Take inventory ...
The overarching theme of Boyd and Kibel's article is that the best security decisions and practices begin at the policy level, not the action level. With good security policies in place, enforcement becomes far less of a worry because the policy itself is doing the work. It's cheaper to rewrite the rules than to hire someone whose sole job is to enforce broken ones.
Taking inventory of what types of personal information and data are collected and stored is one of those "issues of scale" problems that plague MMOs. How much do you have? Where is it? Who is in charge of it? What can we do with it? Think of the hard drives in your home computers and how you never clean them out. Now imagine having to find something on the World of Warcraft servers. That takes a team of people.
I don't know what role information managers play at Blizzard, if they do at all. However, with the recent API releases and armory updates and Mobile Auction House, I would imagine that a good-sized group of people are manning the information pipes, watching intently.
... and then reduce it
In a game like WoW, getting rid of information is as much a boon as storing it. The less you warehouse, the better. However, with the aforementioned APIs, storing fun, off-kilter data can be rewarding in quirky ways, so some of it is kept and surfaced to players. WoW reduced its storage burden, ironically, by giving players more inventory: the Void Storage system works by stripping the data off an item and leaving only a notation that you own it, cutting out a huge amount of database space for items locked away in the nether.
What Boyd and Kibel are saying about MMOs is that the best way to reduce inventory is to collect only the data tied to revenue. At the onset, maximizing revenue is pretty much the only way to survive. As you mature, though, it is wise to slowly open up information channels, especially ones you can control relatively easily, because players appreciate a little openness. Control is obviously key, along with player goodwill.
Network security wasn't built in a day
Blizzard knows about the process of evolving security concerns more than any other company in the MMO business, quickly transitioning a support team from dealing with gold farmers and harassment to an all-out hacker attack on accounts, emails, phishing scams, and more. Authenticators hit the scene with the promise of better security.
Over the years, Blizzard has inoculated itself against various types of security issues through practice and exposure alone. Only by dealing with a problem do you begin to understand how to combat and solve it. New MMOs that crop up are hit immediately with a full swing of the bat, aimed at WoW but connecting with the rookie on the team. It can hurt, believe me.
Look at WoW's system and ask questions. It's stood the test of time so far, with over seven years of viruses and bacteria squirming all over its surface. It puts proverbial hair on your chest.
Write it down
Write out what you do with the information you collect and stick to it. It's as simple as that. Why is it written out? So you can be totally, utterly transparent about it.
Dealing with data about children is such a tricky subject. In fact, data about kids is what scares me the most about the internet because, as a denizen of the internet, I understand how easy it is to get all of this information. It is a fact of life, however, that kids are going to go online and play video games whether parents like it or not, so teach kids to be safe and safeguard their data.
Blizzard's Battle.net account system is a great example of keeping kids' data safe while putting the onus on the parent to parent: parental controls are built in, and the parent owns the account until the child is of age to take it over. By keeping the parent involved, Blizzard has added the most crucial step in the security process: parenting. Force parents to do their jobs in every possible way that you can. That also might be my own opinion seeping through. Never.
Audit user terms on a regular basis
Luckily for us, there are plenty of players out there watching the EULA and Terms of Service for changes, as well as programs that scrape the text out of these documents and report on what changed. It might be annoying, but forcing players to review important documents whenever they change, even if the new material is just called out at the top in bold, is better than no communication at all. Be honest with players.
In fact, the real key here is communication. Updating and reviewing policies, internally and externally, shows a commitment to player and business interaction. You want to be reviewing your policies because doing so opens the door to better, iterative policies.
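The change-watching programs mentioned above boil down to a simple idea: snapshot the document, normalize it, and diff it against the previous snapshot. The following is an added example written for this column, not code from the original article or from any real ToS-monitoring tool; the two snapshots and the keyword list are constructed, hypothetical text, not actual Blizzard terms. It goes slightly beyond the text by also flagging changed lines that touch data-handling language, since those are the edits a player (or an internal reviewer) most wants called out.

```python
"""Detect and summarize changes between two snapshots of a Terms of Service
document. Added example for this column; the snapshots below are constructed
placeholder wording, not any company's real terms."""
import difflib
import hashlib
import re

# Constructed sample snapshots (hypothetical wording).
OLD_TOS = """
1. Account Security
You are responsible for keeping your password confidential.

2. Data We Collect
We collect your email address and billing information to operate the service.

3. Changes to These Terms
We may update these terms; continued use means acceptance.
"""

NEW_TOS = """
1. Account Security
You are responsible for keeping your password confidential.
We recommend enabling an authenticator on your account.

2. Data We Collect
We collect your email address, billing information, and device identifiers
to operate the service and may share them with third-party partners.

3. Changes to These Terms
We may update these terms; continued use means acceptance.
"""

# Assumed keyword list: phrases whose appearance in a changed line
# warrants a human read rather than a "nothing to see here" notice.
MATERIAL_KEYWORDS = ("third-party", "third party", "share", "collect",
                     "personal information", "arbitration", "children")


def normalize(text: str) -> list[str]:
    """Collapse runs of whitespace and drop blank lines so that layout-only
    edits (re-wrapping, extra spacing) do not register as changes."""
    lines = []
    for raw in text.splitlines():
        line = re.sub(r"\s+", " ", raw).strip()
        if line:
            lines.append(line)
    return lines


def fingerprint(text: str) -> str:
    """Stable SHA-256 of the normalized document; comparing two fingerprints
    is the cheap first check before running a full diff."""
    joined = "\n".join(normalize(text)).encode("utf-8")
    return hashlib.sha256(joined).hexdigest()


def diff_terms(old: str, new: str) -> dict:
    """Compare two snapshots and report: whether anything changed, which
    normalized lines were added or removed, which of those touch
    data-handling language, and a unified diff for the human reader."""
    old_lines, new_lines = normalize(old), normalize(new)
    changed = fingerprint(old) != fingerprint(new)
    added = [line for line in new_lines if line not in old_lines]
    removed = [line for line in old_lines if line not in new_lines]
    flagged = [line for line in added + removed
               if any(kw in line.lower() for kw in MATERIAL_KEYWORDS)]
    unified = "\n".join(difflib.unified_diff(
        old_lines, new_lines, fromfile="tos_old", tofile="tos_new",
        lineterm=""))
    return {"changed": changed, "added": added, "removed": removed,
            "flagged": flagged, "unified_diff": unified}


if __name__ == "__main__":
    report = diff_terms(OLD_TOS, NEW_TOS)
    print("changed:", report["changed"])
    print("lines needing review:")
    for line in report["flagged"]:
        print("  *", line)
    print(report["unified_diff"])
```

In a real monitor you would fetch the live document on a schedule, store the fingerprint alongside the raw text, and only run `diff_terms` when the fingerprint moves; the flagged list is what you put at the top of the notice to players, in bold, rather than making them hunt through the whole document.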
Data breach response plan
Back when some of the larger networks were being taken down by hacker groups, Blizzard's WoW servers stood up against the onslaught. Tom Chilton even referenced the company's ability to thwart hacker attempts back in 2011.
Several major gaming studios have fallen victim to hackers of late. What measures are Blizzard taking to ensure that WoW is not hit?
We have always tried to be as diligent as we possibly can when it comes to security. Certainly when hacking was going on with other companies recently there were numerous attempts against ourselves also. Fortunately, our security was good enough, so we didn't lose data or anything like that.
We always put a high priority on security, but that's not to say you can ever be impregnable. We're not resting on our laurels saying 'they can't get us'. It's always a possibility, and we take it very seriously, but so far, so good.
Boyd and Kibel recommend creating a data breach response plan that includes a team of professionals at the ready for when the ship springs a leak. I must emphasize the last point first because I believe it is the most salient. Tell the community that there is a problem immediately. Do not wait to figure out how bad the problem really is. Tell your customers to change their passwords and security questions. Quick, clear communication about people's private data is essential. Blizzard let players know that all was well on its front during a time of internet upheaval. Keep people informed.
All of the steps that Boyd and Kibel discussed in their article are essential to the future of MMO security and good strategy when dealing with the unsavory elements of the MMO world. As time goes on and the need for these types of systems wanes, you will see the nature of MMOs change fundamentally to allow for new types of advancement and gameplay.
Development is where good security starts. Good policies, good oversight, and good planning will make dealing with security issues into a positive teaching moment versus a sad mess. Remember the Crytek leaks and security breach? You have everything to lose if your security is broken -- be quick about protecting it. And good on Blizzard, so far, for not utterly failing to keep my personal information away from unsavory gents. (Zarhym doesn't count.)
Not losing players' data, as it turns out, means a lot to us.
This column is for entertainment only; if you need legal advice, contact your lawyer. For comments or general questions about law or for The Lawbringer, contact Mat at firstname.lastname@example.org.