Data Collection Notice

This game collects data, in this post I will explain what data is being collect, how it's being collect, and why.

What is Collected

The following data is collected during the game and send once every minute.

• Items bought
• When the player starts/stops moving
• Current points and points per second

If you want to know which data exactly is being collect, you can see that here (the whole game is open source).

How it's Collected

The data is being buffered and send once every minute. If the server responds with an error, the data will be stored and send with the next batch, otherwise the stashed data is cleared. This could result in memory issues if you hit errors every time, but you would need to play the game for dozens of hours for this to actually become a problem.

The payload is being hashed using HMAC + API KEY. The server will reject any data with mismatching keys. This is to prevent people from sending nonsense. I really doubt that anybody would do that, but I lowkey just wanted to see how I could implement this.

Actually, people did some shenanigans in another project. I had a public leaderboard that just accepted raw POST requests without any API key hashing. People could theoretically just curl arbitrary data to the server, and they did!

Note that this is by no means completely secure, there are ways to obtain the API key and because all of the software is open source it's quite trivial to figure out how to hash the payload and the API key, but oh well, it's better than nothing.

In order to know which data belongs to which user, an UUID is generated for every user when they first play the game. This UUID has absolutely no link to the users itch account, in fact you can't even access the itch data from within a wasm game. In that sense, the data is completely anonymous.

There are NO third-parties used for collecting, storing, or transmitting the data. I handrolled the whole process. Every minute the game creates a POST request to my server, which will listen for game telemetry and store it on the server in a separate location from the opened port. This means no third-party has access to the data (and, ideally, nobody except me can access it).

Just like the game, the telemetry service is written in Rust. And just like the game, the telemetry service is open source.

Why it's Collected

I made this game for my Bachelor Thesis. And because the Bachelor Thesis is study, I need to collect data to answer the thesis's hypothesis. The data is only used for research purposes.

The game actually consists of two builds, one with building elements (you place the vegetables), and one without (you just buy the vegetables). Which build you get depends on your UUID (the least significant bit is used, if it is odd than you get building elements (i.e. 1) and if it is even you don't get building elements (i.e. 0)).

To this end, the game collects data to analyze player engagement. My original hypothesis was that adding building elements will increase player engagement, and so to test this the two different builds are being used.

There is also a survey about the game. In case you played, you can answer the survey in the game's menu (pressing ESC while in game) and click Open Survey. The reason I don't link it here is very simple: I want to know which UUID corresponds to which survey, so I parse the UUID (which is stored in the game) to the survey URL, that is what the ?id= is for.

In case you have any questions, or just want to talk about something, feel free to reach out.