jhAtgog: One might argue that the term "for the general operational purposes of GOG GALAXY Application" does not really cover connecting the collected data with the user account. At least I would see it that way.
Gersen: It's an enumeration, they collect X, Y, Z "and" your activities in the GOG GALAXY Application and on other platforms connected to your GOG account for the general operational purposes of GOG GALAXY Application.
Yes it is, maybe I was a little too short. What I meant was that

"If you use GOG GALAXY Application (including GOG GALAXY Store) we will also collect technical logs, information about achievements in games you play and how long you play them; your multiplayer sessions and your activities in the GOG GALAXY Application and on other platforms connected to your GOG account for the general operational purposes of GOG GALAXY Application."

does not cover the collection of e.g. "When you change a setting" and connect this to your user account, so the data is no longer anonymous. I don't see the "general operational purpose" here. The collection might be acceptable, if the collected data was anonymous.
I'm not saying you're wrong to be concerned. We need more people to be worried about what data is being sent without their permission or knowledge. We have to stop being a commodity. We are paying for the product, we are not for sale.

Let's consider some of your findings:

When you successfully log in: Probably retrieving an OAuth token or something similar upon login that can be presented with other submissions to authenticate the user.

When you view a game: Check ownership, retrieve current status, check save game sync percentage, check achievements, check other player progress.

When you view your friend list: Verify your friends are your friends, verify that you're still allowed to see the data you were seeing, verify that you're still a member in good standing at GOG.

When you view a friend's profile: Verify your friends are still your friends, verify that you're still allowed to see the data you were seeing, verify that you're still a member in good standing at GOG.

When you view your library: It has to check to see if there are new games available, and that existing games are still available. Mine seems to pick up on my XBox Ultimate Game Pass. Kind of. For example.

When you click the install button on a game: Checking to see if you still retain permission to install the game.

When you open the store: Have to retrieve the current version of the store to show it to you.

When a game finished downloading including how long it took: Not saying it doesn't track how long a download took, but it might also serve as a marker to GOG to discard temporary files that they made available so you could download them. It might be tracking the response times of a cache vs. data about you.

When you open a store page: Have to retrieve the current version of the store page to show it to you. Visible through web logs.

When a game is installed: Update your library statistics so the new installation is recognized, initialize storage for the game for saved game sync or check for saved games that need to be synced, set a timer on your profile for the game.

When you view your activity feed: Retrieve the latest details of your activity.

When you change a setting: Most of these settings appear to be stored server side. That may be a complaint.

When you open the search: Search implemented server side?

When you click on a search result: Access check to see if you're still allowed to access the search result.

When you filter the library: I haven't looked but it might be that the library listing is managed server side. So rather than do anything client side when you filter (or unfilter) that information is sent to the server so it can be processed. This is one way multiplatform functionality is maintained.

When you clear library filters: See above.

* When you look at the current downloads
* When the client is launched
* When you open/focus the client window
* When you unfocus the client window
* When you minimize the client window
* When you switch tabs (Overview, My progress, Extras) in the game view
* When you open the settings
* When you switch settings tabs
* When you click the menu option to file a bug report

The rest of these seem like UI experience measurements. That is, yep, they would be recording what you do without a direct benefit to you. But this type of data is easily anonymized or pseudonymized and retains value as performance metrics for the software.

I also haven't taken the time to set up a middleman and parse what GOG's requests actually look like.

That's my take on it. I give GOG the benefit of the doubt because I've been a member since they've started and I've never seen them treat us wrong. In terms of data collection, I know they're familiar with the GDPR and its requirements.
Post edited November 27, 2020 by Talonius
Talonius: The rest of these seem like UI experience measurements. That is, yep, they would be recording what you do without a direct benefit to you. But this type of data is easily anonymized or pseudonymized and retains value as performance metrics for the software.
I think there's a fundamental misunderstanding about what I'm reporting on. I know there are some requests that are necessary to provide data for the client to work, no issue with that. What this is about are all the small requests to an analytics server that all have the same structure and return no content to the client. I've attached a screenshot and you can see yourself that they all return HTTP 204. And yes, they could be easily anonymized, but that's not the case here, at least not on the client side. They're sent with the same auth token as everything else. Sorry if my original post was misleading to you.

Talonius: I also haven't taken the time to set up a middleman and parse what GOG's requests actually look like.
I did that and this is what one of these requests looks like. I've attached a screenshot of the full request view as well with any IDs blacked out because I was too lazy to figure out which one was personally identifiable.

    {
        "data": {
            "sub_view": "activity",
            "view": "friends_view"
        },
        "date": "2020-11-26T23:22:01.399Z",
        "type": "view_focused",
        "uuid": "c1e71214-5161-466e-ace7-85dcc38c4db2"
    }
Post edited November 27, 2020 by Yepoleb
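
The check described in the post above, as an added example that is not part of the original post and not GOG's code: it scans a HAR-style capture for event beacons (a JSON body with `type`, `date`, `uuid` and `data`, answered with an empty HTTP 204) and counts how many carry an auth header. The capture is constructed; the URL path, the second event, the `api.example.invalid` host and the assumption that the token travels in an `Authorization` header are not from the thread.

```python
import json
from collections import Counter
from urllib.parse import urlsplit

EVENT_KEYS = {"type", "date", "uuid", "data"}  # shape of the event quoted in the thread
COLLECTOR = "https://insights-collector.gog.com/placeholder"  # path is a placeholder

def make_entry(method, url, status, body=None, token=True):
    """Build one constructed HAR 1.2-style entry (assumes an Authorization header)."""
    headers = [{"name": "Authorization", "value": "Bearer <redacted>"}] if token else []
    request = {"method": method, "url": url, "headers": headers}
    if body is not None:
        request["postData"] = {"text": json.dumps(body)}
    return {"request": request, "response": {"status": status}}

# Constructed capture: the first event is the one quoted in the thread, the rest are made up.
SAMPLE_HAR = {"log": {"entries": [
    make_entry("POST", COLLECTOR, 204, {
        "data": {"sub_view": "activity", "view": "friends_view"},
        "date": "2020-11-26T23:22:01.399Z", "type": "view_focused",
        "uuid": "c1e71214-5161-466e-ace7-85dcc38c4db2"}),
    make_entry("POST", COLLECTOR, 204, {
        "data": {}, "date": "2020-11-26T23:22:05.000Z",
        "type": "constructed_event", "uuid": "00000000-0000-4000-8000-000000000000"}),
    make_entry("GET", "https://api.example.invalid/library", 200),  # ordinary content request
]}}

def beacon_body(entry):
    """Return the event dict for a POST answered with 204 whose body has the event shape."""
    request, response = entry["request"], entry["response"]
    if request["method"] != "POST" or response["status"] != 204:
        return None
    try:
        body = json.loads(request.get("postData", {}).get("text", ""))
    except json.JSONDecodeError:
        return None
    return body if isinstance(body, dict) and EVENT_KEYS <= body.keys() else None

def summarize(har):
    """Per host: beacon count, beacons carrying an Authorization header, event types seen."""
    report = {}
    for entry in har["log"]["entries"]:
        body, req = beacon_body(entry), entry["request"]
        if body is None:
            continue
        row = report.setdefault(urlsplit(req["url"]).hostname,
                                {"beacons": 0, "authenticated": 0, "types": Counter()})
        row["beacons"] += 1
        row["authenticated"] += any(h["name"].lower() == "authorization" for h in req["headers"])
        row["types"][body["type"]] += 1
    return report
```

A host where `authenticated` equals `beacons` is receiving events that can be tied to the logged-in account, which is the distinction the post draws between anonymous metrics and what the client actually sends.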
I figure the website and basically every website does all this too. But with a client, it's so much more conveeeeeenient!
Yepoleb: There is nothing in the transmitted data that couldn't also be collected from using the website.
In fact, the website (at least the store, though not the forum from what I've seen in a few seconds) also sends a lot of telemetry to insights-collector.gog.com.
You can stop this in Firefox by adding an entry to your profile's permissions.sqlite (using your favorite sqlite editing interface) in the moz_perms table for origin: https://insights-collector.gog.com, type: fetch, permission: 2
Orkhepaj: then you still trust others to say the code is fine
You are quite right that trust is involved.

We are all reliant on other people to some extent or another, whether we like it or not. Unless we intend to go live on a deserted island somewhere and be totally 'self-sufficient': grow our own food, make our own medicines, generate our own electricity, build our own computer/car, gather and research our own news, etc.

So, for me, the real question is not "should we trust anyone else at all", because we have to - there is no choice, but rather "who do we choose to trust?". Personally, regarding software, I prefer to trust a small group of people who are volunteering their time unpaid to maintain a Linux distro, because they are passionate about certain principles and what it represents. Rather than putting my trust in large corporations (Google, Amazon, Microsoft and the like) that have obvious vested interests and have shown themselves through their past actions to be untrustworthy.

Everyone has to make their own decision on who to trust.


Time4Tea: Not if you use a privacy-focused browser; block javascript from Google Analytics; and use a spy blocker.
Gersen: As soon as you are connected with your account they know everything you are doing on the website, privacy-focused browser or not.
Sure. I have a GOG account, so they obviously have access to my games library, wishlist, etc. There's no doubt they know what sort of games I like. But they don't have access to anything else, i.e. what I am doing on other sites, or otherwise on my computer.
Post edited November 28, 2020 by Time4Tea
Yepoleb: I had a peek behind the scenes of the Galaxy client again and noticed an awful lot of requests to an insights-collector.gog.com domain.
I'm not surprised that they use the same tracking mechanism in Galaxy as they use in their web pages. Actually you can be happy that they use a mechanism which is rather easy to analyze and also easy to block.
Yepoleb: It's also very unlikely that this stream of events would reveal anything personal about you.
It "just" adds more data to sharpen your profile.
Yepoleb: What I can say for sure is that all the privacy focused marketing from GOG is quite dishonest.
"Privacy focused marketing"? Where did you get that from? They use personalized, targeted marketing. Have you ever had a look at one of their marketing mails? They are loaded with personalized tracker links. GOG has dropped privacy long ago and has changed to a data collecting company like many others.
Yepoleb: I'm also going to be requesting another personal data dump from GOG according to GDPR to see if there is anything interesting in it that they're honest about collecting.
I'm not using Galaxy and do not have GDPR to help, but I would be interested in your findings.

HypersomniacLive: It's been a while since insights-collector.gog.com was introduced (don't recall exactly how long ago, but a good few months for certain). The difference between using GOG-Galaxy and the site via browser is that in the latter case one can block it from running with uBlock or/and uMatrix, and the site still works just fine.
You probably can block access to insights-collector.gog.com for Galaxy too without harming its function (with a hosts file or firewall rules).
Post edited November 28, 2020 by eiii
Semi-related question: are Galaxy download links accessible to fetch from outside of the Galaxy client? Like via some API calls or something.

It could be possible to make a kind of open-source Galaxy clone without telemetry. (I mean, we already have gogrepopy, but it downloads standalone installers. I automated the installation process on my machine, but for obvious reasons it takes like 2x the game's actual size on disk, because you download the packed installer first, then unpack it manually.)