As millions of PC gamers jump onto the Battlefield 4 open beta today, most will simply skip over or ignore the fact that PunkBuster anti-cheat software is being installed on their machines as a requisite for playing the game. Battlefield 3 veterans might not even bat an eye considering PunkBuster is a part of BF3's installer and most won't question a cheating countermeasure that has become par for the course for the Battlefield series.
Battlefield 4 has drawn some concern on player forums for its use of PunkBuster as a countermeasure for competitive multiplayer cheating but it's likely EA and DICE will continue to use the software going forward. Upcoming titles Watch Dogs and Assassin's Creed: Black Flag from Ubisoft will also likely continue the publisher's tradition of using PunkBuster. Cheaters are reviled in all forms of competition sure enough, but it's shocking that software like PunkBuster has existed for over ten years and is still a go-to solution for major publishers like EA and Ubisoft.
Just how bad is PunkBuster and why are major developers and publishers still using it? The answers really aren't all that complex. Let's start by dissecting PunkBuster's Terms of Service as an example. The following is an official statement taken from Even Balance, the developer behind PunkBuster:
In order for games having PunkBuster integrated to be more secure, the part of PunkBuster that needs full access to the computer for scanning purposes now must run all the time at the system level.
This is truly frightening. I've spoken to many IT professionals over the years and none of them see why any anti-cheat device would have to persistently run in the background as a start-up program and scan local files let alone run at any time other than when a game is actually launched and being played.
Even worse, PunkBuster's ToS openly admits to scanning all parts of the user's operating system and hard-discs.† While Even Balance claims that it does not collect personal information, the fact that it scans and has access to such files is hardly reassuring.
Licensee understands and agrees that the information that may be inspected and reported by PunkBuster software includes, but is not limited to, devices and any files residing on the hard-drive and in the memory of the computer on which PunkBuster software is installed. Further, Licensee consents to allow PunkBuster software to transfer actual screenshots taken of Licensee’s computer during the operation of PunkBuster software for possible publication.
The really scary bit is at the end there. Since PunkBuster openly admits to running even when games are not being played, users are granting the software free reign to take screenshots at any point of system operation. This includes private e-mails, online banking statements, photos, classified company documents, and any other private and sensitive information a user may access while using their personal computer.
It's wild that a software developer would expect users to be compliant with what they openly describe as the "invasive nature" of their software. PunkBuster justifies this by asserting that gamers should care more about cheating countermeasures than they do system security.
Licensee agrees that any harm or lack of privacy resulting from the installation and use of PunkBuster software is not as valuable to Licensee as the potential ability to play interactive online games with the benefits afforded by using PunkBuster software.
That's right, the ability to play a game where some percentage of cheaters are caught outweighs any user's personal privacy and security. In what world is this trade-off worth it? It's hard to imagine that most anyone who reads the ToS word-for-word wouldn't find this at least somewhat, if not totally, unsettling. Most invasive software applications get away with such reprehensible practices because they rely on the vast majority of users simply skipping over and agreeing to the ToS because they can't be bothered with the time it takes to get through all the technical and legal jargon.
The intrusive nature and open access on the part of PunkBuster is particularly worrying because the software has a history of being hacked. Hackers who gained access to the PunkBuster software at the master server end on one occasion and were able to manipulate and exploit the software on individual users' machines. That hackers could potentially scan and gain full access to all files on an individual system makes anyone who runs the software a very enticing target.
This is not to say that other anti-cheat measures aren't flawed in some way in their own right. GameGuard, a go-to solution for many Asian MMO's, installs as a rootkit on user machines and has been known to cause numerous system issues. FairFight doesn't snoop on player's computers or scan their hard-discs but its algorithms have drawn some criticism from some highly skilled players who were banned because their performance was so good it was deemed to be the result of cheating. Incidentally, Battlefield 4 is using a combination of PunkBuster and FairFight during the open beta.
More than anything, these issues reveal a severe lack of well-designed and effective anti-cheat tools for PC games that developers can turn to. PC gaming has certainly seen a major resurgence in recent years thanks in part to content services like Steam and the diligence of developers to optimize for the platform. Hopefully, one or more viable and effective anti-cheat solutions will present themselves to faithfully suit this renaissance and provide an alternative to current options.
The real question is, why don't big entities like EA and Ubisoft who have become increasingly reliant on PunkBuster over the years develop their own anti-cheat software? They would save plenty of money down the line and would have their very own proprietary software to boot. Heck, they could even license it to other developers and make a nice return on investment in the process. It's actually quite surprising that the market for anti-cheat middleware isn't bigger when so many big publishers and developers are desperate for solutions.
Other developers and content publishers have utilized their own proprietary anti-cheat solutions to fairly good effect. Blizzard has used Warden for its online titles over the years and has kept the competitive StarCraft II scene clean. Valve Anti-Cheat (VAC) is used for over 60 games on its Steam service, including DOTA 2, one of the most highly played competitive games worldwide. Red5 Studios, the developers behind Firefall, announced development of their very own anti-cheat software cleverly titled RedHanded.
While alternatives may be developed down the road, major issues with PunkBuster remain. But game developers shouldn't accept PunkBuster's ToS and players shouldn't stand for it. No single game will ever be worth the trade-off in security and privacy. Players can actively contact EA and Ubisoft and express their concern on official forums over PunkBuster by stating that they're not willing to sacrifice security and privacy for the sake of a game. How and when they can offer alternate solutions, on the other hand, is entirely up to the developers and publishers themselves. So long as cheaters exist to ruin the fun of online multiplayer, developers will likely continue to see PunkBuster as a necessary evil in providing a level playing field.