Legal hacks to eliminate cheating in games

In the face of rampant cheating, it's time for game developers to hack the hackers.

For video game developers, a large portion of revenue comes from additional purchases made by the player base, including purchases of expansions to the base game and purchases of in-game microtransactions. Maximizing this revenue stream requires the game to retain players over long periods of time.

One component of player retention can include offering a competitive multiplayer experience. However, as in any competitive endeavor, there is always the incentive to find a way to cheat to win. In this article, we will share some legal hacks game developers can use to push back on developers of cheating software.

Unfortunately for game developers, the sale of software designed to cheat in these competitive matches can be a relatively lucrative industry. One group, known as 'Chicken Drumstick,' made more than $70 million selling cheats for a mobile version of the game PlayerUnknown's Battlegrounds, for example. Such cheating software ('hacks') pose a risk to the game developer.

Hacks compromise the competitive integrity of the game, which can lead players on the receiving end of such software feeling unsatisfied because they are playing at a relative disadvantage. If such hacks become widely adopted, large portions of a player base will inevitably stop playing the game, which, consequently, can result in lost revenue for the game developers.

While game developers typically act to ban the accounts of known cheaters, the effectiveness of such actions is often limited and inherently relies on being able to readily detect the hacks.

In the face of rampant cheating, it's time for game developers to hack the hackers

Almost all games use some form of cheat-detection software, such as Riot Game's Vanguard or Activision Blizzard's Ricochet, which look for certain third-party programs or modifications to the underlying game files. Even so, these 'anti-cheat' programs have their limits. For example, as with any security software, as the detectors are updated to identify new hacks or new updates to well-known hacks, the developers of the hacks begin to adapt and make their programs less detectable. This puts the game developers in an arms race with the more 'reputable' and successful hackers; one that often leaves the game developers woefully behind as they attempt to react.

Game developers can ban the players that use known hacks and sometimes succeed in 'killing' a known hacking program, but so long as there is a market for these hacks, someone will invariably step in with a new, better, and more difficult to detect program. So, if more robust detection programs and banning actions cannot adequately solve the issue for the game developers, what can?

The fight to stop hackers

In recent years, game developers have looked to copyright law for respite. For example, companies seeking to protect the competitive integrity of their games have taken to the courts and filed suits against the hack developers directly.

One recurring tool used by game developers is the Digital Millennium Copyright Act (DMCA). In particular, 17 U.S.C. § 1201 ("Circumvention of copyright protection systems") has been used. For example, game developers have made use of §§ 1201(a)(2) and 1201(b).

Section 1201(a)(2) reads, in relevant part:

(2) No person shall manufacture, import, offer to the public, provide, or otherwise traffic in any technology, product, service, device, component or part thereof, that...

• a) Is primarily designed or produced for the purpose of circumventing a technological measure that effectively controls access to a work protected under this title;
• b) Has only limited commercially significant purpose or use other than to circumvent a technological measure that effectively controls access to a work protected under this title.

§ 1201(b) reads much the same, but also addresses technology designed to circumvent "a rightof a copyright owner under this title in a work or a portion thereof." (emphasis added). In effect, § 1201(a)(2) protects methods that control access in any form to the software and § 1201(b) protects against the circumvention of other rights such as the right of reproduction.

Game developers argue that their anti-cheat programs:

1. are technological measures that effectively control access to a work protected under this title (for § 1201(a)) or…
2. effectively protect a copyright afforded by the underlying game (for § 1201(b))

Then, developers go on to contend that:

1. the hacking software is designed with the purpose of circumventing their anti-cheat programs (for § 1201(a)(2)(A)) and/or…
2. any non-circumvention applications of the hacking software are comparatively very limited

As examples, the plaintiff game developers in each of Bungie, Inc., v. Aimjunkies.com, Activision Publishing, Inc. v. EngineOwning UG, and Riot Games, Inc. v. Cameron Santosalleged violations of §§ 1201(a) or 1201(b) as part of their cases against the hack developers (in addition to trademark violations).

Alas, none of these cases have gone to trial, either due to the anonymity of the hack developers (making it hard to do much more than get the website through which the hacking software is sold shut down) or due to the cases being arbitrated outside of court. Bungie, for instance, didsuccessfully settle for $14 million with Aimjunkies outside of court, but whether or not the § 1201 claim would have succeeded is hard to judge.

Where are game developers having success?

Fortunately, though, this angle of attack in litigation has had some success in the past. In a suit arising from the extraordinarily popular game World of Warcraft, publisher Blizzard was awarded $6.5 million due to the hacker's DMCA violation under § 1201(a)(2).

Two major takeaways from this case were:

1. that, based on the facts at play, the use of cheating software was not copyright infringement under § 1201, and therefore Blizzard's claim under § 1201(b)(1) could not be sustained, but…
2. the software nonetheless bypassed Blizzard's ability to "control access" to the "dynamic nonliteral elements" of the game, which are covered by the DMCA, thus creating a cause of action under § 1201(a)(2)

"Dynamic nonliteral elements" are the aspects of gameplay that can only be experienced when the player connects to the WoW server. Importantly, per WoW's operating protocol, in order to connect to the server, a player had to allow the Blizzard anti-cheat program Warden to scan their computer for cheating software and would, if such software were present, deny the player access to the server.

Bypassing this check is thus "circumvent[ing] a technological measure that effectively controls access to a work protected under this title." Still, this victory does not necessarily mean each of the recent cases mentioned above would have the same level of success.

A shadow hanging over MDY v. Blizzard is a defense that MDY was not allowed to raise (for procedural reasons) when the case was remanded, that of § 1201(f). Section 1201(f) is an exception to §§ 1201(a)(2) and 1201(b) for reverse engineering for the purposes of achieving "interoperability." In effect, § 1201(f) allows someone to circumvent technological measures that control access to a first program if such circumvention is necessary for an independently created second program to interact with the first program.

The only prerequisite for the § 1201(f) exception is that the developer of the independent program must have "lawfully obtained the right to use a copy of a computer program." In MDY v. Blizzard, the appeals court held that WoW players are all licensees, and while licensees do have fewer rights compared to true product owners, they still arguably have a right to use the licensed software.

The court of appeals further ruled that, as licensees, players have access to and can interact with the offline elements that are downloaded when installing the program. While Warden controls access to WoW's online features, it does not control access to these locally stored parts of the program and thus software that modified these local files were not considered as part of the violation of § 1201(a)(2) in the verdict.

Developers are in an arms race with successful hackers, [and] often woefully behind as they attempt to react

While yet untested, an argument can be made that if a hacking program needs to bypass anti-cheat measures used in online play in order to interact with locally stored elements of the underlying game, the hack does not violate § 1201 based on the § 1201(f) exception.

On the other hand, § 1201(f) may not be quite as much of a silver bullet for cheaters as it might initially seem. Section 1201(f) only protects software that bypasses access control measures for the purpose of interoperability. It does not necessarily protect software that is primarily designed to intentionally bypass such security software, an issue that was addressed in Universal City Studios, Inc. v. Reimerdes.

If the hack is advertised as being undetectable, and its ability to bypass the anti-cheat programs is promoted as a main feature of the program, then it will be difficult for the hack seller to argue that the bypass was done for the "purpose of interoperability."

Protect yourself from hackers

Given all the above, what can game developers do to ensure that they have access to § 1201 protection? One option would be to use anti-cheat software that controls not only access to the online elements of the game, but to the offline elements as well (aspects of the game that are stored locally on the player's computer when downloading the software).

Programs like Denuvo – which functions by encrypting and obfuscating local files – are commonly used to verify that a version of a game is legitimate before purchasers can play the game. Such programs typically require an online connection to perform the verification before even being able to launch the game. By creating a first layer of access control via such programs, any cheat developer wishing to bypass this control must also now also develop tools capable of being used for piracy.

It bears noting, however, that the dissemination of such tools may run afoul of interpretations like that of Universal City Studios, Inc. v. Reimerdes, wherein if the program can, and likely would, be used for such a purpose then the reverse engineering exception may not apply.

While developers typically ban known cheaters, the effectiveness of such actions is often limited and relies on being able to readily detect the hacks

Another important note is that, if § 1201 protection proves insufficient, there remain other fallback options for game developers, as well. For example, Bungie cast a wide net of potential claims that included, in addition to the § 1201 claims, trademark infringement and breach of contract. Since most of these hacks actively use trademarked properties from the games as part of their advertising in order to lure buyers to their products, this strategy makes good sense. Further, many terms of service for games also bar the development or use of such tools by those who play the game.

It is unlikely that we will get a definitive answer to the question of how strong § 1201 actually is when considering § 1201(f) anytime soon unless a larger hacking company is caught in the crosshairs and thinks it necessary to fight this in court. Still, for the time being, the threat of litigation under § 1201 has been more than enough to, in the language of the youth, pwn some n00bs.