76 comments

[ 3.8 ms ] story [ 145 ms ] thread
They did get quite a few negative reviews on the Steam store page about this issue, and there's also a large thread with users complaining ( https://steamcommunity.com/app/289070/discussions/0/17095641... ) which probably led to this action.

As an aside, complaints might have been even more numerous if the game were actually good, as of now Civ 5 has a peak of 30K users playing daily, while Civ 6 a peak of only 20K.

> As an aside, complaints might have been even more numerous if the game were actually good, as of now Civ 5 has a peak of 30K users playing daily, while Civ 6 a peak of only 20K.

A question to the gamers on HN: What makes Civ5 in your opinion/in the opinion of many gamers better than Civ6?

Been a while since I've played Civ6 but I didn't like some of the weird game mechanics. For example, some of the city boosts required you to permanently sacrifice tiles, which made the boosts a lot less interesting. Graphics were cool, though. Personally, I prefer Civ4 a bit over Civ5, and don't like Civ6 at all.
Thanks, I thought I was alone in this. I don't like to permanently sacrifice tiles and honestly this feels like adding another layer of micromanaging and distracting players from the bigger 4X picture which to me is where the fun in Civ lies.

Civ 5 was a mess when I originally played it and Civ 4 still plays much more seamless. I honestly didn't mind stacking units and I think it makes perfect sense for a video game -- not to mention it made the AI much simpler and therefore much less stupid when comparing vanilla versions of Civ 4 and 5 (or 6, for that matter)

I always thought the Great Person tile improvements in Civ5 were really interesting, because they felt like a big, rare sacrifice - you had to pick a tile to weaken for a different payout. Converting it to a standard feature of development makes for strange gameplay, even if it makes a lot of thematic sense.

Still beats the Beyond Earth development experience for me, but that's not really saying much...

I think it’s just way cheaper? I’ve played both and if I didn’t have a lot of cash I probably wouldn’t have Civ 6. So Civ 5 is “better” in the sense of a way longer development cycle with a bunch of expansions. Civ 6 has some pretty graphics though.
Generally for the Civ games the new one doesn't become overly popular till a few expansions are released. It was the same when Civ V came out, a lot of people were saying Civ IV was better. Civ VI is a good game I think most people will switch eventually, just takes some time.
It is more about modding outside of the general player base that already played, and dropped it.

The sustained users are ones that have good mods that improve the AI, and other aspects of the game. Civ 6 hasn't released the DLL, so us as modders, are in a holding pattern. Most of the major modders have quit (as have I) until the DLL is released.

As an AI modder, I just can't improve the AI without the DLL.

// The sustained users are ones that have good mods that improve the AI, and other aspects of the game. Civ 6 hasn't released the DLL, so us as modders, are in a holding pattern. Most of the major modders have quit (as have I) until the DLL is released.//

That's it right there. The Civ5 mod(s) "vox populi" is a must in any game I play. And it changes much of the game. Not possible to do in Civ6.

Also, I don't like the cartoon graphics of Civ6.

The way it feels on my 2014 MPBr, I figure one those new, fully-spec'd MBP's ought to be able to play it acceptably... on medium settings.
Maturity, game mechanics, mods.

Civ6 will eventually be the same, probably once Civ7 is released.

Once the DLL is released. Modders can't make proper mods until they release the DLL. Civ 4, was released immediately and had an amazing mod community. Civ 5 was delayed release, and the modding community got into a groove afterwards for some amazing mods.

Civ 6, who knows. The longer they wait, they more they have to rely on their game to drive play. And the AI for example, is a trainwreck that needs help

The AI in Civ 6 is kind of a mess, I have civs on the other side of the globe I've never interacted with more than a scout passing by once dozens of turns before just declare war on me. Then nothing happened for 3 dozen turns because they couldn't reach me and they sued for peace. That happened multiple times.
I'm an AI modder for Civ. Civ 4, Fall From Heaven AI, Civ 5.

Civ 6 hasn't released the source for the DLL, so none of the AI modders can do anything about it's AI. We have the tools, we're aware of how it works, we're just completely held back until Firaxis releases it.

Base Civ 5 AI is terrible. Modded Civ 5 AI is glorious.

Every single AI modder has quit, waiting for the DLL. I don't even know if we get everyone back the longer they wait. Really disappointing.

Are Civ5 AI mods allowed when the game comes from Steam? Doesn't Steam do some sort of integrity checking for the game files?
Can't speak for civ, but steam hasn't ever done any sort of integrity checking for other games in my library. For instance, something like fallout 4 script extender modifies/replaces much of the core game files, and steam hasn't once complained.
I’ve never met a civ 5 fan that uses AI mods. I’m sure many use AI mods, but I must know a dozen or so fans of Civ 5 and none of them play with mods, just expansions. Most didn’t move on to Civ 6, but “no AI mods” wasn’t a complaint that I heard.
It's pretty common to see this with games from Firaxis (the developers of the Civ series). They tend to design each new title around a couple of Big Ideas, but they don't fully shake out the ramifications of those ideas during development. Instead, they put the game into the hands of players and then listen to them to figure out what's working and what isn't. Then they release a big expansion pack a year or two down the road that fixes the things that didn't work. Civ 4 wasn't really "complete" until the release of the Beyond the Sword expansion; Civ 5 wasn't until the Brave New World expansion; XCOM 2 until the War of the Chosen expansion; and so on.

As a result, it's not unusual for people to vocally prefer an older, already-expanded Firaxis title to its newer, still rough-around-the-edges successor at the successor's initial release. Lots of people strongly preferred Civ 4 over Civ 5 for years, until Firaxis fixed the big complaints they had with the latter.

I expect at some point we'll see expansions to Civ 6 that address the major issues people have with it now, and then Civ 7 will come out and we'll all have to listen to people longing for the good old days of Civ 6 for a year or two.

For me, it's mainly because of Communitas -> Community Balance Patch -> Vox Populi (rebrandings and changing devs over the many years) it's what makes Civ V really worth playing (Windows-only because the SDK was only released for the windows Civ version). Far superior AI, balance and more features.

But also because Civ VI feels like it's much more combat focused.

Can someone confirm if I've understood this right?

When you view a red shell enabled ad, a script on the page (or perhaps the ad server itself, based on HTTP headers) computes a fingerprint of your browser (IP address, browser version, fonts installed, screen size etc.) and stores (ad_id, fingerprint) in a database somewhere.

When you install and run a red shell enabled game, it computes the fingerprint of your machine and sends (game_id, fingerprint) to the server, which stores this in another table.

By joining these tables on the fingerprint, you can get some info on which ads are correlated with which game purchases.

Apart from this, red shell does NOT modify your browser settings, inject code into all pages you visit, add a browser toolbar, constantly run in the background, MITM your TLS or anything else like that. [EDIT: not trying to defend red shell here, just checking whether I need do a full reinstall of my PC to get rid of this thing]

Are you implying this somehow makes it ok?
No - what part of my post are you interpreting like that? I'm happy to edit if I'm giving the wrong impression. I just want to know how worried I need to be about my own gaming PC at the moment.
"Apart from this, red shell does NOT modify your browser settings, inject code into all pages you visit, add a browser toolbar, constantly run in the background, MITM your TLS or anything else like that."

This is the part that made me think you were defending it. My apologies for misunderstanding.

> I just want to know how worried I need to be about my own gaming PC at the moment.

Not sure if you play on Linux at all, but a good way to start is to run Steam in firejail. It isolates that environment from the rest of the OS.

https://wiki.archlinux.org/index.php/Firejail

Isn't this just beneficial for everyone? Why wouldn't it be okay?
It is detrimental to the privacy of the players. That makes it not okay.
So where do we draw the line? Is all analytics without permission not okay?
If you live in Europe, the answer seems to be "indeed, all analytics without permission are not okay". If you live in the US, it seems to be "whatever you can get away with".

Gamers seem to agree that this company should not get away with this. Wherever "we" have drawn the line, Red Shell has apparently crossed it.

Pretty sure spying on people who just want to play a video game without telling them or letting them opt out ahead of time is not only a bit immoral but also very much illegal, at least in Europe.

I doubt the form they have on their website where you have to know your id to opt out of the spying would hold up in court.

And that's probably why they gladly removed that piece of software - they would risk being fined in long term in Europe, I believe.

Opt-out as someone already noted, is available on red shell company site but I would try to block it in hosts instead of going on site where you can be again tracked. In a nearly ideal world, Firaxis would ask their customers if they agree for this e-life "improvement" of more accurate ads and whatnot else. In a perfect one, they wouldn't bother including Red Shell at all.

Red shell is gdpr compliant
How so? The opt-out is sketchy at best. Also, if I fire up Civ VI, I'm not at all aware of this practice. Neither of these suggest compliance; they suggest non-compliance.
If you read their site you would see that the information is not PI. It's just to match the two events.
I have three reasons

First, and the biggest, is you have to trust these scum. That they are doing only what they say they are and won't decide to do more in the future. Are they being audited? What are the notification capabilities and contracts when they decide to look more invasively?

Second, you have to trust their programming capability. Who knows what update / reporting capabilities it has, and how well secured it isn't (every time Project Zero looks at stuff like this they find holes. Every. Time.)

Third, the lack of transparency. If this is so awesome for me as a consumer, then these companies should prominently disclose it.

Scum? You're trusting hundreds of companies with your data everyday already. Redshell is regulated by EU as a data processor just like these other services.

Lack of transparency? Go check out redshell.io right now and see how they open up about everything they do pretty damn clearly.

Multiple devs who use redshell announced its integration in patch notes. What more do you want?

An explicit opt-in when said devs made the integration, and the game dev to not send tracking data be default.

Not expect every user to read all the patch notes go to a third party website and fill out an opt out form, and then pray the third party to honour your request. This is slightly different from expecting a game dev to do so - tracking is not their sole business model after all

Actual, prominent notification, not something hidden in the patch notes.

Facebook is regulated as a EU data processor too. And look what that's done (very little so far.)

If it was beneficial, the company would be trying to give us their data so that the company could benefit. They certainly wouldn't just be taking everyone's data and providing benefits to customers not paying for that benefit.
Could you rephrase that? This software allows companies to give measurable ROI to for example community events or streams. With this they can actually prove that by sponsoring a steamer they get X amount of game installs. Everyone wins from that.
Just to answer your question properly, I don't think you need to reinstall your PC to get rid of it. Most games are now removing it through an update.

There's a thread on Reddit that collates which games are still using Red Shell and which have removed it: https://www.reddit.com/r/Steam/comments/8pud8b/psa_red_shell...

I think you can just uninstall the ones that aren't planning to remove it yet.

Also, you can opt-out from RedShell's website. Although it doesn't seem straight forward to me: https://redshell.io/optout

It would be nice if malware and antivirus scanners could find/remove it too. I'm kind of miffed that the antivirus software I pay for let this stuff remain on my Windows partition for months even after the software was known to exist.
Removing it will probably break the game (it's a DLL loaded by the game executable, and I'm guessing most game devs don't bother to correctly handle its absence).
People were suggesting the home remedy of adding redshell sites that the software reports to to your hosts list.
Is there some Panopticlick-like program to test how trackable my PC can be? Other than what fonts are installed, what other ways are there to id a PC from an arbitrary program that can be also checked from the browser?
Pretty sure everything but VM clones are uniquely identifiable. Windows itself generates a ton of GUIDs at installation-time, things like graphics drivers also generate install-IDs and so on.
Why fonts? Or do they use fonts as an ID?
Because every browser except the latest from Apple will happily tell every website you visit exactly what fonts you have installed. And that list changes very slowly over time, if ever, you know kind of like those patterns of skin ridges on your fingers.
Fonts are part of the fingerprint, especially if you know the OS. You take the set of installed fonts and subtract the set of OS default fonts, and you are likely to arrive at a unique key.

Take my corporate domain for instance: you could identify any machine on my domain since we'd all have a custom typeface installed (used on our company letterhead.) You could further identify our marketing coordinator, because she has a lot of strange typefaces used for signage and promotions. You could probably further identify me as a web developer since I have a lot of WOFF2 packaged fonts installed.

Side question -- do/could type foundries find pirate companies by looking at IP addresses using paid fonts without a license? Hardest part would be linking paid licenses to IP addresses, making individual unpaid usage harder to nail down. But if a company with dozens or hundreds of users at a single IP address all had a particular font installed, that IP was linkable to the company, and company didn't have a license, wouldn't that be pretty damning evidence?

Typeface piracy is otherwise pretty difficult to detect isn't it? Is it part of normal enterprise asset tracking / inventory systems?

It's one factor in a set of variables, that when combined can pinpoint you uniquely. This helps them overcome anti-tracking mechanisms like disabling cookies and such. Basically, by implementing this kind of technology, they know you don't want to be tracked and are attempting to do so anyway.

See the mechanisms used for this browser test, particularly the link for 'fingerprinting' after running the test: https://panopticlick.eff.org

Funnily enough (and not that it makes it OK) you didn't have to accept the agreement to play the game (just click "I don't agree" or whatever the option is). Not sure if they still continued harvesting data though...
Does anyone have a list of the domains these guys use?

I'm curious if these are in the DNSLB easy lists or the lists used by PiHole.

If they aren't I'd like to add them to my blacklists on Pfblocker-NG.

redshell.io is already in uMatrix' list of blocked domains, so it looks like the easy lists are up to date.
(comment deleted)
Does the game show adverts in-game? Is the game free or do you pay for it? Sounds insane! I'd be upset enough about the ads nevermind the added salt of tracking!
No ads in game - this is supposed to be a campaign effectiveness tracker.

Since you buy these PC games through Steam there's no easy way to associate an ad impression with a resulting purchase like there is on mobile. Red Shell creates a device fingerprint for each ad and each play session and compares the two sets to see which ads were followed by purchases.

So on one hand, no ads in game and unlike Superfish or something it's perfectly reasonable info for devs to want. But on the other hand, it's achieved by way of a deep fingerprint which is uniquely identifying, and which could in theory be matched to other device fingerprints elsewhere.

I'm glad to see it gone, but I'd be fine if it came back as something fancy like a client-side hash of the data; the ad correlation is fine with me, the retained fingerprint isn't.

I think something like Red Shell is obviously good for society and consumers are hurting themselves by overreacting.

Better targeted ads == less money wasted on ads and more money spent on development == less people annoyed by ads they're not interested in == better games. Shame.

This seems like a misunderstanding of the complaint. I know people do oppose targeted advertising, but that's not why they're mad about Red Shell.

The way Red Shell targets ads involves building and storing full device fingerprints when you play a game. It's a privacy risk totally separate from the targeted advertising question. And yes, individual devs could do that also, but at least I've chosen to deal with those devs, and my data can't be tracked across different games by different companies.

If Red Shell switches to something like a device-side hash of the fingerprint, so that it can recognize returning users but not give out (or lose) the underlying data, I'd feel vastly better about it. Basic targeting analytics don't bother me, and "did this game ad work?" is vastly more justified than most tracking. I just don't want it tied to an externally-stored device fingerprint.

I guess I don't understand in what way that's a privacy risk. They have the device fingerprint, isn't that just the device id, like a name? This is only meaningful if paired with another piece of information, like your personal identity or other tracking. In this case it's game sales which I think is definitely a positive thing. I mean if they were tracking other things or keylogging or something I would be mad but...
They are apparently also logging the Steam ID which is unique for each Steam account. In my eyes the Steam ID is PII as very few people with more than one game on it will change their Steam account.
Although making a one way hash is the right way, having no opt-in is not in the EU. Also, you'd be surprised at what counts as PII in the EU. I know I've been after I read a lawyer's blog on the matter (sadly in my native language).
Better for society? Do you think industrial companies dumping pollution is better for society because it makes cheaper products too? By harvesting this data, these companies are making a negative externality and not compensating any of the affected users for it.

If they had been open about this, it'd be a different argument, but they kept it hidden

But in this case there isn't a third party that's being harmed...
No there's not, it's the second party being harmed directly. These game companies secretly harmed users by extracting and storing personal information without making it apparent that it was part of the deal
Maybe we'd have better games if diet, exercise, etc stats for all game devs and staff were publicly available ;)
"Better targeted ads == less money wasted on ads"

You're gonna have to expand more on that point.

"less money wasted on ads and more money spent on development"

There's no guarantee at all that the money not spent on ads (if that does happen) will be spent on development instead of just being pocketed.

"less people annoyed by ads they're not interested in == better games."

This doesn't follow at all.

There's better targeting like "This is a guy, so tampon ads are not likely to convert" and there's better targeting like "This guy watches a lot of porn, uses Facebook religiously, uses GitHub, lives in a high-rent area of San Francisco, owns two dogs, is probably gay, and is looking to buy a vacation property in Nevis."

The first is broad strokes. The second is extremely intrusive.

> Better targeted ads == less money wasted on ads and more money spent on development == less people annoyed by ads they're not interested in == better games. Shame.

The best targeted ads, for me, are no ads. I don't like wasting my time on ads, I don't like being manipulated by ads, I like to decide for myself based on my needs instead. I'm done with the "hey, do you need this?" crap shoved down my throat. Its like walking around in Eindhoven getting cocaine offered on every street corner. No, I'm not interested!

Now you could argue, "it isn't targeted enough on this person". I'm a cheapskate and I don't wanna play RNG lotteries.

Also, your logic is very much from an advertising company PoV. For the rest of the world it does not follow. What will likely happen is the exact amount of money (based on budget) will be spend on ads. Targeted ads just lead to more sales, at the expense of privacy. If I have the choice between targeted ads vs general ads I rather have general ads, because I don't want to see ads in the first place since I don't want to get manipulated (and I feel I often succeed on that one).

I set up a separate gaming rig specifically to isolate these kinds of problems. That's where I run all my games and nothing else.

You'd think it'd be more expensive to have another machine specifically for gaming. But the slowing of CPU advancements means that old systems can be usefully repurposed. I grabbed the husk of an older desktop from a few years ago, its CPU and memory being more than enough for gaming. Threw my GPU over to it (not needed for work or personal desktop usage), and I had a dedicated gaming rig for "free". Now I don't worry about scummy studios releasing malware masquerading as games.

For those more technically inclined, you can do a gaming VM. That used to be my setup prior to having a separate machine. GPU passthrough allows you to give your GPU to the VM. I had it running under Ubuntu, with Windows as the guest. Near identical performance. That was a cool setup, but kept breaking on OS updates so I decided to just use a separate physical machine.

But these are ultimately just defenses and are no excuse for knowingly running malware. Gamers should make it a point not to buy games or other software that plays loose with their privacy. These studios should be ashamed of themselves. But it's impossible to always know ahead of time what horrors lie within your software. So at least I sleep better at night knowing these "games" at least have their own cesspool to writhe around in.

Nice setup. I run all my games from a separate partition with its own copy of Windows, but your way is even better. I’m not looking forward to the world where we need a separate machine for each piece of software in order to ensure privacy, but sadly we are heading there.
(comment deleted)