Sunday, January 25, 2015

Verified Identities and Archeage

One of the major MMO stories of last year was the launch of Archeage in the West to a reasonably welcoming audience. However, Archeage was overrun by spammers, hackers, and bots to such a degree that many people gave up on the game.

Many commentators pinned the blame for this on Trion, the western publishers. Trion, in turn, said that they required help from the developers, XLGames, to combat these problems. Most commentators seemed to feel that this was just Trion trying to cover up for their mistakes.

But what if Trion was right? Most MMOs these days need to build in anti-spam, anti-hacker, and anti-bot defenses. What if Archeage didn't have these defenses that we in the West take as normal?

From my quick research, Archeage Korea requires three extra items to create an account:
  1. A Korean IP Address
  2. A Korean mobile phone
  3. A Korean Social Security Number (some sort of number assigned by the South Korean government)
These three external requirements tie the Archeage account to a very specific person. What if Archeage in Korea doesn't need built-in software defenses? What if these external requirements are enough to reduce spam, hacking, and botting to acceptable levels, or eliminate it entirely?

Perhaps companies in the West need to come up with a way to create a verified identification before allowing account creation. Of course, the problem is that there are multiple countries, all with different identification documents and numbers, and legal restrictions on how those identifiers can be used. You might be able to do something with a dedicated third-party company, which the game companies support.

Rather than a software arms race between spammers, hackers, botters and the game devs, verified identities might be a more successful strategy to pursue.

9 comments:

  1. Even if in Korea they don't need those defenses, they must be out of touch with the reality of..... always... to think that they don't need them in the west.

    I think that this is much more easily explained by the fact that F2P MMOs are not about quality, but about keeping costs down.

    BTW after the Blizzard real-ID fiasco I wish good luck to all the companies willing to go the same road. (and this is even without taking into account the fact that I'd NEVER provide that kind of data to a company unable to guarantee a minimum of security, which clearly they aren't).

  2. This is both revolutionary and obvious. I mean in real world services they don't need anti-bad-manner protection, because the police do it for them. If I start to "spam" (shout nonsense) in the cinema, the cops will show up and arrest me for being drunk and disorderly. If I "exploit" in the casino, I'm facing up to 5 years in jail.

    On the other hand in virtual worlds I can do whatever I want, the worst case that can happen to me is losing an account.

    Identifying customers and placing punitive actions into the EULA would end bad behavior. I mean after you're banned for botting, the company should sue you for punitive damages.

  3. Consider this blog post from Jeff Atwood (co-creator of StackOverflow etc.): http://blog.codinghorror.com/your-internet-drivers-license/

    This Internet Driver's Licence is basically what you are asking for, no? Authoritative identity, which can be guaranteed with reasonable accuracy to be unique to a particular person.

    To those people concerned about Blizzard Real ID, I don't think there is any reason to show this data in-game, on forums or anywhere public. It would simply be used to create a unique account.

  4. @Gevlon, but not only: the real-life behaviours you mention are not sanctioned by the cinema owner or the casino owner, we have an "independent third party" which is in charge of guaranteeing that the rules have indeed been broken and which defines the sanction.

    Would you REALLY trust an MMO company with this responsibility?

  5. Back in the Ragnarok Online days (created by Gravity, a Korean studio) the original Korean accounts were also tied to KSSNs and you could create only male or female characters. This restriction wasn't optional so even on the international servers your account was unisex, but at least you could choose it.

    Obligatory rant that Google's new captchas are the worst I've ever seen.

  6. @Aelos, sort of.

    In my opinion, Jeff Atwood takes it too far. He jumps from having a driver's license to having a single common point of authentication.

    I don't want that. What I really want is to raise the cost of creating multiple game accounts. By tying game accounts to a verified identity account, it allows the game to ban that account for misbehavior. After that, making a new account becomes a lot harder because you need a new verified identity.

    But how one game deals with that account should be separate from other games. I don't want to link my account across multiple games or services. I don't want people to track me across multiple games.

  7. "In my opinion, Jeff Atwood takes it too far. He jumps from having a driver's license to having a single common point of authentication."

    To be fair, Rohan, in North America your driver's license basically IS a single common point of authentication. There's only a handful of other possible pieces of authorized ID, and relatively few people have them.

    And driver's licenses are frequently not actually stored after confirming your identity, either. The Korean RRN you mention is a good example of how such an "internet driver's license" would probably work; companies using the RRN to verify identities are legally not allowed to store the number, and can only use it as a verification.

    If the point of the system is to verify an identity, then why would the site need to store it after determining you are who you claim to be, after all? They would just ask for it at each point it's needed, just like when you board an aircraft, or are buying cigarettes, or any other real world situation where you're asked for ID.

  8. "To be fair, Rohan, in North America your driver's license basically IS a single common point of authentication. There's only a handful of other possible pieces of authorized ID, and relatively few people have them."

    I misspoke. I meant "single sign in", rather than authentication, which is what I don't want. I don't really want to sign into WoW with my Gmail account. I'd rather the two accounts be de-coupled from each other.

    That way, if there's a problem with one account, it doesn't affect every account I have.

  9. Well, that's why it wouldn't be an account; an Internet Driver's License would be, at best, some manner of token that would be matched with your identity in the central database. PKI, for example (http://en.wikipedia.org/wiki/Public_key_infrastructure).
