Double Fine Action Forums
Deliverance

Spying with Google Analytics


Eh, hiding behind EULA is such an EA thing to do though... They should have explicitly stated in newsletter that they use metrics in this build, it would be much more honest of them.

If I knew that before starting the game I would have actually whitelisted Broken Age in my firewall - now I feel like a dick for not helping DF with their stats.

Uh, I'm pretty sure they talked about telemetry in one of the videos. Yeah, it wasn't super explicit, but anonymised telemetry is a pretty standard software design tool nowadays.

Cookies are not necessary for tracking. GA (or any other service that is used in multiple pages or applications) can track you simply by matching your browser fingerprint and your IP address. You have no clue on how tracking works, do you? Yeah it's absolutely possible to track users behind a NAT. Talking about.

I'm a professional web developer. I know precisely how tracking works.

Please explain to me how Broken Age can know which browser I'm using. Thanks!

Actually, there kinda is :P https://panopticlick.eff.org/

Yes, you're right, there kinda is. But it's not very useful as you can see.

Either way, it makes zero difference as we're talking about Google secretly knowing when you're browsing and when you're playing Broken Age. I'm still waiting to hear the connection.


Hate to break it to everyone but Google Analytics is most probably used on this website and nearly every other website you go to. If you were truly worried, you wouldn't touch the internet.

Hate to break it to everyone but Google Analytics is most probably used on this website and nearly every other website you go to. If you were truly worried, you wouldn't touch the internet.

This has been pointed out already. Some people just want to be right, no matter what, even when they're wrong, and will keep arguing and fighting until everyone else gives up. Like me, now. Bye!

Hate to break it to everyone but Google Analytics is most probably used on this website and nearly every other website you go to. If you were truly worried, you wouldn't touch the internet.

This has been pointed out already. Some people just want to be right, no matter what, even when they're wrong, and will keep arguing and fighting until everyone else gives up. Like me, now. Bye!

Yeah, sounds like people are complaining to just complain now.


@skankityspence, out of curiosity, which posts did you read before you made yours?


Ah. Well, at least that is an explanation then. It's probably similar in other cases, some conversations I had were too strange.


@ObsessedChannel and others

If Double Fine actually wrote something like "We are going to collect usage data to analyze how people solve puzzles. The data collection is as well anonymiced [sp?] as we know how to do and we are using tool X for it." I wouldn't have a problem.

But please read what they wrote: No restriction or purpose and they can use whatever tool they like (Google Analytics is just given as an example in the EULA). And they are not willing to give any promises whatsoever on what their tools will do with the data ("you agree to look solely to the applicable third party and not to Double Fine to enforce any of your rights in relation thereto"). So am I now supposed to ask Google + other unnamed companies on what data they are collecting on me in relationship with Broken Age?

@The Nude Wizard and others

Thanks. I should have thought of the simpler resolvers first.

Actually, there kinda is :P https://panopticlick.eff.org/

Yes, you're right, there kinda is. But it's not very useful as you can see.

Either way, it makes zero difference as we're talking about Google secretly knowing when you're browsing and when you're playing Broken Age. I'm still waiting to hear the connection.

Ok Mr. "Professional Web Developer" here is the explanation and does not need any form of cookies or signature recognition:

Google Analytics needs a client ID that should not change (otherwise tracking over different play sessions would be impossible). Therefore your system is evaluated to generate a client-ID or a GUID is used. That means Google can "track" you playing Broken Age over different play sessions:

80.231.183.193 - CLIENT84144 - 2014-16-01 - Broken Age

80.231.183.193 - CLIENT12732 - 2014-16-01 - My little Farm <-- Someone else in the same household played some other game, but has a different Client-ID

80.239.059.149 - CLIENT84144 - 2014-16-02 - Broken Age

80.232.172.042 - CLIENT84144 - 2014-16-03 - Broken Age

etc. All these records contain: Your external IP, your unique client id, a complete timestamp, the payload and probably even more data that can be used for identification (like details from the HTTP header). Google can now cross-reference this with a list of other records your browser leaves if you are logged in to their service (even if you log out they can still follow you for some time if you don't remove the cookies at once):

80.231.183.193 - xyz@gmail.com - 2014-16-01 - www.youtube.com

80.231.183.193 - abc@gmail.com - 2014-16-01 - www.somesite.com

80.231.183.193 - def@gmail.com - 2014-16-01 - www.some-other-site.com

80.239.059.149 - xyz@gmail.com - 2014-16-02 - www.google.com

80.232.172.042 - xyz@gmail.com - 2014-16-03 - www.google.com

Over time there are enough data points to get a pretty good match: It is obvious from the above data sets that Google can without any problem match your Client-ID (CLIENT84144) of Broken Age to your Google Profile (xyz@gmail.com) if they get enough different records - which they will given that any site that uses G+ buttons, that embeds YouTube videos, that embeds Google Maps and of course every Google page itself and - as you stated yourself - a majority of websites deliver your data points to them.

Also you have the misconception that Google has to get a perfect match but that is not the point. It is sufficient if they can be relatively sure about your identity to add "Plays Broken Age" to your data profile. If it's a mismatch then somebody else has this tag attached to their profile.

Also Google knows if you are behind a NAT with just a few users or some hundred people (like a company, university or residential home) because they see how many different browser signatures originate from that IP at a given time - you stated yourself how many websites use Google Analytics (or G+ like buttons or embedded YouTube Videos or embedded Maps or or or ...). If there are too many they can just apply a lower scoring factor to the gathered information. If it's just one within the last few hours they know that there is probably only one active user and can use a high factor.

Point being: If you have not one but a whole bunch of data points from different databases you can cross-reference them even if in each database a different "anonymous" unique ID is used. This is a pretty easy task for a company that has some of the best data-analyzing tools of the world - so the answer is: Yes, they do know if a specific Google User plays a specific game.
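
The cross-referencing described in the post above, worked through on its own sample records as an added example (not part of the original post and not any vendor's code). The 1/n weighting for IPs shared by several accounts and the `min_margin` threshold are assumptions chosen for illustration; a privacy review of a telemetry schema can use the same join to check which fields make pseudonymous IDs linkable.

```python
from collections import defaultdict

# Constructed sample data: the records listed in the post, as tuples of
# (external IP, pseudonymous ID, date string as written in the post, payload).
TELEMETRY = [
    ("80.231.183.193", "CLIENT84144", "2014-16-01", "Broken Age"),
    ("80.231.183.193", "CLIENT12732", "2014-16-01", "My little Farm"),
    ("80.239.059.149", "CLIENT84144", "2014-16-02", "Broken Age"),
    ("80.232.172.042", "CLIENT84144", "2014-16-03", "Broken Age"),
]
WEB_LOG = [
    ("80.231.183.193", "xyz@gmail.com", "2014-16-01", "www.youtube.com"),
    ("80.231.183.193", "abc@gmail.com", "2014-16-01", "www.somesite.com"),
    ("80.231.183.193", "def@gmail.com", "2014-16-01", "www.some-other-site.com"),
    ("80.239.059.149", "xyz@gmail.com", "2014-16-02", "www.google.com"),
    ("80.232.172.042", "xyz@gmail.com", "2014-16-03", "www.google.com"),
]


def link_scores(telemetry, web_log):
    """Score each (client ID, account) pair seen at the same IP on the same day."""
    # Accounts observed per (ip, day). A large set means a crowded NAT.
    accounts_at = defaultdict(set)
    for ip, account, day, _site in web_log:
        accounts_at[(ip, day)].add(account)

    scores = defaultdict(lambda: defaultdict(float))
    for ip, client_id, day, _game in telemetry:
        candidates = accounts_at.get((ip, day), set())
        for account in candidates:
            # Assumed weighting: evidence is split evenly between all accounts
            # that shared the IP that day (the post's "lower scoring factor").
            scores[client_id][account] += 1.0 / len(candidates)
    return {client: dict(accts) for client, accts in scores.items()}


def best_match(scores, client_id, min_margin=1.0):
    """Return the leading account, or None if it does not clearly lead."""
    ranked = sorted(scores.get(client_id, {}).items(),
                    key=lambda kv: kv[1], reverse=True)
    if not ranked:
        return None
    if len(ranked) > 1 and ranked[0][1] - ranked[1][1] < min_margin:
        return None  # several accounts fit equally well: no confident link
    return ranked[0][0]


if __name__ == "__main__":
    scores = link_scores(TELEMETRY, WEB_LOG)
    for client in sorted(scores):
        print(client, scores[client], "->", best_match(scores, client))
```

The join never looks at the ID values themselves, so giving each service a differently derived ID leaves the scores unchanged; only removing or coarsening the shared IP and time fields does.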

I trust DF enough not to be pissed off about this. :)

Ok, fair enough. But do you also trust Google enough to not be pissed off about this?

Hate to break it to everyone but Google Analytics is most probably used on this website and nearly every other website you go to. If you were truly worried, you wouldn't touch the internet.

I use Ghostery and NoScript, they block Google Analytics and a bunch of other stuff when browsing. Double Fine, I'd appreciate an opt-out, a simple checkbox in the settings would be nice.
Ok Mr. "Professional Web Developer" here is the explanation and does not need any form of cookies or signature recognition

OR how about this - if they wanted to "tag" your account so badly they would simply check if you had an email with Broken Age steam key in your gmail.

Static IPs are getting more and more rare nowadays, so the usefulness of cross-referencing by IPs is dubious at best.

With Google Plus, and your search history, and your browsing history (and that's even when not using Chrome) Google has much more robust tools to profile users and categorize advertisements than some custom guesswork for tagging a minuscule number of users with inconsistent results.

Actually, there kinda is :P https://panopticlick.eff.org/

Yes, you're right, there kinda is. But it's not very useful as you can see.

Either way, it makes zero difference as we're talking about Google secretly knowing when you're browsing and when you're playing Broken Age. I'm still waiting to hear the connection.

Ok Mr. "Professional Web Developer" here is the explanation and does not need any form of cookies or signature recognition:

Google Analytics needs a client ID that should not change (otherwise tracking over different play sessions would be impossible). Therefore your system is evaluated to generate a client-ID or a GUID is used. That means Google can "track" you playing Broken Age over different play sessions:

80.231.183.193 - CLIENT84144 - 2014-16-01 - Broken Age

80.231.183.193 - CLIENT12732 - 2014-16-01 - My little Farm <-- Someone else in the same household played some other game, but has a different Client-ID

80.239.059.149 - CLIENT84144 - 2014-16-02 - Broken Age

80.232.172.042 - CLIENT84144 - 2014-16-03 - Broken Age

etc. All these records contain: Your external IP, your unique client id, a complete timestamp, the payload and probably even more data that can be used for identification (like details from the HTTP header). Google can now cross-reference this with a list of other records your browser leaves if you are logged in to their service (even if you log out they can still follow you for some time if you don't remove the cookies at once):

80.231.183.193 - xyz@gmail.com - 2014-16-01 - www.youtube.com

80.231.183.193 - abc@gmail.com - 2014-16-01 - www.somesite.com

80.231.183.193 - def@gmail.com - 2014-16-01 - www.some-other-site.com

80.239.059.149 - xyz@gmail.com - 2014-16-02 - www.google.com

80.232.172.042 - xyz@gmail.com - 2014-16-03 - www.google.com

Over time there are enough data points to get a pretty good match: It is obvious from the above data sets that Google can without any problem match your Client-ID (CLIENT84144) of Broken Age to your Google Profile (xyz@gmail.com) if they get enough different records - which they will given that any site that uses G+ buttons, that embeds YouTube videos, that embeds Google Maps and of course every Google page itself and - as you stated yourself - a majority of websites deliver your data points to them.

Also you have the misconception that Google has to get a perfect match but that is not the point. It is sufficient if they can be relatively sure about your identity to add "Plays Broken Age" to your data profile. If it's a mismatch then somebody else has this tag attached to their profile.

Also Google knows if you are behind a NAT with just a few users or some hundred people (like a company, university or residential home) because they see how many different browser signatures originate from that IP at a given time - you stated yourself how many websites use Google Analytics (or G+ like buttons or embedded YouTube Videos or embedded Maps or or or ...). If there are too many they can just apply a lower scoring factor to the gathered information. If it's just one within the last few hours they know that there is probably only one active user and can use a high factor.

Point being: If you have not one but a whole bunch of data points from different databases you can cross-reference them even if in each database a different "anonymous" unique ID is used. This is a pretty easy task for a company that has some of the best data-analyzing tools of the world - so the answer is: Yes, they do know if a specific Google User plays a specific game.

Right, the data they collect potentially allows that. What we don't know is how Google's architecture for their different types of analytics works, and whether it's even possible to interface those two data sets on their end, (for instance, your client ID might be hashed differently for different services, so Google may not even be able to tell if it's the same one) and even if it IS possible, we don't have any suggestions that it's actually happening.

What it really comes down to is whether you have reason to (dis)trust Google as a third-party handler of your data.


@The Nude Wizard and others

Thanks. I should have thought of the simpler resolvers first.

No problem

While I agree with some sentiments here about their objection to "big data" it's a shame threads like this have to get weighed down by a bunch of internet superheroes trading barbs and trying to look smarter than they most obviously are and deriding the opinion of others who don't have the exact same world view they do. You aren't paid to be Double Fine's supplicant publicity officers, so you're better off providing solutions or just not posting at all imho.

It's analogous to locking your front door or not, unfortunately thieves exist, if u wanna live on the internet you just have to accept that locking the doors is your only option if being robbed is something that concerns you. Sure you might not have had to in "the good old days" but that's just the way it is unfortunately.

Afaik this was already discussed back here: http://www.doublefine.com/forums/viewthread/6790/P100/#214434

If you want to know the bare necessities of what Google knows about you as a person (without even using or being logged in to any Google Account) just based on Cookies, this is an interesting link: https://www.google.com/settings/ads/onweb

Although this has nothing to do with what I said, actually nothing changed. You don't own games any more or less now than anyone ever did, because it was always a license you bought. Even many years ago when people still thought they owned stuff. But whatever.

I see this being repeated over and over and that's kind of wrong or conflating things. You do and have always owned your copy of the game (as you do other media like say DVD/Blu-Ray movies, music etc.) or a book.

In the EU there was also recently a ruling that made it rather clear that this is also valid for downloadable software licenses by none other than the European Court of Justice itself and since then a lot of entities are happily reselling licenses of things like Microsoft Windows or Office entirely legally: http://arstechnica.com/tech-policy/2012/07/top-eu-court-upholds-right-to-resell-downloaded-software/

In the US you have the First-sale doctrine.

It is technically true that you “don’t own the game” and never owned it (which means the copyrighted content on the disc or in your Steam library and related distribution and ownership rights, just as you don’t own the movie from the DVD or the words in a book you bought to do with as you wish), but you have always owned *your copy* of “the game”. This is a rather subtle mistake that a lot of people seem to make when talking about it, but there is a clear difference.

Being able to resell games to a GameStop near you (or to a friend) already flew in the face of several such ToS clauses before and was still legally allowed and always a possibility. This is because legal rights you hold as an individual supersede Terms of Service or any EULA and cannot in any way be overruled by them.

Edit:

Also calling people out for "tinfoil hattery" has kind of lost its luster after an entire year of NSA leaks culminating in talks like these and doesn't exactly have the same effect anymore that it had a few years ago, so think of something new. :P

http://rt.com/usa/appelbaum-30c3-nsa-snowden-986/

Hate to break it to everyone but Google Analytics is most probably used on this website and nearly every other website you go to. If you were truly worried, you wouldn't touch the internet.

Or you could use tools that deal with this nonsense and still "touch" the internet while maintaining your privacy.

Right, the data they collect potentially allows that. What we don't know is how Google's architecture for their different types of analytics works, and whether it's even possible to interface those two data sets on their end, (for instance, your client ID might be hashed differently for different services, so Google may not even be able to tell if it's the same one) and even if it IS possible, we don't have any suggestions that it's actually happening.

What it really comes down to is whether you have reason to (dis)trust Google as a third-party handler of your data.

Google Analytics uses a unified protocol nowadays for Web, Android, iOS, and application integration so it is possible and since Google's main source of revenue is selling ads it's not a far-fetched assumption that they do this. Why else would they offer this service?

There is a premium version of GA where the paying company can adjust whether the collected data from their service will be aggregated with other data Google has collected elsewhere, which implies that they do aggregate if you don't buy premium and opt-out. But of course even then it is a matter of trust since it all runs on their servers.
Ok Mr. "Professional Web Developer" here is the explanation and does not need any form of cookies or signature recognition

OR how about this - if they wanted to "tag" your account so badly they would simply check if you had an email with Broken Age steam key in your gmail.

Static IPs are getting more and more rare nowadays, so the usefulness of cross-referencing by IPs is dubious at best.

With Google Plus, and your search history, and your browsing history (and that's even when not using Chrome) Google has much more robust tools to profile users and categorize advertisements than some custom guesswork for tagging a minuscule number of users with inconsistent results.

Of course: The more data they have the easier it is to identify you. But my example shows that you can identify a single entity over two different data sets even if each data set uses a different "anonymous" IP as long as they share at least one data field (in this case you have two: Timestamp and IP) to cross-reference them.

Also my example works in all scenarios and is easily automated (i.e. without the need to gather specific details like a Steam Key) and can be built into the same routines that are used already to aggregate the data for the customer.

Even your cell phone can be tracked. So if you have one and use it regularly, that would make you quite a hypocrite. Not to mention many other ways information gets collected from you since your birth.

Even your cell phone can be tracked. So if you have one and use it regularly, that would make you quite a hypocrite. Not to mention many other ways information gets collected from you since your birth.

That's not the same. There is a big difference between several traces you leave with several companies or one company that tries to gather all information and aggregate them. It's a well-known concept: Single bits of information about an individual do not concern privacy in a meaningful way as long as they are not widely aggregated to form a profile of said entity.

So, yes, I will keep using my phone even though I know what data traces my phone leaves, thank you very much, but that does not mean that I also have to be OK with Google trying to merge every bit of information about me they can get their fingers on.

There's a nice way to opt out though, don't install the game. If you do you indeed agree to the EULA, but there's a way not to agree to it, don't play.

Even your cell phone can be tracked. So if you have one and use it regularly, that would make you quite a hypocrite. Not to mention many other ways information gets collected from you since your birth.

That's not the same. There is a big difference between several traces you leave with several companies or one company that tries to gather all information and aggregate them. It's a well-known concept: Single bits of information about an individual do not concern privacy in a meaningful way as long as they are not widely aggregated to form a profile of said entity.

So, yes, I will keep using my phone even though I know what data traces my phone leaves, thank you very much, but that does not mean that I also have to be OK with Google trying to merge every bit of information about me they can get their fingers on.

Take it easy. :)

I just think that some people get rather "paranoid" about this entire "Government knows where you live and what you do" kind of thing.

Just to make it clear, I'm European.


Some quick thoughts from me about this:

a) Every modern developer wants to track its users' behavior so they can find where their game design went "wrong" - no individual data is needed, just individual anonymous user data is needed (e.g. to generate "paths" taken through an application and identify most common paths or common paths for users that stopped playing shortly after)

b) Not every developer denotes this fact in their EULA, TOS or anywhere, they just do it (no F2P game works without analytics)

c) Some developers use custom-built systems for this, but the smaller the company, the more probable it is that they use a third party tool

d) Kontagent for mobile and Gameanalytics for pc/console games are very well known analytics companies that "record" every user action in games (developers pay per action pushed into their databases)

e) The usage of Google Analytics for this purpose is quite new and very attractive for small companies that don't want to spend a lot of money on their analytics solution - the API is very robust and easy to implement

And here's where I understand why some people are upset:

- Why are players not asked, directly, whether or not they want to allow tracking? Just ask "We use google analytics to make our game better - do you want to send us that anonymous information?" - do not hide it somewhere in EULAs which could give people wrong ideas about what is actually happening.

- Why use Google? Sure it's cheap, but being able to cross-reference analytics data is a huge (!) sales pitch for paid analytics services. Some analytics providers have a "free" tier, where you can only work on your own data - pay a monthly fee and now you can see which other games your users have played. I'm not saying Google Analytics allows this (haven't worked with it directly) but I know third party tools for mobile products which allow just that.

Personally I'm not worried by this and I don't mind the usage of Google Analytics, but they could've been more upfront about it and could've given players an "Enable Telemetrics (uses Google Analytics)" checkbox in the options. It's nothing to be shy about, just be open about these things.

Google Analytics uses cookies to attach a unique identifier to you as you browse the web, assuming you use the same computer and browser regularly. It does track user location down to the city level. I'm pretty sure that it does not actually store IP addresses - at least not in the GA data. It is expressly forbidden by their terms of service to collect 'personally identifying' information. Storing emails, names, a date of birth, or even gender are not allowed. (Though newer features do exist to allow Google to 'infer' this information based on what kind of media you are consuming or what products you're buying.) Mind you, Google may themselves collect this data - but people using GA are not allowed to do so.

What Double Fine is most likely doing is setting up locations and actions in the games whereby a specific event is sent to GA. GA allows you to create funnels of 'likely steps' to get from point A in a system to point B. It can then visualize the path taken by any unique user through that chain of events, which allows Double Fine (or any other company implementing a similar system) to figure out who is missing a certain item or hint along a typical path, how many people are diverging from the 'assumed' path to completion.

In other words, they can see just how many people get to the riddle in Vella's story without first finding the item required to solve the riddle. They could also see how many times you were grabbed by a snake, etc (which would be an amusing statistic). I find it unlikely they are collecting any info beyond actual game events.
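
The funnel analysis described in the post above, as an added example that is not part of the original post and is not Double Fine's or Google's code. The event names, the step list and the client IDs `c1`..`c5` are hypothetical and the event stream is constructed; the point is that this kind of analysis needs only a per-install ID and an event name per record.

```python
from collections import defaultdict

# Hypothetical "assumed path" through one puzzle, in order.
STEPS = ["start_vella", "find_item", "reach_riddle", "solve_riddle"]

# Constructed event stream: (per-install client ID, event name), in the order
# each client sent them. No IP address, account or timestamp is needed here.
EVENTS = [
    ("c1", "start_vella"), ("c1", "find_item"),
    ("c1", "reach_riddle"), ("c1", "solve_riddle"),
    ("c2", "start_vella"), ("c2", "reach_riddle"),
    ("c2", "snake_grab"), ("c2", "snake_grab"),
    ("c3", "start_vella"), ("c3", "snake_grab"),
    ("c3", "find_item"), ("c3", "reach_riddle"),
    ("c4", "start_vella"),
    ("c5", "start_vella"), ("c5", "reach_riddle"), ("c5", "find_item"),
    ("c5", "reach_riddle"), ("c5", "solve_riddle"),
]


def per_client(events):
    """Group event names by client, preserving the order they arrived in."""
    sequences = defaultdict(list)
    for client, name in events:
        sequences[client].append(name)
    return sequences


def funnel_counts(events, steps):
    """For each step, count clients who completed it after all earlier steps."""
    reached = [0] * len(steps)
    for sequence in per_client(events).values():
        depth = 0
        for name in sequence:
            # Events off the assumed path (e.g. snake_grab) are skipped.
            if depth < len(steps) and name == steps[depth]:
                depth += 1
        for i in range(depth):
            reached[i] += 1
    return reached


def reached_without(events, target, prerequisite):
    """Clients whose first `target` event came before any `prerequisite`."""
    stuck = set()
    for client, sequence in per_client(events).items():
        for name in sequence:
            if name == prerequisite:
                break
            if name == target:
                stuck.add(client)
                break
    return stuck


def event_total(events, name):
    """Total number of times an event was sent, across all clients."""
    return sum(1 for _client, event in events if event == name)


if __name__ == "__main__":
    for step, count in zip(STEPS, funnel_counts(EVENTS, STEPS)):
        print(f"{step:13s} {count}")
    print("riddle before item:",
          sorted(reached_without(EVENTS, "reach_riddle", "find_item")))
    print("snake grabs:", event_total(EVENTS, "snake_grab"))
```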
