Monday, July 25, 2016

CCP's War On Illicit RMT: Hacking And An Extended Ban Wave

Tweets like those above are not unusual. Tweets like those above coming on a summer Sunday afternoon in Reykjavik? Something is going on.

I don't know if a major hacking attack happened yesterday. The odds are good that hackers accessed the customer records of a major company, which usually results in account hacking attempts against CCP, and CCP Bugartist wanted to warn players to protect themselves. But the number of hacked accounts is increasing. In a Reddit thread on 9 July complaining about slow responses for aid with hacked accounts, EVE Universe Community Manager CCP Falcon stated:
We're of the opinion internally that it's a combination of a number of factors:
  • A recent general spate in hacking that's exposed a lot of email/username/password combinations publicly
  • A significant number of EVE players choosing to share their accounts (a sizeable proportion of "account hacking" is down to this, and account ownership disputes)
  • The introduction of skill trading, which has had an effect on account hacking due to it being a fast way to cannibalize accounts for ISK which can be used for RMT (skill trading is VERY popular).
Our Customer Service team and our security team are changing internal policies, adapting to the situation and working on clearing up the tickets that have been caused due to this, but it's taking time because of the complexity of the investigations that need to happen.

Contrary to popular belief, it's not just a case of throwing bodies at the problem, this won't work. The Customer Support guys who're working on this are extremely skilled at what they do, with intricate knowledge of our tools and systems. That doesn't come overnight, most of the staff assigned to working on this have been with us 5+ years.

Tracking the sale of illicit ISK at the Player Auctions website, the amount of money players spent buying ISK nearly tripled from January to March. When including the sale of skill injectors, spending at Player Auctions is still up 2 1/2 times over January.

CCP Falcon also explained why dealing with hacked accounts is so difficult.
Progress on resolving hacked account issues is a lot slower than ship reimbursement. Each case can take days each if it needs extensive investigation.

For example, if your account is hacked and all your SP is drained, and your assets are taken, the SP then may be sold on the ingame market to unwitting buyers to raise ISK that's then sold for RMT purposes, along with the assets.

It's then a matter of tracking all this SP and all these assets, reversing transactions where appropriate, or making the decision not to if it would have an effect on an innocent player who's done nothing wrong and simply legitimately bought SP from the market.

These are incredibly complicated cases that have to be treated very carefully so as not to cause a chain reaction that affects multiple people who are innocent of any wrongdoing.

It's not just a case of "reverse everything and give the account back". It's far more complicated.

The best advice we can give you is to make sure your account is well protected with 2fa, and that you're not sharing your login details with anyone.
The above description of the issue suggests that CCP uses the results of the investigations to ban those involved either buying or selling items and skill points. Reviews left by dissatisfied buyers show the internal policy changes CCP Falcon mentioned are having an effect.

I should add that up until this month, bans against ISK buyers and sellers appeared in the Player Auction reviews mainly during the first week of a month. In July, as the graphic above shows, the bans occurred on a continuous basis.

One last observation about the state of the secondary market. One interesting fact is that ISK sellers try to convince potential buyers that they do not obtain their products through illegal means. They do so because CCP takes a closer look at hacked accounts than they do when catching botters. With ISK sellers relying more on hackers, the risk of buying ISK and skill points off the black market just keeps growing.

Tuesday, July 19, 2016

EULAs, Terms of Service, Can Matter In Court

Digging into the Counter Strike: Global Operations gambling scandals unearthed a lot of information. One little item I discovered in the Steam Subscriber Agreement is from Section 2G:
"You are entitled to use the Content and Services for your own personal use, but you are not entitled to: (i) sell, grant a security interest in or transfer reproductions of the Content and Services to other parties in any way, nor to rent, lease or license the Content and Services to others without the prior written consent of Valve, except to the extent expressly permitted elsewhere in this Agreement (including any Subscription Terms or Rules of Use);"

With "Content and Services" defined as:
"...including but not limited to Valve or third-party video games and in-game content, and any virtual items you trade, sell or purchase in a Steam Subscription Marketplace."
So technically, sites like OPSkins that convert skins to real world currency with funds deposited to a PayPal account violate the SSA. I use the term "technically" because Valve appears to allow the sites to operate with a wink and a nod. At the very least, Valva does not enforce its rules very vigorously. A cynic may even claim the rules are only enforced when lawsuits are filed, but I don't know that for a fact.

I decided to reread the Steam Subscriber Agreement after rereading the top question in the Ask Us Anything conducted by eSports/gaming lawyers Bryce Blum, Ryan Morrison, and Jeff Ifrah.

Q. Lawyers, I personally have gambled skins before, I'm over age and can so it's not something illegal for me to do. My question is, is this technically gambling? The reason I ask is because there is no technical way to 'cash-out' the skins without using a 3rd party site that goes Valves ToS/SSA.

The reason I ask this is because in Florida we have had this lawsuit between the government and 'arcade owners'. The Arcades are basically slot machines but you get gift cards and not cash if you win. The courts found the Arcades ok since gift cards are not considered monetary value.

Doesn't that seem very similar to Skin betting and all?

Blum: This is a great question, and should probably be higher up. When it comes to skin betting, there is a threshold question of whether or not skins constitute consideration and therefore fall under the wide array of gambling laws we're discussing throughout this thread.

For my money, I think this is a no brainer because the secondary market is prominent, permitted to exist, and skins have widely known value. That being said, there isn't a case directly on point here so it's impossible to say for certain. I've discussed this issue at length with /u/ifrahlaw [Jeff Ifrah] so hopefully he can chime in as well.

Edit: I'd also add that it's not necessarily a safe assumption that simply because you are overage you are acting within the bounds of the law. Regulations vary significantly depending on jurisdiction and the type of wagering activity involved. In the US for example, internet based gambling is largely prohibited, even if you are over 18.

Ifrah: Agreed - great question. To start, the distinction Florida makes on the 'arcades' is not one that every single state shares. That is part of what makes the gaming industry so tricky in the US. Not only are there federal laws to comply with, but every state has its own definition of gambling that must be taken into consideration.

But, I agree with your premise about the cashing-out distinction. In our work, the question is whether the skins are a 'thing of value.' Generally, in traditional gambling cases, this means cash or chips. There is a recent court decision from Maryland – Mason v. Machine Zone - that stressed the distinction between virtual things of value and things of value with 'real world' value. I think this case will be instructive in the future. Skins, even with secondary markets, hold their value because of the gaming, which puts it squarely in the virtual world. If the skins are virtual things of value, using them for gambling would be OK under most laws.
The significance of the responses from the two lawyers is that they do not believe that gambling for virtual goods violates most gambling laws, even with the presence of unsanctioned secondary markets. Valve may face legal problems with their possible connections and implicit approval of secondary RMT sites like OPSkins.

Looking into the opinion in Mason v. Machine Zone, I found something on page 3 that made me smile:
Crucially, there is no real-dollar value attached to “gold,” chips, or any Casino prizes. On the contrary, Defendant’s Terms of Service (“ToS”)—appended to Plaintiff’s Complaint—provide that “Virtual Currency and Virtual Goods may never be redeemed for ‘real world’ money, goods or other items of monetary value from [Defendant] or any other person”; that players receive a nontransferable “revocable license to use the Virtual Goods and Virtual Currency” solely for personal entertainment purposes; and that, aside from the foregoing license, players have “no right, title, or interest in or to any such Virtual Goods or Virtual Currency.” (ECF No. 1–2 at 9.)

Although the ToS expressly bar players from “buy[ing] or sell[ing] any Virtual Currency or Virtual Goods outside the Services or in exchange for ‘real world’ money or items of value” (id. at 10), Plaintiff alleges that “players have created secondary markets to buy and sell Game of War accounts” (ECF No 1 ¶ 37). Plaintiff does not allege that Defendant hosts or sanctions these secondary markets, nor does she allege that she has ever sold or attempted to sell an account—nor even that she intends to do so in the future. 
First, if the game company in question does not provide a method of cashing virtual goods or currency into real world currency, the company is not held liable for any gambling charges. The second is that the judge treated the terms of service for Game of War as a legal document, or at least relevant in this case.

I find the whole situation with CSGO fascinating. Whatever the legal result is in the two class-action suits will probably impact gambling in all other games, including EVE Online, at least in the U.S. Perhaps the biggest long-ranging impacts coming out of the whole mess is that EULAs and ToS do legally matter.

Friday, July 15, 2016

Valve Shutting Down The CS:GO Gambling Sites

"You may not use Cheats, automation software (bots), mods, hacks, or any other unauthorized third-party software, to modify or automate any Subscription Marketplace process."

The fallout of the Counter Strike: Global Operations gambling scandals picked up steam after the filing of the second class-action lawsuit against Valve in Florida on 1 July. The plaintiff modified the filing on 7 July to include CSGOLotto, Trevor “Tmartn” Martin and Tom “Syndicate” Cassel following the revelation the two popular YouTubers also own CSGOLotto. On Wednesday, Erik Johnson, one of Valve's business development authorities, posted the following announcement on Steam:
"In 2011, we added a feature to Steam that enabled users to trade in-game items as a way to make it easier for people to get the items they wanted in games featuring in-game economies.

"Since then a number of gambling sites started leveraging the Steam trading system, and there’s been some false assumptions about our involvement with these sites. We’d like to clarify that we have no business relationships with any of these sites. We have never received any revenue from them. And Steam does not have a system for turning in-game items into real world currency.

"These sites have basically pieced together their operations in a two-part fashion. First, they are using the OpenID API as a way for users to prove ownership of their Steam accounts and items. Any other information they obtain about a user's Steam account is either manually disclosed by the user or obtained from the user’s Steam Community profile (when the user has chosen to make their profile public). Second, they create automated Steam accounts that make the same web calls as individual Steam users.

"Using the OpenID API and making the same web calls as Steam users to run a gambling business is not allowed by our API nor our user agreements. We are going to start sending notices to these sites requesting they cease operations through Steam, and further pursue the matter as necessary. Users should probably consider this information as they manage their in-game item inventory and trade activity."

Monday, July 11, 2016

Counter Strike: Gambling Operations

"In chaos theory, there's a concept known as sensitive dependence on initial conditions. Most people call it the butterfly effect. In EVE, we call it the sandbox."

Among the interesting developments in EVE Online is the growth of online gaming sites utilizing in-game currency and virtual goods. I don't think that popular sites like EveBet and I Want ISK really worry about real world gambling laws. After all, the money wagered is internet spaceship bucks and not convertible to real world currency without violating the EVE Online End User License Agreement and Terms of Service. No need to worry about lawyers or governments intervening, right?

Monday, July 4, 2016

Chasing Shadows

I didn't get off to a very good start with the July update last week. I didn't really get settled in until I discovered I needed to stay logged into the Captain's Quarters. Once I figured that out, I was good to go, right?

Not really. The next step involved participating in the new event, The Shadow of the Serpent. The concept seemed simple. Just log into the game and see the available events on the character select screen. Of course, since the game is EVE Online, not everything is so straightforward.

On Wednesday, I decided to give the event a try. First, I looked at the four activities on the character select screen. Three kill missions and a mining mission. Okay, maybe mission isn't the correct word, but that's how I think of them. Only, the mining mission disappeared by the time I logged my main into the game. Then came the confusion. Where do I find the events? I had heard that in previous events the sites appeared in the probe scanner, so I flew around high sec and low looking for one to appear. After about 45 minutes of fruitlessly looking, someone in a chat channel told me the sites appear on the overview. I just flew to a station, docked up, and logged out.

My next opportunity to play video games was Friday. Due to the 4th of July holiday, I only had to work a half-day. So what did I do Friday afternoon? Play EVE. Instead of logging into my main account, I logged into my industrial account. I may define industrial differently than others. My main industrial alt can't fly battleships, but can fly everything up to and including command ships. But I didn't have to worry about that, because one of the event options included mining 500,000 units of scordite.

I know where to find scordite! I decided I would do the events in high sec, so I flew to a system in which I had set up a cache of ships to do some mining. So I hopped in a Skiff and headed out to a belt.

Now, I did have a couple of concerns. Did I have to only mine scordite, or could I mine any type of scordite, like condensed scordite? Also, would I need to transport the mined ore to a station? The event description didn't say. If I needed to transport the ore, I could always multibox and use both my Orca and the Mastodon. As for the types of scordite, mining condensed scordite for a minute wouldn't really hurt matters in the long run.

To my surprise, not only could I mine all types of scordite to meet the requirement, but I got to keep what I mined. So for about 80 minutes of effort, I got 500,000 units of scordite and 1000 of the event points. Well, I actually got a small bonus. Another of the events required killing Angel Cartel ships in belts. So while I mined, I also received 50 event points for defending myself against the NPCs trying to kill my poor Skiff. Not too bad.

After finishing the first two activities, two more popped up. The first involved destroying 20 Angel Sortie sites. Destroying that many sites seemed like a lot of effort, so I chose another one that required killing Angel Cartel ships. I figured the easiest way to finish the event was to clean out one of the combat anomalies in the system. Rummaging around the station, I found an autocannon Vagabond I used to run the level 1 Sisters of EVE epic arc when I needed to improve my standings. The Vagabond is really fun to fly. I took the ship out to a site and killed the ten rats in a couple of minutes.

The next event was a touch of fun. I needed to kill Angel ships, but in a frigate. What type of frigate? Did the term frigate mean tech 1 frigates only? I decided to take a chance and fit up a Jaguar, one of the Minmatar tech 2 assault frigates. I opened up pyfa and came up with a passive shield regeneration, 200mm autocannon PvE fit. I had most of the modules in my hanger, so I just needed to fly to Rens to pick up a couple of modules and rigs.

Once again, I headed out to a combat site and once again took out the guarding NPCs in a few minutes. Not so surprisingly by this point, I received credit for the kills. But that all for the quick events. Now to face destroying 20 Angel Sortie sites.

The Angel Sorties are designed for even a solo cruiser to do quickly. The standard composition awaiting players is one battlecruiser, two cruisers, and four frigates. The frigates do not attempt to tackle players, at least for now. My solo Vagabond chewed through the sites with ease. The biggest problem involved finding 20 sites. I only completed 16 by the time I logged out for the night.

Those familiar with The Shadow of the Serpent event will realize I have not talked about the bread and butter activity, "Keep Up the Pressure". I think the destruction of the Serpentis Shipyard and Research Facility sites deserves a stand-alone post plus screenshots. I also have a couple of other observations to make that won't make sense without writing about Keep Up The Pressure. So one more post about The Shadow of the Serpent is coming before I move on to another subject.