Facts about the Spyware Article

[nbnb]

You dont need to be a cool hacker with cracked firmware to find out whats going on.

Every everage IT guy can tell you:

AF truely wasn't coded for that many users: there are some big issues and some of them were hotfixed. Some of them still need to be fixed. We are waiting for the update.

Do you send your contacts? (when you just play a normal user without comm feature)
NO.

Do you ever send your contact list?
YES.

When?
Whenever you press the "update my friends" thing.

Is it at least encrypted?
NO. At least not at the moment. encryption will be patched.

What exactly is sent?
To be as axact as possible:
- your total friend count
- every phone id/last_change_id/number/email tuple in your phone book

Is it stored?
I dont know. you cant tell.
but at least there is no way i know about for IT-People to retrieve this data.
and as you might have realised: i know many details about the game.

So it kind of IS a big deal.
If i were you i would not update the friends till update 1.0.0.1

and remember: most of you exchange email/httpAuths/ftp and many more things unencrypted.
this is very compareable.

Wait for the updates and stay calm

[roar]

Vouch for nbnb, bringing this forum great content since June 2008!

Seriously though, thanks for more information as always nbnb!

+karma

[nbnb]

i 'm watching all my iphone traffic and untill today when i synced my friendlist there were no privacy issues with AF.

I posted the article because i think im "neutral"
no fan boy - no headline hunting blog writer

The devs don't underestimate privacy issues. I remember them hotfixing a privacy-related security thing in less than an hour.

[vegantnt]

Jul 22, 2008 2:08:54 GMT -5 nbnb said:

i 'm watching all my iphone traffic and untill today when i synced my friendlist there were no privacy issues with AF.

I posted the article because i think im "neutral"
no fan boy - no headline hunting blog writer

The devs don't underestimate privacy issues. I remember them hotfixing a privacy-related security thing in less than an hour.

I'm really glad you wrote this. What I wrote was more of a defense of something I thought was being attacked. People were writing about it as if it was a sinister plot to steal their info.
I know there is a whole technical side to it but I didn't touch that part because I'm not well versed on it and I didn't want to sound like I was making things up. It was just clear to me that in a 1.0 version of a game, on a new platform, unsure of how popular it will or won't be, doing things no other app is, it was most likely looked over or purposefully skipped over to focus on other things.

But again, thank you for this. +1

[lancewallen]

I don't see the purpose in it sending out all of that information. The server should pull YOUR info and share it if you choose to, I don't need some server pulling my mothers cellphone number out because I play a game. If that's not removed I can't really continue using this software, which is a shame because I really enjoy it even in it's broken state.

I'd like some developer communication on this with some real official details and what exactly is happening and how they plan on handling it in the future. I don't want my entire contacts list sent anywhere, it's irrelevant to this game.

[vegantnt]

Jul 22, 2008 11:02:51 GMT -5 lancewallen said:

I don't see the purpose in it sending out all of that information. The server should pull YOUR info and share it if you choose to, I don't need some server pulling my mothers cellphone number out because I play a game. If that's not removed I can't really continue using this software, which is a shame because I really enjoy it even in it's broken state.

I'd like some developer communication on this with some real official details and what exactly is happening and how they plan on handling it in the future. I don't want my entire contacts list sent anywhere, it's irrelevant to this game.

Well it's kinda relevant. If the game only sent the users data then how would other people know you have an AF account? The only other way is to manually type in the cell/home number and email of everyone you THINK might be playing...

That's a lot more work than it's worth.

This topic refers back to the one I did last night
aurorafeint.proboards100.com/index.cgi?board=world&action=display&thread=314
if you scroll to the bottom of the first page you will see a reply from Jason Citron, who is one of the 2 developers, talking about the update being submitted today and making sure your info is as secure as it should be.

Hope this helps

[lancewallen]

There should be a way to opt out of having your entire contacts list sent. I only want my personal info sent out there, not my mother or girl friend, etc... There's no point in sending my entire list of contacts out. I'd rather manually add than have all my info out on a server whether its been encrypted or not. It should be my option whether or not to send that data, and right now the only way I have that option is to not utilize the online portion of this game at all.

[vegantnt]

Jul 22, 2008 11:19:30 GMT -5 lancewallen said:

There should be a way to opt out of having your entire contacts list sent. I only want my personal info sent out there, not my mother or girl friend, etc... There's no point in sending my entire list of contacts out. I'd rather manually add than have all my info out on a server whether its been encrypted or not. It should be my option whether or not to send that data, and right now the only way I have that option is to not utilize the online portion of this game at all.

The only thing stored on the server is your info (name, phone, email) and that info doesn't even have to be real. as long as it matches something in your contacts it will work. Your entire contacts are not stored on their server.

Personally, I would prefer that the list of AF users be sent to my phone and cross referenced. However Apple doesn't let apps touch certain functions of the iphone so that probably isn't possible. =/

[Danielle Cassley]

I would like to let everyone know that last night we restructured out system to use industry standard protocols for protecting sensitive data over the wire. Our privacy policy (located on the website) details our exact use of the contact list and typed in data. Feel rest assured that Jason and I have taken this very seriously.

[jacobtgaines]

What's funny is the fact that nobody saw this coming. One second this game's just a fun project and the next it's the biggest freeware game on the internet! Congratulations! Think of these required security measures as a step in the right direction. All of these requirements and upgrades are just preparing you for the hundreds of thousands of players who are yet to come.

[caldaan]

OK OK OK Time Out!

First I know this is opt in. But the devs have stated repeatedly that this feature is suppose to help people join into the community. What if this current statue of this feature prevents the very thing they want to accomplish?

It is one thing for me to put my information out there accessible to a 3rd party. Encrypting what I send you is awesome but you still receive the information. Just because you don't store the queries doesn't mean you can't. That means I have to trust you.

Fine I trust you.

But what about my boss, his boss, my clients, what if I don't want you to know about the doctors I see(trust goes only so far). Granted if they play and they have accounts and have posted that info they don't care. However, I can't just send confidential information to a 3rd party just because I want people to show up on my friends list for a game I play.

You made the feature great, but a more normal industry standard search for individual people is more important. This way I never have to send confidential information to you just to see friends show up and participate in the community. The ability to accept or deny friends would be good to.

The next update takes care of all spyware concerns by being 100 percent upfront with what is going on. But I don't have to send all the doctor's I see to Valve just to use the community features of Steam. I don't have to send my client's information to Sony to keep track of people in my friend's list for my characters in Everquest 2. I really don't see how this is any different.

[omar]

Making things automatic and all that is fine where it is called for. I personally take my privacy very seriously, and do not appreciate my personal information used without my knowledge, whether it was sent over the wire encrypted or not. That is why there is statutes out there that force the credit card companies, doctors, any one you deal with to give you those brochures about privacy, and that is just information about you.

I believe this has stepped way over the line by taking phone information, names, email addresses from my contact list WITHOUT my permission or notice.

This sounds like a serious legal issue, and with the great number of people who have been affected by this, could be a huge class action if this information has been compromised in any way.

[peloquyn]

Why is it that everyone is so quick to threaten legal action? Please, explain it to me. I understand being concerned, I understand feeling as if you were not fully informed - but "huge class action" sounds to me as if you feel as though you're entitled to....something. The developers have taken responsibility, worked to rectify the situation, and as far as we all know (and they've been honest, I expect them to continue with that) there was never a "compromise" to any information - at all.

So you can make your displeasure known, but threatening legal action is poor form.