Session keys and the TOS
The TOS are not there to beat up players who are not harming the game. They’re there to try to cover as many mechanisms as possible that could be used to harm the game so that ANet can legally terminate an account.
If you have a question about something you’d like to do, do what the creator of gw2spidy did and have a conversation with ANet. There may be implications to the game you didn’t consider, or it might not be a problem. You won’t know until you have the conversation about something specific.
He might start thinking he knows what’s right for you.
—Paul Williams
Yeah that’s what I’m trying to do here, but I also don’t want to be posting things which may or may not be considered exploitative on the forum. I’ll put this out as a specific request, since what I’m posting is publicly available in the gw2spidy API readme, which Anet seems okay with.
Just as you can get a session key by looking into the game data for that session, you can also get a character ID that identifies the character that’s logged in. Using this information, it would be pretty easy to write something that sends a request for a character’s buy and sell history. Alternatively, you could use it to write something that checks the prices of all the items in your inventory. Those types of things.
As you say, the TOS isn’t there to beat up on people, and I don’t think either of those two possible functions would give you an unfair advantage or hurt the game. On the other hand, I can also think of other things you could, in theory, do using this sort of data, and I think some of those things would clearly negatively impact the game in general or specific players, so I wouldn’t be surprised if Anet wanted to regulate this. That’s why I’d like better general guidance as to what is and isn’t appropriate.
I would talk to them directly through the support system. That will make sure that your question gets the attention of the right folks without making it too public before things have been hashed out.
You’ll probably have to wait a bit before you get hooked up, but I think the signal to noise improvement will be worth the wait.
ANet would be crazy to post anything publically that might be construed as them giving folks a free pass on some provisions of the TOS, even though they are willing to make specific exemptions.
He might start thinking he knows what’s right for you.
—Paul Williams
Hmm that’s a good point, so I’ll do that. I do think they need to make clarifications, since it’s patently obvious to anyone who looks into it that the rule against accessing memory is violated by gw2spidy, and they don’t seem to care.
… Alternatively, you could use it to write something that checks the prices of all the items in your inventory.
No this isn’t possible, you can only access Trading Post information and not character info unless you data mine the application itself which is most likely against the TOS. I should also point out that selling things using methods such as you describe is not possible.
And btw gw2spidy doesnt access memory, the session key can be retrieved using a the anet account authentication (which is a http protocol), this key allows you to access all the information visible on the gw2spidy site. Also the character id itself is available externally and doesnt require data mining the application.
(edited by aeneq.1760)
Hmm that’s a good point, so I’ll do that. I do think they need to make clarifications, since it’s patently obvious to anyone who looks into it that the rule against accessing memory is violated by gw2spidy, and they don’t seem to care.
It may be obvious if you’re using common sense, but it’s a completely different story when you get lawyers involved
He might start thinking he knows what’s right for you.
—Paul Williams
… Alternatively, you could use it to write something that checks the prices of all the items in your inventory.
No this isn’t possible, you can only access Trading Post information and not character info unless you data mine the application itself which is most likely against the TOS. I should also point out that selling things using methods such as you describe is not possible.
And btw gw2spidy doesnt access memory, the session key can be retrieved using a the anet account authentication (which is a http protocol), this key allows you to access all the information visible on the gw2spidy site. Also the character id itself is available externally and doesnt require data mining the application.
Yeah I didn’t want to talk specifically about how to get the data, as I’m not sure if that would be frowned upon. Regardless, what you’re talking about doing almost certainly violates the letter of the law with respect to parts (ii) and (iv) below:
[You agree to not…] Use, obtain or provide data related to operation of the Game, including but not limited to:
(i) software that reads areas of computer memory or storage devices related to the Game;
(ii) software that intercepts or otherwise collects data from or through the Game;
(iii) software that redirects communications from any Software or Service; or
(iv) software not provided by NCsoft which creates or maintains any communication to the Software or Service, including but not limited to any software that emulates the Software or any part thereof as well as any server that emulates the Service or any part thereof;
I do think that checking your inventory requires you to move farther into the wrong, instead of residing in a grey area, but I’m about as sure as I could be that you could obtain a buy/sell order history in the same way as you get prices, which would be without “mining the game client”. And while selling things is not actually possible using merely the http protocol, buy orders are(I haven’t done this myself, of course, but the gw2spidy API itself attests that it can be done, if you don’t believe me). I would be shocked if sending buy orders from outside the game would not result in a ban, but it’s why I can see them being very cautious with allowing people to access character IDs.
(edited by Rev.1453)
True (iv) would probably cover it, however (ii) is not since its the same session key that’s used for accessing your account when logging into the web portal.
Sell/buy lists and actually submitting buy orders require you to identify a character and that itself might be more “wrong” than the TOS grey area allows but with regards to gw2spidy their service doesn’t make use of said functionality.
(edited by aeneq.1760)
The session key you can obtain out of game by going directly to the webpage is different and only lets you access the cached search listings.
The session key the game uses grants you access to the buy and sell listings. Using the character ID in combination with the session key allows you to access your transaction history and place buy orders.
I doubt ArenaNet actually gave gw2spidy specific confirmation that grabbing the in-game session key was ok. They probably just said that what they were doing (parsing the TP) was ok, and since they were using the session key to do it, it was assumed that must also be ok. Giving a public exception to the rules isn’t something you do lightly, so I doubt they would further confirm anything.
Programs that do probably everything you’re thinking and then some already exist. Some even fully automate (bot) the TP, and since placing sell orders and picking up must be done through the client, those programs would be classified as botting.
It is possible to pull the data on all sellable items in your inventory, but only when you click the sell tab in game, at which point the request is made giving the ID of every item. You can then pull all the live data, rather than the cached data it shows and calculate whatever you want to know.
Yes but what I wanted to point out was that gw2spidy doesn’t use character specific information which might be why its “ok” for now, and as such they wouldn’t necessarily need the in game key. Since the gw2spidy code is online it should be quite easy to verify exactly how they are accessing the service…
gw2spidy uses the in-game key. It’s the only way you can get volume listings and what the item is actually going for. The out of game key can only retrive the data you see when searching, which is basically just the cached sell and buy prices.
The character ID, like the session, can be obtained out of game by watching the HTTP requests and judging by history, ArenaNet probably doesn’t care if you use it. Using it to place buy orders though gets a little iffy since it can be seen as botting from an in-game perspective, but if they intended it to be an accessible webpage and/or moddable (in theory you should be able to proxy and rewrite the TP allowing for your own custom interface), it really isn’t. Playing with sell orders is the only thing that can’t be done through the TP directly, and automating it would definitely be considered a violation.
gw2spidy of course has no reason to use the character ID, since the only data that requires using it is your own personal data.
On another note, never give out both your in-game session key and your character ID. With both of those keys, in theory, I can steal your gold.