ThePandemoniumInstitute / botc-release

The Official Blood on the Clocktower App
https://botc.app

Restrict Grim Access to Patreon Subscribers #194

Open sugitime opened 4 months ago

sugitime commented 4 months ago

What problem are you trying to solve?

Misuse of additional accounts to gain information about the Grimoire has become more common as the game has grown in popularity and population. Here is a recent issue that occurred on 7/4/24, with some names redacted and pronouns changed for privacy reasons (I will give them to TPI on request):

So I was speccing a game that Trace and Jon were STing. Lex was the Yaggababble with the phrase "witch check," and he had not yet said it that game. [Player 1] was the Gossip, and there was a new spec in game named [Spec 1]. I [compared the user ID to a list of users/user ID pairs we maintain privately] and it was [on the sheet under a different name than they were using today]. Day one, [Player 1] gossips incorrectly. Splits the grim, has the wrong half. Sometime that night, [Spec 1] winds up with grim. Oopsie poopsie! So day two, first thing out of [Player 1]'s mouth is "So what's your Yagga phrase, Lex?" And then gossips that Lex is the demon.

Jon was... yeah. Decided that we needed to test this. There was a Witch, the male Marz, who hadn't procced. Jon went to him, said something like, "Look, please don't say anything. You're the Scarlet Woman. You've always been the Scarlet Woman. Tell nobody." Marz just said "okay," and they revoked grim from [Spec 1] and then swapped the token.

Lex wound up on the block. Said the phrase, spamming it 24+ times (LOL that was a fun reminder token). I think he survived that day? It may be that I have it backwards and it was after that where they decided not to pull the trigger yet on him because who would be that obvious? At any rate. Eventually STs kill all but 3 people, Lex dies, and Marz the new Scarlet Woman catches it. As soon as that happens, [Player 1] goes mute and puts up the middle finger hand.

Not sure if anyone who was in that game can confirm that anything was said, but apparently afterwards in a private chat Jon entered into, [Player 1] told [someone else] to just leave her alone and left the chat. [They] know we're on to [them] now, OR [they] don't and [they] just think Trace/Jon is an asshole STer with no token integrity.

This is one of a handful of issues we've identified over the last several months where it appeared that some spectators with Grimoire access may have actually been players in the game.

Describe the solution you'd like

Let me first say that I don't take this solution lightly, and I recognize that what I am suggesting may be quite difficult for TPI to implement, from a public relations standpoint. I hope it is given careful consideration, as I'm sure it will be.

My solution is to limit Grimoire access to Patreon (Townsfolk+) accounts, or potentially to open a Patreon level that is even lower and more accessible which only has the benefit of getting Grimoire access.

Collecting payment information for accounts has historically been used as a security measure when combating duplicate accounts or account abuse issues across all platforms and industries.

Alternatives you have considered

Users could be asked to tie a phone number to their account prior to receiving Grimoire access, but this now makes TPI beholden to regulations which control PII, including GDPR laws in Europe, which are notoriously strict and costly to maintain.

The same issues arise when attempting to use the application to verify any data (phone number, email, address, payment info, etc); BoTC.app and TPI then become responsible for the collected data.

Allowing Patreon to manage all PII and PCI data shifts all liabilities to organizations already going through the appropriate regulatory checks and balances, and allows TPI to continue operating as they currently do.

Comments

No response

bra1n commented 4 months ago

Hi Kevin, thanks for your feature suggestion! We are aware of the risk of cheating that allowing spectators to get Grimoire access brings with it. However, this will always be a Storyteller decision and if it becomes a more common problem, we hope that the Storytellers will be able to regulate it, for example by not giving Grimoire access to people they don't know.

That said, I also think that getting some kind of account verification in place at some point will be the way to go forward. Limiting Grim access to players with a Patreon subscription would be a first (and easy) step. In fact, this is something that can already be done today: on the user list, you can see whether someone has a Patreon subscription or not, by looking at the color their username has. If it's gray / white, then they don't have an account. So my suggestion here would be to ask your Storyteller to not simply grant Grimoire access to everyone that asks, because you've had issues with that in the past.