Thursday, March 13, 2008

Privacy versus Protection of Digital Assets

Every time a new patch comes out and I see the new Terms of Agreement on my welcome screen, I can’t help but think about Warden. If you aren’t familiar with Warden, let me give the quick 100-foot view: Warden is an anti-hack program that Blizzard loads onto your computer at login and that checks up on your activities every 15-30 seconds to ensure that you aren’t doing anything to cheat. In order to operate, it needs to scan memory and processes that are outside of the World of Warcraft game itself.

Blizzard positions Warden as a form of protection (or DRM) that safeguards its digital assets from unauthorized manipulation. The criticism from privacy advocates is that Warden has to scan and collect things unrelated to World of Warcraft in order to gather the information it needs to perform its analysis. Interestingly, Warden was not included in the game at release; it was added later to protect the game from exploits, botters and other cheats, and it was not an announced change. It hides itself. It changes its composition at login so that it can’t be easily identified. In fact, it behaves so much like a virus that it’s not uncommon for anti-virus programs to incorrectly flag it. In the early days of Warden, this was even a method of defeating it.

How many people know about Warden? My guess is fairly few, and likely only the ones who take the time to read websites like mine. And how many people know what Warden scans? Very, very few. Ironically, outside of Blizzard, the only people who really know what Warden is scanning are the same people that Blizzard is trying to keep out: namely, the people providing botters and exploiters with products to defeat Warden.

And therein lies the crux of my complaint. Blizzard has every right to protect their game. Quite frankly, it wouldn’t be worth playing if they DIDN’T protect it. But first, we can all see from the prolific gold selling and bot farmers that Warden can be and is circumvented. I know of two programs a few clicks away that I could download and be happily botting Warden-free in under an hour. An ongoing lawsuit against one of those companies is evidence enough that Blizzard knows the protection offered through Warden is not working.

Still – I can talk myself out of being upset about all that. After all, the only people really hurt by it are the botters and exploiters, right?

Maybe not. In the 2.3 patch back in November, Blizzard introduced some subtle changes to Warden that prevent an observer from tracing what it is monitoring. Why is that important? Well, before the change, if something illegal or immoral was happening, the people who do keep an eye on Warden would at least know that it was happening. Now all it really takes is one malicious developer to insert some code and none of us would be any the wiser.

Well still – this only hurts botters, right? Not really. The change does nothing to address the current methods used to defeat Warden, which revolve around either outright hiding from it or spoofing its results. To me, this crosses a major line in regards to privacy protection.

To which you reply, “But if you don’t like it, you don’t have to play.” The people who use this argument are the same kids who took their ball and went home, leaving everyone else out on the playground. These use-it-or-lose-it agreements are very one-sided. True agreements are negotiated and bargained. These contracts are instead dictated to us, and we, in turn, are expected to agree to them in order to use the product. It’s like signing a waiver before treatment for a painful ailment: your choice is either sign the waiver and get the treatment, or don’t sign and suffer. Many of these types of contracts turn out not to be enforceable when challenged in court.

But more importantly, look at it a different way. Pretend it’s not Blizzard and it’s not about botters. How would you feel if Microsoft made the same requirements for Windows, and it scanned your whole computer for whatever data they wanted, without your knowledge, and then sent the results back to be used however they wanted? And worse, they did it in such a way that you could never tell what they were scanning or sending back.

And that’s the rub. If Microsoft were to bundle something even remotely similar to the current incarnation of Warden in its products, one million IT professionals would be marching on Washington DC to ensure that privacy was protected. The uproar would be incredible. Microsoft took a lot of flak on this topic when they wanted to send back simple bug-report data to improve the user experience. That’s why they have the little screen that pops up, lets you opt in to reporting an issue, and will even show a snapshot of the data being sent back about the crash. Unlike Warden, it is VERY transparent and obvious what is being reported.

Yet most users of World of Warcraft have never even heard of Warden, and those who have consider it a lesser evil than botting. Try expressing privacy concerns about Warden on the WoW forums and within three replies you will be called out as a cheater. The nasty thing here is that it sets a precedent for acceptable behavior by a software developer. Do we really want to accept that a software developer can embed hidden processes that mimic viruses and spyware in their products?

The real irony is that it offers very little protection for Blizzard. Anything loaded into the memory of your computer can be defeated, regardless of how cleverly it is programmed. If it operates within your computer’s memory, the attacker controls the environment it runs in, and any form of protection can be reverse engineered and defeated. The burden for the exploiter is not to learn everything it does, but only to find one way to circumvent it. The better investment would be in forms of detection that cannot be tampered with from the client. In other words, teach the servers to be smarter about identifying the exploits, not the client software. Exploiters don’t have access to files or system memory on the server itself, and without that access there is no way for them to hide from, or spoof the results of, server-side detection mechanisms.
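To make that asymmetry concrete, here is an added example in Python. It is not Blizzard’s code, not anything taken from Warden, and not part of the original post; the process name, the thresholds and the event timestamps are all constructed for illustration. It contrasts a client-reported self-check, whose answer a spoofing tool can set to whatever it likes, with a server-side heuristic that works only from data the server recorded itself: the timing of commands a character sends.

```python
import statistics

# Constructed sample data for this example (not from the post):
# server-observed timestamps (seconds) of successive movement commands.
HUMAN_EVENTS = [0.00, 0.83, 1.71, 2.40, 3.62, 4.05, 5.31, 6.02, 7.44, 8.10]
BOT_EVENTS = [0.00, 0.50, 1.00, 1.50, 2.00, 2.50, 3.00, 3.50, 4.00, 4.50]
JITTER_BOT_EVENTS = [0.00, 0.51, 0.99, 1.52, 2.00, 2.48, 3.01, 3.50, 3.99, 4.51]

# Hypothetical process name a client-side scanner might look for.
KNOWN_BOT_PROCESSES = {"hypothetical_bot.exe"}


# --- Client-side model: the check runs where the attacker lives ---------

def honest_client_scan(running_processes):
    """What a Warden-style scanner is supposed to do: look at the
    client's own process list and report whether anything is known-bad."""
    return not any(p in KNOWN_BOT_PROCESSES for p in running_processes)


def spoofing_client_scan(running_processes):
    """The same scanner after a spoofing tool hooks it: whatever is
    actually running, the answer sent to the server is 'clean'.
    The argument is unused on purpose; the attacker controls the result."""
    return True


def client_side_verdict(scan_result):
    """The server cannot distinguish an honest result from a spoofed one;
    it can only trust what the client says about itself."""
    return "clean" if scan_result else "flagged"


# --- Server-side model: the check runs on data the client cannot edit ---

def inter_arrival_cv(timestamps):
    """Coefficient of variation of the gaps between events. Human input
    is jittery (CV well above zero); scripted input is metronomic."""
    gaps = [b - a for a, b in zip(timestamps, timestamps[1:])]
    mean = statistics.mean(gaps)
    if mean == 0:
        return 0.0
    return statistics.pstdev(gaps) / mean


def server_side_verdict(timestamps, min_cv=0.15, min_events=8):
    """Flag a session whose command timing is too regular to be human.
    Only arrival times the server recorded itself are used; nothing on
    the client's machine can rewrite that history after the fact."""
    if len(timestamps) < min_events:
        return "insufficient data"
    return "flagged" if inter_arrival_cv(timestamps) < min_cv else "clean"


if __name__ == "__main__":
    procs = ["wow.exe", "hypothetical_bot.exe"]
    print("client, honest :", client_side_verdict(honest_client_scan(procs)))
    print("client, spoofed:", client_side_verdict(spoofing_client_scan(procs)))
    for name, events in [("human", HUMAN_EVENTS), ("bot", BOT_EVENTS),
                         ("jittered bot", JITTER_BOT_EVENTS)]:
        print(f"server, {name:12s}: {server_side_verdict(events)} "
              f"(cv={inter_arrival_cv(events):.2f})")
```

The point of the example is where the trust boundary sits, not the particular heuristic: a real server-side detector would combine many more signals, and a bot that randomizes its delays enough would need more than a single timing threshold. But every one of those signals is computed from the server’s own records, so the exploiter has nothing to hide or spoof, which is exactly what the client-side scan lacks.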

If you do feel it’s absolutely necessary to have Warden reporting information back, then at least provide a log of what is being scanned and reported. At the very least, this kind of activity should be made transparent so that users are fully informed about what is happening on their computer outside the game itself.
