Red Shell is spyware for tracking gamers across the internet

Conspiracy theorists have been proposing for years that we’re being tracked in ways we cannot control on the internet, and on the Web 2.0 wave we’re surfing, this is becoming an increasingly sophisticated and surreptitious practice for companies that want to know more about us. Recently, a group of amateur sleuths on Reddit discovered a service called Red Shell that uses cookies and other methods to figure out whether the game you were just playing was bought after being exposed to an ad campaign. The discovery appears to have taken several publishers aback, and there is a growing movement to patch out Red Shell from existing titles to avoid a larger backlash from the gaming community.

In a Reddit thread started on 11 June 2018, a user by the name of “Alexspeed75” alerted others to an announcement by Daylight Studios that they were removing new software called Red Shell from their game, Holy Potatoes! We’re in Space?!, after complaints from their users about the existence of the software and the need to opt out of the data tracking rather than opt in. Daylight Studios noted that the main reason for using and integrating Red Shell was to help improve their visibility and targeted advertising for the game, and that they only intended to promote the game to gamers on social media and other advertising platforms.

The announcement by Daylight was made in their Steam group, where they explained that Red Shell was helping them to gather analytics, through the use of a cookie, about where players might have clicked on an advert for their game on social media, as well as whether the player bought the game through Steam or not. The cookie created upon clicking the advert contains a hash of the user’s IP address. When the game loads for the first time, the Red Shell API generates a second hash from your IP address on the internet and looks for the cookie created by the browser.

By comparing the hashes, Red Shell is able to determine that the user bought and installed the game after clicking the advert. The secret key used to generate the hash value is unique to each game. According to Red Shell’s FAQ, their service is 98% accurate in determining whether users are buying games through exposure to advertising campaigns or not.
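The matching described above can be sketched in a few lines. This is an added illustration, not Red Shell's code: HMAC-SHA256, the key values, the campaign name and the function names are assumptions, and the IP addresses are constructed values from documentation ranges.

```python
import hashlib
import hmac

def ip_fingerprint(game_key: bytes, ip: str) -> str:
    # Keyed hash of the public IP. HMAC-SHA256 is an assumption; the article
    # only says "a hash" generated with a secret key unique to each game.
    return hmac.new(game_key, ip.encode("ascii"), hashlib.sha256).hexdigest()

def record_click(clicks: dict, game_key: bytes, ip: str, campaign: str) -> str:
    # Advert side: the click stores the fingerprint (the cookie value)
    # against the campaign that produced it. `clicks` stands in for that record.
    fp = ip_fingerprint(game_key, ip)
    clicks[fp] = campaign
    return fp

def attribute_launch(clicks: dict, game_key: bytes, ip: str):
    # Game side: on first launch, recompute the fingerprint from the current
    # IP and look for a matching click. None means no attribution was made.
    return clicks.get(ip_fingerprint(game_key, ip))

def demo() -> dict:
    key_a = b"constructed-key-game-A"   # constructed per-game secrets
    key_b = b"constructed-key-game-B"
    home_ip, new_ip = "203.0.113.7", "198.51.100.20"  # constructed addresses
    clicks_a, clicks_b = {}, {}
    fp_a = record_click(clicks_a, key_a, home_ip, "summer-sale-ad")
    fp_b = record_click(clicks_b, key_b, home_ip, "summer-sale-ad")
    return {
        # Same address at click and launch: the purchase is attributed.
        # The match is on the address only, so anyone launching from behind
        # the same public IP produces the same result.
        "same_ip": attribute_launch(clicks_a, key_a, home_ip),
        # Address changed between click and launch: the match is lost.
        "ip_changed": attribute_launch(clicks_a, key_a, new_ip),
        # Another game's key cannot look up this game's click.
        "other_game_key": attribute_launch(clicks_a, key_b, home_ip),
        # Per-game keys give the same IP a different value in each game.
        "same_value_across_games": fp_a == fp_b,
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```
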

In addition, Red Shell is able to collect information on player statistics such as how many players completed the game’s tutorial, how active they are in multiplayer matches, how many players have completed the game, and so on. Red Shell meets the definition of spyware because it is installed without the user’s consent, is usually bundled with other software, and runs in the background by launching its own process without informing the user of its existence or activities.

The Reddit thread started by Alexspeed75 continued to be updated over the course of the next two weeks, and includes a list of games that have had the Red Shell API removed from their files, or whose developers have pledged to remove the API in a future patch. These include titles such as The Elder Scrolls Online, the Total War series by Creative Assembly, Warhammer: Vermintide II, Dead by Daylight, Hunt: Showdown, Quake Champions, Kerbal Space Program, and many others.

The thread also lists over two dozen games found to have the Red Shell .dll and SDK files in the game’s folder. These include Civilization VI, Sniper Ghost Warrior 3, the Doodle God series, Injustice 2, Warriors: Rise to Glory!, and many more. Most games that include the Red Shell service only include a .dll file and a copy of the bundled SDK, both of which can be used to run or trial the service. However, several games also now have the service integrated into the executable, which means there is no way of knowing which games include Red Shell except by monitoring internet traffic to known server addresses.

In a statement given to Kotaku, Red Shell CEO Adam Lieb explained the company’s stance on the service and the public backlash they’ve received. “We collect the minimum amount of data necessary to do attribution. Our customers rely on us to tell them which activities they’re engaged in are working and which ones aren’t. Any information that doesn’t help us make those matches we don’t collect,” Lieb said. “We are gamers. We love games. We do what we do because we love working with game developers to help grow their games and build their communities. The last thing we’d want to do is anything that is going to upset their communities.”

According to Lieb, Red Shell does not spy on users’ browsing activities, does not sell the data to third parties, and additionally includes an opt-out option on their website that users can enable to stop tracking.

However, because Red Shell is integrated as a .dll file, games which include it will not run if the file is deleted or renamed. Blocking communication to the servers using a hosts file or at the router/firewall level is the only way in which users can guarantee privacy in the future. With the way the public internet currently works, users can be allocated a new cookie for each IP address assigned to them, but it is possible that before the cookie expires the data can be refreshed with a new IP address. Therefore, it might be possible to have a permanent fingerprint added to your user ID collected by Red Shell when you relaunch games after receiving a new IP address.

For readers who may want to opt out of the data tracking, you can either visit this page to opt out of future tracking, or you can contact the developers or publishers of the game you’re playing that has integrated Red Shell, and get them to remove your data from the service.

Funny thing though – opting out places a cookie in your browser that will tell Red Shell’s servers that you opt out of data tracking anytime you launch a game or click on an ad campaign on a website, or even if an advert is loaded on a web page you’re browsing. That cookie is effectively still tracking you, even if it doesn’t end up sharing that information with Red Shell, and can be deleted when clearing browser cookies, reinstalling your browser, or moving to a new system.