Blizzard’s War Against Customer Privacy Continues…

After the longest time without an extreme fail post, I came across something that I just had to share.

For those who don’t want to read the whole thing, the important line is “in the near future, anyone posting or replying to a post on official Blizzard forums will be doing so using their Real ID — that is, their real-life first and last name…” Yeah, folks, you read that right. If you want to post on the public forums you have to use your real ID to do it. You know, that “so invasive you should only share it with real-life-friends or family” thing? Yeah, that one. That’s your new forum display name.

I can’t, for the life of me, figure out why Blizzard wants to give away my personal information to anyone and everyone they meet. Are they being paid to provide their customer’s personal information in a way that is easily gathered by marketers, but (supposedly) leaves them clean? Are they trying to strong-arm people into buying their supposedly-optional authenticator by tying account security to a single e-mail address that you then give to people (along with your real name) to people to add to your friends list? And now this bit of idiocy as (apparently) an anti-trolling measure. Seriously? There was no middle ground between “make unlimited level 1 forum trolls” and “I’m giving your real name to everyone on the forum”? Like, say, requiring a single avatar to be designated as your forum avatar (and perhaps have some additional level restriction or perhaps make this avatar default to the one with the most achievement points – ostensibly the person’s “main”). What’s next? Our phone numbers and addresses will be handily provided so that would-be stalkers and marketers don’t have to take the 10 seconds it takes to google them?

I’ve seen it argued that internet privacy is a myth. Maybe it is, to an extent. But that doesn’t mean we have to roll out the welcome mat to anyone who wants our personal information. The much-quoted example, Facebook, allows me to designate who can and cannot see my personal information. My pictures, birthdate, events, e-mail, etc. cannot be seen by anyone who is not on my friends list. And (here is the most important part) that’s only if you know my name to look for me to start with. Which none of you do. Because I have prudently chosen not to share that information with you. Just as I have cautiously and vigilantly failed to mention my real name or link this blog with my facebook page in any way. Anyone who looks to learn more about me on my Facebook page won’t find anything more than my name (and as we already established, if they find me on facebook, that’s what they had to start with). That being said, this information was shared as part of a social networking site: in other words, your name and a certain amount of personal information are required for the site’s function. A small, but guarded, invasion of privacy is an expected and necessary evil in that context. Which is why I made the decision to share it.

But how about reporting a bug in Warcraft? Why does my name need to be made publicly available to anyone and everyone free for the reading in that context? Does another user really need to know my name for a Blizzard employee to be able to fix their own faulty coding? Does Blizzard have *any* cause to *ever* publicly share *any* of the personal data required to start an account, especially considering that the terms stated at the time specifically claimed that your personal data would be kept private? The more Blizzard goes down this path the sadder I am that I chose to use a real name to start my account. Maybe this seems an overreaction when, after all, the data in question (your real name) is exactly the same in both scenarios. However, to me, there is a very large and very alarming difference between choosing to share my personal data, and a company deciding to share it for me. Especially when the involuntary sharing of information is required for what some would call necessary basics of the game (i.e customer service and technical support).

So under the new system, I make a bug report and my name is displayed for anyone to read. Someone takes that name and plugs it into facebook. They find a handful of people (one of whom is me) and thankfully get no further, because Facebook’s security is better than Blizzard’s. But this is the best-case scenario, as I am someone who is aware of some of the risks and actively seeking to guard his information. What about someone who was a little less guarded with their facebook page, owing to the expectation that these two worlds would never cross? Our scenario would end more like this: they find a handful of people and one of them is not set to private. They gather my birthdate and e-mail address and now have everything they need to steal my Blizzard account. In other words, the potential security risk isn’t just in the information itself, it’s in the link it makes between two previously-separate databases of information.

I hate to come off as some sort of rabid paranoid, but it’s like Blizzard is actively trying to undermine account security, all the while wringing their hands and acting all bewildered about why account theft is on the rise and grows higher with each “advance” towards unification. I mean, you take a unique and secure username and replace it with an e-mail address. What could go wrong there? I mean, people have been really vigilant about not sharing their e-mail address with anyone, right? Because as we all know, an e-mail address is a secure piece of information that should be kept private and not some half-anonymous communication tool that we hand out to anyone who wants to contact us because it’s just a freaking e-mail address. And it goes downhill from there. In fact, Blizzard’s entire security philosophy seems to be hoping that everyone else (from social networking sites to your e-mail provider) has better security and privacy protection than they do. And that folks, is the very definition of extreme fail.


6 thoughts on “Blizzard’s War Against Customer Privacy Continues…

  1. While I don’t necesarially agree with you, I need to point out one serious flaw that seems to have been going around with the RealID thinking.

    Your email address is ONLY given out when you want to have someone add you.

    It works like this.

    I want to friend you, I enter your address. If you accept, then I see your name (and you see mine), and we can see the names (no emails) of other people we’ve added as RealID friends.

    Now, if you want to friend me, you need my email – and it’s just like the above. Plus, I never get your email address.

    With the forums, it will be your name showing up – not your email. Nobody will ever see your email unless you actually give it to them.

    Again – I’m not saying this is a good thing, but there’s a lot of misinformation about the email part of it.

    • I’m not sure how much of it is actual misunderstanding and how much of it is (justifiable, IMO) questioning of “what if” the game gives away more than it intends to, or “what if” Blizzard changes their own rules about giving away your information again. After all, they will have already broken their own terms of service once by simply enacting the “we’re giving away your name” plan on their forums. Additionally, it’s not like they aren’t well known for unintended security flaws (like say, anybody with certain add-ons can steal your real ID info even if they aren’t on your realID list).
      Certainly in my case it’s more of a mistrust of Blizzard (or more accurately, a mistrust of Blizzard’s understanding of the actual security threats facing their customers) than a misunderstanding of the realID mechanics. I know that Blizzard doesn’t hand out my e-mail address (aka my *Login Name*) willy nilly yet, but the very fact that they felt this was an acceptable maneuver at all (as evidenced by requiring it to add a realID friend) is cause enough for concern. Especially when they are moving towards having less care and concern for customer safety and privacy.
      I just, I don’t know, I guess I’d be a little more comfortable trusting in Blizzard’s security if it were a step or two above something as frivolous as, say, your typical messenger program (MSN/AIM, etc.). As it is, even the most basic chat program has at least one layer of protection (allowing a difference between displayed information and actual identity/account information) that WoW doesn’t. In the meantime, even if Blizzard isn’t handing out my e-mail, simply handing out my name would be enough for somebody who knows what he’s doing to get it. Which is one reason I don’t give out any more information than necessary. It’s not just one piece of information you’re handing out, it’s a piece of a puzzle (or a link in a chain, if you’d prefer) that can lead to more and more info. Eventually, somebody’s going to come across some information that you wish they didn’t have.
      In short, I don’t want to give away my real name. I don’t want to do it for a souped-up friends list. I don’t want to do it in a vain attempt at getting customer support for one of the numerous bugs and errors that plague the game (especially around patch days). I don’t want to do it at all, ever, for any reason. There is absolutely no reason that anyone outside of the billing department needs to know my real name unless I specifically tell it to them. As such, designing features, either optional (realID list) or necessary (Customer Service, Tech Support, and Bug Report forums) that require me to give away said information, not just to a blizzard employee (who doesn’t need it), but to the general public (who really doesn’t need it) is a signal that Blizzard really has no idea about account security whatsoever.

  2. There’s all kinds of “what if” scenarios that you could go into, with companies that ‘should’ know more about security.

    What if – someone gets a pile of email addresses and account infor from Apple regarding their iPad?

    What if – a disgruntled (or opportunity seeking) employee steals a bunch of records containing banking and personal information?,2933,287862,00.html

    We can play the What If game all day long.

    • I’m not sure what you’re trying to accomplish, here. The fact that other companies have had security breaches does nothing to alter the fact that Blizzard has a history of having holes in their security and that recent changes in policy are moving towards less security, rather than more. I wouldn’t give the benefit of the doubt to Apple or a bank with a history of fraud, robbery, or information theft, either. Again, aside from a flimsy veil of smoke and mirrors, I don’t see what linking information about other companies is supposed to do, unless your implying that disgruntled employees might steal my billing file or that Blizzard might leak my e-mail address, which would actually support my position that Blizzard needs to improve security.
      I might also point out that, here you are, making up arguments with me, a complete stranger, for seemingly no other reason than your own entertainment. A fairly typical internet forum scenario. Your first point was “correcting” an argument that I never made, and now you’re citing strawman evidence to attempt to “disprove” completely unrelated data. Yes, we can play the “what if” game all day long, I could say “what if sharks had laser guns” but reducing the argument ad absurdum doesn’t change the fact that asking “what if Blizzard takes the next step down their current course” is neither fanciful nor imprudent. If you’d prefer the exact same question phrased differently, how about “why should I give Blizzard the benefit of the doubt with my personal information when they have a history of being untrustworthy?”
      All that being said, I don’t see how giving you my name or you giving me your name (or Blizzard giving everyone both of our names) would do anything to improve this pseudo-debate or any other scenario that crops up on internet forums. Which, after all, is what this was all about. You have half the supporters of this change claiming it’s going to reduce trolling and the other half telling the naysayers to relax because the change does nothing to reduce privacy, anyway. So, naturally, my question is this: if this really does nothing to reduce privacy, why would it do anything to shame the trolls into silence?

  3. I found this blog post from google. Though I don’t play WoW I totally get where you’re coming from with this. I haven’t played any Blizzard games since Warcraft III, but recently I’ve been trying to get back into gaming. I had to start a new account since I haven’t touched mine in 8 years, but I was stunned at how much personal information they wanted!

    Do they really need my full name, address and phone number? And then they linked me to their privacy policy, which I can summarize as: you can voluntarily provide us with your private information (except that it’s all mandatory to sign up with an account) and we’ll use it to send you spam advertisements about products that you don’t want, send your email contacts spam to try to get them to join, and then give away your personal information to any other company that might find it useful for their own spam.

    Since I was actually planning on purchasing Starcraft II and maybe even the Warcraft III expansion online through the Blizzard store, I figured a account would be the way to go, but this is all too ridiculous. I think I’ll just buy the hard copies of the CD’s in a real store or on Amazon, and just forget about playing online.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s