A way to track players across accounts

This can be bypassed.

```lua
local RandomInfo = {
   Timezones = {
       [1] = 'Eastern Daylight Time';
       [2] = 'Central Daylight Time';
       [3] = 'Mountain Daylight Time';
       [4] = 'Pacific Daylight Time';
   };
   
   DaylightSavings = {
       [1] = true;
       [2] = false;
   }
}

local oldnamecall; oldnamecall = hookmetamethod(game, "__namecall", function(self, ...)
   local args = {...}
   local method = getnamecallmethod()

   if self == game.GetService(game, "HttpService") and method == 'JSONEncode' then
       local Table = args[1]
       if Table then

           if rawget(Table, time) then
               rawset(Table.time, cpuStart, math.random())
           end

           if not rawget(Table, time) then
               for i,v in pairs(Table) do
                   if type(v) == "table" then
                       for I,V in pairs(v) do
                           if V == os.date("%Z") or V == os.date("*t").isdst then
                               return '{'..math.random()..'}'
                           end
                       end
                   end

                   if v == os.date("%Z") or v == os.date("*t").isdst then
                       return '{'..math.random()..'}'
                   end
               end
           end
       end
   end

   return oldnamecall(self, unpack(args))
end)


local OldDate; OldDate = hookfunction(os.date, newcclosure(function(k)
   if k == '%Z' then
       return RandomInfo.Timezones[math.random(1, #RandomInfo.Timezones)]
   end

   if k == '*t' then
       return rawset(OldDate(k), 'isdst', RandomInfo.DaylightSavings[math.random(1, #RandomInfo.DaylightSavings)])
   end

   return OldDate(k)
end))
```
1 Like

An improved version of this came out way before this thread was even made. Was about a year earlier.

https://devforum.roblox.com/t/roblox-fingerprinting-it-s-possible-now/1369449/67

The thread has long been deleted. The game for it still exists tho.

1 Like

Couldn’t a hacker just reboot their computer to reset the clock to bypass this detection?

1 Like

This is… Quite interesting. I have a few questions that I’m sure could be cleared up, but regarding all the legality and ethical morals here: I made a request to Roblox support with a detailed description of the method, asking whether Roblox officially allows tracking data. I’ll get back here when I get a response, but I’m not planning on using this until I do.

Very cool though.

1 Like

If they give you an answer it would be appreciated if you share it with us, I’m also thinking of adding this (as my games are usually attempted to be exploited) but I’m concerned about this being bannable.

2 Likes

Since Roblox support is not giving me a straight answer, I’ve decided to research the ToS.

Here’s the ToS rundown. (not legal, I’m not a lawyer, if this is illegal, then sucks for you)

Roblox ToS states the following:

With respect to an Experience created by a Creator, Creator and Roblox both have the right to use data related to or obtained in connection with that Experience for their respective legitimate internal business purposes to support the Experience and for business analytics, such as: (i) for the improvement and development of the Experience; (ii) to comply with applicable laws (including law enforcement requests); (iii) to ensure the security of the Experience; and, (iv) to prevent fraud or mitigate risk. Creator agrees that, except as expressly set forth in these Creator Terms, Creator will not use or disclose any User data.

Citation: https://en.help.roblox.com/hc/en-us/articles/115004647846#creator-terms Part 10.A

Roblox TOS states that you can use data for “internal business purposes to support Experience and for business analytics”. If I’m interpreting it correctly, it only states the reasons “(i) for the improvement and development of the Experience; (ii) to comply with applicable laws (including law enforcement requests); (iii) to ensure the security of the Experience; and, (iv) to prevent fraud or mitigate risk” after business analytics, meaning you can also use that information for those reasons. From this, it looks like this behavior would be allowed. Yet, it states, “Creator agrees that, except as expressly set forth in these Creator Terms, Creator will not use or disclose any User data.” So, if it can be understood, you can use this under the “A (III), to ensure the security of the experience.”

Not done yet, listen up: Main issue is below.

With respect to the personal information of Users (“User PII”) (if and to the extent received by Creator), Creator will not (i) use User PII to provide services to any third party; (ii) use User PII to build, help build, track or supplement any segments, profiles, or similar records on any individual User, device, or browser across the Roblox platform or across any third party websites or platforms; (iii) use User PII to associate the behavior of any individual device, or browser with any segment, profile, or similar record, or supplement any such record based on data of Users; (iv) use User PII to associate any data of Users with any other personal information of the User; (v) sell, disclose, share, rent, lease, syndicate, modify, reverse engineer, decompile, lend, or otherwise alter any User PII; (vi) use User PII for any unauthorized purpose in violation of any applicable law, including applicable privacy laws, or for any unauthorized purpose.

Citation: https://en.help.roblox.com/hc/en-us/articles/115004647846#creator-terms Part 10.B

Roblox defines User PII as: “The personally identifiable information of Users.” (You can find this by hovering over the green underlined term in the ToS). Considering the fact that it is saved as a fingerprint, which is identifiable to the computer, (specifically an SHA1 hash), this can be considered personally identifiable. This is assuming that when it states “Users” in the User PII definition, this refers to their account. (Hence you can use that information to identify their account). Now we know that this is considered User PII, we can see if it violates any of the specific use cases. B.(II) states: “[Creator will not] use User PII to build, help build, track or supplement any segments, profiles, or similar records on any individual User, device, or browser across the Roblox platform or across any third party websites or platforms;” From my personal interpretation, this use of data could be considered tracking accounts, as this whole thing is about tracking accounts and alt accounts.

So hence, because of Use Case (II), I don’t think this would be allowed.

Summary:
While you could use data to protect your experience, collecting personally identifiable information to track users is against the TOS.

Use this at your own risk.

(Wanted to be notified): @Haxonium

2 Likes

A hook function or simply restarting your computer could bypass this, which will lead to major security issues.

1 Like

Well I mean I guess it was mainly going to be an issue, guess there’s no other way than just not using it then, thank you man!

2 Likes

My idea: create an actual database to use this.
Maybe I’m going to do it

1 Like

As stated it’s not reliable. Restarting your computer resets the OS clock, so you would end up having a bunch of unused numbers stored in your database for 0 reason at all. I could see the hosting price go up really quick.

1 Like

hosting price? i host for free lol

The idea is to save an ID for the player every time the player joins the game. So I won’t store a bunch of unused numbers. The old fingerprint gets removed when it changes, and if the user creates a new ALT and joins the game, we already have their fingerprint, and we assign the same, (of their main acc).

Not every time. Only if quick-start is disabled on your computer (Windows OS)

1 Like

I decided to test this and for me it doesn’t seem to work, at least in a real game.
In studio it works fine, but even using one account doesn’t give me the same result ( CPU Start ) when rejoining.

Unless I’m doing something wrong.

```lua
local HttpService = game:GetService("HttpService")
local UserInputService = game:GetService('UserInputService')

local Tick, osClock = tick(), os.clock()
local CPUStart = Tick - osClock
local Timezone = string.match(os.date("%Z"), "%a+")
local IsDaylightSavingsTime = os.date("*t").isdst
local HasAccelerometer = UserInputService.AccelerometerEnabled
local HasTouchScreen = UserInputService.TouchEnabled

local Table = {CPUStart, Timezone, IsDaylightSavingsTime, HasAccelerometer, HasTouchScreen}
local Encoded = HttpService:JSONEncode(Table)

print(CPUStart, Timezone, IsDaylightSavingsTime, HasAccelerometer, HasTouchScreen)
print(Encoded)
```
1 Like

Because you are supposed to round to nearest 5 - it is possible for it to fluctuate a little bit. It’s in the github

3 Likes
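
An added example, not from the thread or the linked GitHub project, illustrating the rounding advice above: two readings from the same boot that differ by 0.2 s can still round to different buckets, so a lookup should also try the neighbouring buckets. The sample readings, the field names, `STEP` and the `key` format are assumptions made for illustration.

```lua
-- Added example; all readings below are constructed sample data.
local STEP = 5 -- seconds; the "nearest 5" rounding suggested above (unit assumed)

-- Round a tick() - os.clock() reading to the nearest multiple of STEP.
local function bucket(cpuStart)
    return math.floor(cpuStart / STEP + 0.5) * STEP
end

-- Storage key for one record; a real system would hash this string.
local function key(bucketValue, timezone, isdst)
    return string.format("%d|%s|%s", bucketValue, timezone, tostring(isdst))
end

-- Keys to try at lookup time: the reading's own bucket and both neighbours,
-- so a reading that lands just across a bucket edge still matches.
local function lookupKeys(r)
    local b = bucket(r.cpuStart)
    return {
        key(b - STEP, r.timezone, r.isdst),
        key(b, r.timezone, r.isdst),
        key(b + STEP, r.timezone, r.isdst),
    }
end

-- Return the account stored under any candidate key, or nil.
local function match(stored, reading)
    for _, k in ipairs(lookupKeys(reading)) do
        if stored[k] then
            return stored[k]
        end
    end
    return nil
end

-- Constructed readings: same boot 0.2 s apart, then a reading after a reboot.
local first    = {cpuStart = 1700000002.4, timezone = "Eastern", isdst = true}
local rejoin   = {cpuStart = 1700000002.6, timezone = "Eastern", isdst = true}
local rebooted = {cpuStart = 1700003600.0, timezone = "Eastern", isdst = true}

local stored = {}
stored[key(bucket(first.cpuStart), first.timezone, first.isdst)] = "account-A"

print("same bucket:", bucket(first.cpuStart) == bucket(rejoin.cpuStart))
print("rejoin match:", match(stored, rejoin))
print("after reboot:", match(stored, rebooted))
```

Every field here is reported by the client, so the server should treat a match as a weak signal rather than proof, as the hook at the top of the thread shows.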

You’re missing the point. It’s not meant to be the ultimate solution to stop 100% of alts. It’ll stop the majority of them, due to them not knowing they need to restart or slipping up and forgetting. You’re not going to find a solution that’s perfect to something like this, much less in Roblox. It’s reliable enough.

1 Like

I’d just like to correct some of the assumptions here, as I don’t want people getting the wrong impression from what is actually stated in the creator terms.

PII is a widely recognized legal term which is defined in data protection laws internationally. More specifically, it means data that could directly identify, without other information, the identity of an individual (person) or household. It does not mean just any data that is identifiable to a user.

Any information “that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked” with a “consumer or household” is potentially personal information under CCPA.
(Source: What is “personal information” under CCPA? – California Lawyers Association (calawyers.org))

Some examples of what might be PII under the CCPA (California Consumers Privacy Act, where Roblox is registered as a business) are:

  • First / Last Name
  • Phone Number & Personal Email Address
  • Mailing Address
  • Passport / Drivers License number
  • Social Security Number

These examples also could meet the requirements for PII under most jurisdictions with data protection legislation (for example, they would qualify as PII (or SPI) under the EU’s GDPR legislation).

Collecting user-identifiable data, even if it is attributable to someone’s specific hardware or time-zone, is unlikely to ever meet the standard of PII. For example, every time you connect to a website your IP address (which may give away details like your ISP, Geographic Location, or in some cases residential area) is not PII, unless it is correlated with other data which could when combined identify you personally.

To be more clear, essentially none of the information that you are given access to by Roblox in-experience would qualify as PII. Roblox giving any game you join your personal information would be highly irresponsible on their part, as Roblox have no real way to ensure you have a lawful basis for processing it.

You might ask though, why are Roblox stating this if they’re talking about data that you will likely never get? Well, in the rare event you are given actual PII by Roblox, it’s to put the responsibility on you to handle it responsibly and make it a contractual breach if you do not (rather than one on their part).

The wording in the terms is (in my view) likely concerned with people trying to collect PII for advertising purposes, which could be a violation of the Children’s Online Privacy Protection Act (COPPA) if that PII was from someone under thirteen.


I’ll add that I’m not a lawyer, nor is this legal advice you should follow. I do have corporate experience with international data protection legalities, but am not qualified to speak authoritatively on this. If you’re concerned about if you’re collecting PII, you should consult a suitably qualified professional or lawyer.

6 Likes

Nobody forced anything on anyone. This is a function that comes with roblox and you’re automatically agreeing to use it whenever you open your game client. If we applied this logic everywhere else:
I’m being forced to look at something because I can see.
I’m forcing players to play because they joined.
I’m forcing players’ game clients to give information to the game so something can function.

1 Like

Roblox is tracking them, not me.

1 Like

Honestly tick() - os.clock() will give varied results, around 6 decimals, so I suggest rounding up around there.

The image below shows what the results could look like:

image

Also you could possibly get their localization information, this should not be a requirement in confirming accounts are the same, but could help due to the fact that not all exploiters change their location and preferred language.

1 Like

Why would roblox have functions that would break their own ToS? Please answer.

1 Like

This is, without a doubt, one of the most ambitious projects I’ve ever seen. I question the legality but love the functionality!!

1 Like