Patch 5.4 patch notes
Virtual Realms feature revealed
The Proving Grounds are coming
The latest patch 5.4 newsReal ID security concerns
by Gregg Reece 
May 28th 2010 at 11:00AM
Yes, you do need your friend's email address to add them as a Real ID friend. However, that is the last time you'll ever see that email address in your game client -- once you hit the "Send Request" button, that's it. There is no way to look up that person's email address from the interface again. The only personal information in the client after that is your friend's name.
Just remember that this system is meant for your real-life friends and family and not for some guy who was a good healer in your ICC PUG last week. If you don't know where to go to knock on the person's door if something happens to your account, then don't share your email address.
Filed under: Account Security
Reader Comments (Page 4 of 8)
jgordon May 28th 2010 11:39AM
If it really is intended for only real life friends, then it's not something that I either need or want. If I want to play a games with those people, I pick up the phone and call or text them. If RealID weren't using real names, then you could both use it for internet acquaintances, and for your real life friends. Instead, Blizzard have chosen a system that has extremely limited usefulness.
Rylia May 28th 2010 11:43AM
"There is no way to look up that person's email address from the interface again. The only personal information in the client after that is your friend's name."
I don't know about you, but if you know my real name, you can figure out my email in a heartbeat. This is true, for example, for most academics, many public servants, etc. To a lesser extent, first+last name can get you a tremendous amount of information about most people, especially if you know any other facts about them, e.g. city of residence, career, or that they are friends with a particular person.
The upshot being, for quite a lot of people, exposing your real name to friends of friends exposes quite a lot of information.
Gregg Reece May 28th 2010 11:55AM
using some brute force guesses, I might be able to figure out the first part of your email address if it were based off of your name, but I still wouldn't know what domain it was attached to. Are you using gmail or the Purdue University email address?
However, the same can be said for the millions of people using Facebook. Oh no, a friend of a friend can see my name is Gregg Reece. And? That's all they can see. My email address might be gregg at wow dot com or it might be twix_candy_bar at myfavoritefoods dot com.
They still don't know your mailing address, security question, credit card information, authenticator id, or password. You give your real name to people every day when using your credit card at stores along with all sorts of other vital information without even blinking. Yet, using your real name associated with no other piece of information seems to cause people to suddenly freak out.
Moorit May 28th 2010 12:11PM
This is my concern, too, Rylia. I have such an unusual last name that I am probably the only person in the *world* with my name. I wouldn't be too hard to find. I have a hard time imagining the circumstances in which a friend of a friend might decide to turn psychostalker, but if he/she did they'd know where I work within five minutes. I wish I could be just "Liz" or "Liz of the Nickname" instead of Liz Crazyname.
Oteo May 28th 2010 12:18PM
@Greg
It's not that hard to use a first and last name to locate where people are, especially if they're in academics or anything like a university that would have a directory on their website (my school definitely does). Businesses and universities tend to have a format for email addresses, so if you know the format, you can easily guess my email address. Finding the email format is as easy as, say, opening up a research paper in a public database by someone at an institution and noting the primary contact information.
Here's an example: I can easily find her with just a google search of her name; in fact, she's the first result at the top of the page. If I'm someone who doesn't know her but sees her last name through the real ID network, then all she would need to do is update her RealID status to something like "Must practice flute :)" or "Working at ___ can sure be stressful," and I have enough corroborating evidence to pinpoint exactly where she works, what her email address is, and a phone number to be sure the person I googled is the same person in-game. If she were a professor, I can then easily find her academic papers, a CV, who she's worked with etc.
This wouldn't be a big deal if her name could only be seen by her primary friends (i.e. the people she added personally), but all it takes is befriending your cousin Billy McDumbass, who will RealID-friend anything with a pulse, for your full name and status to be displayed to people you don't know.
This brings me to a question I've been asking ever since I started reading the comments: while I don't think having an alias is a good idea (as I could easily pretend to be someone else), why can't we choose to display No Info to secondary contacts (friends of friends), or display First Name Only?
Oteo May 28th 2010 12:23PM
***Ugh, the "Here's an Example" section is supposed to start with "Let's say my boss plays WoW"
BB Crisp May 28th 2010 2:11PM
I really don't understand all of this fear. Every day I interact with people using my real name. I make payments with my debit card, I have co-workers that know me, I have family members and friends that likely talk about me occasionally to people that I've never met, I go to parties, I have limitless possibilities for interactions where people will learn my name. Throughout our everyday lives we share our name with many different people that we don't know and may never meet again. Why are so many people wary that a "friend of friend" is going to our name to hurt us when it's even easier for some guy at a fast food restaurant to get my name from my card (or talk to me), see my face to associate with the name, and can even see the car that I'm driving away in?! Do I have a license plate frame identifying the university I graduated from? Crap! Was I leaving work and wearing my uniform, indicating where I'm employed? Nooooo! How about the bumper sticker identifying the school where my kid is an honor student (Though that one could actually be a legitimate security risk. Just an example.)? The main difference between a "friend of friend" in Real ID knowing my name and any one of the countless other people that I interact with on a daily basis is that they all have MORE information about me. The Real ID people know I play a Blizzard game. If Real ID scares you because people are going to see your real name without knowing any other significant information, then everyday life is absolutely terrifying by comparison.
Darky May 28th 2010 9:06PM
[google search] [im feeling lucky]
srbb56 May 28th 2010 11:42AM
Easy solution would for blizzard to let you choose an Alias, like we all do on this forum. When you enter your alias first time you decide to use the feature it sticks for all games on your battle.net account. That way there is no First Name Last Name showing and no security risks or privacy invasions.
Blizzard is known for not thinking things through and it will get fixed probably 6-9 months after its released.
Amaxe-1 May 28th 2010 8:02PM
Of course this is exactly the problem the Blizzard apologists don't get. We have to choose between having our real name known to "friends of friends" or not to use it.
Now if it was *only* friends and not "friends of friends" I'd probably use it because the friends I know on WoW already know my real name.
However, I do want control over who has my personal information. I trust my friends not to blab it. I don't trust some "friend of a friend" who gets ticked because he loses a loot roll misusing the information.
The name I use here, the name my former guildies knew me under would only link a person to my comments here, on Curse and WoW Interface and my lame WoW fanfic.
My real name? Hell no. I was appalled to learn through a google search that some company I did business with must have sold information somewhere as **my real address and phone number are there on the internet** (current and one past one from another state). Thank God there are other people on the internet with my name who are not me.
So, no and HELL no i will not use this system so long as I cannot control the name others see. Even without facebook this is a security nightmare.
relmatos May 28th 2010 12:02PM
I like the idea behind this system. However, I think it should be done in a different way.
Instead of asking for emails, you should be able to right click someone on your friends list\guild\arena team and have the option to ask to add for an improved friend. Then you'd be able to comunicate with them if they were on alts or on other games.
You'd then be able to choose which name to see your friend on the friends list.
You could place his real life name, a nickname, his main's name, ...
The way it is now can be slightly confusing.
Give us more options on what we see blizzard.
Only my family and very few other people(who dont even play wow) call me by my name. It'll be confusing to my friends.
snowleopard233 May 28th 2010 11:44AM
Also, get an authenticator, kids. It won’t protect you from everything, but it will sure make a huge difference. Saved my buddy’s account just the other day.
Quixota May 28th 2010 11:45AM
I have the same concerns as Michelle, and I'm sure some of the friends I would otherwise be going the realID feature will have as well. "Friends of friends of friends" (and everyone's sheep-dog) may not have access within this system to private details, but because they will have access to our last name, they can quite easily just look you up in the phone book (for instance) if you don't have a silent number, and it goes on from there. There is no good reason at all not to either be working it on first name basis only, or better still, the alias-handle option.
Gregg Reece May 28th 2010 11:59AM
Even for a phone book, they'd need your city and state to be effective and even at that point, that presumes the phone number is under your name and not your parents, spouse, or roommate's name.
Shrike May 28th 2010 2:32PM
@Gregg,
I think part of the split between "it's okay" and "it's an invasion of privacy" is commonality of names. Here's an example.
When I look up your name at whitepages.com with your exact spelling, I get 74 results.
When I look up my own name at the same place, I get *one* result, and it's me.
This makes me understandably *FAR* more concerned about name privacy than you are.
(cutaia) May 28th 2010 2:38PM
"Even for a phone book, they'd need your city and state to be effective and even at that point, that presumes the phone number is under your name and not your parents, spouse, or roommate's name."
Just to play devil's advocate I decided to test this out...
I used a website I won't name and entered in a name I won't say. Just the name.
If this looks a little familiar to someone around here, then it's possible just a name can be used for more than you might think:
http://temp.cutaia.net/someone.png
(As I said, though...I'm just playing devil's advocate. I personally don't see Real ID as a security issue. Some folks around here have listed some good points but they seem to boil down more to functionality issues.)
Michelle Madison May 28th 2010 3:37PM
Well said Shrike -- I don't think Gregg gets it. For instance when I type in the name associated with my WoW account on the internet whitepages I get ONE result too, and with a few more clicks I uncover our home address (complete with satellite photos.) Sharing that information with my sister or cousin really doesn't bother me .. but if my dumbass cousin, or RealID clueless sister start accepting friend requests from various people suddenly the service isn't just for "MY" real life friends. The argument that someone can't do anything with your name, in this day in age, is really a tragically weak one.
Amaxe-1 May 28th 2010 8:07PM
There were 13 for me on the online white pages. One was my current address and one was me from another state.
So, sorry. I don't consider my concerns to be "Paranoia."
(cutaia) May 28th 2010 9:23PM
"There were 13 for me on the online white pages. One was my current address and one was me from another state.
So, sorry. I don't consider my concerns to be 'Paranoia.'"
More devil's advocate:
It's true that just a name can allow access to more information about you.
So, let's pretend you've used this service and only added real life friends and family members who already know who you are and where you live. This means people who your family and friends have added in turn see your name on a list of names. Is it not still a little paranoid to be worried that one of those people is going to see your name on that list and be driven to seek out information about you? For what purpose?
I'm trying to think of the scenarios where this would happen. 1) Your friends and family have added someone who is already out to get you, yet doesn't know your name and for some reason decided that World of Warcraft was the best way to figure out this piece of information. 2) They've added a complete pyschopath.
Neither of these scenarios are really likely enough to spend that much time thinking about, are they? In fact, the second one is a bit like worrying that someone out there is choosing victims by closing his eyes and pointing at a phone book.
So, what potential scenarios is it that's worrying people about their name being visible, I wonder. The only reason I've actually heard so far is some variation on, "I just don't want people to know it." That's valid enough of a reason to not use the service, but I'm not sure it amounts to a genuine concern...just a preference.
Just thinking aloud, I suppose...
StGeorge78 May 28th 2010 11:50AM
We just need to wait for the first murder to occur where someone is found via their real name in wow and brutally murdered, then blizzard can tack on a 2.99 fee to this feature to pay for legal costs