Across Reddit and Steam forums, a few people are getting up in arms about Redshell, a tracking program that game developers use to see how well their advertising is working. To customers, Redshell represents yet another uninvited invasion of digital privacy. And while people on gaming forums being upset isn’t unusual—and Redshell itself seems to be mostly harmless—developers are dumping Redshell with unusual speed.
The snowball started a week ago with a post on reddit about Holy Potatoes! We’re in Space?!, a space exploration game. Within a couple of days, these small potatoes had started to grow as other users found the Redshell analytics program installed on their own games. General paranoia and frustration over digital privacy rights and surveillance fueled the spread of the post into other gaming communities. The list expanded into a Google spreadsheet that included games like Civilization VI, Kerbal Space Program, and Elder Scrolls Online.
“This practice is disgusting,” one user wrote in the Civilization VI Steam forum. “Uninstalling now until [the developer] removes Red Shell from the game.” “Seriously,” wrote a purchaser of Hunt: Showdown, “George Orwell wrote his book and everyone ran off to create the world like good predictive programmed sheeple.”
The list grew fast, but just as quickly, developers started apologizing and agreeing to remove Redshell from their games. Total War: Warhammer 2, and Conan: Exiles, among others, responded to their communities with a brief explanation (“We actually intended to disable Red Shell”; “It’s not spyware”) and a promise to remove the program in a coming update. So far, I haven’t been able to find a single developer who is digging in and insisting on keeping Redshell active.
So what’s going on here? Redshell is a program that helps game developers find out how customers decide to buy their games. If you watch a trailer on YouTube and click a link at the bottom to go to Steam and buy it, that link takes a snapshot of just enough data to identify a computer—including IP address, screen resolution, and a list of installed fonts—and assigns an identifier to it. Later, when a game with Redshell integrated launches for the first time, it takes a snapshot of those same pieces of data and phones home. When Redshell finds a first snapshot to match to the second, they know that you clicked on that link and then purchased the game, and that particular link in that particular ad worked.
Though this particular invasion of privacy is innocuous, very few of these developers gave players a heads-up that Redshell could be taking a peek at their PC settings and sending that information elsewhere. They could even have been violating their side of their terms of service—as one user pointed out, Conan: Exile‘s EULA never mentions data collection involving Redshell. Though Redshell insists that the data collected is anonymous, up until December 2017 some Redshell integrations collected unencrypted IP addresses and used Steam IDs as identifiers, the combination of which is more than enough to identify a user. (To comply with the General Data Protection Regulation—or GDPR—in Europe, Redshell began encrypting IP addresses and Steam IDs).
Developers can already track the performance of their advertising campaigns by measuring clicks on links. For many of these users, confirming that those clicks turned into purchases just isn’t a good enough reason to take any information, no matter how small. Given the speed that developers are dropping Redshell at the first sign of protest, it looks like they agree: Redshell’s service isn’t worth it.
Get six of our favorite Motherboard stories every day by signing up for our newsletter.