No Longer A Game

EVE Online is a game with few rules. Espionage, betrayal, scams and traps are part and parcel of player interaction. Most EVE players accept that, and many even embrace one or more of those aspects. As a consequence, organisations that develop beyond casual gameplay will react by putting security measures in place to protect their own. To some degree, that can be covered by in-game means like corporation roles, hangar access rights, station docking permissions, forcefield passwords or standings which mark known enemies. A large part of internal security and counter-intelligence, however, is covered by methods which lie outside the game and therefore fall under the description “metagame”.

Let us look at a few examples:

The Lines Of Defense

• Recruiting policy and background checks: Virtually every in-game group that cares at all about who they recruit will have some sort of applicant screening in place. In fact, that practice is so widespread it has become the subject of cartoons. Some will just ask a few questions and check employment history, others will look up killboard histories and cross-reference it with further information. They may check whether a prospective member is listed on any forum as a troublemaker or is mentioned negatively in blogposts. Several organisations will also only recruit from communities of people they already know. That may be Reddit, an external forum with closed membership, an established gaming group or even real-life friends only.

• API based monitoring: It is quite customary for in-game organisations to collect API keys from their members. How much access they require can vary, but full API keys are commonly requested. By gaining access to a character’s wallet history and EVEmails, recruiters and counter-intelligence operatives acquire deeper insight into a their background. It does not stop there, however. By monitoring ISK transactions, trades and communications of their members, organisations can spot potential security leaks or preparations for betrayal before they become a problem. To do so, they keep a store of API keys and task trusted people with monitoring them through third-party tools like EVEmon, APIchecker or even applications developed in-house.

• API / IP matching: This method is one step up from just checking someone’s character information. Many organisations have forums, killboards or communication channels which require an API to log in. By matching a character’s API with the login data of the player, they can then determine which IP addresses their members log in from. Certainly, some people will not have a fixed IP and others may not always log in from their home PC, but it is definitely possible to gain information about someone’s connection profile and correlate that with the API they provided. That is already enough to take things quite a bit further than game-related counter-intelligence as I will discuss later.

• IP tracking: Once a character’s API can be matched with a player’s IP address, it becomes possible to identify alts which players may want to keep secret. By collecting API and connection data related to characters who are not part of their own organisation but completely unrelated or opposed ones, the counter-intelligence specialists of an in-game group can correlate and match information from many sources. Those sources could be spies in other organisations who possess similar data, operators of a public forum or a Voice-over-IP server or even public third-party applications which collect API and connection data. That may sound far-fetched and almost unbelievable, but it really does happen.

The last two methods of metagaming counter-intelligence and player monitoring already enter territory which begins to become questionable. Collecting people’s connection data and cross-referencing it for profiling is usually the prerogative of law enforcement, licensed specialists or service providers who are legally required to inform their customers that they retain the right to monitor their online activities. Apart from being an ethically dubious practice which comes close to aiming at the player rather than an in-game character, such practices also border on paranoid obsession.

They are however only the beginning of what some people are capable of.

Further Down The Dark Path

When groups of people identify a constant threat potential from outside their own circle, they do not only bond together more tightly, they also become more vindictive against those who they consider part of the perceived threat. There are many examples of such socio-psychological dynamics in our world, and news reports often enough feature the unfortunate consequences of such tendencies taken to the extreme. It is lamentable enough when people resort to unethical or even criminal acts to uphold their personal beliefs or interests, but it becomes even more absurd when similar behaviour is expressed because of a game.

Methods which have seen repeated use over time are the so-called doxing and cyberstalking. Sometimes mild forms are conducted in the course of counter-intelligence operations I have mentioned above, but in some cases things are taken one step further.

For many people it is an unsettling idea that individuals who they do not know outside of a game and who they considered at arms length suddenly call them at their workplace, on their private mobile number or even send them letters to their home address. Some may do that just for laughs, but the implicit message remains “we know who you are and where you live” and potentially an even more sinister “you do not know who we are and what else we are capable of”. It is a form of intimidation that can be directed at opposing in-game leaders, individuals who are exposed as spies or even members of the same organisation who are suspected of deviant behaviour.

Apart from being a potentially harrowing experience for the recipient, such practices can reach the level of criminal transgression in extreme forms. Despite existing laws, responding with legal measures is difficult because legislations on such behaviour are not uniform across different nations, neither is criminal prosecution an option once the borders of a jurisdiction are crossed.

While doxing and stalking are often used as a response to perceived threats or unwanted behaviour, some even employ proactive DDoS Attacks which are definitely criminal. This can be used against websites, forums and online services of an opposing party. Most commonly it is aimed at a VoIP service that fleets are using, in an effort to make their communications impossible. Even CCP itself has become the victim of such attacks. DDoSing a service is not only illegal in itself, it also implies that large numbers of computers had already been compromised to be used for this purpose and that already constitutes a crime in many legislations.

Again, it is difficult to enforce any legislation that forbids it though. Tracing a DDoS attack back to its instigator in ways that serve legal prosecution can be very difficult and generally the affected parties in game will just switch to another VoIP service. To really take legal steps against the offenders, they would have to take things as overly serious as those who are prepared to commit crimes just to thwart their opponents in a game.

Probably the most insidious method of threatening or punishing transgressors relies on peer pressure and emotional blackmail. Humans in general derive a significant part of their self-image from the social relationships they are engaged in. That can mean a religious community, a national identity, a group of professional peers, families or for some even the membership in a close-knit gaming group. The prominent social aspect of EVE Online nurtures and entrenches a development of the latter affinity. Players wear “their colours” proudly at fan-gatherings and many will regularly meet with other members of their in-game community, like the English Veto meeting which grew into a wider London player gathering eventually.

Such relationships can become very important, especially for those who are otherwise isolated in their personal lives. Even players with rich out-of-game relationships will find it difficult to leave a group of in-game friends they have had for many years. This strong emotional connection can be leveraged by those who wish to enforce cohesion and security inside the game, by putting emotional pressure on players even outside the confines of the virtual environment or by turning friends against them. Other than cyberstalking or DDoS attacks there is nothing illegal about that, but manipulating people’s feelings is a highly questionable activity and an indicator that the people who do so have a very skewed set of priorities if they are prepared to go that far for the sake of a game.

How Bad Is It Really?

This article may sound as if EVE Online is populated by obsessively paranoid computer criminals who are as manipulative as cult leaders. Luckily that is not the case. Certainly those people exist, but that does not make EVE much different than many other MMOs or online games. DDoS attacks are also used against opposing teams in FPS games and peer pressure can be just as strong in a World of Warcraft guild. It is easily possible that an individual player will never encounter anything like what I have described in the previous section during years of playing the game. There are things which set EVE apart from other games when it comes to such unsavoury practices however.

To begin with, the stakes can be really high in EVE. This is especially true in sov-nullsec where organisational infrastructure and assets can take months if not years to develop, and a spy or traitor can do a lot of damage to the unwary. With that being the case, there can be a strong incentive for some to resort to more extreme measures for protection. To balance that out, the EVE player community is on average much more mature than in other games. Many have their own families and professional careers which put things in perspective for them. A young teenager who does not have many personal achievements outside of a game to look back on may be much more likely to become obsessive and do things which they later regret.

With that being said, I would still like to offer a few words of advice. Almost everyone who starts playing EVE Online has heard of the cut-throat in-game environment and that they should be careful who they trust with their virtual assets. To a lesser degree that also applies to personal data. If you value your privacy and peace of mind, be considerate about who you tell about yourself and how much personal information you give to others in the game. I am not telling you to be paranoid, but just apply the same amount of healthy reservation you would greet any stranger in real life with. In time you will develop a feeling about who your friends are.

Just be aware that there are people for whom this is more than just a game and stay away from them. EVE has a variety of rich sub-communities and there is no need to obsess about becoming part of a particular one.

Don’t become this person.