DRM Supplier Denuvo Suffers Website Leak

Denuvo is an anti-piracy company that became semi-famous last week when Resident Evil 7, a title for which they supplied the copy protection, was cracked by piracy group “CPY” in just five days – a record.

If you thought that was bad though, things have just taken a turn for the worse for Denuvo.

It’s been revealed that, for some reason, formerly private parts of their website were made open to the public for a short period, and crackers wasted no time in downloading the contents.

The leak appears to have first been posted on 4chan, with the primary piece of data being an email archive. It contains emails sent to Denuvo from as far back as 2014 and includes all sorts of correspondence. For example, one angry gamer wrote that their DRM software is “bullshit” and that if implemented in games, those games will lose thousands of potential sales.

Another email was from a would-be pirate who was struggling with their copy protection and actually asking for help:

Hello everyone at Denuvo,i would like like to ask that i have downloaded a window game ( Dragon age Inquisition ) from utorrent and it is not running properly,i asked from internet and my friend said me it is because of denuvo, please solve the issue as soon as possible, the dvd version is not there in my country so it is only option for me.

People involved with some very well-known game titles also appear to be caught in the leak, as this email apparently reveals (the emails came in through a contact form, so anyone could have entered any sender details they liked):

My name is Graeme Jennings and I’m the Executive Producer on the Halo Wars brand at 343i (Microsoft). Would be grateful if someone can contact me in regards to Denuvo pricing etc.

This email, on the other hand, in which the sender attempts to gain access to the original executables of a video game (i.e. without DRM) so that they could pirate it, is highly amusing. We’re assuming that his or her attempt at social engineering didn’t work though…

Hello, I am the developer of ABZU game, thanks to your Anti-tamper system that prevented our game from getting cracked as of now. We have started working on another great game, and we plan to use Denuvo on that game as well. However, in our development process, we have come at a situation that we need our ABZU game’s original executable files since our new game is based on that, could you send us the original executables of our game that we sent to you for implementing Denuvo?

Enquiry emails from employees supposedly at Capcom and Google, among others, also appear in the archive. Additional, larger files, the contents of which are not currently known, have also been discovered.

We’ll post more info, including any responses from the company, as and when we receive it.

Old Emails, Social Media Posts & Files To Receive Additional Protection

The 31-year-old Electronic Communications Privacy Act (ECPA) could soon be updated, an event well overdue given the extent to which electronic communications have changed over its lifetime.

Under the ECPA as it currently stands, there are two possible outcomes when determining whether law enforcement agencies require a warrant to search data (such as emails or social media posts) stored on a third party’s servers or in the cloud:

  1. If the data has been stored for less than 180 days, then a probable cause criminal warrant is required.
  2. If the data has been stored for longer than 180 days, then only a subpoena is required. Subpoenas are usually issued by a court clerk, or sometimes even by lawyers, and are not something that a judge needs to approve in advance.

On the evening of Monday, February 6, the US House of Representatives unanimously approved the Email Privacy Act (EPA). The Act will amend the ECPA and require that law enforcement agencies obtain a court-ordered warrant to search data that has been stored for more than 180 days, bringing “old” and “new” data into line with one another.

Given Trump’s nominees… the stakes for privacy have never been higher. It’s crucial Congress act on ECPA reform so that Americans can feel safe in their 4th amendment rights.

Robyn Greene, policy counsel at the New America Foundation’s Open Technology Institute

One of the key motivations for the change is that the cost of computer storage has dropped drastically since 1986, while storage capacity has increased exponentially. This means that while in 1986 service providers were not expected to keep electronic data for extended periods of time (due to the cost), the norm nowadays is for such data to be kept indefinitely.

For example, services such as Dropbox and Gmail allow a large amount of data (a lifetime of emails, for example) to be stored online either at no cost to the user or for a very low monthly fee. Facebook and YouTube allow users to upload essentially unlimited amounts of high-definition video, all of which must be stored on servers somewhere and does not get deleted.

The amount of data and information that members of the public are now making available online, whether through posts to internet forums like Reddit, via email, or on Facebook or Instagram, has never been greater or more personal. With that, concerns about who has access to that information, and how, are paramount.

If the government wants to read your emails, then they should be required to obtain a warrant just like they would need in order to read your letters, search your hard drive or listen in on your phone calls. Technology has made incredible advances over the years, but the privacy laws for digital communications just haven’t kept pace. Right now, the rules governing how and when the government can access a person’s emails, photos, documents and other online communications are outdated and do not provide for the same Fourth Amendment protections given to on-paper or in-person communications.

Representative Darrell Issa (R-Calif.)

Critics of the change, on the other hand, say that it will become tougher for law enforcement agencies to swiftly and efficiently carry out their investigations. However, given that this change simply aligns the treatment of the two types of data (older than 180 days or not), we think that’s a pretty weak argument.

Stay tuned to SafeMonk for further updates on the progress of the EPA as it now heads to the Senate.

Evernote Reverses Policy On Reading User Notes

Here’s an example of how not to handle privacy policy changes.

On December 14, Evernote announced that it would be updating its Privacy Policy with details of new machine learning tools that were to be implemented. As part of that update, we also learned that, in order for the machine learning to function properly, a human review of your notes could be required, along with several other reasons why employees at Evernote might need to read your notes.

According to the post, which you can read here, in order to help Evernote verify that the machine reading was functioning as expected, it would sometimes be necessary for employees to manually check the machine output against the contents of your notes.

Employees could also read your notes for a host of other reasons, and while some are perfectly valid and acceptable (such as Evernote being served with a valid court order or warrant), others are pretty loose, like needing to “maintain and improve the service”.

Of course, not every employee would have the ability to read notes, and while you could opt out of the “reading for machine learning purposes” part, that did not stop your notes being read for the other, aforementioned reasons.

As you might have expected, there has been an outcry, and Evernote has been forced to backtrack and post the following:

After receiving a lot of customer feedback expressing concerns about our upcoming Privacy Policy changes over the past few days, Evernote is reaffirming its commitment to keep privacy at the center of what we do. As a result, we will not implement the previously announced Privacy Policy changes that were scheduled to go into effect January 23, 2017.

Instead, in the coming months we will be revising our existing Privacy Policy to address our customers’ concerns, reinforce that their data remains private by default, and confirm the trust they have placed in Evernote is well founded. In addition, we will make machine learning technologies available to our users, but no employees will be reading note content as part of this process unless users opt in. We will invite Evernote customers to help us build a better product by joining the program.

Great, they admitted they screwed up and said they won’t do it again, but their choice of words is amusing. Instead of Evernote “reaffirming its commitment to keep privacy at the center of what we do”, given that they broke that commitment in the first place, shouldn’t Evernote be “re-committing” instead?

The thing is, once a company has actually said that they could or would invade your privacy for the reasons given, saying that “of course we’d never do it without your express permission” doesn’t carry all that much weight. And it’s not as if there isn’t a plethora of note-taking alternatives to choose from. That said, you may want to take a look at the alternatives’ privacy policies too!