EVE's security team called into question by corporation
An unnamed player was banned recently from EVE Online by CCP's security team for being suspected of running a bot on the marketplace. The practice of market botting involves running a script that can create buy and sell orders very quickly -- in this case, 30 orders per minute. Using any type of automation like this is against EVE's terms of service, so the account was temporarily banned from the game.
Kelduum Revaan, CEO of EVE University (a very large, well-liked corporation) and a member of EVE's player council (CSM) that the player was a part of, has tried to petition CCP about the issue. They are disappointed with the response received from the developer, so they have taken to public forums to out EVE's Security team for having a lack of oversight and transparency.
Kelduum Revaan doesn't believe that the suspected player, who is being called "John" to cover his identity, was at fault. In a post on their forums Kelduum states:
...he was a station trader, and a very good one at that, playing trade markets in EVE like a professional, using the common tools available, as well as custom built tools, but never automating anything to do with the EVE client himself - the closest he ever got was probably to create custom in-game-browser pages to streamline his workflow, meaning he would log into an alt, and update around 30 orders a minute for 10-20 minutes at a time.
That's updating an order every two seconds, which to me seems really shady, but John denied botting and decided to try and escalate the issue, and he submitted the process he used to trade on the market for consideration. According to Kelduum:
His request to escalate the petition was denied, and he was asked not to petition again. No ISK or assets were removed at this time, and it was stated that the ban was the first step of their 3-strike policy.
This ban, which John believed to be in error, caused him to leave EVE for good. Before he left, he donated 317 billion ISK to EVE University. EVE University wanted to make sure it was OK to use this large sum of money so they checked in with EVE's security team:
E-UNI Director Petition wrote: EVE University received a donation of over 317 billion isk this week [...] I have transferred the bulk of that ISK to this character [...].
Due to the size of the transfer, I wanted to double check that the isk was all legal, and not due to some illicit activity. The ISK will remain on this character and not be touched until we hear back from you.
We do not usually receive donations of this size, and would rather be safe than sorry. Thank you very much for your time.
The security team responded by confiscating the money in question claiming that it was related to a security matter. I don't have the exact reply available at this time, as it's against EVE's EULA to post any response from a GM on a public forum.
Kelduum submitted his own petition on the matter:
My concerns are as follows:
1. The player where it originated quit quite publicly after returning from his ban, and biomassed his character as he felt he was unfairly 'punished for being too good' (paraphrasing). This is common knowledge in the corporation, and he was both an "Enabler" and "Instigator" to use CCP Seagull's terms.
2. It is also known within management that he donated all his ISK to the corporation before he left, and that there was a lot of it, in the region of hundreds of billions.
3. It seems unusual that the whole balance was removed rather than a portion which, for example, had been purchased via RMT or similar methods. However, removal under this way would have left a negative balance anyway.
4. Those same management players have been asking the same questions I have - if he was already punished, why was the ISK not removed at that time, rather than 1 week later, after we enquired as to its validity?
5. It's only a matter of time before the player-base find out about this, and it is going to raise more questions. Not removing the ISK at the time suggests that it was obtained legally, and that instead "CCP doesn't want E-UNI to have the money" for some reason.
All of the above quotes are taken from this post on EVE University's forum. On EVE's official forum, a thread was started on the subject, and CCP Sreegs (an EVE developer) replied with this in the thread:
There are a number of things wrong with the assertions being made in other forums, which is a topic I'm sure the author of these posts is familiar with because we discussed them prior to his rather selective reporting of the incident. Here's the facts as we need be concerned from an eve perspective:
1) John was botting. That is not even close to in dispute.
2) We committed an error in not removing the isk before it got to EVE-U. However we did rectify this problem and our logs show that it was discussed and approved prior to either them receiving the isk or petitioning. We apologized to EVE-U however the petition was escalated as high as it could be and the decision remained. We cannot typically share this information with them as it's really none of their business.
3) The only authority higher than the Director of Security for these complaints is the Executive Producer and then the CEO. This is a higher level of escalation than the Customer Service arm and IA automatically looks at our work. I'm not sure why we feel we should be able to escalate higher than the highest reasonable authority but the fact is that this team operates with significant oversight. We believe the issue here to be more that this particular CSM feels he isn't in the loop, something which is quite frankly the only proper way to do business in a unit that handles secrets.
Frankly we're a bit disturbed by the allegations made here given that the person in question waited until they exhausted every resource possible prior to posting this then lamented the lack of an escalation path. Not getting the answer you like isn't a lack of an escalation path and never will be.
The forum post is filled with people calling for more insight and transparency into the decisions being made by CCP on matters of in-game security. No one wants to play with cheaters, but people also want to know that they are being given a fair shake. CCP is in the position of being asked to disclose private messages and information, which is never a good spot to be in as a company. They aren't Congress, and it's really intense that people are being this aggressive about the issue. They have to consider the privacy agreement that CCP has with customers; they can't just put everything out in the open.
I believe sunshine is the best disinfectant when it can be used. Aside from showing you logs which include private communications and trade secrets I'm not sure how this could be done. This is why we're in this position in the first place. It's easy to insinuate misconduct when you know we're in a position where we can't put our stuff on the table. It's also petty.
The other thing players are pointing out is that if this happened to some terrible corporation like Goonswarm, no one would bat an eye about them being called out for possibly cheating. Since EVE University is widely regarded as a good corp, it's hard for people to think that one of their members would cheat. Of course, CCP has to handle the issue the same way no matter who is involved.
I think this situation really cuts to the core of actual misconduct. In this case we're actually being asked to treat EVE-U differently, which would by nature be misconduct. Our actions in this regard show exactly the opposite.
The post goes on for a while with people accusing CCP Sreegs of failing to provide sufficient proof of botting in this instance, and arguing that CCP needs to do a better job of communicating why players are being banned and, if they have hard evidence, of backing up their judgements. CCP Sreegs responded to these growing allegations in the same forum thread:
I didn't make the policy. However, I don't believe the ridiculous insinuations being leveled against my team are in any way a case of someone mistakenly not being convinced of something. When I disbelieve something I don't have a need to race around the internet telling everyone about it. Disagreement I don't mind. Trying purposely to cause damage to my team, my reputation and company because you don't like the explanation you got I do.
Finally, in another post CCP Sreegs tries to clarify their current position:
We action against botters and RMTers based on actual empirical evidence provided to us by the EVE servers. We do not ban based on blogs posted on the internet, nor will we discuss individual actions whether to confirm or deny their existence as per long standing policy.
I can tell you that we've been working on botting and RMT for some time now and our numbers have shown things trending down steeply. Given that we're the only people who could possibly have access to this data anyone stating otherwise is merely speculating. No amount of articles published on the internet by third parties is going to change that, nor will it stop the conspiracy crowd from pushing turbo on their already overactive speculation machines.
If there's anything here to look into it'll be looked into. In the meantime we've been working on a blog to be published within the next few weeks with some fun new information.
Look, people -- it's not real money and we're not talking about issues of national security. Yes, EVE is hardcore and people take it very seriously, but it is just a game, and a product. The developer has an obligation to customers to not disclose every bit of information about customers. It's unrealistic to think that they can just have full disclosure over an issue like this. They decided what John was doing was wrong, and they banned him for 14 days -- which they have every right to do.
They don't need to explain every little detail about why they decided he was going against the rules. I can understand why people would get upset over this. It would take me a very, very, very, very, long time to get together 317 billion ISK. Years, probably. It's a big deal, and if I was that player, I would want to know what was going on. John isn't posting on forums about the issue, though -- it's just other players crying foul. They don't really need to know what's going on.
I was able to get in touch with CCP to comment on this issue, and this is what they had to say:
There’s not a time where we happily remove ISK from players--unless they’ve done something wrong and then it’s more of a duty as strengthened by policy. There is recourse and escalation in the event of a false positive. The security team works jointly with many departments including Legal and Internal Affairs to make sure they “get things right” and continuously evaluates their processes. In terms of “accountability”, the security team is ultimately beholden to the Executive Producer, our legal department and then of course to our CEO.
For us, it’s a best practice not to discuss specific security investigations and actions with third parties. Even though CCP is probably one of the most open and communicative companies in all the gaming industry, we simply have to keep some areas of our company a bit secret in order to be effective. Botters and RMTers will take any shred of methodology they can learn from us and alter their ways to avoid detection. For the health of EVE and the benefit of our EULA-abiding players, it’s actually best we aren’t as transparent as some people might wish in terms of tactics and strategies.
In the end it seems like CCP has everything together, and they know what they are doing with their own game. It's unfortunate that some players are upset over this issue, but if CCP did decide to say what someone did wrong, it would be easier for another player to emulate that practice. It might suck to not know all of the details, but if it makes the game better for everyone I'm all for sensitive information being withheld.
What do you think? Is CCP right to keep some things a secret to protect the game's weaknesses and players' privacy, or should players have access to all the information when it involves them or their corporation?
The EVE-UNI botting controversy [The Mittani]