewall anyway).
pds41: but remember that giving consent under GDPR doesn't have to be under a valid contract - you just need to have an indication that the consumer has given consent. So, if you have to tick the box in the offline installer that says "I've read and accepted the EULA", that would probably be consent to process data under the GDPR.
The good thing here is that the GDPR is much stricter than that: mere consent is not enough, what is required is informed consent. Ticking a box without reading the related EULA would probably not count as a valid consent.

Of course, we now need to see if the GDPR rules will be actually enforced…
vv221: Of course, we now need to see if the GDPR rules will be actually enforced…
If they were, I doubt Win10 could be legally used in any business processing personal data (and those are most). Not unless MS reliably and reproducibly lays open what data their telemetry transmits, and how it's not possible to link any of it to actual people.

Sadly "the power of fact" is that everyone is dependent on MS' products and services. It just won't happen, because TINA.
pds41: but remember that giving consent under GDPR doesn't have to be under a valid contract - you just need to have an indication that the consumer has given consent. So, if you have to tick the box in the offline installer that says "I've read and accepted the EULA", that would probably be consent to process data under the GDPR.
vv221: The good thing here is that the GDPR is much stricter than that: mere consent is not enough, what is required is informed consent. Ticking a box without reading the related EULA would probably not count as a valid consent.

Of course, we now need to see if the GDPR rules will be actually enforced…
And how would you set up a standard for ensuring people are informed? The problem is, we need a system that goes both ways. But, here we are, expected to read several pages of text and understand our roles, and all this post-purchase of a license to a product. This really isn't any different from the usual BS that comes with medical treatment where, at least in the US, you never know what you're paying until after the procedure is finished. It's rare that you can even give estimates, because they just won't tell you, and that's partially because the doctors don't know. You'd think that'd be someone's job to help you consider your options, especially if you don't have insurance, but no. I distinctly remember a lot of criticism against a certain US president for trying to fix that system, though. Let's be clear: the money makers are in charge and they know you'll pay anything as long as you don't know the price and have to pay it off later. Or comply with something you don't agree with... etc... Oh, but we so diligently sign them anyway.

EDIT: Relevant
Post edited July 14, 2021 by kohlrak
USA law seems to be very different, personal data there can be a commercial product like any other kind of data. That’s why a regulation like GDPR would make no sense in the USA.

But in Europe personal data is not regular data. It cannot be negotiated in a commercial contract, including EULA. Anything asking you to share personal data for commercial reasons is now downright illegal.

Personal data collection from European citizens based on some post-purchase EULA agreement is not allowed.
This is a really good thread. Is there a list anywhere of Unity games that use telemetry (without giving the user an opt-in)? The impression I have is that Unity has a telemetry module, but developers can disable it or choose not to use it. So, it doesn't seem reasonable to simply assume that all Unity games are using telemetry.
Post edited July 25, 2021 by Time4Tea
Garry's Mod changed its terms a while back to force extra spyware into its game. Someone tried justifying it by saying Valve was already doing it to an extent.
Time4Tea: This is a really good thread. Is there a list anywhere of Unity games that use telemetry (without giving the user an opt-in)? The impression I have is that Unity has a telemetry module, but developers can disable it or choose not to use it. So, it doesn't seem reasonable to simply assume that all Unity games are using telemetry.
I bet most of them have hidden telemetry.
vv221: USA law seems to be very different, personal data there can be a commercial product like any other kind of data.
Everything in the US is fucked up. Better to not think too much about it, and treat it as the madhouse it is.

On GDPR, it's definitely a move in the right direction. But what it doesn't cover, is the analysis of the personal data, which is the more important part. Yeah, it's nice that I can tell company X to delete the data about me, but when that data already is let loose on 1000 servers and analysis tools, it's kinda too late, and you can't take back all that stuff. Well, you could (nobody believes it's anonymous anyway), but GDPR doesn't cover it.
Time4Tea: The impression I have is that Unity has a telemetry module, but developers can disable it or choose not to use it. So, it doesn't seem reasonable to simply assume that all Unity games are using telemetry.
I have no source at hand, but I kind of remember it being the other way around: the basic Unity3D contracts do not allow the developers to disable telemetry in the game builds they sell.
Time4Tea: The impression I have is that Unity has a telemetry module, but developers can disable it or choose not to use it. So, it doesn't seem reasonable to simply assume that all Unity games are using telemetry.
vv221: I have no source at hand, but I kind of remember it being the other way around: the basic Unity3D contracts do not allow the developers to disable telemetry in the game builds they sell.
Thank you for sharing that information.
Post edited September 30, 2021 by SpellSword