Player Perspectives (Archived): A Pain in the RealID

Blizzard released its Battle.net RealID system this week, a communication tool which allows players to connect with each other across all Battle.Net games (World of Warcraft, Starcraft, and Diablo). On the surface, it's a great idea; it provides cross-game communication, and improves intra-game communication. Players can also chat cross-faction and cross-server with friends added through RealID. It's a concept many MMO publishers can follow to connect players of their games; from larger publishers like Mythic and Turbine to free-to-play companies like Nexon, Outspark, and Aeria Games. It's a fun feature, enabling friends and family to connect wherever they game, eliminating the need to roll an alt just to hang out.

Unfortunately, that's where the praise ends. The RealID system was hastily implemented, and while not necessarily broken (although many players found it disabled on their account by some strange stroke of luck), the RealID system introduces a slew of privacy concerns that one can only choose to be rid of by completely opting out of the RealID system. As it stands, the RealID system is enabled by default on all accounts except those with parental controls (more on that later), and players who want to use the RealID system are unable to make any changes or select options as to how their information is shared.

So, what's causing the fuss about the RealID system?

To elaborate, the RealID system functions by allowing players to add friends via their Battle.net user name. All Battle.net user names are now coincidentally a player's e-mail address, as Blizzard decided to transition all players under the Battle.net system which does not use custom user names for log-ins. Once you've given someone your e-mail address to find you under RealID, they can add you in-game and, once you've confirmed their friendship (unlike the standard World of Warcraft friend system, which doesn't require mutual friendship), they can now message you no matter where either of you are playing at the time.

There's a second catch besides using your log-in email: the RealID system also identifies you by your real name instead of a character name or alternate identity. Friends who may have previously known you by your character name will now know you by your real name, whether you've ever told them or not. This is information pulled straight from Blizzard's account information and billing system - information that was previously private.

Another enhanced feature of RealID is the ability to see friends of friends. Once you're on a friend's RealID list, you can now see the (real) names of anyone they have added to their RealID. The idea behind this function is to allow players to easily add mutual friends without having to ask a dozen people for their e-mail address. The potential use behind it to find out more information about someone that trusts you with their RealID is far worse.

RealID also shows your character information whenever you're online, by name and server. If you've ever had one of those moments that you wanted to "hide out" and play an alt, you won't be able to do so with RealID. Even if you give it to a friend that you trust not to bother you on alts, someone who knows they're a friend of yours might try to pry that information out of you, giving up your whereabouts. Before you say, "No one's going to abuse that," let me point out there are already World of Warcraft raiding guilds requiring players to give their RealIDs to the leadership in order to continue raiding with them.

If you're not feeling uncomfortable yet, consider the situation for parents. If a parent had already placed parental controls on a World of Warcraft account, RealID is (thankfully) disabled by default. If, however, a parent had reviewed their child's gaming habits and found World of Warcraft safe enough to not place any parental controls on the account, RealID is already enabled. Parents who aren't made aware of the changes to Blizzard's privacy settings already have their children endangered by any use of RealID on the account. As World of Warcraft is not "directed toward children," it is not required to comply with COPPA laws that other online websites do - it falls squarely on the parent to have become aware of a change in the exposure of the personal information of their children.

Step back and consider this: by participating in the RealID system, either by giving other players your RealID, or by adding someone through RealID without relinquishing to them your RealID information, you automatically agree to have your first and last name pulled from your account and shared with your RealID friends as well as their friends. This includes minors who were trusted to play Blizzard games without parental controls.

What's in a first and last name, you ask? An enormous amount of information. In just knowing a person's first and last name, you can find out their phone number, physical address, and whatever dirt the internet has to dig up on them. You can find them via e-mail address or name on various social networking sites. You can find out their birthday, or you can find out if they have a criminal record. By releasing a full name to people you play with, you open up a vast amount of social engineering opportunities. With the 'friend of friend' feature, you also open up social engineering opportunities on your friends, and the chance for players to find out who your friends are - including your family members, real life friends, spouses and significant others.

Of course, these very reasons have made Blizzard recommend players only add people they trust, such as family, friends, and coworkers. Aside from trusting these people with your real name, however, you also have to trust that they won't add anyone suspicious themselves. An honor system of trust does not work. In fact, trust is often how social engineers operate. There's a billboard, close by my house, from the Securities Exchange Commission that says "He's your neighbor. He's your friend. He's a con." This is the world of digital scamming; a little trust goes a long way in breaking a person's privacy wide open.

As for parenting, a watchful eye is always best. However, can a parent be blamed for not keeping up-to-date on every patch, or being aware the moment something goes live that it may endanger their child's privacy and safety? Many of us have played MMOs as teens with minimal supervision, but would likely have had undergone a severe scolding, at least, if it had been found out we were giving our name (or our parent's name, depending on how the account was set up) to other people online. Parents, of course, should be made aware of the change, but only parents who actively play World of Warcraft would have known about the RealID system; even parents who set up parental controls weren't informed of RealID or how it works.

RealID isn't terrible, and my aim isn't to encourage players to never use it. The problem is that RealID is poorly implemented. There are no controls to manage your RealID; you can't even disable it unless you use parental controls. You can't set your real name to display as a fictional moniker instead; you can't choose to not show up on the 'Friends of Friends' lists; you can't choose to refuse RealID requests automatically. There is no 'turning off' RealID. A player's only choice is to participate, thereby accepting all the above concerns, or to not participate at all.

These are valid concerns, all brought up long before RealID ever made it live to World of Warcraft. Players have a right to be concerned about Blizzard automatically sharing their personal identity through the system, especially when there are no other options than to simply refuse all RealID requests. Such options are doubtfully difficult to implement but, for whatever reason, Blizzard chose to ignore these requests and have yet to respond to player suggestions for more option implementations. What could be a great service is, instead, being chewed apart and forcefully ignored by many players - even at the cost of their raiding and guild spots.

RealID needs more user options and control if it is to succeed as a viable communication device instead of a potentially dangerous utility. This is certainly a case of "consumer beware," and Blizzard has done a poor job in informing its customers just what dangers its service may hold - dangers they, themselves, could help avoid simply by introducing a few user controls.