Restrict Grim Access to Patreon Subscribers #194

Open
sugitime opened this issue Jul 5, 2024 · 1 comment
Labels
feature New feature or request


sugitime commented Jul 5, 2024

What problem are you trying to solve?

Misuse of additional accounts to gain information about the Grimoire has become more common as the game has grown in popularity and population. Here is a recent issue that occurred on 7/4/24, with some names redacted and pronouns changed for privacy reasons (I will give them to TPI on request):

So I was speccing a game that Trace and Jon were STing. Lex was the Yaggababble with the phrase "witch check," and he had not yet said it that game. [Player 1] was the Gossip, and there was a new spec in game named [Spec 1]. I [compared the user ID to a list of users/user ID pairs we maintain privately] and it was [on the sheet under a different name than they were using today]. Day one, [Player 1] gossips incorrectly. Splits the grim, has the wrong half. Sometime that night, [Spec 1] winds up with grim. Oopsie poopsie! So day two, first thing out of [Player 1]'s mouth is "So what's your Yagga phrase, Lex?" And then gossips that Lex is the demon.

Jon was... yeah. Decided that we needed to test this. There was a Witch, the male Marz, who hadn't procced. Jon went to him, said something like, "Look, please don't say anything. You're the Scarlet Woman. You've always been the Scarlet Woman. Tell nobody." Marz just said "okay," and they revoked grim from [Spec 1] and then swapped the token.

Lex wound up on the block. Said the phrase spamming it 24+ times (LOL that was a fun reminder token). I think he survived that day? It may be that I have it backwards and it was after that where they decided not to pull the trigger yet on him because who would be that obvious? At any rate. Eventually STs kill all but 3 people, Lex dies, and Marz the new Scarlet Woman catches it. As soon as that happens, [Player 1] goes mute and puts up the middle finger hand.

Not sure if anyone who was in that game can confirm that anything was said, but apparently afterwards in a private chat Jon entered into, [Player 1] told [someone else] to just leave her alone and left the chat. [They] know we're on to [them] now, OR [they] don't and [they] just think Trace/Jon is an asshole STer with no token integrity.

This is one of a handful of issues we've identified over the last several months where it appeared that some spectators with Grimoire access may have actually been players in the game.

Describe the solution you'd like

Let me first say that I don't take this solution lightly, and I recognize that what I am suggesting may be quite difficult for TPI to implement, from a public relations standpoint. I hope it is given careful consideration, as I'm sure it will be.

My solution is to limit Grimoire access to Patreon (Townsfolk+) accounts, or potentially opening a Patreon level that is even lower and more accessible which only has the benefit of getting Grimoire access.

Collecting payment information for accounts has historically been used as a security measure when combating duplicate accounts or account abuse issues across all platforms and industries.

Alternatives you have considered

Users could be asked to tie a phone number to their account prior to receiving Grimoire access, but this now puts TPI beholden to regulations which control PII, including GDPR laws in Europe, which are notoriously strict and costly to maintain.

The same issues arise when attempting to use the application to verify any data (phone number, email, address, payment info, etc); BoTC.app and TPI then become responsible for the collected data.

Allowing Patreon to manage all PII and PCI data shifts all liabilities to organizations already going through the appropriate regulatory checks and balances, and allows TPI to continue operating as they currently do.

Comments

No response

sugitime added the feature (New feature or request) and triage (This issue still needs to be evaluated) labels Jul 5, 2024
Member

bra1n commented Jul 8, 2024

Hi Kevin,
thanks for your feature suggestion! We are aware of the risk of cheating that allowing spectators to get Grimoire access brings with it. However, this will always be a Storyteller decision and if it becomes a more common problem, we hope that the Storytellers will be able to regulate it, for example by not giving Grimoire access to people they don't know.

That said, I also think that getting some kind of account verification in place at some point will be the way to go forward. Limiting Grim access to players with Patreon subscription would be a first (and easy) step. In fact, this is something that can already be done today: on the user list, you can see whether someone has a Patreon subscription or not, by looking at the color their username has. If it's gray / white, then they don't have an account. So my suggestion here would be to ask your Storyteller to not simply grant Grimoire access to everyone that asks, because you've had issues with that in the past.

bra1n removed the triage (This issue still needs to be evaluated) label Jul 8, 2024
bra1n moved this from Backlog to Planned in Blood on the Clocktower App Jul 8, 2024
bra1n changed the title from "Restrict Grim Access to Townfolk+ Patreon Subsribers" to "Restrict Grim Access to Patreon Subscribers" Jul 8, 2024