Game-side Logging and Player Protection

dvoraen

This is in R&R because I imagine the subject matter could potentially turn dark, in that I half foresaw anecdotes of “people do things like X” that didn’t really make it appropriate for non-R&R areas.

At what point is server-side logging invasive to players in a MU*?

I’ve been thinking on the question of how to combat predators and other asshats in MU*s, so I’m crowdsourcing opinions here on the above query. I’ve been contemplating creating systems for Evennia that relate to the question posed (and other Ares-like systems like a cron API and RP/scene-managing API). But I also wanted to see if I could find an acceptable* solution regarding how to build player-protecting tools into Evennia as a personal programming project. My initial thought was to pattern off of how Faraday implemented Ares’ handling of communications, but I wonder if that can be extrapolated further. However, one solution I identified was easily abusable by staff (it was basically ‘suspect’ flagging).

One thing that’s been made clear from reading MSB, BMD, and hearing about it after the fact, is that problem children love to leave trails that, if logged, make it really clear what their behavior is like. BUT, one can’t simply log every communication between every player ever for retrieval, because that’s simply an invasion of privacy and absolutely NOT OKAY. However, in order for a player to report another player, there needs to be a paper trail of some sort that the game generated, notarizes, and sends to staff saying, “Yep this is legit,” as Ares does.

So what do people think is the line to walk here? It can’t be everything, but it can’t be nothing either, as I see it.

The second major query is: what tools should players have to deal with problem players? The usual communication blocks are a bit of a given, but what should players be able to report as questionable? Should it be something like a form where they say, “X is being really creepy” with possible game-generated logs auto-included? Or should it be more simple like a (slightly verbose) command so that it’s not accidentally submitted? If a player reports another, should there be automatic protections enabled such as immediate communication suppression? Notice to the offender that they can no longer communicate with the victim? Shadowbanning? Things like that.

There are other defenses that might need to be enabled on a MU*, such as prohibiting VPN connections (with a per-character whitelist?), connection logging and host cross-referencing, and so on.

I would very much like to hear thoughts.

* Acceptable is a bit subjective, I realize. Not everyone will agree with a given solution.

Polk

@dvoraen I think the only real player protection that can exist is active game runners who do something to protect players.

Players should feel free to let you know about anything off, uncomfortable, or dangerous.

By the way, IP-based protections are not nearly as useful as you may think they are. They’re a tool in the bag, but I don’t think it’s a good idea to hard-ban suspected VPNs and such. You’re going to have a bunch of false positives AND false negatives.

There’s no automating handling bad actors.

dvoraen

@Polk said in Game-side Logging and Player Protection:

@dvoraen I think the only real player protection that can exist is active game runners who do something to protect players.

Players should feel free to let you know about anything off, uncomfortable, or dangerous.

By the way, IP-based protections are not nearly as useful as you may think they are. They’re a tool in the bag, but I don’t think it’s a good idea to hard-ban suspected VPNs and such. You’re going to have a bunch of false positives AND false negatives.

There’s no automating handling bad actors.

Yes, I agree strongly that the game runners play a major role here, but even they could use as much help as they can get to deal with bad actors. While I also agree that you can’t automate all of it, that doesn’t mean you can’t implement automated solutions that analyze, rather than act. For example, is player X connecting via a lot of different IPs? That’s kind of interesting on its own, but it could also mean “multiple coffee shops” and so on. It’s something to be aware of, but not necessarily act upon, and it can be logged so that if player X does get banned, the game has a basis for potentially bad source IPs to disallow further connection from.

I’m not saying that the code needs to do all the work; I don’t think that’s possible without some serious advances in AI (and unethical and intrusive methods), and even then it should be staff taking action and not the game unless there’s something serious like DDOS attacks and external attempts to access admin accounts going on.

Polk

@dvoraen Okay on that I agree. Analysis, sure. Tools that let you check and investigate? Great.

Blacklists I’m less a fan of except when narrowly tailored and proven necessary.

junipersky

I would love if it was something I could trigger after a yucky, and then choose later to keep or discard. Eg: have my session automatically backed up - everything I did since logging in - and then when I come back later choose to keep or toss that record. Then I have spaxe and time to consider what happened. If I choose to move forward with a report I have my game-saved reference.

It isn’t fool proof, but the number of times I wished I could save an ick to review later was wow.

Yes, I know many clients come with loggers. However, mobile and chromebook clients that I’ve found most reliable do not, or do not have a file type that can be opened later.

Pavel

@junipersky said in Game-side Logging and Player Protection:

Yes, I know many clients come with loggers

While that’s true, they’re also just files that can be edited, not solid.

Though I’ve not had the need to use it as yet, the Ares feature of “send this shit to staff so they can deal with it” (I’m paraphrasing) really is the gold standard as far as I’m concerned.

I don’t know how it works down at the nuts and bolts, but I don’t think it logs everything until it’s told to. @Faraday would have to ELI5 it, though.

Faraday

@Pavel said in Game-side Logging and Player Protection:

I don’t know how it works down at the nuts and bolts, but I don’t think it logs everything until it’s told to.

The Ares tools work because the data for scenes/pages/channels is already stored in the database. Details can be found in the Ares privacy policy, but in a nutshell:

Stored data enables game features, like the web portal play screen, scene sharing, or channel recall. That data is fundamentally for players, not for staff. There are no built-in staff commands to snoop on it, and staff only gets to see it when someone uses the “report abuse” feature.

Logged data, on the other hand, is for debugging. Sensitive commands like pages, poses, etc. are not logged.

This seemed like the best compromise between player privacy and the need for validated reporting.

@Polk is right that the best defense is a staff that cares, but code can help them sort through “they said/they said” situations a bit better. I also hope the existence of such tools might prove some measure of deterrent. (Also I agree IP bans are worthless in a land of ubiquitous VPNs, though Ares does support them.)

Usual disclaimer: Any data transmitted to a server is ultimately accessible to the server owner and anyone they choose to share it with. No codebase can defend against a nefarious staff choosing to install custom loggers.

Jumpscare

On Silent Heaven, I’m open about the fact that everything is logged, and only I have access to logs. This is primarily so that I can zip up someone’s logs and send them to the player once their character has finished their time in Silent Heaven. I don’t look at logs unless there’s cause for concern raised by a player and I’ve received permission from that player. It’s been an invaluable resource when dealing with problem players.

When you launch a new game, your playerbase has little to no trust in you. They’ve been burned countless times in the past, so why would they? It’s only through repeated acts of goodwill on a near-daily basis that players can gradually begin to trust. And one wrong step can erode that trust. All you can do is apologize, take the loss, and focus on doing better.

Overall, my recommendation is to build in whatever security features you feel most comfortable with. While full logging can help in some instances, the most important thing is to be responsive to your community. When they first come to you with a problem, they’re taking a huge leap of faith that you’ll respond to their issues in a positive manner. And that’s what matters most. Even the most robust security features are pointless if you’re not out there caring for your players.