garrysmod-requests
garrysmod-requests copied to clipboard
Facepunch
Methods to grab hardware information about player's computer
For the sake of statistics, let Lua know hardware information about the computer it's running on.
system.GPUInfo()
system.CPUInfo()
system.MotherboardInfo()
system.RAMInfo()
system.DisplayCount()
You get the idea. Really as much harmless info we can get about our PC.
maybe even something like system.GetHardwareInfo(). I would love to collect some statistics.
Someone requested this to Garry before iirc, but he refused since he believed that info should be private. But display count is a :+1: since it can fix the font stretching issues.
I don't object to this personally, but Garry might have had valid reasons.
Steam at least asks you if you want to participate in their surveys. This is going too far.
I'm somewhat against this because any server owner would be able to gather this information from their clients. At least the big name companies ask for permission first, even if the info is not that important.
I think a clientside convar would be the only way to ask for a user's "permission." Servers could check the value, then popup a short explanation on why they should enable it for statistics. Otherwise, I couldn't really think of a more logical solution.
You could always just make a module and ask members to install it, but that would really only work for large communities.
Agreed, this would be really useful to help target weak points, as well as general statistics.
Considering this wouldn't really be useful for scripting other than info collection (except for maybe display count?), it'd be best to have all those functions condensed into one, as you really only need to call this stuff once anyway.
DisplayCount and GPUInfo would be great! I dont really think it's too malicious unless it gave out, like others have said, specific information per user. (Allowing servers to target specific individuals)
@Jvs34 I could see GPU info being useful as well in detecting whether to do certain operations (halos, setting model quality, etc), but that would be very specific and on a case-by-case basis.
@Kefta you cannot realistically do that as there are so many GPU models available.
Having the functions be freely usable by everyone would definitely be detrimental to normal user privacy. I know I'd use the information for fingerprinting. If this was implemented there should be a Do-Not-Track option in the options menu (that cannot be modified by clientside Lua in any way), that blocks access to hardware info functions and is enabled by default.
@wyozi I don't think it'd be as daunting of a task as you think, with some simple string parsing to get the 690,750,980,290 etc out of the GPU name and line it up with some general performance values for each one. That said I think tracking average fps would be better for determining graphics optimizations than that since we can't account for other resource heavy tasks the computer may be doing.
@Noiwex whatever issues you have with popular servers, you are better off acting like an adult on a legitimate feature request. There's not always an ulterior motive for everything; I just like making graphs. Ask @Kefta
I'd also like to point out that the benefit of using this to fingerprint people is.. Almost none. Imagine how many people use an i7 4820k and GTX 980. Results would be completely unreliable with the exception of people with extreme toasters or super computers. It really is harmless info.
Dude don't add this, I don't want people to know how much RAM I have. This would break privacy bro please don't add. They can give me a virus if they how much RAM I have! Please don't add! They could even end up installing extra ram without my permission!
@wyozi It's realistic: the primary thing you need to check is for Intel integrated graphics, which you could tell just by the brand string.
And the "Do-Not-Collect" option was something I suggested to KoB yesterday since that model follows Google's data collection.
@FPtje All countries to my knowledge fall onto the ISO information privacy standard: https://www.iso.org/obp/ui/#iso:std:iso-iec:29100:en
@DrVrej Thank you for your contribution to legitimate discussion.
Damnit, couldn't finish comment @Kefta that thing is mostly behind a paywall. If you look at section 2.2 of the thing linked in previous comment, you'll find examples of personally identifiable data:
Asset information, such as Internet Protocol (IP) or Media Access Control (MAC) address or other host-specific persistent static identifier that consistently links to a particular person or small, welldefined group of people
...
Information identifying personally owned property, such as vehicle registration number or title number and related information
I'd consider hardware information to fall under either or both of these categories. Some care is to be taken, at least. The thing is, people are already identifiable through SteamID. One could argue that hardware information doesn't "add" to the identifiability. One objection to that could be that it could potentially be more identifying than an IP address or SteamID. Especially people with custom builds could be identified by their hardware info, allowing servers to ban them even if they join using a VPN or on a different account.
This feature, however useful it may be, might land Facepunch in legal trouble.
Edit:
Also, NIST is American, but it's a decent source regardless. Different rules may apply to the UK, though I doubt it.
@FPtje The text you link specifically states that IP Addresses fall under said category of "Personally Identifiable Data", yet we are already able to collect these. I see your note about "even if they are using a VPN", but we are still by and large able to collect IP Addresses.
Additionally, said IP Address collection does not adhere to the practices listed in section 2.3, mainly in regards to those specifying that individuals must be able to opt out and must be notified of the collection.
If Facepunch would be in legal trouble due to some minor hardware info collection, they already would be for IP Address collection.
However, the concern for constructing hardware ID models is valid; simply concatenating all the information @KingofBeast listed and storing it in a database would be a very viable measure of identification across VPNs and accounts as @FPTje said. It would certainly be viable to reference said database whenever somebody joins, and alert admins if their hardware matches that of a banned user.
It's difficult to say that a ConVar would solve all of these problems, because a simple hardware_collection_enabled 0 would mean that servers wanting to use hardware information for legitimate usage (statistics, manipulating content based on machine capability) would also be unable to access this data. A per-server configuration ("Would you like to enable hardware collection on this server?") wouldn't work either, because you don't know if they're using your data to identify you until they already have.
I still disagree with basic hardware info being (reliably) personally identifiable, even if you combine it to form a pseudo hwid it's still nowhere close to uniquely identifiable. There's nothing unique, user-specific, or even consistent in knowing that x person uses a GTX 980. Case one and two, (insert %) of the entire userbase uses the same thing. Case three, I can change my GPU at any time making it not truly consistent.
@KingofBeast You really have no basis when you say that "you can't identify users based on builds because many users use the same builds"; I'd say that duplicate builds are uncommon enough to make personal identification possible (especially on GMod servers, which tend to have at most thousands of unique players). Additionally, users with unique builds will definitely be identifiable still. Some data would be nice.
Your point about being able to change your GPU is valid (though you can't change your steamid, and if you rejoin the server on the same account they can simply update your info), but very few people would be willing to a) have another GPU and b) swap GPUs to protect privacy when joining GMod servers.
@zerfgog You're right. An IP Address can be quite identifiable. The thing with IP addresses (and SteamIDs), though, is that the server must necessarily receive that data in order for it to function properly. Such is not the case for hardware info.
@KingofBeast hwid is short for hardware identifier. Terminology aside, you won't identify anyone running a pre-built system. You might, however, identify people with custom builds by rule of combinatorics. Take the very specific GPU model, CPU model, motherboard model, HDD/SSD model + models from other devices. Dumbing things down and assuming there are 50 GPU models, 50 CPU models, 50 motherboard models and 50 HDD models on the market. In that case there would be 50C4 = 230,000 different possibilities.
Though you're probably right in essence, @KingofBeast. You can probably leave out enough info for things not to become identifying. Some serious thought should go into this, though. I'm not necessarily against this feature. I'm just saying that some care should be taken to avoid legal issues down the road.
Then let's discuss NIST's definition on PII. For this refer to section 2.2 in the link Falco posted. Our nice neat list of examples of PII actually let us know that the sort of information that is considered personally identifiable is actually (who would have thought) information that can give away or lead to a person's identity. We may be able to identify steam accounts with the extra information we get about a computer. But that data will never create a link to our users name, address, SSN, phone number, race, religion, weight, employment, biometrics, mother's maiden name, or any of that.
It's much like HIPAA. Information that can tell you this persons ACTUAL identity is what needs to be protected.
I personally do not see "for the sake of statistics" to be a reasonable reason to add anything. Garry's Mod is a game, and Lua is meant to expand the game's functionality/content, not to collect harmless or otherwise info.
@KingofBeast
But that data will never create a link to our users name, address, SSN, phone number, race, religion, weight, employment, biometrics, mother's maiden name, or any of that.
The data cannot create a link to the things you mentioned, but it can create a link between different SteamIDs. As such they can link multiple SteamIDs to a single person, even when a proxy or VPN is used.
That combined with the fact that the data is not strictly necessary, may make it hard to defend.
@FPtje A server must receive IP Address info to function. A Lua script doesn't require IP Address information to function.
@robotboy655 That's actually a good point. The only non-statistic purposes are hwid creation and possibly tailoring content to different machine powers, which would be difficult to implement and probably not very rewarding. Statistics are great to collect, but they don't justify the associations we can create.
Currently you can see if two people are the same by checking if they have the same IP Address/If they're family sharing and other small means, But adding the ability to read hardware info we're allowing people to better detect if two accounts are of the same person.
Personally I wouldn't mind if this was added, IF we got the ability to disable them checking for the hardware info but in the end when I think about it, I wouldn't even want it added at all to a point because it just allows community owners to simply go off on the point of "Hey you HAVE to enable this to play here" . In actual reality there is no need for this feature but merely a want.
At that level the way the person speaks in game can do the same thing. But it still doesn't identify the person behind the SteamID. There's a very concise barrier where any information we have stops.
@robotboy665 if simple graphs aren't enough then I can give some use cases that we've already had in mind. I don't know how much work you've done in demographics but even in this watered down version of it statistics can be applied to nearly anything.
Using CPU and GPU to create a density chart and find about what baseline of computing power users as a whole are on. Then designing our Lua around that information to make sure you don't go overboard on literally any behavior that can become resource intensive. Or, decide that you can reasonably afford to add more flair to your scripts. QoL for players goes up.
Just as one example.
@KingofBeast I honestly don't see any other servers using this. For one thing, a large player count is required for good data. For another thing, you must understand how to actually improve script performance once you have the information. Only a select few would benefit from this, while the privacy concerns would negatively affect all.
@aStonedPenguin (below) I deleted that comment because it was dumb. You might only get feedback from the vocal minority and such.
@zerfgog Even having the current largest server in the game user feedback absurdly hard to get especially if you want it from more then just dedicated players. Most people don't give feedback, they just leave.