Things You Should Know About Windower v4

[bluekirby0]

This is to warn everyone that the new Windower v4 Beta launcher collects and tracks information about your machine, including your Machine GUID (globally unique identifier) and quite possibly your IP address as well. If you would like to further examine what exactly is going on, a piece of the decompiled source follows (the most interesting part so far starts at line 32):

http://pastebin.com/P8w4BtVw

This can easily be written off as normal usage statistics tracking done by adware, but at no point in time does it ask for your consent to collect this information. Not only is this practice unethical, but it is quite possibly illegal (note: IANAL).

This gives them the power to feed your information to ad services. It may also give them the ability to relate your character information to your hardware or IP address.

The hooking library has not changed from the previous version, aside from some minor changes to the plugin interface, so a major version bump is a little misleading. The new Lua interface is a step in the right direction in giving developers the freedom to create their own plug-ins for Windower, but it could have easily been released as a plugin without leading people to believe that important changes had occurred with a major version bump.

[S N K]

Ok this should spawn some interesting discussion if this is true. >_>

[Obsidian]

Out of curiosity, how'd you decompile this?

[bluekirby0]

First, you need to de-obfuscate it. This can be done with de4dot since EzObfuscator was used on this particular binary. Next you decompile it using ILSpy. There are other tools out there, and this setup will not work to decompile everything, but for the most part, if something is coded in C#, there is no perfect way to prevent decompiling.

[Byrthnoth]

This just in:
Google Analytics is serious business.

[Aureus]

It's just google analytics for apps. We added a report to keep track of plugin usage, so we know where to devote our effort. Almost literally every website you've ever been to, including bluegartr, uses the exact same thing.

The hooking library has not changed from the previous version, aside from some minor changes to the plugin interface, so a major version bump is a little misleading. The new Lua interface is a step in the right direction in giving developers the freedom to create their own plug-ins for Windower, but it could have easily been released as a plugin without leading people to believe that important changes had occurred with a major version bump.

Enough changed that plugins werent able to be backwards compatible. Yeah, we could have called it 3.5, but we didn't. It's an arbitrary number.

[bluekirby0]

There are ways to disable it in my browser, but there was no opt-out in the Windower v4 Launcher.

If you look at projects like Debian that collect package installation information, they ask you upfront if they can collect that data, make it very clear what they are collecting and what it is used for, and that data is then a matter of public record.

[Aureus]

There are ways to disable it in my browser, but there was no opt-out in the Windower v4 Launcher.

If you look at projects like Debian that collect package installation information, they ask you upfront if they can collect that data, make it very clear what they are collecting and what it is used for, and that data is then a matter of public record.

If you're that paranoid about security, just add a hosts entry for google-analytics.com? I'm not seeing how this is a big deal.

[Kohan]

There are ways to disable it in my browser, but there was no opt-out in the Windower v4 Launcher.

If you look at projects like Debian that collect package installation information, they ask you upfront if they can collect that data, make it very clear what they are collecting and what it is used for, and that data is then a matter of public record.

I agree that users should be notified, if simply because of the fact that it will make them feel more comfortable. Nowadays, making people aware of what information an application gathers and why is incredibly important, as it's easy to scare a casual user. A little box to tick off during the installation process would handle that nicely.

However, I don't believe that creating a thread for this was necessary. It could have been posted in the Windower v4 thread that already exists, and instead of "warning" people, you could have come forward from a more neutral position—that is, one where you intend to notify the public as to what v4 can do, and perhaps asking the developers why they've decided to do this. You did get an answer, and it was defensive, but given the nature of the original post, this is expected.

If you're that paranoid about security, just add a hosts entry for google-analytics.com? I'm not seeing how this is a big deal.

As a developer, you should be aware of the fact that it is a tremendous deal. The average consumer has a heightened awareness of data gathering without the technical knowledge needed to understand it. Acting like it doesn't matter is not smart.

[Aureus]

I agree that users should be notified, if simply because of the fact that it will make them feel more comfortable. Nowadays, making people aware of what information an application gathers and why is incredibly important, as it's easy to scare a casual user. A little box to tick off during the installation process would handle that nicely.

I've added a line describing this and the data we collect to the main windower thread.

As a developer, you should be aware of the fact that it is a tremendous deal. The average consumer has a heightened awareness of data gathering without the technical knowledge needed to understand it. Acting like it doesn't matter is not smart.

I'm really not seeing the big deal with google analytics. It's use is nearly ubiquitous. Practically every website you go to already collects this information, and many applications do as well.

[bluekirby0]

I understand your concern about my methods, but I did feel as though the information would have either derailed the original Windower v4 thread (which is not my intention) or it would have been buried quickly before anyone noticed, as it is a fairly busy thread.

[Kohan]

I'm really not seeing the big deal with google analytics. It's use is nearly ubiquitous. Practically every website you go to already collects this information, and many applications do as well.

And there are plenty of people out there who choose to block Google Analytics when they browse the Internet, whether through independently developed plug-ins, add-ons, or via Google's own tool. If you don't mind it, that's fine. Believing that all of your users should feel as you do and that anything else is wrong is arrogant, though.

I understand your concern about my methods, but I did feel as though the information would have either derailed the original Windower v4 thread (which is not my intention) or it would have been buried quickly before anyone noticed, as it is a fairly busy thread.

Your desire to share the information is understood, but the Windower v4 thread is for that tool, and anything that applies to it. You don't have to worry about derailing it if you're talking about it.

[Aureus]

And there are plenty of people out there who choose to block Google Analytics when they browse the Internet, whether through independently developed plug-ins, add-ons, or via Google's own tool. If you don't mind it, that's fine. Believing that all of your users should feel as you do and that anything else is wrong is arrogant, though.

I guess I just don't understand why, if you're that against it, you don't have a hosts block in place or something to block it across the system. There are plenty of tools (spybot, i believe, does this for you) that set this up as well.

[Kohan]

I guess I just don't understand why, if you're that against it, you don't have a hosts block in place or something to block it across the system. There are plenty of tools (spybot, i believe, does this for you) that set this up as well.

As mentioned, the average user does not know how to do that. I do, but I am definitely not the average user, much as you aren't.

What regular people do know, however, is that some applications gather data about them and their usage of said applications, even if they do not understand why or how that information is collected and used. Awareness has definitely been heightened over the years due to how common handheld computing devices have become, and media outlets love to report on the outrage caused by unwanted privacy violations. Now, it would be entirely irrational to claim that Windower would bring rise to such a reaction, and I would never say that—nonetheless, Windower is by far one of the most well-known and widely-used pieces of third-party software among the FFXI player base, and their numbers are nothing to sneeze at.

[Kari]

Are we really complaining that a free third party tool won't let us turn off something that helps it improve?

Just seems like a bad attempt to make Windower look malicious.

[Praenuntiae]

Are we really complaining that a free third party tool won't let us turn off something that helps it improve?

Just seems like a bad attempt to make Windower look malicious.

It has nothing to do with turning it on or off, merely letting users know that said data is being collected. If it is not malicious there is no reason for not doing so. As such if you were yourself a developer/programmer you would understand that to not give your users notification that their data is being collected and what data exactly this is, is just bad practice especially with all the security issues flying around. This type of thing is generally done (without notification) by spyware and adware (not that windower is either).

[Obsidian]

Are we really complaining that a free third party tool won't let us turn off something that helps it improve?

Just seems like a bad attempt to make Windower look malicious.

I don't really know much about Google Analytics, but I think the concern is that this information is being collected unbeknownst to the user, and a typical user isn't going to know what's being gathered, or what the Windower team is doing with the data. They say it's being used to track plugin usage, but the data they collect could also easily be sold to an ad agency or any number of other interested parties. "What they don't know can't hurt them" is a terrible policy when it comes to information security.

[bluekirby0]

I am not insinuating that Windower is malicious, or that any misuse of the data collected is likely, but I strongly believe that people should be aware of what information is being collected about them and why.

I personally prefer leaving all of my code open-source so that there is no question as to what it does, but it is in no way reasonable to expect that of others. I feel it is my responsibility as a developer to inform people when my code collects information about them or their habits without making them resort to code review. If the code can reasonably function without collecting said data, then an opt-out option is made available.

[Kari]

I don't really know much about Google Analytics, but I think the concern is that this information is being collected unbeknownst to the user, and a typical user isn't going to know what's being gathered, or what the Windower team is doing with the data. They say it's being used to track plugin usage, but the data they collect could also easily be sold to an ad agency or any number of other interested parties. "What they don't know can't hurt them" is a terrible policy when it comes to information security.

So BG should have a big warning label as well? FFXIAH? FFXIDB? Pretty much every site most of the users of Windower are guaranteed to be on?
Just because it's easier to block from a browser? It's hard to make that argument as well when the people you're worrying about aren't going to know how to do that either. =/

I understand the concern, but it's misplaced in saying that Windower is at fault when it's not the first to do this, just the first to be blamed.

[Kohan]

Are we really complaining that a free third party tool won't let us turn off something that helps it improve?

Just seems like a bad attempt to make Windower look malicious.

The original post was written as a warning, and I agree that it was more alarmist than necessary, but it was not an all-out vilification. Furthermore, there's nothing wrong with informing people as to what their software does, and why. In fact, it's expected, and outside of the United States, privacy laws explicitly require a few things: disclosing what the software can gather and why, and implementing functionality that lets users block it, should they so choose to.

I believe it would be in the best interests of the Windower developers to explain everything that Windower is capable of harvesting in a transparent, descriptive manner, as the public is now aware of its ability to gather things, and will have plenty of related questions. Is there no other means of collecting this information? Can developers of plug-ins utilize this functionality? If the core application doesn't do much with it out of the box, are there ways of changing that? Those are merely some questions I've come up with off the top of my head, as they are the sort of things that normal users will ask about.