Richard Lewis: Can we trust Valorant’s anti-cheat?
ELEAGUE / Riot GamesThe first week of the launch of the new title from Riot Games, first-person shooter Valorant, has been something of a mixed one for the developer. The almost unprecedented hype around the game saw the closed beta launch reach a peak of 1.7 million viewers on Twitch as people vied for a drop so they could too participate.
The views expressed in this opinion piece are those of the author and are not necessarily shared by Dexerto.
Initial impressions of the game were met with praise from veteran gamers on social media. Then came the revelations that maybe the game’s anti-cheat, which was a big part of the marketing push to attract players of other games, wasn’t all it was cracked up to be with working private cheats being sold in the first few days of the closed beta’s release.
If Riot had egg on their face after that the coming days would bring worse PR their way. On April 12th a post on popular subreddit r/pcgaming would claim that the Vanguard anti-cheat system, which has kernel-level access on the computers that install it, would be launched on booting up your PC regardless of whether or not you were playing Valorant.
The post, made by Reddit user u/voidox, read:
The thread quickly filled up with people confirming this to be accurate and expressing their concerns. The finding spread across social media like wildfire and made its way to the official Valorant subreddit. Eventually, Paul “arkem” Chamberlain, the anti-cheat lead, commented on Reddit confirming the claims made by the now many users who had tested out the method detailed in the Reddit post.
While I was working on this they also put out another clarifying statement, one that assured their players that their anti-cheat absolutely has to run the way it does and no changes to it are likely. If you want a TL;DR for the whole post it basically states “trust us, we’d never do anything bad to our fellow gamers.”
Right out the gate let’s establish something. Anyone acting surprised about the level of access that Vanguard has is either uninformed or disingenuous. Two months prior to the release of the closed beta the development team posted a blog detailing exactly how the anti-cheat would operate. As the original Reddit poster acknowledges kernel access anti-cheat isn’t anything new and has been utilised by multiple companies in the past. Indeed, it is the only thing that can give an anti-cheat system a fighting chance because most high-level cheats have that same level of access.
What must be said is that someone who is adept in reassuring people should have given this a thorough proofread. While the sentence “this isn’t giving us any surveillance capability we didn’t already have” might seem benign if you take it to mean the capability is zero, given Riot’s history and the company that funds them, it’s a statement that is incredibly difficult to be relaxed about. It also seems to inadvertently contradict what Chamberlain said in his Reddit post because it implies there is surveillance capability there. If the intent was to communicate that there is no capacity to spy on you once the software is installed then this was a ludicrously ominous way of expressing that. This conclusion seems an impossibility when the following sentence states “if we cared about grandma’s secret recipe for the perfect Christmas casserole, we’d find no issue in obtaining it strictly from user-mode and then selling it to The Food Network.”
We can all appreciate when a game’s developer has a sense of humour, both about themselves and their projects. It can lead to great things. Think Devolver Digital. One area you probably don’t want to joke about though is having the potential to spy on your customers. The sinister overtone of “we’d find no issue” as a phraseology can’t be overlooked either. Do they mean technically, morally or both?
Still, most people let it slide because there is a growing sentiment among online gamers that they’re willing to take the risk of a big company violating trust with their data to ensure a cheat-free environment. It’s certainly not a sacrifice I would be willing to make and I think anyone willing to do so should probably assess their life priorities, but provided people are informed I believe it is a choice that should be up to the individual. It comes down to a matter of trust. So the only question that matters is how comfortable are you in allowing Riot Games that level of access to your computer?
Some things to consider then. Riot’s history when it comes to data breaches is less than stellar. In 2014 I detailed how they had kept a major hack, one that compromised millions of accounts, secret and then downplayed the details when it became public. The hacker behind that incident was able to continue to gain access after it was brought to the public attention after a warning for players to change passwords wasn’t heeded by a senior Riot employee. Even the President of the company, Marc Merrill, had his Twitter account compromised during this time. It was a hugely embarrassing and costly lapse in security.
Given that this took place between 2011 – 2013 you might be inclined to give them a pass and say it was early in the company’s history. It is worth remembering then that in July 2018 when Riot Games were legally obliged to comply with requests to share data with their customers under the newly adopted General Data Protection Regulation (GDPR) in Europe, they also had a security lapse. Some players were sent other people’s data, which included name, phone number, email and date of birth. While Riot were quick to respond and said it was only a “few” who were affected, the scope of the problem will never be known.
It also doesn’t help alleviate fears when you consider the fact that invasive anti-cheats have been abused in this space before. The Counter-Strike pick-up game system ESEA decided to secretly turn their kernel access anti-cheat into a bitcoin miner, violating their consumer’s trust and damaging user’s machines in the process. They would receive a $1 million fine for this malicious activity, two thirds of which would be scrubbed if they avoided any other violations for a ten year period. In court, the company would blame a “rogue employee” for doing it despite evidence of the owner of the company having made public comments about how they could turn their anti-cheat into a bitcoin miner without customer’s knowledge prior to the incident. Some of the staff that worked on the ESEA anti-cheat are now working on Vanguard.
Then there’s the elephant in the room… China. Riot Games is now wholly owned by Chinese mega-corporation Tencent. It is career suicide in the gaming industry to talk about how Chinese money and influence directs many of its biggest companies. Whether it’s Activision Blizzard punishing a player for expressing solidarity with the Hong Kong protestors, Mesut Ozil disappearing from PES and FIFA Online in China due to his comments about the persecution of Uyghur Muslims or game stores adhering to Chinese government censorship in order to sell their products in that country, China gets what it wants and games developers let it.
Tencent has become ubiquitous across all of gaming and tech. They own a piece of practically everything it seems. Where their money goes sympathies towards the authoritarian Chinese government seem to build. Indeed, Tencent enjoys a close relationship with Chinese government officials and has been exposed as having used their software for gathering information on their behalf. In March last year, a Dutch hacker revealed that 300 million private messages had been gathered through Tencent applications and stored on a database that could be accessed by police stations in cities and provinces across China.
Now, doubtlessly you’ll say “but that’s in China and there’s no way an American company would ever sign off on people’s data being used that way.” I’d hope you are right but it is hard not to believe that Chinese government influence isn’t present already. For example, last October, League of Legends players found that the game was censoring iterations of the word “Uyghur” and “freedom”. Riot staff took to social media to explain this away as a censoring error and that explained that sometimes the system just bans words by mistake. Interesting then that one of those words would happen to be the name of a minority group persecuted by the Chinese government who wants the atrocities committed against them to be hidden from the eyes of the world. What a crazy coincidence.
Put all this together and at best you should be healthily sceptical about deciding to give across such access to your computer. I’ve seen the arguments made that anything you sign up to can be subject to a hack. Of course, this is right but not everything you sign up to can be used as a surveillance tool without your knowledge and you should absolutely weigh up whether or not you want to opt into this simply to play an online game.
A final consideration… Maybe you are the type of person who is so frustrated with cheaters that you’d be willing to roll the dice on your personal data being used for something nefarious or a malicious entity gaining access to your computer files. So far the anti-cheat has fallen well short of the expectations it was generating before the closed beta launch. We had working private cheats being sold two days into the closed beta and the embarrassments keep coming.
Spanish CS:GO pro Oscar “mixwell” Cañellas was locked out of playing while streaming for charging his mobile phone via his USB port. He wasn’t the only player this happened to (Riot has since addressed the issue, and stated that Mixwell was in fact not banned, but instead hit by a bug that affected digital bootcamp participants who were accidentally still using the alpha build to play the closed beta).
Indeed, some cheats in the past have operated via injection from an external device. This false-positive suggests that at best, the anti-cheat is being overcautious and needs some fine-tuning. Meanwhile, T1 player Braxton “brax” Pierce had two cheaters in one of his games while streaming. Currently, it seems we are relying on manual bans to keep cheaters out of the closed beta, which makes a mockery of the whole idea of having this “revolutionary” anti-cheat in the first place.
So, to conclude, you guys can make your own choices. I personally think Riot Games should yield ground on the idea that Vanguard needs to be working on start-up as this would bring it in line with other kernel access anti-cheats we already have. The argument that it “helps” their fight against cheaters is lame when you consider the potential cost and the fact that so far the anti-cheat software looks like a false bill of goods. Failure to compromise or do more to reassure their players could be a not insignificant factor in the game’s potential success when it leaves this beta phase.