Gaming

GOG debuts profiles feature, users flip out

Commentary: To a gaming community that many joined as an oasis from Steam, GOG's execution of its new user profile feature feels like it's worth a battle royale.

This is not a great time to be tone deaf about privacy. Between Facebook's rapid fall from grace to the grand launch of the EU's GDPR (General Data Protection Regulation) privacy legislation next month, people are more sensitive than ever about their personal information. 

Into this climate, Warsaw-based GOG -- Good Old Games, owned by CD Projekt Group  -- launched a user profiles feature that many feel lacks important privacy guards, such as the ability to completely hide your profile, as well as the fact that it's opt-out rather than opt-in, and that the site announced it in a forum post (where many won't see it) rather than a blast email.

gog-profile

When you've got all the privacy settings set to maximum, this is what other users can still see -- including the user name and profile photo, which I've grayed out. Unfortunately, the only way to maximize privacy is to not to connect with any friends, because there's some leakage through that vector, and play without the GOG Galaxy client, so it doesn't track personal gameplay stats like achievements, time played and milestones. 

Screenshot by Lori Grunin/CNET

Complicating the issue, GOG's earliest announcement of the rollout was buried in another forum about a week ago, to a subset of its users  (which I sadly can't find now), and the reaction was pretty much the same. The fact that GOG commenced the rollout with no acknowledgement of these issues is a pretty big indicator that it's taken an all-too-common approach we've seen from companies: wait for the furor to blow over, and if it doesn't tank the user base, then woo hoo!

Or, as one poster eloquently put it:

So we have a New Account System déjà vu -- make a non-distinct thread a few days prior, leave our questions unanswered, thanks us for feedback that you're just throwing away, then proceed with your original plan on Monday without prior adequate communication to your users, leaking personal data of even people that had gotten wind of the unofficial thread and changes their settings to the full privacy. (HypersomniacLive)

It feels like a double whammy coming from GOG, which has made its name and continues to highlight its commitment to offering only DRM-free games. There's a significant overlap between people who care about DRM and who care about privacy, so this backlash really doesn't come as a surprise.

The site's privacy policy, which was last updated in December 2017, states "any information you post publicly using GOG services (e.g. your public profile) will be publicly available to GOG users." So, in theory, GOG hasn't done anything wrong except betray the trust of its users.

Which leads us to the real issue we're facing these days: what's considered personal information vs. public information as interpreted by the law? We tend to conflate our personal definitions of privacy with the legal or policy-based definitions, and we usually consider a lot more information to be private than it actually is in the real world.

In part, it's because to a corporate entity, at best a username seems like such an innocuous piece of information and at worst the company disingenuously pretends it is. But individuals may consider a username as one element in the weaponizable toolkit for bad actors (like online stalkers) or a link between personas they don't want marketers to have.

But companies are going to push the legal line as much as they can, and what we think really doesn't matter unless we can prove our information is being used illegally. Or if we abandon these companies en masse, which just doesn't seem to happen, because these invasions quickly become the new normal.

Check out all of CNET's gaming coverage

Follow CNET's privacy news