Aside from this being a breach of privacy, was any testing done on this? I setup a little project because I wanted to see for myself if this was actually viable and it appears to not work outside of Roblox Studio.
Edit: Nevermind, I forgot that Discord doesn’t allow API calls from Roblox IP’s.
I ran some tests because I was curious about how reliable it is and after messing with a few items it has shown results. I am aware it may be a privacy concern but all websites (to some extent) fingerprint users without their permission. There is always an option to have people accept to the games privacy terms else they can not play and if we really want to push then technically Roblox user IDs are classified as Unique identifiers.
Yep, literally anything on the client that carries over across sessions which can be read by scripts can be used to form a fingerprint on users. This includes:
Even just ignoring os.clock() by itself, there are numerous, numerous things you could use to build up a fingerprint on a user. Anything single thing that is saved on the client or persistent across sessions can be used.
So yeah, this is bad for numerous reasons that shouldn’t have to be explained, but simply changing os.clock() won’t outright stop this, in fact there is no way to completely patch this out. Roblox will have to take matters into their own hands and start taking moderation action against games that employ this.
No, what if on the game you own you just make a pop up appear on the first join with conditions of usage of your game, you put alot of thing and you add somewhere “By accepting you allow us to track and share your alt accounts”
99% of people with just accept without reading, so actually they were not forced to share 
This. is. GENIUS.
By far my favorite resource that I’ve ever seen on the DevForum.
I’ve always had a love for cybersecurity and this totally blows me away.
Although there are lots of concerns on privacy from others, I can definitely see this find as a great step forward towards anti-exploits.
You might think that it’ll work… but
And a lot of people just accept the Roblox ToS without reading, remember no using player’s personal data?
You can’t use exploiters, you meant exploits?
Banning trollers is a bit harsh, plus, look at Frappé Cafe 
Its weird because this is possibly the most ingenious post I have seen on this site, mostly because of how obvious and simple it is to make, and yet somehow went under everyone’s nose.
I honestly don’t think this would fall under a bug as any sort because it really isn’t abusing any broken or outdated features, every piece of info given was provided by Roblox and I am sure they wouldn’t make it public without knowing that this was possible.
A problem is compliance with all countries and the ToS. I believe that you can use the timezone to get a good idea of their country/region and determine what data to save and for how long, and for the ToS as long as you are hiding all the data (via hashing, which would honestly be smartest) then you should be in compliance.
The biggest problem, however, lies beneath the ethics of this all. Of course, if performed correctly this could be a very powerful tool, but collecting data that a player might not reasonably expect to be public is sort of creepy in a way, and creating identifiers is even weirder, but you also can’t publicly announce it because then everyone will know how to bypass it as well.
I think that the smartest option would to be very careful, make sure nothing intercepts the data requests or anything, and make sure you make hashing your data a priority, so in the least its irreversible. Not only that but saving data should be very sensitive and you should go to the upmost to keep this safe from other people, and preferable not even viewable by yourself.
Alternatively, you could hold the data in 30 day periods, which would be ideal for safety, and collect and save usernames of possible alternative accounts that you find. That way you aren’t holding a personal identifier on users forever and it isn’t as harmful.
Using this to identify users is walking a thin line though, and crossing it could mean you become more like the more malicious data collecting companies, which would be quite scary if they were to of spread to Roblox.
I am going to try and implement this in my own game and return the results later, once I make up my mind about how or if I can execute this without risking anyone’s data, and most importantly safety.
yeah i mean that. also some cafe games are pretty harsh so
I really don’t see a good reason to collect alternative accounts of users, unless the user was already banned.
One thing to note this is that exploiters can unfortunately bypass this quite easily, they just have to restart their computer, of course you can solely rely on other datapoints but this will result in some false flags
(depending on the amount of people living in that country, more people in the country = more false flags, just keep this in mind)
In Roblox you can only read what the Roblox settings are. And the volume setting has been corelocked meaning scripts can’t read it.
It’s been done before. Some games with anti cheats have already been doing this for a long time. (Expecially some PVP games)
GDPR law states that any information collected must be stated in a privacy policy, what such data is used for, why it’s collected, how long it’s stored for, will it be transferred, what will it be used for and where it’s stored.
One important thing I think people should know.
What you should do is only save the fingerprint when a user gets banned. And then only save the alt accounts connected with banned fingerprints! Doing otherwise is probably very illegal in many other countries.
Also you probably only should store the banned fingerprints for 30 days, to get enough alts. In this time the fingerprint usually resets to a different one so it doesn’t even matter keeping it for longer.
(Though don’t take this as legal advice I’m not a qualified lawyer.)
In Roblox you can only read what the Roblox settings are. And the volume setting has been corelocked meaning scripts can’t read it.
EU GDPR regulates that fingerprinting MUST be disclosed to the users and MUST be aware that they are being fingerprinted before playing the game, as fingerprinting is covered by the clause of personal data processing.
It can be shared, but for this reason/purpose it may not.
A notification when they join for the first time won’t be harmful.
Even if you cannot see how, that doesn’t change the fact that people can and certainly will do it. At the end of the day this is ultimately intrusive and should be mitigated by Roblox in whatever way possible.
Of course exploiters can easily bypass this, it’s ran on the client after all. This is definitely 100% more effective against regular users than exploiters by sheer nature of it.
Even just being able to read the settings of the client goes a long way. Especially with certain settings (I doubt people are fiddling with mouse sensitivity on a regular basis). If you have a good system for creating and comparing fingerprints, more datapoints will always certainly be better.
If you save a fingerprint and ban them and then you save alternative accounts with a similar fingerprint, you can ban the alts as well.
They would have to know that it exists in your game first, so as long as you don’t announce it you should be good from majority. I know that you need to announce what you are collecting though, so you might have to end up doing what big companies do and hide their privacy policy in small text and poor formatting to discourage anyone from reading it.
Doesn’t make it less ingenious and I am sure it has been done before, but its obviously not very common.
What if the player runs. Roblox main account on one pc and all alts on another?
I’ve never heard of anyone doing that at all, but I think that would be untraceable.
This should have a relatively high priority for being fixed. The fact that fingerprinting for Roblox is possible is worrying enough, and now that someone has actually done it blows my mind. Well done on this!