I just posted the second Skotos Guest Voices article, "The Cost of
Insecurity: Griefing, from Anonymity to Accountability". It can be
found here:
http://www.skotos.net/articles/guestvoices2.phtml
Guest Voices is a new Skotos column where we're giving everyone a
chance to share their expertise with the online game development
community. If you'd like to contribute an article, please let me
know; anything related to games is fair game and I'd love to see
some more articles from MUD-dev!
Shannon
<EdNote: Text below.>
--<cut>--
The Cost of Insecurity: Griefing, from Anonymity to Accountability
by Steven B. Davis
2005-05-10
Steven is the CEO of IT GlobalSecure Inc.. This article centers on
his area of expertise, discussing griefing and cheating in online
games.
The dark side of the explosive growth of online gaming has been an
infestation of griefing and cheating. Griefing is truly an
'Internet' problem. The relative anonymity of Internet
communications has resulted in a decline in civility and the massive
scale of the online games has resulted in a loss of 'adult
supervision'. After all, if you were playing a face-to-face
role-playing game, you would likely not 'grief' for fear of being
slugged or snubbed by your soon-to-be-former friends. First, to
define, somewhat formally our terms:
Griefing: an act, action, or communication that is technically
legal under the rules of the game (as implemented and enforced in
software), but is disruptive to the game experience of
others. Such activities may be prohibited by Terms of Service and
are often beyond the pall of ordinary human decency and common
sense.
Cheating: an act or action that is illegal under the rules of the
game (as implemented and enforced by software) that has been
circumvented by any means including altering of game state,
communications, race conditions, buffer overruns, etc.
Griefing and cheating are of concerns to game developers publisher
and operators because they cost money.
Customer Impact:
- Players quit because they don't like the negative experience
- New players don't join because they don't want the hassle
- Ethically ambivalent players get expelled (they wouldn't have
cheated or griefed if they knew they would get caught).
Company Impact:
- Increased customer service support costs to deal with
complaints, real and perceived
- Increased in-game customer service costs
- Increased technical support costs to identify threats
- Increased technical support costs to counter threats
- Increased technical support costs to identify & remove malicious
players
Of course, game companies can and do ignore security problems --
sometimes the cost to fix a problem is just too high. Also, because
of the structure of the games industry, developers, who are best
positioned to address these problems, have little to no financial
incentive to do so. They get paid for delivering a working game on
time and on budget. There is often no reward for reducing or even
planning for 'lifecycle support'. Publishers have not addressed
these issues since most revenues come within the first several
months of a product's release -- long before annoying security
problems (and bugs) become visible.
Online gaming has changed this dynamic. Simply adding network play
can add 10% to 40% to the sales of a title. After all, if you want
to play with a friend online, you can't borrow her copy; you have to
buy one yourself (see Battle.net, Counterstrike for Half Life, and
the forthcoming Guild Wars). This effect is magnified for expansions
and follow-on products. If subscription or pay-for-play is added,
the revenue opportunities for a single title (and the corresponding
impact of security flaws and bugs) multiply. In January 2005, Bungie
terminated thousands of Halo 2 players for cheating and griefing -
costing Microsoft tens to hundreds of thousands of dollars in
revenue per year1.
This article will focus on one of the most pernicious aspects of
griefing -- harassment and abusive communications. We will explore
existing solutions and a sample alternative from both a technical
and business perspective.
No 'Right to Anonymity'
Insults and harassment are virtually routine for many online
games. The anonymity afforded to online game players has given rise
to widespread and increasingly aggressive harassment. The hardcore
gamers that are otherwise prized by game companies are often the
worst offenders and taunt 'n00bs'2. This, of course, is the riskiest
time for a game operator -- new players are liable to abandon a game
that they find hostile. There is often a perception of a 'right to
anonymity'. There is no legal basis for this and, in fact the
Privacy Act in the US did not come into being until 19743. Sexual
and racial harassment also, regrettably, occur to often.
In-Game, Community, and Customer Support
To fight these problems, as well as to address other issues, game
companies provide customer support and community
features. Apparently as many as 25% of customer support calls are
due to griefers. This direct avenue for complaint is also a direct
cost to the game company. The most common 'griefer counter-measure'
is to put in place a strong community system. Depending on the game,
these community services provide clan features, friends lists,
reputation stats, and other features both to tie players more
closely to the game and create an environment that reduces anonymity
for misbehaving players. One of the best features of a strong
community system is that it can provide substantial security
benefits at negligible cost. After all, the game developer is
putting the system into place for business growth and marketing
purposes.
There are two main limitations of community systems. First,
malicious players can often create new accounts (especially for free
game services) removing the effectiveness of the social stigma of
griefing. And second, malicious players can use the anti-griefing
system to cause further grief by wrongly accusing players of
griefing. This is an excellent and unfortunately example of griefers
using the game system against itself and other players. Some online
game services, such as Battle.net, X-Box Live, and Valve's Steam
have the capability to tie a license key or other unique tag to a
Player. X-Box Live has apparently banned several thousand players
for griefing.
The other major form of support is found in persistent world games
where live monitoring of game play through Game Masters is often a
part of the environment. This gives the game provider the ability to
respond in near real time to griefing incidents. This solution is
quite powerful, but it does come at a cost. First, the game operator
must staff the live team with sufficient Game Masters to handle
griefing as well as their other functions. Considering that online
games are 24x7x365 operations, each in-game position may require 5
full-time employees. The cost of salaries and benefits for such an
employee can range for $25,000 to $50,000, the cost for having one
live position equivalent dedicated to griefing problems will range
between $100,000 and $300,000 per position per year.
The cost of managing griefing can grow rapidly for a game service
provider -- causing the problem to be neglected, redirecting staff
from other assignments, or increasing the total staff cost for the
game. For a small game, these costs can be the difference between
success and failure. For a large game, these costs are a continual
drag on the bottom line.
Given these numbers, a game company can make a decision as to
whether a new security solution is needed. If griefing is at all a
problem in a game, it is probably costing hundreds of thousands of
dollars. Minimum. The question is, are there solutions, and what do
they cost?
Answers
A security solution would stop, but should detect, and hopefully
deter the griefers. Stopping griefing through 'dirty word' lists is
almost impractical -- though Disney's Toontown Online architecture
that eliminates 'chat' except among trusted friends4 is an ingenious
exception. This solution worked excellently in Toontown's unique
environment, but for most games, a general-purpose communication
capability -- either via text chat or voice is integral to the game
experience. Real 'dirty word' lists are very vulnerable to
'misspelling' attacks that will thwart the security system while
effectively conveying the harassing message. Live license keys are
fairly effective, but they do not have a strong binding mechanism to
an individual message. Similarly, credit card controlled accounts
for massively multi-player games can strongly identify an individual
player during a session, but they also cannot be bound to a
potentially offending message. The best tool to bind a message to an
individual is a digital signature.
While there are numerous sources that can explain how digital
signatures work, the important feature they support is
non-repudiation. Non-repudiation is the property that only one
individual could have signed a message. This works by taking
advantage of the critical characteristic of public key
cryptography. Namely, that knowing the public key (P) 'half' of a
public-private key pair will not allow the reconstruction of the
private (secret) key (S). Thus, I can broadcast my public key to
everyone and they will be able to decrypt my messages, but only I
can encrypt them.
I can then use my private key to 'sign' a message by encrypting a
hash of the message (or the message itself). Then, anyone can use my
public key to validate my signature:
The signed message:
S(message) or message,S(hash(message))
where only I know S( )
The verification process:
P(S(message) = message or P(S(hash(message)) = hash(message)
where everyone knows P( ) & hash( )
Now, if we build our communication system (either voice or text) and
we add in a digital signature system, players will not be able to
deny their messages. If a player can store and forward these
messages to the game operator, the operator will have an undeniable
record of the conversation. This has several benefits. First, the
potential griefers will be deterred knowing that their actions are
not-deniable nor spoof-able. This is probably the most important
characteristic of the system. Deterring griefing (like crime) has a
much better return on investment than hunting down and catching
griefers. This actually can be extended to regular in-game actions
to deter spawn camping and other griefing problems. Second, the game
operator can reduce the live team and customer support staffing for
grief-management because the reliable capture of grief
communications means that real-time response is less
critical. Players can post messages for reliable adjudication and
both sides of a conversation can be used as reliable evidence --
which leads to the third benefit: fewer customer disputes and
complaints.
This quick introduction to an anti-griefing system has, of course,
short-changed many details. For example, a public key infrastructure
needs to be put in place to make this system work (to issue,
distribute, and maintain public and private keys). Also, there needs
to be a way to ensure that the signatures are actually bound to an
individual. Finally, the infrastructure for reporting and handling
alleged griefing incidents must be created.
There are many tools to help you implement such a system, and some
of them are free. One I like is (Tom St. Denis's LibTomCrypt -
http://libtomcrypt.org/), though there are many others. Companies
like RSA (
http://www.rsasecurity.com), Certicom
(
http://www.certicom.com), others provide commercial cryptographic
toolkits. Our company, IT GlobalSecure, can easily support signed
messaging as part of our anti-cheating product, SecurePlay
(
http://www.secureplay.com)
Implementing security systems securely is a distinct engineering
discipline -- good technology can be undermined by a poor system
implementation and business processes. Also, there are export and
other issues that may be a factor, depending on your markets and the
specific security technologies you choose.
Conclusions
Security needs to be judged by the same standard as any other
product or service -- does it reduce costs or gain customers and
revenue. In the discussion above, effectively reducing harassment
griefing could result in direct cost savings of between $75,000 and
$ 200,000 per position per year (by simply changing from 24x7
anti-griefing support to 8x5 coverage. In fact, even if the size of
the problem remained the same, there would be a 10-20% savings by
simply eliminating shift work). If, as cited, griefing accounts for
25% of support calls, a substantial portion of those resources can
be allocated elsewhere.
This article has reviewed the cost of insecurity due to griefing for
online games. We discussed both the business issues as well as the
technology. Online gaming is unique -- cheating and griefing
security problems are clearly and directly reflected in your
profits. The problems are real and their impact on your revenue can
be clearly measured. As you have seen, security problems can be
addressed without technical solutions, but also that there can be a
compelling business case made to invest in protecting your game and
your bottom line.
1.
http://www.bungie.net/News/TopStory.aspx?story=weeklywhatsjan14. Given
the $50 ($49.99) yearly subscriptions to X-Box live, the cost per
thousand banned is; $50,000 (US). One should commend Microsoft,
Blizzard, Bungie, and others for being willing to disclose
security problems and to actively address them.
2. 'Inflicting Pain on Griefers', David Becker,
http://news.com.com/Inflicting+pain+on+griefers/2100-1043_3-5488403.html
3. Surprisingly, the US actually has quite weak privacy
laws. Online game developers should be aware that in many places
in Europe and Asia, privacy laws are quite strict and should be
considered in the design of an online service. They may affect
both the collection and storage of individual data and marketing
information.
4. Mike Goslin, 'Postmortem: Disney Online's Toontown',
Gamasutra/Game Developer Magazine, 1/28/2004.
--<cut>--