Does a "World of Warcraft" EULA compliance mechanism count as spyware?

CORRECTION: 1:30 pm CT 10/26/05: An earlier release of this story attributed comments regarding "The Warden," Blizzard's anti-cheating utility, to security expert Bruce Schneier. The comments were in fact made by another security expert, Greg Hoglund, who was quoted verbatim in a posting to Schneier's blog. We regret the error and have made corrections herein.

Irvine (California) - The debate over the rights of individuals to protect themselves from intrusion by networks, versus the rights of networks to protect themselves from intrusion by individuals, has been raised to the next level. According to security experts, an anti-cheating tool called "The Warden," used by players of the popular network game World of Warcraft (WoW), collects information about all running processes in Windows, and reports back about those processes to the server of the game's publisher, Blizzard.

WoW gamers are familiar with "The Warden," which is installed as a security measure to disable known measures of cheating, and to unplug characters from the network where there is evidence of cheating. As we reported last month, some players were able to take advantage of a bug in the WoW game code, that exploited the capability of a virtual potion to inflict damage more quickly upon players with fewer experience points (XP). While this particular bug could be exploited through legitimate game play, most exploits are actually caused through direct hacking, especially by developing proxies that communicate with the server as though they were the WoW game client, reporting results that would be impossible through normal game play.

Such results can lead to the creation of virtual characters with disproportionate abilities compared to their experience, and that disrupt the stories of legitimate characters.

Last September, security software engineer Greg Hoglund, co-author of the book Rootkits: Subverting the Windows Kernel, noticed peculiar behavior while testing the development of a robotic character generator - in effect, a virtual operator for a virtual character. According to a Web site for open-source developers of such "'bots," Hoglund reported in one of its private forums that The Warden's behavior had apparently changed from what had previously been observed. Instead of looking for particular game-hacking programs, The Warden looks through all open Windows processes, searching for window titles with particular names: usually the names of known bots, which are often prefixed with the characters WoW!. Comparing Blizzard to the Gestapo, Hoglund suspected that the information being collected through this method was being passed on to Blizzard's server, and may result in Blizzard banning the 'bot character.

Whether a virtual court of appeal exists for virtual people pretending to be virtual characters for the sake of virtual ill-gotten gain, is virtually unknown.

Controversy over the extent to which Blizzard protects its own network began erupting last August on the publisher's own message boards, leading to a company representative making a lengthy post on the subject. "What those players seem to be concerned about is whether the hack scans are ethically appropriate," reads one post from 23 August. "To address those concerns, we'd like to make it clear that the scan does not review or retrieve anything that's personally identifiable." The post refused to go into detail about what The Warden does scan, citing the need to protect the company's own proprietary processes from malicious exploitation. However, the post explained that Blizzard did not need The Warden to collect any personal information from the player's computer to be able to ascertain whether its network is being hacked, as well as to suspend the suspect's account.

The Blizzard forum post's obvious omissions may have inspired some to fill in the blanks, and investigate how The Warden does make a judgment call on behalf of Blizzard. This led to another of Hoglund's posts being excerpted by security expert Bruce Schneier a few weeks ago, under Schneier's headline, "Blizzard Entertainment Uses Spyware to Verify EULA Compliance."

In the excerpted post, Hoglund discusses having thoroughly examined The Warden, discovering it to be a process that runs every 15 seconds, running the Windows API function GetWindowTextA() to retrieve the title bar contents of all running processes on his computer. Next, he reported, The Warden sniffed out the e-mail addresses of his MSN correspondents, the URLs of all open Web pages in his browser, and the Registry names of all running processes, including minimized programs and toolbar functions.

All the collected character strings, Hoglund reports, are passed through a hashing function that generates derivative values, or "hashes," that are compared against other hashes of the titles, brand names, or handles of known 'bot programs. Next, he observed The Warden accessing his e-mail client and his PGP key manager, which is used to encrypt messages and authenticate senders. Hoglund writes:

This behavior places the warden client squarely in the category of spyware. What is interesting about this is that it might be the first use of spyware to verify compliance with a EULA. I cannot imagine that such practices will be legal in the future, but right now in terms of law, this is the wild wild west. You can't blame [Blizzard] for trying, as well as any other company, but this practice will have to stop if we have any hope of privacy.

To the end of the Hoglund excerpt, Schneier posted a comment which reads, in part, "This is a program designed to spy on the user and report back to Blizzard. It's pretty benign, but the next company who does this may be less so. It definitely counts as spyware."

The Hoglund excerpt sparked a long, though not unprecedented, debate among his blog users, some of whom agreed with his contention that The Warden is spyware, while others stood up for Blizzard's rights, asserting that many online security and anti-virus tools use similar practices.

The End-User License Agreement (EULA) is the contract that a user signs with the press of an "I Agree" or similar button, to indicate that the user agrees with everything the software publisher intends to do to his system or to his life, in advance of that action taking place. Blizzard contends that WoW customers are fully informed of the behavior they should expect from The Warden, by way of the game's EULA. Annalee Newitz, a contributor to the online publication AlterNet, has been following the controversy, and writes:

The thing that really pisses me off is that this is all being done in the name of having fun and playing games. I'm supposed to give up my Fourth Amendment rights in order to ax a bunch of warriors controlled by teenagers in Milwaukee? No thanks...Do you realize the government would have to have a warrant to get the kind of information Blizzard claims it has the right to suck out of your computer to stop cheaters? Doesn't that seem a wee bit wrong?

The best offense, someone else once wrote, is a counter-offense. Throwing, if not water, then at least some form of liquid substance onto the flames, on 17 October, Hoglund released through his Web site a utility he calls The Governor. Its job is to sniff out the activity of The Warden, and report that activity to gamers. According to Hoglund's page, The Governor is not a cheat or subversion program, just a "sniffer," making users aware of The Warden's procedures. But on the download page for the utility, Hoglund stops just short of daring Blizzard to ban users of The Governor, just to see if the company will cross that line.

"Will Blizzard ban me if I use The Governor?" Hoglund writes. He reports having witnessed no such attempts by Blizzard thus far on his test systems, but adds, "Blizzard can choose to ban you for using a 3rd party program. The Governor is a 3rd party program...In my opinion, banning people for seeking the truth about warden would sink Blizzard to a new all-time low. But, this isn't my decision. I cannot guarantee you won't be banned."

Admitting most responders to his recent posts have disagreed with his and Schneier's position that The Warden constitutes spyware, Hoglund recently floated the argument on his Web site that, with respect to the basic definition of spyware, The Warden may indeed fall outside that category. Yet he goes on to argue that, in the wake of laws that are changing our viewpoints, our definitions may be in flux, and perhaps should be. Still, he says, The Warden constitutes a violation of personal privacy, and asks for readers to join him in "drawing the line" to determine where it is they stand on this critical issue.

Incidentally, the link just above Hoglund's essay reads, in bold, italicized letters, "Featured Article: Evading hack detection mechanisms in online games."