A way to track players across accounts

It's weird because this is possibly the most ingenious post I have seen on this site, mostly because of how obvious and simple it is to make, and yet it somehow went under everyone's nose.

I honestly don't think this would fall under a bug of any sort, because it really isn't abusing any broken or outdated features; every piece of info given was provided by Roblox, and I am sure they wouldn't make it public without knowing that this was possible.

A problem is compliance with all countries and the ToS. I believe that you can use the timezone to get a good idea of their country/region and determine what data to save and for how long, and for the ToS as long as you are hiding all the data (via hashing, which would honestly be smartest) then you should be in compliance.

The biggest problem, however, lies beneath the ethics of this all. Of course, if performed correctly this could be a very powerful tool, but collecting data that a player might not reasonably expect to be public is sort of creepy in a way, and creating identifiers is even weirder, but you also can’t publicly announce it because then everyone will know how to bypass it as well.

I think that the smartest option would be to be very careful, make sure nothing intercepts the data requests or anything, and make sure you make hashing your data a priority, so at the least it's irreversible. Not only that, but saving data should be very sensitive and you should go to the utmost to keep this safe from other people, and preferably not even viewable by yourself.

Alternatively, you could hold the data in 30 day periods, which would be ideal for safety, and collect and save usernames of possible alternative accounts that you find. That way you aren’t holding a personal identifier on users forever and it isn’t as harmful.

Using this to identify users is walking a thin line though, and crossing it could mean you become more like the more malicious data-collecting companies, which would be quite scary if they were to have spread to Roblox.

I am going to try and implement this in my own game and return the results later, once I make up my mind about how or if I can execute this without risking anyone’s data, and most importantly safety.

7 Likes

Yeah, I mean that. Also, some cafe games are pretty harsh, so

1 Like

I really don’t see a good reason to collect alternative accounts of users, unless the user was already banned.

One thing to note is that exploiters can unfortunately bypass this quite easily: they just have to restart their computer. Of course, you can solely rely on other datapoints, but this will result in some false flags (depending on the number of people living in that country; more people in the country = more false flags, just keep this in mind).

In Roblox you can only read what the Roblox settings are. And the volume setting has been corelocked meaning scripts can’t read it.

It's been done before. Some games with anti-cheats have already been doing this for a long time (especially some PVP games).

GDPR law states that any information collected must be stated in a privacy policy: what such data is used for, why it's collected, how long it's stored for, whether it will be transferred, what it will be used for and where it's stored.

1 Like

One important thing I think people should know.

Do not save fingerprints and/or alt accounts of normal users! Only save fingerprints of banned users!

What you should do is only save the fingerprint when a user gets banned. And then only save the alt accounts connected with banned fingerprints! Doing otherwise is probably very illegal in many other countries.

Also, you probably should only store the banned fingerprints for 30 days, to get enough alts. In this time the fingerprint usually resets to a different one, so it doesn't even matter keeping it for longer.

Also to comply with the GDPR (and possibly other laws too) one must state in your privacy policy that you collect fingerprints & device data, how long you store it, when you store it, for what purpose you store it, and how you use it, as well as how it’s stored and can it be transferred.

(Though don't take this as legal advice; I'm not a qualified lawyer.)

5 Likes

In Roblox you can only read what the Roblox settings are. And the volume setting has been corelocked meaning scripts can’t read it.

EU GDPR regulates that fingerprinting MUST be disclosed to the users, and they MUST be aware that they are being fingerprinted before playing the game, as fingerprinting is covered by the clause on personal data processing.

3 Likes

It can be shared, but for this reason/purpose it may not.

A notification when they join for the first time won’t be harmful.

Even if you cannot see how, that doesn’t change the fact that people can and certainly will do it. At the end of the day this is ultimately intrusive and should be mitigated by Roblox in whatever way possible.

Of course exploiters can easily bypass this; it's run on the client after all. This is definitely 100% more effective against regular users than exploiters by sheer nature of it.

Even just being able to read the settings of the client goes a long way. Especially with certain settings (I doubt people are fiddling with mouse sensitivity on a regular basis). If you have a good system for creating and comparing fingerprints, more datapoints will always certainly be better.

1 Like

If you save a fingerprint and ban them and then you save alternative accounts with a similar fingerprint, you can ban the alts as well.

They would have to know that it exists in your game first, so as long as you don't announce it you should be good from the majority. I know that you need to announce what you are collecting though, so you might have to end up doing what big companies do and hide your privacy policy in small text and poor formatting to discourage anyone from reading it.

Doesn't make it less ingenious, and I am sure it has been done before, but it's obviously not very common.

3 Likes

What if the player runs the Roblox main account on one PC and all alts on another?

I’ve never heard of anyone doing that at all, but I think that would be untraceable.

2 Likes

This should have a relatively high priority for being fixed. The fact that fingerprinting for Roblox is possible is worrying enough, and now that someone has actually done it blows my mind. Well done on this!

1 Like

In my opinion, it shouldn't be patched but needs to be regulated. For example, games need to put in the description of their game that they're tracking users' alt accounts for however long they retain the data. Some regulations could be:

  1. the data mustn’t leave Roblox (no discord webhooks, external servers, etc)
  2. the data must be deleted if the developer receives a right to be forgotten request
  3. the data can only be used to prevent exploiters/game rule breaks (such as trollers)
  4. the data can’t be shared with anyone.
  5. the data can only be stored for a maximum of 30 days and can only be stored once they’re banned.

This is my own opinion and I don't work for Roblox.

2 Likes

This may be against some privacy rules, but it would be really useful to make a great anti cheat.

Do you think it would be a bad idea to log that to an ordered datastore like this:

  1. The datastore name is the timestamp the player started their CPU
  2. you save a table containing the player's timezone, selected language on the Roblox website and maybe some additional data to lower the chance of false positives
  3. if your anticheat detects someone hacking, get the keys with his CPU start time and ban all of them
  4. save the CPU starting times in a normal datastore and remove them after a week (because it's unlikely that someone is gonna leave their PC running for more than a week and be exploiting at the same time)

Do you think that would be against Roblox TOS?

1 Like
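The two proposals above (record a fingerprint only when a player is banned and keep it for 30 days; key alts by CPU start time plus timezone and site language, and purge old entries) can be modelled in one place. The following is an added Python example of my own, not code from this thread or from Roblox: DataStoreService is replaced by an in-memory dict and the player signals are constructed sample values, so it runs offline. It departs from the thread's "just hash it" advice in one respect: timezone, language and boot hour have so little entropy that an unkeyed hash can be reversed by enumerating the inputs, so the example uses HMAC-SHA256 with a server-side secret (my assumption, not something the thread proposes). The one-hour bucketing of the boot time is also my assumption.

```python
"""Constructed model of a data-minimising fingerprint store, as an added example.

Policy it implements (from the thread):
  * nothing is stored for players who are not flagged;
  * a fingerprint is recorded only when an account is banned;
  * records expire after 30 days;
  * a user can be erased on request (right to be forgotten).
Departure from the thread: the fingerprint is a keyed hash (HMAC), because the
raw signals are low-entropy and a plain hash would be trivially reversible.
"""
import hashlib
import hmac
import json
import time

RETENTION_SECONDS = 30 * 24 * 60 * 60   # the thread's suggested 30-day window


def fingerprint_hash(secret: bytes, timezone: str, locale: str, boot_time: int) -> str:
    """HMAC-SHA256 over the signals discussed in the thread.

    The boot time is bucketed to the hour (assumption) so a few seconds of
    drift between two readings of the same machine still give the same hash.
    """
    material = json.dumps(
        {"tz": timezone, "lang": locale, "boot_hour": boot_time // 3600},
        sort_keys=True,
    )
    return hmac.new(secret, material.encode("utf-8"), hashlib.sha256).hexdigest()


class BanFingerprintStore:
    """In-memory stand-in for a DataStore holding banned fingerprints only."""

    def __init__(self, secret: bytes, now=time.time):
        self._secret = secret
        self._now = now            # injectable clock so expiry can be tested
        self._banned: dict[str, dict] = {}   # hash -> {"accounts": set, "expires": float}

    def record_ban(self, user_id: str, timezone: str, locale: str, boot_time: int) -> str:
        """Store the fingerprint of a banned account and (re)start its 30-day clock."""
        h = fingerprint_hash(self._secret, timezone, locale, boot_time)
        expires = self._now() + RETENTION_SECONDS
        entry = self._banned.setdefault(h, {"accounts": set(), "expires": expires})
        entry["accounts"].add(user_id)
        entry["expires"] = expires
        return h

    def check_join(self, user_id: str, timezone: str, locale: str, boot_time: int) -> bool:
        """Called when a player joins. Returns True if the fingerprint matches a
        banned one; only then is the joining account linked to the record."""
        self._purge_expired()
        h = fingerprint_hash(self._secret, timezone, locale, boot_time)
        entry = self._banned.get(h)
        if entry is None:
            return False
        entry["accounts"].add(user_id)
        return True

    def erase_user(self, user_id: str) -> int:
        """Right-to-be-forgotten: drop the user from every record, delete empty records.
        Returns the number of records the user was removed from."""
        removed = 0
        for h in list(self._banned):
            accounts = self._banned[h]["accounts"]
            if user_id in accounts:
                accounts.discard(user_id)
                removed += 1
                if not accounts:
                    del self._banned[h]
        return removed

    def record_count(self) -> int:
        return len(self._banned)

    def _purge_expired(self) -> None:
        now = self._now()
        for h in [h for h, e in self._banned.items() if e["expires"] <= now]:
            del self._banned[h]


class FakeClock:
    """Controllable clock for the demo."""
    def __init__(self, t: float):
        self.t = t

    def __call__(self) -> float:
        return self.t


def demo() -> tuple:
    """Walk the policy through with constructed signals.

    Returns (alt_flagged, unrelated_flagged, erased_count, flagged_after_30_days, records_left).
    """
    clock = FakeClock(1_700_000_000)
    secret = b"constructed-secret; in production load it from a server-side secret store"
    store = BanFingerprintStore(secret, now=clock)

    # Constructed sample: main account banned; alt joins from the same machine
    # ten minutes later (same boot hour); an unrelated player shares tz/lang
    # but booted a day earlier.
    store.record_ban("user_main", "Europe/Berlin", "de-de", 1_699_990_000)
    alt_flagged = store.check_join("user_alt", "Europe/Berlin", "de-de", 1_699_990_600)
    unrelated_flagged = store.check_join("user_other", "Europe/Berlin", "de-de", 1_699_900_000)

    erased = store.erase_user("user_alt")           # erase request for the alt only

    clock.t += RETENTION_SECONDS + 1                 # 30 days pass: record expires
    late_flagged = store.check_join("user_alt2", "Europe/Berlin", "de-de", 1_699_990_000)
    return alt_flagged, unrelated_flagged, erased, late_flagged, store.record_count()


if __name__ == "__main__":
    print(demo())
```

Two points from earlier in the thread carry over to how this should be used: a match on timezone, language and boot hour will collide for many unrelated players in a populous region, so treat `check_join` returning True as a signal for review rather than an automatic ban (the lag-spike objection to auto-banning applies here too), and a restart of the machine changes the boot hour, so the store only ever catches alts created from a running session.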

It would have been great if Roblox created IDs for specific emails and then let devs have access to said IDs, so that we can ban players when they create alts with their email. But as a security measure, we'll have to make our games only accessible to players with email addresses.

1 Like

You can easily create more e-mail accounts or use some temp mail.

1 Like

I think it shouldn’t be against TOS, but it’s in a gray area so you probably should be careful.

2 Likes

True, true, but tracking the player this way is as easy as switching devices.

1 Like

I would advise against giving an anti-cheat banning capabilities. Things like lag spikes and glitches often trigger the anti-cheats; this isn’t so bad if your character is just reset.

1 Like