Data breaches cost a lot of money, consumer satisfaction, and trust. In the MMO world, the trust that exists between the game's developer and the player is a tricky relationship to navigate and extremely fickle. Any number of wrong moves or postures can turn your profitable subscription MMO into a public relations nightmare forced to turn the wagon around mid-trip. Security makes up a large part of that MMO trust.
Blizzard has had its fair share of security issues and trust problems between the players and itself. As the first MMO to have to battle hackers and not just gold farmers to the scale present in WoW, Blizzard had to invent its own way to do business in the world as it was -- an insecure place dominated by gray-market gold sellers and account hackers looking to sell to an eager, ready-to-spend playerbase. While WoW isn't the astronomically large service that some others affected by recent and notorious hacks are, it serves as an example of one of the big guys in the industry doing their best to navigate a minefield.
Greg Boyd and Gary Kibel wrote an article for Gamasutra discussing seven steps to improved security in the online and gaming space. After reading over the article, I felt that many of the points discussed had Blizzard and WoW-specific analogs and real-world examples that might shed some light on the security concerns still out there, and on what WoW has accomplished in the MMO security space.
Take inventory ...
The overarching theme of Boyd and Kibel's article is that the best security decisions and practices begin at a policy level, not an action level. By instituting good security policies, enforcement immediately becomes much less of a concern, because the policy itself is doing the work. It's cheaper to rewrite the rules than to hire someone whose sole job is to enforce the broken rules.
Taking inventory of what types of personal information and data are collected and stored is one of those "issues of scale" problems that plague MMOs. How much do you have? Where is it? Who is in charge of it? What can we do with it? Imagine your own hard drives in your home computers and how you never clean them. Now imagine having to find something on the World of Warcraft servers; that takes a whole team of people.
I don't know what role information managers play at Blizzard, if they do at all. However, with the recent API releases and armory updates and Mobile Auction House, I would imagine that a good-sized group of people are manning the information pipes, watching intently.
... and then reduce it
In a game like WoW, getting rid of information is as much a boon as storing it. The less you warehouse, the better. However, with the aforementioned APIs, storing fun, off-kilter data could be incredibly rewarding in quirky ways, so it's kept and displayed in various ways. WoW reduced inventory, ironically, by giving players more of it; the Void Storage system works by stripping out data from an item and leaving you only with the notation that you have an item, essentially cutting down on a huge amount of database space for items locked away in the nether.
What Boyd and Kibel are saying about MMOs is that the best way to reduce inventory is to only collect data associated with revenue gains. When you're starting out, maximizing revenue gains is pretty much the only way to survive at the onset. However, it is wise to slowly start opening up information channels, especially ones that you can control relatively easily, because players appreciate a little openness. Control is obviously key, along with player goodwill.
Blizzard knows about the process of evolving security concerns more than any other company in the MMO business, quickly transitioning a support team from dealing with gold farmers and harassment to an all-out hacker attack on accounts, emails, phishing scams, and more. Authenticators hit the scene with the promise of better security.
Over the years, Blizzard has inoculated itself to various types of security issues by practice and exposure alone. Only by dealing with a problem do you begin to understand how to combat and solve it. New MMOs that crop up are hit immediately with a full swing of the bat, aimed at WoW but connecting with the rookie on the team. It can hurt, believe me.
Look at WoW's system and ask questions. It's stood the test of time so far, with over seven years of viruses and bacteria squirming all over its surface. It puts proverbial hair on your chest.
Write it down
Write out what you do with the information you collect and stick to it. It's as simple as that. Why is it written out? So you can be totally, utterly transparent about it.
Dealing with data about children is such a tricky subject. In fact, data about kids is what scares me the most about the internet because, as a denizen of the internet, I understand how easy it is to get all of this information. It is a fact of life, however, that kids are going to go online and play video games whether parents like it or not, so teach kids to be safe and safeguard their data.
Blizzard's Battle.net account system is a great example of keeping kids' data safe while putting the onus on the parent to parent: parental controls are included, and the parent owns the account until the child is of age to take it over. By keeping the parent involved, Blizzard has added the most crucial step in the security process -- parenting. Force parents to do their jobs in every possible way that you can. That also might be my own opinion seeping through. Never.
Audit user terms on a regular basis
Luckily for us, there are plenty of players out there watching the EULA and Terms of Service for changes, as well as programs that scrape the text out of these types of documents and report on what changed. It might be annoying, but forcing players to constantly review important documents, even if only the changed passages are flagged at the top and set in bold, is better than no communication at all. Be honest with players.
In fact, the real key here is communication. Updating and reviewing policies internally and externally shows a commitment to player and business interaction. You want to be reviewing your policies because it opens up the door to better, iterative policies.
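The "programs that scrape out text and report on the changes" mentioned above are simple to build. What follows is an added example, not code from the column or from Blizzard: it normalizes two versions of a terms document, fingerprints each so a stored hash can tell you whether anything changed at all, and then reports added and removed lines per section so a player (or the company's own reviewers) can see exactly which clauses moved. The two documents are constructed sample text with a hypothetical "Section N." heading convention; they are not any real EULA.

```python
import difflib
import hashlib
import re

# Constructed sample documents (hypothetical terms text, not any real EULA).
OLD_TERMS = """Section 1. Account Security
You are responsible for keeping your password confidential.
Section 2. Data Collection
We collect your email address and billing information.
Section 3. Changes
We may update these terms at any time.
"""

NEW_TERMS = """Section 1. Account Security
You are responsible for keeping your password confidential.
We recommend enabling an authenticator on your account.
Section 2. Data Collection
We collect your email address, billing information, and device identifiers.
Section 3. Changes
We may update these terms at any time.
"""

# Assumed heading convention for the sample documents.
HEADING = re.compile(r"^Section \d+\.")


def normalize(text: str) -> list[str]:
    """Collapse runs of whitespace and drop blank lines so a cosmetic
    reflow of the page does not register as a change to the terms."""
    lines = []
    for raw in text.splitlines():
        line = re.sub(r"\s+", " ", raw).strip()
        if line:
            lines.append(line)
    return lines


def fingerprint(text: str) -> str:
    """SHA-256 of the normalized text. Store this after each fetch and
    compare on the next one to detect that *something* changed."""
    joined = "\n".join(normalize(text)).encode("utf-8")
    return hashlib.sha256(joined).hexdigest()


def split_sections(lines: list[str]) -> dict[str, list[str]]:
    """Group body lines under the heading that precedes them."""
    sections: dict[str, list[str]] = {"(preamble)": []}
    current = "(preamble)"
    for line in lines:
        if HEADING.match(line):
            current = line
            sections[current] = []
        else:
            sections[current].append(line)
    return sections


def changed_sections(old: str, new: str) -> dict[str, dict[str, list[str]]]:
    """Report, per section, which lines were added and which were removed.
    Sections with no change are omitted so reviewers see only the deltas."""
    old_s = split_sections(normalize(old))
    new_s = split_sections(normalize(new))
    report: dict[str, dict[str, list[str]]] = {}
    for heading in list(old_s) + [h for h in new_s if h not in old_s]:
        before = old_s.get(heading, [])
        after = new_s.get(heading, [])
        added = [line for line in after if line not in before]
        removed = [line for line in before if line not in after]
        if added or removed:
            report[heading] = {"added": added, "removed": removed}
    return report


def render_report(old: str, new: str) -> str:
    """Human-readable notice: a unified diff of the normalized text, the
    kind of summary a player-facing 'what changed' post could carry."""
    diff = difflib.unified_diff(
        normalize(old), normalize(new), fromfile="previous", tofile="current", lineterm=""
    )
    return "\n".join(diff)


if __name__ == "__main__":
    if fingerprint(OLD_TERMS) != fingerprint(NEW_TERMS):
        for heading, delta in changed_sections(OLD_TERMS, NEW_TERMS).items():
            print(heading)
            for line in delta["removed"]:
                print("  - " + line)
            for line in delta["added"]:
                print("  + " + line)
        print()
        print(render_report(OLD_TERMS, NEW_TERMS))
```

The fingerprint answers "did it change?" cheaply on every fetch; the per-section report answers "what changed?" only when it did. Because both operate on normalized text, a site redesign that reflows paragraphs or adds whitespace does not trigger a false alarm, while a reworded clause in the data-collection section does.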
Data breach response plan
Back when some of the larger networks were being taken down by hacker groups, Blizzard's WoW servers stood up against the onslaught. Tom Chilton even referenced the company's ability to thwart hacker attempts back in 2011.
Boyd and Kibel recommend creating a data breach response plan that includes a team of professionals at the ready for when the ship springs a leak. I must emphasize the last point first because I believe it is the most salient. Tell the community that there is a problem immediately. Do not wait to figure out how bad the problem really is. Inform your customers to change their passwords and security questions. Quick, clear communication about people's private data is essential. Blizzard let the players know that all was good on their front during a time of internet upheaval. Keep people informed.
All of the steps that Boyd and Kibel discussed in their article are essential to the future of MMO security and good strategy when dealing with the unsavory elements of the MMO world. As time goes on and the need for these types of systems wanes, you will see the nature of MMOs change fundamentally to allow for new types of advancement and gameplay.
Development is where good security starts. Good policies, good oversight, and good planning will make dealing with security issues into a positive teaching moment versus a sad mess. Remember the Crytek leaks and security breach? You have everything to lose if your security is broken -- be quick about protecting it. And good on Blizzard, so far, for not utterly failing to keep my personal information away from unsavory gents. (Zarhym doesn't count.)
Not losing players' data, as it turns out, means a lot to us.
This column is for entertainment only; if you need legal advice, contact your lawyer. For comments or general questions about law or for The Lawbringer, contact Mat at firstname.lastname@example.org.