Another Software Spy

quakeaddict writes "LinuxQuake is now reporting that ID Software has indeed embedded some code to send, among other things, information about our PC's to ID Software. They should ASK before they start gleening information from my system." John Carmack's explanation on the page is unconvincing - video card data is sent independent of support requests and would be impossible to link to some user's email address, so it's useless for support purposes. (more) (update:This isn't as big of a deal as it sounds. read the update)

No, the second writer on LinuxQuake has it right when he says "It's market research." id doesn't care about current support, they want to know what cards to support in their next software release.

But the reason doesn't matter. The important part is that the software is doing something that it doesn't advertise and that isn't necessary for the operation of the software - sending information about your computer back to id software, which is mentioned nowhere in documentation, readme, EULA, website or installation. id calls it research - I call it a trojan horse program, and if I went into id's offices and installed a similar program that reported back to me on their machines, I would go to jail for it. If I convinced id to download and run it, by disguising it as, say, a video game, I'd go to jail for plain old fraud as well as the computer crime. That's 18 USC 47 section 1030, for the curious. It's been used against a number of 1337 d00dz who weren't quite 1337 enough.

So why does id think this is fine and dandy for them to do?

I like id's games, but this is not a joking matter. Software which performs functions beyond its stated activities is uncool (read: illegal), especially when those functions are spying on their users. Any sort of collection of data from user's machines, even relatively mundane data like the type of their video card, should be announced by the software and in the docs, and users should be able to opt out of it. How much bad press is it going to take before softwre companies get a clue? Or will the first hint they get be when an ambitious prosecutor serves a search warrant on them one day?

Update: 11/28 10:41 by michael : From various posts below and email received by yours truly, it looks as though id did have notification of the data-collecting activity in previous releases of the demo test; but not in the most recent one, for whatever reason. Perhaps the story should be about quality control on readme files. The basic point - companies need to be very open and upfront about things like this, even for benign purposes, and give people the option to opt-out - still stands, but it seems that id just made an error rather than tried to hide anything.