I'm a little confused. I'm using NoScript with selected domain lists to access to. I've never seen gog-statics.com domain on NoScript's list, only "pure" gog.com one. The only domain which is set to trusted while I'm browsing gog.com site is gog.com. Yet, I'm able to access my library of games without any problem.

Maybe it is not GOG but your ISP who is messing around?

I'm using NoScript 11.0.6 on Firefox, set up to require explicit permission (temporary or otherwise). gog-statics.com will not show when firing up the store page, but it is exactly the scripts that are hosted on this domain that, blocked, stop the login popup from loading. It is only when you click "Sign In" that you should see gog-statics.com in NoScript listing.

Edit: I also checked it with uMatrix on Opera and "Ungoogled" Chromium fork and both list the domain as well, so can't say what's going on on your end.

Hmm.. weird. Does that mean if I never log out then I will never need to allow gog-statics.com to run its scripts?

Sorry, the whole thing soured me so much I didn't even want to check the forums.

I haven't dug into the site's code to know whether or not GOG employs any kind of expiration token to ensure re-logs after prolonged period. From security standpoint, your credentials should be reset after some time, but... well.

Technically you'd still have to connect to those servers to download the script file once. Afterwards, as long as your session is open, it will presumably not be required. Not that it helps much, since sooner or later you will need to relog anyway.

***

So, two weeks later, two e-mails sent to support@gog.com, and nothing outside of an automated "we received your message" (and presumably don't give a shit about it).

I'm seriously pissed off. This isn't the first time GOG ties in third-party scripts to critical parts of its web site, but the two previous times it prevented me from simply accessing my library at least it was fixed within a week or so. As a side note, apparently those elsewhere-hosted scripts aren't necessary for functionality's sake, either.

Now, though, it seems gog-statics.com requirement is here to stay, and not even a "fuck you and all the money you gave us over the years, much less the intangible support and promotion from you we received while still pretending to care" from GOG staff.

I actually took a look (and stored a copy as evidence if this bullshit continues) of the old Privacy Policy that was in effect while I made the bulk of my purchases. It starts with:

"GOG Limited (together with its affiliates, successors and assigns, “GOG” or “we/us”) cares about your privacy and we go to great lengths to protect it when you visit GOG.com (the “Website”)."

Funny how things changed, huh?

So... still can't access my games without allowing third-party scripts, and neither did I hear anything from GOG's support despite this being effectively contract modification that I never agreed to, and one that prevents my access to previously made purchases.

Awesome. "Thanks, GOG!"

Edit: Also, accessing privacy policy requires allowing even more data-mining access:
https://www.gog.com/forum/general/your_privacy_is_important_to_us_in_order_to_know_how_much_you_must_give_up_your_privacy/page1

"We care about your privacy, lulz stupid plebe."

Wouldn't surprise me at all if there was a major Chinese money invested in GOG, and data-mining the users was part of the deal.

It's the same company that pushed in Facebook tracking token on their page right around the time of the Cambridge Analytica mess, after all.

Anyway, got a canned response from GOG's support that amounted to "we can do whatever we want." Also erroneously claiming that their current implementation does not prevent me from accessing my games, so I suspect the person responding either did not bother to really pay attention to what I wrote (namely, that I am required to submit to third-parties scripts to log into the page), or just not giving a fuck either way. Or both.

So, GOG, at this point,

1. No explanation whatsoever was attempted as to why exactly something so security-crucial like login scripts was moved to a third-party, and how this benefits anybody, lest of all the supposed customers.

2. I am still blocked from accessing my library, assembled under contractual provisions that had no mention of such data-mining demands being part of the deal. A third-party which, incidentally, is not even identified, much less offers their own privacy policy as required by GDPR, and which GOG's own privacy policy refers to as governing the interaction between "user" computer and said hosting services.

3. It doesn't look like things are going to change (for the better, anyway).

At this point, I guess there's no recourse but go through courts. And I have had enough of everyone and their grandmother's LLC. doing this kind of "screw you stupid 'customer,' we are a corporation" to actually have a motivation to file a case.

I'll wait until mid-January as a gesture of good faith, waiting for either removal of third-party hosting of the login scripts, some alternative way to access my library without getting data-mined, or a refund, without holding my breath for either.

Then, I'll see what my regional court (because the arbitration clause that requires filing in California absolutely goes against the established rulings on principles of fundamental fairness in my state) says about this all. Especially considering the original ToS explicitly referred to user's privacy as a "core value."

I've had enough, and I did not pour all the money I had into supporting GOG just for them to turn around and spit on my face with these kind of stunts. I had often paid MORE for games available elsewhere for less, or waited several months for late GOG release, because I was naive enough to think their original claim of "customers first" was genuine.

Hell, if they made the effort of setting up some secondary login I'd probably still end up buying a few things during this sale, but it's clear this is no longer the service I spent literal years supporting in growth.

Thanks, GOG.

I haven't thought about it before so I tried blocking gog.statics and the login just spinns forever.

We already knows that Tencent have connections to the Chinese government (one-party government with a dictator), and Tencent is stretching their arms in every direction outside of China. Tencent seem to be handling most if not everything concerning entertainment.

The "fear the big red communist"-mantra is getting old...however, If someone can actually prove the files are being requested TO Tencent, and the files are physically at some Tencent owned server within a GOG subdomain, and/or data is shared/sent to a Tencent owned server, then that's not ok in my mind.

DNS traffic can be collected just like any other traffic can, but DNS is just a request and translation process. It's normal to have domain hosting one place, and the actual data another place... so there's really not much dangerous info there. The DNS you use locally or has been given you is much worse ;)

But even official Norwegian sites shares data outsides of their own domain, and even outside of the physical borders. In this case at least Microsoft. We're talking sites concerning social and medical status and information, and in many cases Microsoft handles logins, data traffic, server space and software. I haven't used Wireshark in some time but I bet it can tell some stories. :D

As long as people don't care and refuses to change their laws/policy there's not much we can do. How little is ok, and how far is too much?

This is very much my problem.

I have not been able to access my account without dealing with data-mining from GOG since they moved the scripts offsite. Before, you could at least block on your end all those Google, Facebook, and whomever else tracking elements, and the site would still work.

Now, you have to allow an unidentified third party domain or you won't be able to access your games at all.

Any corporation of notable size operating in China has ties to the Chinese government in one form or another.

Any Chinese corporation absolutely does, as soon as they have any kind of utility to CPC. It is the same regime that is already running a "thought crime" "social credit" monitoring of not just its population, but anybody outside their borders that comes under attention as propagating anti-CPC information of any kind.

They certainly target people outside their borders, both individually and as a group, and I have absolutely no intention of tolerating, much less supporting, any kind of infrastructure that helps them do so.

The information GOG's login scripts operate on, and have access to, are absolutely something that could be used in that manner.

CPC has about as much to do with communism as our current US administration with "land of the free, home of the brave." In China's case, its' simply an authoritarian regime that used specific ideology to secure power, then disposed with those elements of it they found undesirable. Currently China's closer to fascism than any precepts of Marx - their market is mostly capitalistic, but with heavy uncodified government interference and participation.

File sharing is not much of a concern. Anybody trying that (outside of targeted breaches) has to deal with the very possibility of being found out, and even in our "digital privacy is ded, lulz" brave new world people would still react strongly to actual unauthorized file pulls.

The problem is that, as far as the big business that data-mining is, files are irrelevant. Your hardware/software fingerprints aren't just that easier to obtain, most people don't even realize their value (and danger unrestricted access to them brings).

IP address alone (something that getting the login scripts to load on your page already requires handing over to whomever operates gog-statics.com) severely limits the number of individual permutations of all the variables, and most people in the West have static IP address that rarely changes in years. Combined with user-agent requests (which, from a brief skim of the scripts in question, is also accessed) allows literal individual identification.

Don't believe me, run EFF's Panopticlick to see just how easily your computer can be identified: https://panopticlick.eff.org/

I don't know who owns gog-statics.com, and GOG itself certainly is in no hurry to identify the companies involved (again, contrary to provisions of GDPR). I do know that DNSPod is a Tencent subsidiary (some information about it is in my older posts), and it's anybody's guess if they are providing the whole hosting service for gog-statics.com, outsourced it to yet another third-party, or just were the registrar for servers operated by somebody else altogether.

There's no readily available information on this, and it should've been GOG's own damn responsibility to disclose the associations in place. The fact that GOG cheerfully used any service associated the Tencent does certainly not inspire confidence in how much value they place on "user privacy" nowadays - something that was at least used as a selling point of the service early on.

What is even more aggravating about the situation is that, for years, GOG operated by self-hosting these scripts without an issue.

So, basically, why the change?

Ultimately, I feel you shouldn't have to require higher education in computer security to get your games without some undefined hooks attached.

Well, actually there are already applicable laws that make this illegal. I may be in the US, but I still have my EU birth certificate that makes me subject of GDPR's protection. It's just that there's been so little enforcement that most companies don't care about EU's own supposed privacy protection even when they operate from within EU themselves.

Ultimately, all I wanted was to have a DRM-free library collection that I could access at any time without being data-mined (even if it required some effort on my part to ensure that latter part). But now GOG denied me even that, and I don't think it was something outlandish to ask for.

Especially when they touted their service as one focusing on user privacy in the first place, and have done so in legally-binding terms.

Now screenshots and comments aren't showing unless you allow gog-statics.com.

Yes, I've noticed that too.

That's a REALLY stupid design decision... :/

GOG is a dewshbag corporation like all the other dewshbag corporations?!?!

Say it ain't so, GOG!!! lol

You also now need it to wishlist, buy games, access library, see reviews, etc. What's going on here?

Come on, Gog, pull your shit together.

If I wanted to be tracked and have my data all over the web for shady companies to do whatever they want with it I would have accounts with facebook, linkedin (MS), etc. It's bad enough that I have a Gmail account. But I've been trying to not feed the datamining machine.

And you're not only totally fine with it, you're actively forcing it to happen? Is it that costly to host those scripts yourself? Or does pushing it to a third party somehow brings you some extra "revenue"?

Now I'm regretting my last purchase - which wasn't small BTW - even if I really want those games. Lesson learned, Gog. I'll keep it in mind when I feel the itch to buy anything from you in the future

I think we should bump this thread daily to let GOG know that this IS a problem.

I do not want to use 3rd party DRM site to access my DRM-free games.

Any information on what this does and why it's suddenly required for everything?