WIRED / iStock / pikepicture

PC gamers are an inquisitive breed – if a developer inserts a file into their games, even without announcing it, one adventurous player diving through the game’s directories will eventually find it. That's been the case with Red Shell, a tracking service that sleuthing gamers have found inside PC games.

Since the tracker – which largely collects information about player's consoles and habits – was discovered in a number of games, publishers have faced a backlash from their customers. The complaints have led to several game studios removing, or at least promising to remove, the offending software.


The Red Shell software has seen players complaining on the forums of games such as Conan Exiles, The Elder Scrolls Online, Dead by Daylight, Civilization VI, several Total War games and Holy Potatoes! We’re in Space?! since March.

They have demanded to know why the developers they paid and trusted were trying to harvest data from under their nose – some going so far as accusing them of installing spyware on their machines. "On their website they [Red Shell] formulate it all in very harmless language, but the fact is that this is software from someone i don't trust and whom i never invited, which is looking at my data and running on my pc against my will," Reddit user Alexspeed75 wrote.

Read next The NHS Test and Trace app has two flaws: QR codes and people The NHS Test and Trace app has two flaws: QR codes and people

While publishers and developers are removing Red Shell in response to fan pressure, they have claimed the software was completely benign, and that they hope to use it in future when a more transparent approach is figured out. Red Shell has defended its system saying it helps advertisers to properly target their ads at gamers. So, what exactly is Red Shell, why do game developers use it, and is it legal and ethical to record player data like this?

This streaming startup wants to make high-end PCs obsolete Gaming This streaming startup wants to make high-end PCs obsolete


What exactly is Red Shell collecting?

Red Shell, named after the opponent-seeking projectile from the Mario Kart series, is a kind of attribution service, which allows marketing teams to see which adverts lead to sales of their product, and which don’t. There are many services like this for apps on mobile devices, as the App Store and Google Play let developers see which links are driving traffic to the store page, even down to individual advertisements and posts.

On desktops, attribution is dominated by Google Analytics. However, because the majority of PC games are sold via Steam, (which only tracks the website which contained the link) and are then played away from the browser via the desktop, developers have less information about if their advertising campaigns are working or not.

Therefore, Red Shell’s method tracks a different set of data points when users interact with adverts. These are generally data points about the user’s device, such as its operating system, installed fonts, browsers (and versions) used, timezone, language, the user’s in-game ID, and screen resolution. This is what Red Shell calls a ‘fingerprint’, which can also be made on games consoles as well as PCs.

Read next These Chrome extensions protect you against creepy web tracking These Chrome extensions protect you against creepy web tracking

When someone buys a game, the chosen parameters are checked again when the player starts it up. With the two fingerprints matched, the developer once again can work out if certain forms of adverts or certain websites are providing value for money.


The data is sent to Red Shell via an encrypted SSL protocol, and typically kept on their servers for 13 or 25 months, depending on the client’s specific policies.

Adam Lieb, CEO of Innervate, the Seattle startup that operates Red Shell, believes the data the service collects is within the rules of Europe's General Data Protection Regulation (GDPR), which came into force at the end of May.

"People can have their own opinions on it but our data is not personally identifiable information (PII)," claims Lieb. "We don't want PII, we don't care who these people are, and nor do our customers, what they care about is knowing if this is the same computer or person, not who that person is."

While Lieb says it would be possible to get the same attribution using less information from gamers and their devices, "the more data points we strip away, the less accurate it is, which is therefore less useful."

Read next The best VPN services tested for speed, reliability and privacy The best VPN services tested for speed, reliability and privacy

He expressed his frustration with the response online, which he says painted a false picture of Red Shell as a spyware programme trying to sell data for malicious purposes. He said that people’s worries were “unfounded”, especially since some forum users had decompiled the Red Shell code and had shown there was nothing malignant within it.

For him, the situation has been “frustrating on our side because those [spyware accusations] are patently not true." He also explains that Red Shell is the name of an old Trojan virus, a claim repeated on the Red Shell website, which has possibly people additionally anxious. Despite Lieb's defence, publishers have still pledged to remove Red Shell from their products.

Games studios take fire

Believing that the developers making their games were in the wrong for using Red Shell, gamers have been making complaints for some time, initially confined to individual game forums, but recently intensifying and centralising on more general forums such as the r/steam subreddit.

Faizan Abid, a producer at the Singapore-based Daylight Studios, which has promised to remove Red Shell from one of its games, says it was initially installed to help with marketing. On June 8, Daylight updated the rogue-like adventure game Holy Potatoes! We’re in Space?!, explaining in a Steam community post that it was adding Red Shell to the game.

“We have been trying to improve the marketing for our games," Abid says. "On Steam, it’s very hard to get visibility for small games like us. We need a way to get visibility on our own, and the only way to do that is paid marketing. The only problem is there is no way to know if they actually bought the game due to an ad they saw.”

Read next Free VPNs are a privacy nightmare. You shouldn’t download them Free VPNs are a privacy nightmare. You shouldn’t download them

Due to the strength of the player response to the post, Abid, and a programmer, uploaded another patch less than a day later to take Red Shell out again. He was happy to do as the players requested, but not completely. “I totally understand and respect these feelings, and I want our players to feel comfortable. This does mean that we can't use the Red Shell service, and that leaves us blind when it comes to marketing so we can't actually use paid marketing, it won't be efficient without having this data.”

On the Elder Scrolls Online forums, administrator ZOS_MattFiror apologised “for the confusion over the integration of Red Shell into ESO”, confirming that the programme had been added, but not activated. Although he wrote that the team would be investigating the technology again in the future to help grow the game: “we never should have done this without giving everyone a heads up it was coming, and we will learn from this mistake.” Red Shell was removed from ESO in a patch on June 4.

What is GDPR? The summary guide to GDPR compliance in the UK Privacy What is GDPR? The summary guide to GDPR compliance in the UK

Funcom, developers of Conan Exiles, removed the service on May 15 in a hotfix patch. Its players were the first gaming community to notice the presence of Red Shell in the game files. In a reply to a concerned user on May 8, community manager AndyB wrote: “We’ll fully disable and remove Red Shell for now, but please understand that we may still continue using analytics services for Conan Exiles in the future.”

Abid also pointed to Google's Analytics, and how people seem to have accepted that they process large amounts of data, suggesting that the only difference is brand recognition. "Google tracks a lot more things than Red Shell, but people never complain about it. The only thing is Red Shell is not as well known as Google."

Read next Forget Google Maps. It’s time to try a privacy-friendly alternative Forget Google Maps. It’s time to try a privacy-friendly alternative

Abid also considered how many other games were using Red Shell, but people only complained because Daylight told them what it was doing, which then led to one of the larger threads on the issue on Reddit. "I feel I did the right thing, but [other games with Red Shell like Civilization VI] were doing well and never had any backlash, while we were just honest about it, and we got the backlash."

Creative Assembly, developers of the Total War said: “Whilst Red Shell is only used to measure the effectiveness of our advertising, we can see that players are clearly concerned about it and it will be difficult for us to entirely reassure every player. So, from the next update we will remove the implementation of Red Shell from those Total War games that use it.”

Behaviour Interactive, which makes Dead by Daylight, has also promised to remove Red Shell but declined to comment any further on its usage.

When asked about the actions of these developers, Lieb said he understood that “they're doing what's right in their community,” and was looking to work on marketing attribution in PC games with them going forward.

Is the data collection allowed?

Players clearly feel that the use of Red Shell in their games is not right. Unfortunately for them, the legality is somewhat debatable. Paul Bernal, a lecturer in information technology, intellectual property and media law in the UEA School of Law, believes that while Red Shell’s activities feel ethically wrong, the law is not as clear, even with the recent passing of GDPR, which is designed to protect a user’s data and privacy.

“This is a very blurry area here, so the interpretation of GDPR is key here” he explains. “One of the things that's important here is it's not whether data can be identified that makes it personal data, it's whether it's identifiable that makes it that."


"There could be a sufficient number of variables to identify an individual user from their data. The fact they call it a ‘fingerprint’ makes it clear that it identifies someone."

GDPR has had an impact on online gaming. The privacy law has seen some games – most notably Ragnarok Online – shut down their services due to data collection fears. Multiplayer battle game Super Monday Night Combat, which has been running since 2012, also shut down its service after deciding its back-end systems would cost too much to meet the requirements of GPDR.

“They can't escape GDPR,” he continues. “There's a spirit behind it, a sense of logic and the idea should not be that you go against the spirit of the GDPR by trying to avoid it by the letter, it was intended to be written in such a way that if you tried to do that, you would still get caught. In practice we don't know if that's the case, it's only been in force for a matter of weeks, but that's the intention."