EVE Evolved: How much trust is too much in EVE Online?

Of all the headlines to come out of EVE Online over the years, the biggest and most far-reaching have been the stories of massive thefts and underhanded scams. The MMO community has grown up hearing these tales, from the embezzlement of EVE‘s first public bank in 2009 and the estimated $45,000 US Titans4U scam in 2011 to the trillion ISK Phaser Inc scandal and beyond. EVE has been embedded with this narrative of mistrust and betrayal for most of its life, the most famous example still being the Guiding Hand Social Club heist from all the way back in 2005.

Yet when a player recently stole three extremely rare ships using social engineering, the victims expressed only disappointment that they had lost a friendship they valued. The question for players and the wider MMO community today is simple: How much trust is too much to give someone in an MMO? To what degree should the game mechanics automatically protect your assets and privacy, and how much of that protection should you be able or expected to give up in order to make progress or join a group?

It’s been a long-held belief of mine that part of what makes EVE Online‘s communities so tightly knit and the friendships you make there so rewarding is the fact that your comrades could steal from you or betray you in any number of ways but choose not to. On the other hand, the possibility of betrayal has also led to some extreme risk-mitigation strategies and corporations sometimes ask for uncomfortable levels of information as part of their recruitment processes.

In this edition of EVE Evolved, I explore the role that trust plays in EVE Online today, look at the harsh recruitment requirements some corporations have and ask how much trust is too much to give someone in an MMO.

The role of trust in building MMO societies

I’ve often argued that you need the anti-social element in a sandbox MMO in order to build a cohesive society, that the possibility of betrayal must exist if you want trust between players to mean anything. Early wormhole corporations will know this all too well, as they were forced to use open starbase hangars and shared ship maintenance arrays to store their assets and any corp member with access could have run off with a lot of stuff. The same is true of any activity in which you’re forced to rely on someone else, from small-scale PvP right the way up to territorial alliance warfare.

Allowing people to lie, steal, and cheat creates a space for both people who want to engage in these activities and those who oppose them, in the same way that the presence of a villain can inspire the birth of a hero. Sakanne wrote an interesting article on this back in 2014 arguing that the balance between villain and hero is skewed toward villains in EVE, but EVE is not entirely without heroes and worthy individuals. In a universe in which trusting the wrong person could get you killed or cost you a lot of ISK, earning trust and building a reputation over the years can open some big doors. I personally used my reputation in the community years ago to run public investment schemes, and others have used theirs to lead powerful alliances and launch impartial third party services to secure complex trade deals between players.

Mitigating risk and the need for trust

If there’s one thing EVE Online players are good at, it’s mitigating risk. Hundreds of players lost their ships in the first few days of the Sansha incursions in 2011, but it wasn’t long before we’d documented every detail of the new gameplay and developed strategies to remove all danger. We have entire websites dedicated to rigorously cataloguing the threats in PvE sites, and third party services such as Chribba’s are designed to eliminate the risk of theft in trade deals and investment schemes.

Even PvP is a game of sizing up the capabilities of enemy fleets and measuring the risk of engaging, with groups using scouts and spies to gather intel and always leaving themselves safe exit routes when possible. It should be unsurprising then that corporations will use every tool at their disposal to mitigate the risk of recruiting spies and saboteurs.

One such tool is the EVE API, which was intended to let player-made programs pull data about your characters directly from the game servers but can also be used to perform a forensic examination of your account. Corporations will often ask for an API key as part of the recruitment process, and the levels of access they ask for can vary. Some smaller corps just want the names of your characters and access to see your skills in order to make sure you’re not an obvious alt character of someone else, but often they ask for access to some considerably more private information.

Giving out your API key

Reader kgptzac contacted me recently after he found himself reading the recruitment requirements for Brave Newbies, a popular corp for new players with over 4,000 active members. Like many large corporations in EVE, Brave Newbies asks for an API key as part of the application process.

The application page supplies a link to an API template that essentially asks for full access, allowing them to see things like all market and financial transactions you make in the game, all of your assets throughout the game, your private contact list, and the full text of all personal in-game EVEmails. Brave isn’t the exception here either, as many large corps will now ask for full account-wide access to this information as part of recruitment.

“I was outraged. Among those permissions, some are totally irrelevant for recruiting purposes, some I am reluctant to give out unless it’s for an internal investigation of spy/theft.  Then there are the evemail and contact list permissions… which I will never give out for any reason whatsoever, and I take offense for anyone ask me to let them see my mails and friend list, even more so when they are trying to trick me of giving these info during application stage.

I suddenly feel this game just alienated me.  I don’t know about you or anyone else, but I play games, especially MMOs, because they offer degrees of freedom that is impossible to experience in real life.  But if an MMO’s guilds/clans/corps can’t trust me to the point that they have to infringe on my right to privacy, then I have to seriously question the sanity of people who both impose, and accept, these repressive measurements.” – kgptzac

How much should you trust people?

We’ve come to accept that corporations will ask for our API keys to weed out potential spies and awoxers, but many of the permissions they ask for are totally unnecessary. Reading my private EVEmails isn’t going to make your corp more secure, and neither is knowing all of my purchases and market orders in Jita or where I have my tech 2 blueprints and capital ships stored. Not to mention that every large alliance is already riddled with spies and a real spy will just bypass these checks by creating a clean account.

The bottom line is that information on people’s assets and skills can be strategically useful in EVE and alliances will take all the information on their members that they can get their hands on. As long as the API dishes out this kind of information for use in apps, large corporations will almost universally ask their members for the maximum level of access. The practice is so commonplace that CCP even warns players that their EVEmails should not be considered private. It’s up to the individual player to decide whether to trust a corporation with that level of information or if the price of admission is just too high.

Trusting individual players is a different matter entirely though, and it’s something that you really can’t avoid when you’re living in a sandbox with so many other players. You just have to trust your corpmates won’t try to screw you over, that the logistics pilot in your incursion fleet isn’t going to let you die, that your fleet commander in PvP knows what he’s doing, and that the scout you sent up ahead isn’t secretly working for the enemy. While it’s definitely possible to play EVE solo and avoid trusting anyone at all, doing so will limit what you can achieve and robs you of forming the kinds of friendships that MMOs are typically a catalyst for.

A large portion of EVE‘s gameplay is group-oriented and relies on putting your trust in other players. On one hand, that approach promotes more tightly knit social groups because you can’t help but make friends with other people when you’re relying on them every day. On the other hand, forced socialisation is a touchy subject, and it’s led to corps asking players to give up an excessive amount of privacy in order to join.

So how much trust is too much to give someone in EVE? Can you really get along in EVE without trusting anyone at all, and would you let a corp read your EVEmails and see a full list of your assets?

EVE Online expert Brendan ‘Nyphur’ Drain has been playing EVE for over a decade and writing the regular EVE Evolved column since 2008. The column covers everything from in-depth EVE guides and news breakdowns to game design discussions and opinion pieces. If there’s a topic you’d love to see covered, drop him a comment or send mail to brendan@massivelyop.com!
SHARE THIS ARTICLE
Code of Conduct | Edit Your Profile | Commenting FAQ | Badge Reclamation | Badge Key

LEAVE A COMMENT

15 Comments on "EVE Evolved: How much trust is too much in EVE Online?"

Subscribe to:
Sort by:   newest | oldest | most liked
Reader
talaen

When I was playing I ran one of those corps (a wormhole corp) that would ask for everything in the API. We didn’t do it because we wanted to monitor people in an ongoing way – once they were in, the risk was accepted, and none of us had time to go be secret police. But things like contracts and EVE mails really did help us identify people who were just joining up looking to steal from us, or worse, who were trying to infiltrate in order to help another corp evict us from our wormhole.

We took as many precautions as we could outside of that as well, obviously. There was always a balance between keeping our stuff secure and allowing people to play the game, and we tried not to do things that made it super difficult for people to play. It probably also helped that we had a really lucrative profit-sharing strategy – anyone who joined our corp and took part in regular ops was raking in tens, sometimes hundreds of millions of ISK every week – so no one really wanted to put that in jeopardy.

In all the time we were there, this recruitment policy helped us turn away dozens of potential thieves – often, after failing to get in with us, we would see them join other wormhole or hi-sec corps and steal billions of ISK worth of stuff. The truth is most thieves in EVE are lazy, and they’re pretty easy to spot if you have full API access. We caught people in our screening based on contracting with their other accounts, from mails they sent to people, from other characters on their account, and even in a few cases because they did silly things like use the same last name and portrait on all of their different accounts. We were only successfully infiltrated once, by someone who was smart enough to make it past all of our security checks. That person did manage to steal a fair amount of ships. It honestly could have gone a lot worse had one of our members not just happened to log in right after they had gotten started and sounded the alarm. There’s nothing like having your cell phone go off at 5 am to tell you that someone is stealing your ships and it may be a prelude to an invasion in the MMO you play. (I called in sick to work that day).

Maybe now with the additional protections on citadels, such extreme security checks are unnecessary – in our case it was really a reaction to just how easy it was for someone to take everything from us – but I don’t regret our recruitment policies at all. They protected us from people who were just out to ruin our gameplay experience on dozens of occasions, and EVE is a hostile enough place most days that you don’t give people chances to grief you if you don’t have to.

Reader
Loyal Patron
Kickstarter Donor
Patreon Donor
kgptzac

I’d like to offer my anecdotal as well. I’ve also been in a wspace corp, done recruiting, and at times part of the management. We lived in a C2 with static C4 and HS, so it’s probably isn’t as “hardcore” as you guys, from the sound of it.

We didn’t really have enemies who would organize heists against us. We didn’t try to be assholes and evicting people from their systems for shit and giggles, and we always honored ransoms. Whatever resemblance of “honor” there is in Eve’s wspace community at that time, I think I can say, now in hindsight, that we do upon others for what we didn’t want others do to us.

I personally hold this mentality as true, today, as an Eve player even though now I just log in to queue a new skill when my 1-day queue is finished. I joined my wspace corp when there were only Limited and Full API. During that time, everyone in recruitment and management was in unspoken consensus that limited API, plus rigorous manual background checking on the applicant characters, was enough.

And I stand by that assessment even today. We’ve turned down applicants that were suspicious of unsanctioned RMT and other activities. We accepted most when we could get a personal recommendation from their past corp leaders.

Most importantly, we trusted. We by default, trusted folks who applied to us with the basic dignity that supermarkets trust vast majority of their shoppers aren’t thieves. I think it’s important because trust should be mutual, and shouldn’t be asymmetrically demanded by one side unto the other. Not saying that we had 0 corp thief incident, but in hindsight, the very few incidents we had couldn’t really be prevented by full API access, provided those very few people aren’t too stupid.

The most memorable among those incident was committed by a veteran corp mate who was in very good standing with all of us, flew together in pvp fleet frequently. One day he just snapped, I guess. There’s no way preventing it from happen. Maybe if there’s someone who screen every corp mate’s mails, contracts, contact lists, and could connect that dots saying ‘oh shit this guy is gonna screw us over’. I don’t know; maybe we could have a mind-reading psychic handling internal security.

So, yeah, that’s my story I’d like to tell. I didn’t strip people’s dignity when they applied under me, and I sure as hell won’t give mine away when I’m applying to a corp in Eve.

Reader
talaen

So I can tell you’re pretty passionate about this subject but I’d counter that API access is a tool – and it’s the people using the tool that determine whether it’s used for good or for ill. I can pretty confidently say that my corp never abused that access to monitor our members, mostly because it was me and one of my officers doing the screening, and our members all trusted us not to abuse it. It’s also worth mentioning that even with tools like EVEMon it was work to check all that stuff about someone – especially if they were coming from hi-sec and had been in multiple corporations since starting.

If we were talking about a big nullsec alliance, I’d be right there with you – I could never trust a group that big. There’s too many people that I wouldn’t know and would never really see except in big fleet ops. But a smaller, tight-knit wormhole corp where everyone flies together all the time? A small group of pilots that wants to fly together or do industry in highsec or lowsec and is just trying to leverage the features the game gives to corps? That’s different. You can get to know those people, even before joining up. You can decide whether they’re trustworthy or not.

Our corp was a lot like yours – we had a C2 with a static HS and a static C4, and really what we were about was farming our wormhole and occasionally raiding into whatever our C4 connected to. Because we had the HS static though, we were constantly fending off invasion/eviction attempts whenever it was opened. We probably dealt with at least one eviction attempt every couple of months, and there were weeks where we’d spend every day playing cat and mouse with whatever scouts had managed to get into our hole. In spite of all that it was super lucrative for us and we grew at a pretty steady pace. When I stopped playing and turned over the corp to others, we had a good 35 active pilots living in the wormhole, and mining, sleeper, or raiding ops were happening every day just depending on what was spawned and what people felt like doing. We even had six-carrier capital fleet with two dreadnoughts in reserve in case someone managed to get a foothold. We deployed that capital fleet exactly once, to tear down a tower that someone had managed to anchor and online (after we’d podded all but one of them). But regardless, that wormhole was our home. It was where we lived in EVE, and we weren’t going to let anyone take it away from us, or take all the stuff we’d spent literally years building.

In all the years I was leading that corp, we never once had anyone complain about the API check. Not saying your concerns aren’t valid but from our point of view, the trust worked both ways. If we’re going to trust you enough to let you into our home, you should trust us enough to give us the API key and that we’re not going to misuse it.

Now all that said, I think it’s absolutely true that the EVE of today is different from when I was playing. When I was playing we had like 2 dozen ship maintenance arrays anchored at 3 different towers just to hold all the different ships with some semblance of organization. One of the big reasons we gave people so much access is that anyone trying to be a quartermaster, as Brendan suggested, would have basically had to treat it like a full time job and be online 23/7. So we compromised. Obviously our capital fleet and a few other things were locked down so that only a few highly trusted people could access them, but the bulk of our subcaps were in shared storage because it was more important to us that our members be able to easily reship and run ops together. Heck, we even had an entire SMA full of disposable, doctrine-fit T1 battlecruisers and battleships to help make it so people didn’t have to risk their own pride and joy. It was a nightmare to keep organized even with permissions as loose as they were.

Nowadays, with citadels, it’s a totally different game. Would we need to have the same level of scrutiny on applicants with everyone having private hangar space? Honestly, I don’t know that we would. Either way though, it’s my opinion that flying with a corp in EVE is a privilege, not a right. If a corp is going to ask for API keys because they want to protect themselves and their assets, it’s up to the person applying to decide if they want to take that leap of faith and trust the corp they’re applying to. I don’t think that corp is necessarily full of terrible people because they asked, just like I don’t think that the person applying to the corp is in the wrong if they’re not willing to provide the key. Everyone takes on the level of risk that they feel comfortable with.

I think sometimes we have to remember that 95% of the people that play EVE really just want to fly shiny spaceships and do cool things (usually involving lasers or explosions), maybe with their friends. Yes, there’s the bad apples – the thieves, the griefers, the scammers, the bored vets who want to “meta” everyone else into submission. But they really are the minority, even if it doesn’t always seem like it.

Reader
Loyal Patron
Kickstarter Donor
Patreon Donor
kgptzac

CCP says Eve is Real. But when is this “real” gets too real? What’s being said here is the exact mirror mindset that governments around the globe are justifying all-encompassing surveillance and backdoor to encryptions. So not only an Eve player has to watch out for worst of individual asshattery one end of the spectrum, and on the other, the worst manifestation of authoritarian overreach in social groups.

Ends don’t always justify means. Not in real life, and even less so in video games.

Reader
talaen

I think it’s a little bit of a fallacy to draw an exact parallel between EVE and the real world here. There are definite similarities, but in EVE, you are voluntarily giving that access to other players (or not). Sure, if you choose not to, you may not be able to join their corps or alliances, but you always have the ability to choose not to. Likewise, you have the ability to revoke that access at any time.

In the real world, often you don’t even get a choice.

Privacy is a big deal – there’s no arguing that. And because people on Earth are generally terrible to each other, the governments of Earth will always be in a constant struggle between the desire to protect individual privacy and the desire to provide collective security. The sad part about that is that the individuals whose privacy is at risk often don’t get a say in what happens.

EVE is also a place where people can generally be terrible to each other. And thus, EVE corporations and alliances also have to decide on a balance between the privacy of their members and the security of their own assets and communities. However, in EVE, players always have a choice of what they expose and who they expose it to.

I think it’s also worth mentioning that in EVE, the only thing that’s at risk are your in-game assets, generally. Things that you can replace with time and effort. In the real world, having your private information compromised can have far more serious consequences.

Reader
Loyal Patron
Kickstarter Donor
Patreon Donor
kgptzac

Thanks a lot Brendan for the piece :)

I’ve not given a more detailed read about the new SSO thing, but hopefully logic and common sense would ultimately prevail, and CCP would wake up and recognize that by no means their collective community would be better off if reading other people’s mails becomes a even more mainstream practice.

Meanwhile, let’s recognize this for what it is: a massive abuse of power by the corporation recruitment departments. Those API permissions are obviously meant to for 3rd party applications that doesn’t expose the fetched information to anyone else’s eyes but the account owner’s. Any intelligent persons can and have noticed the thief/spy/whatever can easily bypass such “security check” by full API, and all you’re left with is a bored corp director/recruiter reading their memebers’ EveMail for entertainment and further blackmail purposes.

Reader
Robert Mann

As far as I am concerned, there should be a line that people cannot cross for screwing me over. So long as I am not asked to trust outside that line, I will not leave the game for that reason. If somebody is a jerk within that restriction, then I count it as a matter of them not actually having been the type of person I really wanted to spend time around, and the fact that I need not waste another moment on their existence with regard to positive relations… is to my benefit, since that would have been wasted time. I won’t regret being decent to them for however long. Instead I will just spend more time with other people who continue to treat me (and others) fairly.

Reader
Schmidt.Capela

The main reason I couldn’t continue playing EVE, the reason my time playing EVE was probably the worst gaming experience I ever had, was exactly this. In games, more so than in the real world, I’m borderline paranoid, always assuming everyone else is out to get me; what allowed me to enjoy other MMOs was the limitations on when other players could harm me and how much harm they could cause me, which created some breathing space, allowing me to relax from time to time.

When playing EVE, on the other hand, I was completely tense all the time, no breathing space at all. It was worse than boot camp; at least there I knew the drill sergeant wasn’t (just) a sadist that found pleasure in seeing others suffer.

This is why EVE convinced me to never again even try any game where non-consensual PvP exists. It convinced me that I absolutely *hate* having to keep watching my back in order to not have other players backstab me, and as such I will never again accept that kind of experience.

Reader
Kickstarter Donor
Patreon Donor
Loyal Patron
BalsBigBrother

I accept and have made peace with the fact that I am not going to be part of any major corp operations or be a mega billionaire as I think the price of admission is too high imo. I am not comfortable with the access that is asked for by most corps as Bredan outlines. So I have just scaled back my expectations of what I can do or achieve while I play Eve

Fortunately I have found a lot of enjoyment / excitement in exploring wormholes, something I don’t necessarily need anyone else for. I just need to be realistic about what I can achieve, plan accordingly and not get upset when it all goes wrong :-)

Reader
Robert Mann

Yeah, that… I would never do that. The moment a game even offers that (which is news to me about Eve) I’m out. WAY too much into things that are my private concerns. In fact, it almost tempts me to get together a bunch of people to send odd coded messages around with free trial accounts in such corps. Because that much control freak screams for some measure of anti-control action, and as much as I normally detest trolling this particular case sounds fairly fun and harmless (as the topics would be things like planning dinner, just encoded with odd keywords that would make anyone nosing through them want to scream.)

For example: I went out and got some laser justice sauce, so when I go to finish operation golden biscuit I won’t have to freak out. I suggest you obtain twin havoc rockets before you start work on your toaster, as anything less will leave you with only partial combustion and you will certainly regret the supernova more.

wpDiscuz