jhAtgog: One might argue that the term "for the general operational purposes of GOG GALAXY Application" does not really cover connecting the collected data with the user account. At least I would see it that way.
Gersen: It's an enumeration, they collect X, Y, Z "and" your activities in the GOG GALAXY Application and on other platforms connected to your GOG account for the general operational purposes of GOG GALAXY Application.
Yes it is, maybe I was a little too short. What I meant was that

"If you use GOG GALAXY Application (including GOG GALAXY Store) we will also collect technical logs, information about achievements in games you play and how long you play them; your multiplayer sessions and your activities in the GOG GALAXY Application and on other platforms connected to your GOG account for the general operational purposes of GOG GALAXY Application."

does not cover the collection of e.g. "When you change a setting" and connect this to your user account, so the data is no longer anonymous. I don't see the "general operational purpose" here. The collection might be acceptable, if the collected data was anonymous.
I'm not saying you're wrong to be concerned. We need more people to be worried about what data is being sent without their permission or knowledge. We have to stop being a commodity. We are paying for the product, we are not for sale.

Let's consider some of your findings:

When you successfully log in: Probably retrieving an OAuth token or something similar upon login that can be presented with other submissions to authenticate the user.

When you view a game: Check ownership, retrieve current status, check save game sync percentage, check achievements, check other player progress.

When you view your friend list: Verify your friends are your friends, verify that you're still allowed to see the data you were seeing, verify that you're still a member in good standing at GOG.

When you view a friend's profile: Verify your friends are still your friends, verify that you're still allowed to see the data you were seeing, verify that you're still a member in good standing at GOG.

When you view your library: It has to check to see if there are new games available, and that existing games are still available. Mine seems to pick up on my XBox Ultimate Game Pass. Kind of. For example.

When you click the install button on a game: Checking to see if you still retain permission to install the game.

When you open the store: Have to retrieve the current version of the store to show it to you.

When a game finished downloading including how long it took: Not saying it doesn't track how long a download took, but it might also serve as a marker to GOG to discard temporary files that they made available so you could download them. It might be tracking the response times of a cache vs. data about you.

When you open a store page: Have to retrieve the current version of the store page to show it to you. Visible through web logs.

When a game is installed: Update your library statistics so the new installation is recognized, initialize storage for the game for saved game sync or check for saved games that need to be synced, set a timer on your profile for the game.

When you view your activity feed: Retrieve the latest details of your activity.

When you change a setting: Most of these settings appear to be stored server side. That may be a complaint.

When you open the search: Search implemented server side?

When you click on a search result: Access check to see if you're still allowed to access the search result.

When you filter the library: I haven't looked but it might be that the library listing is managed server side. So rather than do anything client side when you filter (or unfilter) that information is sent to the server so it can be processed. This is one way multiplatform functionality is maintained.

When you clear library filters: See above.

* When you look at the currently downloads
* When the client is launched
* When you open/focus the client window
* When you unfocus the client window
* When you minimize the client window
* When you switch tabs (Overview, My progress, Extras) in the game view
* When you open the settings
* When you switch settings tabs
* When you click the menu option to file a bug report

The rest of these seem like UI experience measurements. That is, yep, they would be recording what you do without a direct benefit to you. But this type of data is easily anonymized or pseudonymized and retains value as performance metrics for the software.

I also haven't taken the time to set up a middleman and parse what GOG's requests actually look like.

That's my take on it. I give GOG the benefit of the doubt because I've been a member since they've started and I've never seen them treat us wrong. In terms of data collection, I know they're familiar with the GDPR and its requirements.
Post edited November 27, 2020 by Talonius
Talonius: The rest of these seem like UI experience measurements. That is, yep, they would be recording what you do without a direct benefit to you. But this type of data is easily anonymized or pseudonymized and retains value as performance metrics for the software.
I think there's a fundamental misunderstanding about what I'm reporting on. I know there are some requests that are necessary to provide data for the client to work, no issue with that. What this is about are all the small requests to an analytics server that all have the same structure and return no content to the client. I've attached a screenshot and you can see yourself that they all return HTTP 204. And yes, they could be easily anonymized, but that's not the case here, at least not on the client side. They're sent with the same auth token as everything else. Sorry if my original post was misleading to you.

Talonius: I also haven't taken the time to set up a middleman and parse what GOG's requests actually look like.
I did that and this is what one of these requests looks like. I've attached a screenshot of the full request view as well with any IDs blacked out because I was too lazy to figure which one was personally identifiable.

{
    "data": {
        "sub_view": "activity",
        "view": "friends_view"
    },
    "date": "2020-11-26T23:22:01.399Z",
    "type": "view_focused",
    "uuid": "c1e71214-5161-466e-ace7-85dcc38c4db2"
}
Post edited November 27, 2020 by Yepoleb
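
The check Yepoleb describes above (small requests to the analytics host that return HTTP 204 and are sent with the login token), as an added example that is not part of any post in this thread. The flow layout, the `Authorization` header as the token carrier, the non-GOG host and the `constructed_event` type are assumptions; only the host name and the `view_focused` body come from the thread.

```python
import json
from collections import Counter
from urllib.parse import urlsplit

ANALYTICS_HOST = "insights-collector.gog.com"  # host named in the thread

# Constructed capture. The dict layout, the non-GOG host, the header used for
# the token and "constructed_event" are assumptions made for this example.
SAMPLE_FLOWS = [
    {"url": "https://insights-collector.gog.com/", "status": 204,
     "headers": {"Authorization": "Bearer <redacted>"},
     "body": '{"data": {"sub_view": "activity", "view": "friends_view"},'
             ' "date": "2020-11-26T23:22:01.399Z", "type": "view_focused",'
             ' "uuid": "c1e71214-5161-466e-ace7-85dcc38c4db2"}'},
    {"url": "https://insights-collector.gog.com/", "status": 204,
     "headers": {"Authorization": "Bearer <redacted>"},
     "body": '{"data": {}, "type": "constructed_event"}'},
    {"url": "https://insights-collector.gog.com/", "status": 204,
     "headers": {}, "body": "not json"},
    {"url": "https://api.example.invalid/library", "status": 200,
     "headers": {"Authorization": "Bearer <redacted>"}, "body": ""},
]


def audit_telemetry(flows, host=ANALYTICS_HOST):
    """Count fire-and-forget analytics events and how many carry a login token."""
    report = {"total": 0, "authenticated": 0, "malformed": 0, "events": Counter()}
    for flow in flows:
        if urlsplit(flow["url"]).hostname != host:
            continue  # traffic the client needs in order to function
        if flow["status"] != 204:
            continue  # a response with content is not a pure beacon
        report["total"] += 1
        names = {name.lower() for name in flow.get("headers", {})}
        if names & {"authorization", "cookie"}:
            report["authenticated"] += 1  # event is linkable to the account
        try:
            report["events"][json.loads(flow["body"])["type"]] += 1
        except (ValueError, KeyError, TypeError):
            report["malformed"] += 1
    return report


if __name__ == "__main__":
    print(audit_telemetry(SAMPLE_FLOWS))
```

Comparing `authenticated` with `total` shows how much of the event stream is tied to an account on the client side rather than anonymized before it is sent.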
I figure the website and basically every website does all this too. But with a client, it's so much more conveeeeeenient!
Yepoleb: There is nothing in the transmitted data that couldn't also be collected from using the website.
In fact, the website (at least the store, though not the forum from what I've seen in a few seconds) also sends a lot of telemetry to insights-collector.gog.com
You can stop this in Firefox by adding an entry to your profile's permissions.sqlite (using your favorite sqlite editing interface) in the mozperms table for origin: https://insights-collector.gog.com, type: fetch, permission: 2
Orkhepaj: then you still trust others to say the code is fine
You are quite right that trust is involved.

We are all reliant on other people to some extent or another, whether we like it or not. Unless we intend to go live on a deserted island somewhere and be totally 'self-sufficient': grow our own food, make our own medicines, generate our own electricity, build our own computer/car, gather and research our own news, etc.

So, for me, the real question is not "should we trust anyone else at all", because we have to - there is no choice, but rather "who do we choose to trust?". Personally, regarding software, I prefer to trust a small group of people who are volunteering their time unpaid to maintain a Linux distro, because they are passionate about certain principles and what it represents. Rather than putting my trust in large corporations (Google, Amazon, Microsoft and the like) that have obvious vested interests and have shown themselves through their past actions to be untrustworthy.

Everyone has to make their own decision on who to trust.


Time4Tea: Not if you use a privacy-focused browser; block javascript from Google Analytics; and use a spy blocker.
Gersen: As soon as you are connected with your account they know everything you are doing on the website, privacy-focused browser or not.
Sure. I have a GOG account, so they obviously have access to my games library, wishlist, etc. There's no doubt they know what sort of games I like. But they don't have access to anything else, i.e. what I am doing on other sites, or otherwise on my computer.
Post edited November 28, 2020 by Time4Tea
Yepoleb: I had a peek behind the scenes of the Galaxy client again and noticed an awful lot of requests to an insights-collector.gog.com domain.
I'm not surprised that they use the same tracking mechanism in Galaxy as they use in their web pages. Actually you can be happy that they use a mechanism which is rather easy to analyze and also easy to block.
Yepoleb: It's also very unlikely that this stream of events would reveal anything personal about you.
It "just" adds more data to sharpen your profile.
Yepoleb: What I can say for sure is that all the privacy focused marketing from GOG is quite dishonest.
"Privacy focused marketing"? Where did you get that from? They use personalized, targeted marketing. Have you ever had a look at one of their marketing mails? They are loaded with personalized tracker links. GOG has dropped privacy long ago and has changed to a data collecting company like many others.
Yepoleb: I'm also going to be requesting another personal data dump from GOG according to GDPR to see if there is anything interesting in it that they're honest about collecting.
I'm not using Galaxy and do not have GDPR to help, but I would be interested in your findings.

HypersomniacLive: It's been a while since insights-collector.gog.com was introduced (don't recall exactly how long ago, but a good few months for certain). The difference between using GOG-Galaxy and the site via browser is that in the latter case one can block it from running with uBlock or/and uMatrix, and the site still works just fine.
You probably can block access to insights-collector.gog.com for Galaxy too without harming its function (with a hosts file or firewall rules).
Post edited November 28, 2020 by eiii
semi-related question - are galaxy download links accessible to fetch from outside of galaxy client? Like via some api calls or something.

Could be possible to make kind of opensource galaxy clone without telemetry (I mean - we already have gogrepopy, but it downloads standalone installers. I automated installation process on my machine, but for obvious reasons it takes like 2x space on disk of game's actual size (coz you download packed installer first, then unpack it manually))
Guys, do you know how bad are Steam, Epic?

Thankfully in GOG I can download the offline installers via web, but not the same luck on those stores...
or there are methods? Please share!
Thanks Yepoleb for this revealing info and discussion
If you don't like it, don't use it. KISS.

Offline binaries are the way. Play online as you see fit using the tools that are available or the services you are cool with.
Arcadius-8606: If you don't like it, don't use it. KISS.

Offline binaries are the way. Play online as you see fit using the tools that are available or the services you are cool with.
Meanwhile, anyone that wants to play online are screwed.

That's exactly what the "don't like, don't use" argument entails.

Store pages for the games apparently don't uniformly tell you if galaxy client is required. The MW5 page (as of the time of not too long before this post) doesn't say word one about requiring galaxy to do coop.

There is no meaningful option in the realm of new PC games online where you aren't forced to accept telemetry in order to play a game online that I know of.

Investment money apparently is completely disinterested in anything but making everyone give up as much PII as possible in ... anything ... software now.

There is no rebel niche going against this, besides some backwaters. Everyone wants the sweet cash cow above all else. We just lost audacity to this effect.
Arcadius-8606: If you don't like it, don't use it. KISS.

Offline binaries are the way. Play online as you see fit using the tools that are available or the services you are cool with.
pht: Meanwhile, anyone that wants to play online are screwed.

That's exactly what the "don't like, don't use" argument entails.

Store pages for the games apparently don't uniformly tell you if galaxy client is required. The MW5 page (as of the time of not too long before this post) doesn't say word one about requiring galaxy to do coop.

There is no meaningful option in the realm of new PC games online where you aren't forced to accept telemetry in order to play a game online that I know of.

Investment money apparently is completely disinterested in anything but making everyone give up as much PII as possible in ... anything ... software now.

There is no rebel niche going against this, besides some backwaters. Everyone wants the sweet cash cow above all else. We just lost audacity to this effect.
This is honestly our fault, though. We could've said no, and if enough people rejected it it would've gone another way, but, no, no one rejected.
Not entirely our fault I think, because somehow there are always people actively against these things but it is not just a matter of exercising the rejection by not buying, or informing our neighbours consumers... that is not enough.
This requires and demands more areas and their true engagement: laws, IT, education, social lobbying.
Because the simplistic solution of auto excluding us into the offline installers is mere st.p.d
Think all those hopes and IT dreams we gamers share, that are not fulfilled yet (cross play, hardware independent, immersion, to name a few). We are not going to give up on them and go back to play pong just to avoid any telemetry! We need to keep it Smartly! and we are fooling us with the "simple" term :)
pht: Meanwhile, anyone that wants to play online are screwed.

That's exactly what the "don't like, don't use" argument entails.

Store pages for the games apparently don't uniformly tell you if galaxy client is required. The MW5 page (as of the time of not too long before this post) doesn't say word one about requiring galaxy to do coop.

There is no meaningful option in the realm of new PC games online where you aren't forced to accept telemetry in order to play a game online that I know of.

Investment money apparently is completely disinterested in anything but making everyone give up as much PII as possible in ... anything ... software now.

There is no rebel niche going against this, besides some backwaters. Everyone wants the sweet cash cow above all else. We just lost audacity to this effect.
kohlrak: This is honestly our fault, though. We could've said no, and if enough people rejected it it would've gone another way, but, no, no one rejected.
That's false and nobody really lives or thinks that way.

Stop and consider what happens when you apply that in the rest of life.

"it's their fault because they *didn't fight back*"

----

Sure, we should have seen this coming and pointed it out at the start, but when people complained back in the days of half life 2, we were treated as retrograde luddites.

Now we are in the situation where there is no viable option for most of the bigger games. Making money and "bugfixing" by telemetry has become normal. It shouldn't be.

Ironically, this is one of the contributing factors to the horrid patches for windows. MS effectively got rid of their pre-release bugtesting/qc department on windows patches and instead are trying to rely on telemetry, so now we get bsods, data being erased, random failures, etc, at a level we didn't before.

Yeah, I'm old enough to remember industry could operate without constant snitching.
Post edited May 31, 2021 by pht
Talonius: snip
I know it's uncomfortable that they're tracking this much activity, especially without consent, but is it really that bad? Or are people being paranoid about what this could become? I don't see anything malicious they could do with this data given the metrics they're tracking here, but I could be wrong.