Who watches the watchers?


Dan in Saint Louis
October 18th, 2005, 12:11 PM
From ED FOSTER'S GRIPELOG, "You are granted permission to forward this column to friends who would have an interest in this topic."

The Warden Sees All

Tuesday, October 18, 2005
By Ed Foster

It's not really that big a surprise to discover that game publisher Blizzard can be added to the list of companies that distribute EULA-sanctioned spyware. The real question is whether Blizzard will permit anyone to keep an eye on what the "Warden" software in its World of Warcraft is actually doing besides keeping an eye on the product's users.

"I would like to inform you of a rather interesting feature of World of Warcraft, the very popular MMO (Massively Multiplayer Online) game from Blizzard, a subsidiary of Vivendi," security researcher Greg Hoglund wrote me recently about the results of his analysis (http://www/rootkit.com/blog.php?newsid=358) of Warden. "This game includes a module known as the 'Warden' client. This code is downloaded on the fly from the game server, running about every 15 seconds. It opens all running processes and open windows on your computer, and reads information from them to see if there are any 'unauthorized third party programs' running. Although the software is designed to catch bots and cheaters, I believe it to be a violation of privacy, even though their EULA has language that allows them to do it."

Although Hoglund saw no evidence that Warden was transmitting any of the information it looked at in his files back to Blizzard - as long as it didn't find anything on his computer it deemed unacceptable, anyway -- the program's behavior was alarming enough that he felt compelled to sound a warning. Shouldn't World of Warcraft customers at least be aware of the fact that Blizzard is creeping all around their computer every fifteen seconds or so?

Of course, users would be aware of Blizzard's intentions if they read deep enough into the World of Warcraft EULA and Terms of Service (TOS). Down in the "Acknowledgements" section (no, apparently that's not where they roll the credits) of the TOS is the clearest description. "The World of Warcraft client may monitor your computer's Random Access Memory and or CPU processes for unauthorized third party programs ... that in Blizzard Entertainment's sole determination" are cheats or hacks. In the event it finds anything it deems illicit, information can be communicated back to Blizzard "including without limitation your account name, details about the unauthorized third party program detected, and the time and date the unauthorized third party program was detected."

Now, I admit I'm not much of a gamester myself, but from talking to those who are I do understand a bit about what a huge frustration game hacks are for MMO users who just want a level playing field. So there's no doubt that the great majority of World of Warcraft customers would say they are more than willing to sacrifice a little privacy to keep cheaters at bay. But do they really want to write Blizzard the privacy blank check that its EULA and TOS terms demand? And, since these documents are supposed to be legal agreements binding on both parties, shouldn't they contain some commitments from Blizzard about what it won't do with the information it might glean from its customers?

But, be that as it may, there is actually a much bigger issue here. Hoglund is essentially a reverse engineer by trade. While he has refrained from publishing any information he felt Blizzard might legitimately consider sensitive, he doesn't dispute that what he did in his analysis could be considered reverse engineering. Of course, the World of Warcraft EULA and TOS both prohibit reverse engineering of any kind - even forms of reverse engineering that are sanctioned by copyright law. And what about Warden itself? Could it be considered a technological measure controlling access to a work that is therefore illegal to circumvent under the Digital Millennium Copyright Act? If so, Hoglund is skating a very thin line in discussing his findings at all.

If you think it wildly improbable that Blizzard would try to push such over-reaching legal claims in court, then you just aren't aware of the Blizzard v BnetD case (http://www.eff.org/IP/Emulation/Blizzard_v_bnetd/). There, against defendants who were probably even less guilty of any real wrongdoing than Hoglund is, Blizzard took its EULA reverse engineering ban and DMCA anti-circumvention claims all the way to federal appeals court. And won. What it won was the right to deprive all of its customers of all of their fair use rights with a few words in their EULAs. So when their terms give them virtually unlimited right to abuse your privacy, you'd better take it seriously. After all, it's obvious our courts will.

Blizzard unquestionably has the EULA-sanctioned right to snoop on its customers with Warden, but does Hoglund have the right to tell us what that program is doing? That's what he now realizes is in fact a very serious question. "It's really been an education these last few weeks," he says. "I had no idea these EULAs were being taken so seriously. It's just amazing to me that anti-reverse engineering language in a EULA or the DMCA could keep people like me from publishing information about what the Warden does. Isn't it the right of consumers to know what their software is doing?"

You'd like to think so, because somebody needs to be spying on those who are spying on us. I'm sure Blizzard would prefer I call Warden something other than spyware, but how else are we to refer to software that sits there watching everything you're doing in order to report back to its masters who-knows-what? And I think that's particularly so for a spymaster that happens to be a multinational corporate giant that's proven its willingness to send armies of lawyers anywhere to argue that its customers have clicked away all of their rights. If no one has the right to spy on their spies, the only eyes that will see what's happening on our computers will be those of the Warden.

Judy G. Russell
October 18th, 2005, 03:21 PM
You know, it seems to me fundamentally wrong that I can buy a product with terms of service or EULA that I can't see until after I buy the product, that is written in language even I as a lawyer can't fully understand, that does things I wouldn't authorize if I had known that's what they were talking about in the language I don't understand, and if I decide I don't like it, I can't get my money back because there's "nothing wrong" with the product and the box has been opened.

ndebord
October 18th, 2005, 07:18 PM
> You know, it seems to me fundamentally wrong that I can buy a product with terms of service or EULA that I can't see until after I buy the product, that is written in language even I as a lawyer can't fully understand, that does things I wouldn't authorize if I had known that's what they were talking about in the language I don't understand, and if I decide I don't like it, I can't get my money back because there's "nothing wrong" with the product and the box has been opened.


Judy,

I think there is a class-action lawsuit in there. Isn't this the time for you to return to lawyering and cash in big time?

<g>

Judy G. Russell
October 18th, 2005, 10:07 PM
> Isn't this the time for you to return to lawyering and cash in big time?

No. There isn't enough money out there to get me to return to dealing with clients and judges and having to dress like a grownup and...