“Bad Actors” should not be ignored

I’ll admit – I’ve been stuck in a bit of recursive doom-scrolling behavior. There’s a lot going on, and I’ve been capturing a small fraction of it in a goofy digital scrapbook as I continue to shelter at home (in my best effort to prevent myself from being part of any chains of transmission during a global pandemic). A recurring theme is that a small number of “bad actors” take actions that cause grief for a disproportionately large number of other people. Anyone playing games online will be very familiar with the behavior, but under different names: “Hackers” and “Cheaters” may be more familiar.

Prior to in-game monetization being a norm there was another label associated with bad actors in the gaming industry: “Pirates”. Business needs and game development weren’t nearly as integrated as they are now, so many games were released with trivial security around piracy, contrasted by games that included incredibly obtrusive “anti-piracy” software to “solve the problem”. Anyway, this isn’t a history lesson; the point is – the behavior of bad actors can have a significantly disproportionate effect in areas you would never expect.

Understanding the potential harm a bad actor could pose is critical in deciding how to approach it. In many RTS games, for example, the core underlying peer-to-peer network strategy causes the game to fail if one computer does something the other computers don’t expect. This simultaneously solves a network problem (how computers agree things are happening in the same virtual space) and the “Cheater” category of bad actors in a multiplayer environment – yet it doesn’t disallow cheating in the single-player experience, a space where manipulating the environment in your favor doesn’t create a bad time for anyone else.
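To make the RTS case concrete, here is an added sketch (not code from any particular game) of lockstep desync detection: every peer applies the same commands to the same deterministic simulation and compares a state checksum each tick. The `Command` and `LockstepPeer` types, the gold-only state and the `ForceGold` helper are assumptions made up for the illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Hypothetical command and peer types, constructed for this example.
public sealed record Command(int PlayerId, string Kind, int Amount);

public sealed class LockstepPeer
{
    // SortedDictionary gives every peer the same iteration order.
    private readonly SortedDictionary<int, int> _gold = new();

    public LockstepPeer(params int[] playerIds) { foreach (var id in playerIds) _gold[id] = 100; }

    // Apply one tick's commands in a fixed order so every peer computes the same state.
    public void Step(IEnumerable<Command> commands)
    {
        foreach (var c in commands.OrderBy(c => c.PlayerId))
            if (c.Kind == "gather") _gold[c.PlayerId] += c.Amount;
            else if (c.Kind == "spend" && _gold[c.PlayerId] >= c.Amount) _gold[c.PlayerId] -= c.Amount;
    }

    // FNV-1a style hash over the state in key order; peers exchange this value each tick.
    public uint Checksum()
    {
        uint h = 2166136261u;
        foreach (var kv in _gold)
        {
            h = unchecked((h ^ (uint)kv.Key) * 16777619u);
            h = unchecked((h ^ (uint)kv.Value) * 16777619u);
        }
        return h;
    }

    // Stands in for state changed outside the agreed command stream (a bug or a memory edit).
    public void ForceGold(int playerId, int gold) => _gold[playerId] = gold;
}

public static class LockstepDemo
{
    public static void Main()
    {
        var a = new LockstepPeer(1, 2); var b = new LockstepPeer(1, 2);
        var tick = new[] { new Command(2, "spend", 30), new Command(1, "gather", 10) };
        a.Step(tick); b.Step(tick);
        Console.WriteLine($"in sync: {a.Checksum() == b.Checksum()}");
        b.ForceGold(2, 9999); // peer b's state no longer follows from the shared commands
        Console.WriteLine($"in sync after divergence: {a.Checksum() == b.Checksum()}");
    }
}
```

A checksum mismatch tells the peers that someone diverged, not who or why, which is why these games simply end the match.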

Getting to know Bad Actors

I don’t think it’s fair at all to label everyone whose behavior may fall into the groups I’ve identified so far (“Cheaters”, “Hackers”, and “Pirates”) as bad actors. Fairly consistently – whether it’s in games or real life – the primary trait of a bad actor is taking the action while knowing or suspecting the scope of damage it may cause, and either just not caring or intending the damage in the first place. There are various benefits to these behaviors, and when people observe other people taking action that’s advantageous to them it validates making the same decisions for themselves, jumping ahead and not even suspecting their actions could be causing damage (it’s so common so it must be fine!).

Identifying bad actor behavior in generalized cases helps build preventative measures – reactive measures are really expensive in an effort:outcome ratio (and depending on the game, those efforts may never happen, as once a game is released effort may be redirected to new projects where it’s much more efficiently spent).

  • Hacking
    • Dramatically lowers the barrier of entry for cheating or piracy
      • Very disproportionate effect by enabling other bad actors
    • High risk of forcing reactive response for business desires
    • May provide benefits!
      • “Modding” unless fully supported requires quite a bit of hacking, and sometimes a modded experience is the best experience a player can have in a game
  • Cheating
    • Player vs. Player environment
      • Creates a very poor experience for players not also using cheats
      • Disproportionate effect slowly builds the more they play
      • Player vs. Player is already high anxiety for many players, even the idea others are cheating can cause players to disengage (sad times, bad experience)
      • Viral effect, to enjoy the game players may feel they must also cheat as well
    • Multiplayer cooperative
      • Reduces impact of players not cheating on the game, reduces other players’ challenge
      • Depending on game, may impact monetization
    • Single Player
      • Reduces personal challenge, zero disproportionate effect
      • Depending on game, may impact monetization
  • Piracy
    • May impact monetization
      • It’s really hard to say by how much, there’s no data on an argument of “Each pirated copy is a lost sale”
      • Anyone who’s lived paycheck-to-paycheck knows this can’t be 100% of the cases, when you don’t have a lot of money you take what you can but don’t take what you can’t (afford)
      • Also (and completely anecdotally) people who do have the means to purchase things with what would effectively be pocket-change for them will take something for free if it’s easy enough instead of paying for it – so yes, there would be at least some lost sales
    • Potential viral advertisement
      • Epic Games explicitly uses the offer of free games (that otherwise wouldn’t be free) to draw people to their platform
    • Enables Bad Actors outside of the game
      • Pirated copies are very susceptible to hacking and may be packaged with malware/viruses etc.
      • Disproportionate effect not just within your game but now creating personal security vulnerabilities for people

It’s not an exhaustive set of examples, but I do hope it sets the stage that not all behavior in these realms necessarily indicates a bad actor. In fact, there have been cases where behavior usually associated with a bad actor has had beneficial effects for a game or its community of players. I think the most succinct method of identifying a bad actor is that they have a tendency to act in bad faith, and unfortunately, attempting to meet an entity acting in bad faith with well-intentioned or good-faith actions only feeds the bad actor.

Motivations of a Bad Actor

I created this heading to explicitly say: the motivations of a bad actor are irrelevant.

This may sound strange: a lot of discussion around these topics devolves into motivations, whether someone is “innocent” of poor motivations for their disruptive actions – and from a development perspective, it really doesn’t matter. Whether someone obliviously ruins a significant number of people’s good time or maliciously takes joy in it, it’s still ruining other people’s good time. Attempting to assess motivations implies a reactive approach, so indulging in debates of motivation (for example, to apply targeted punitive measures) is a fairly exponential spend of time and energy that doesn’t prevent the damage in the first place.

Appeasing a community with punitive measures (ex: targeted banning) may yield some loyalty from that community, and in some cases that loyalty may be very important – but if the underlying systems/rules/structure are enabling bad actor behavior, well, it will never stop and you’ve now committed to punitive maintenance.

Preventative measures

The games industry has an advantage that many other industries (or say, governing bodies) do not have – if something isn’t working, you just create a whole new virtual world from the ground up with the lessons learned. Analytics can be a powerful tool if the goals in analyzing that data are to learn (as opposed to ‘prove a point’), but they can only inform in hindsight. Lessons learned need to be applied in new work, and in a live environment that can be… tricky. But! Whole new virtual world? Much less tricky (but still tricky if creating a follow-up in a series, gotta be careful of expectations set).

There’s no magic bullet, the environment is changing all the time at a very rapid pace (one of the reasons I absolutely love creating games) – but there are a couple of things I’ve learned that I’ll share:

  • Don’t trust the client
    • Basic idea – if you find you’re spending a lot of energy trying to secure something on the client… just don’t, if your game gets popular enough to attract bad actors you’ve started an uphill battle in keeping the client secure
    • Reminder! If it’s not a multi-player game then the “Cheating” category is extremely limited in affecting others’ game experience (some online communities, like speed running, may have opinions though – be aware of your audience)
  • Don’t assume what you’ve been doing is infallible
    • Games with zero thought into security may not run into adverse effects of Bad Actors
    • I honestly believe a very small portion of humanity would fall under the Bad Actor category – chances are you could simply never have attracted them
      • All about risk management – imagine a Bad Actor will end up in your game, how can you mitigate potential damage? Not taking action and not suffering direct consequences could just mean a lucky dice-roll
      • Reminder about disproportionate effects, small numbers of Bad Actors can impact the experience of a very large number of players – a horrible situation when caught completely by surprise
  • Leverage a server for secure game logic with third-party hosting services
    • One of the massive shifts in gaming is the acceptance that networking is something that can be an expectation
    • Hosting services (ex: AWS, Microsoft Azure, there are many) need to be very good at keeping on top of their own network security (ex: preventing DDoS or other network attacks), offload that headache
  • Deterministic simulations for sensitive game areas, client presents, server authoritative
    • In Soulite Monsters the game server and client were written in the same language (C#), so code was easily shared. The client would do all the hard work of drawing images, UI/UX flow, and presentation elements for the player, even showcase rewards/combat for the player – but the server would run a very trimmed-down simulation of certain mechanics. Some examples:
      • Player Inventory (due to either bug or malicious intent, if the client inventory fell out of sync from an action the server had absolute authority)
      • Expedition generation (scroll consumption) and choices within
      • Monster Combination
      • Village Upgrades
      • Combat
      • Merchant Transactions
  • Learn from others’ experiences
    • Don’t just rely on your own games, participate in other game communities, see what kind of impacts Bad Actors have on them
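The “client presents, server authoritative” split from the list above, shown for a merchant transaction. This is an added example, not Soulite Monsters’ code; the `BuyRequest`/`BuyResult` messages, the prices and the quantity limit are assumptions made up for the illustration.

```csharp
using System;
using System.Collections.Generic;

// Hypothetical message and server types for this example; prices and limits are constructed.
public sealed record BuyRequest(string ItemId, int Quantity);
public sealed record BuyResult(bool Ok, string Reason, int Gold, int Owned);

public sealed class MerchantServer
{
    // Prices live only on the server; the client never sends a price or a balance.
    private static readonly Dictionary<string, int> Prices = new() { ["potion"] = 25, ["scroll"] = 120 };
    private readonly Dictionary<string, int> _inventory = new();
    private int _gold;

    public MerchantServer(int startingGold) => _gold = startingGold;

    public BuyResult Buy(BuyRequest req)
    {
        if (req.ItemId is null || !Prices.TryGetValue(req.ItemId, out var price))
            return Reply(req, false, "unknown item");
        // A negative quantity would otherwise refund gold, so bound it before any arithmetic.
        if (req.Quantity < 1 || req.Quantity > 99) return Reply(req, false, "bad quantity");
        long cost = (long)price * req.Quantity; // long so the multiplication cannot overflow int
        if (cost > _gold) return Reply(req, false, "insufficient gold");
        _gold -= (int)cost;
        _inventory.TryGetValue(req.ItemId, out var owned);
        _inventory[req.ItemId] = owned + req.Quantity;
        return Reply(req, true, "ok");
    }

    // Every reply carries the authoritative state so the client can overwrite its own copy.
    private BuyResult Reply(BuyRequest req, bool ok, string reason)
    {
        var owned = 0;
        if (req.ItemId is not null) _inventory.TryGetValue(req.ItemId, out owned);
        return new BuyResult(ok, reason, _gold, owned);
    }
}

public static class MerchantDemo
{
    public static void Main()
    {
        var server = new MerchantServer(startingGold: 100);
        // Constructed requests: a valid purchase, a negative quantity, and two the player cannot afford.
        var requests = new[] { new BuyRequest("potion", 2), new BuyRequest("potion", -5),
                               new BuyRequest("scroll", 1), new BuyRequest("potion", 3) };
        foreach (var r in requests) Console.WriteLine($"{r} -> {server.Buy(r)}");
    }
}
```

The client can animate the purchase however it likes; if its local gold or inventory ever disagrees with a `BuyResult`, it replaces its values with the server’s.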

Bad Actors exist outside of games

I’m pretty sure throughout our lives we’ve all been (or are even actively being) impacted by Bad Actors in all sorts of situations. Sometimes people (or groups!) simply have very strong motivations and refuse to act in good faith (even if they have learned to at least appear to be acting in good faith). I’m nearing 40 years old, I’m tired of that garbage, and I can imagine others are as well. I highly recommend that if you feel someone is not acting in good faith, or operating as a Bad Actor, to go beyond what is happening in the moment and dig into how to minimize that type of impact on your life.

Observe, learn, build preventative measures – actively engaging may be forced on you at times, unfortunately. With enough preventative measures preventing Bad Actors from soaking up reactive energy, well, the imagination really is the limit of where you could be putting that energy instead.

Personal anecdotes I don’t feel really impress the potential scope of the disproportionate effect of Bad Actors, so I shall leave you with some real-world examples

