Dear Blizzard, Let Me Give You Protips re: Hack Statements

First of all let me reprint in its entirety without my comments, Blizzard’s comments in regards to potential Battle.net hacks:

Battle.net® Account Security & Diablo® III

We’d like to take a moment to address the recent reports that suggested that Battle.net® and Diablo® III may have been compromised. Historically, the release of a new game — such a World of Warcraft® expansion — will result in an increase in reports of individual account compromises, and that’s exactly what we’re seeing now with Diablo III. We know how frustrating it can be to become the victim of account theft, and as always, we’re dedicated to doing everything we can to help our players keep their Battle.net accounts safe — and we appreciate everyone who’s doing their part to help protect their accounts as well. You can read about ways to help keep your account secure, along with some of the internal and external measures we have in place to help us achieve our security goals, at our account security website here: www.battle.net/security.

We also wanted to reassure you that the Battle.net Authenticator and Battle.net Mobile Authenticator (a free app for iPhone and Android devices) continue to be some of the most effective measures we offer to help players protect themselves against account compromises, and we encourage everyone to take advantage of them. In addition, we also recently introduced a new service called Battle.net SMS Protect™, which allows you to use your text-enabled cell phone to unlock a locked Battle.net account, recover your account name, approve a password reset, or remove a lost Authenticator. Optionally, you can set up the Battle.net SMS Protect system to send you a text message whenever important changes occur on your account.

For more information on the Authenticator, visit http://us.battle.net/support/en/article/battle-net-authenticator-faq

For more on the Battle.net Mobile Authenticator, visit http://us.battle.net/support/en/article/battle-net-mobile-authenticator-faq

For more on Battle.net SMS Protect, visit http://us.battle.net/support/en/article/battlenet-sms-protect

We also have other measures built into Battle.net to help protect players. Occasionally, when Battle.net detects unusual login activity that differs from your normal behavior — such as logging in from an unfamiliar location — we may prompt you for additional information (such as the answer to one of your security questions) and/or require you to perform a password reset through the Battle.net website. World of Warcraft players might be familiar with this security method already, and Diablo III players may begin to encounter it as well.

As always, if you think you’ve been the victim of an account compromise, head to the "Help! I’ve Been Hacked!" tool at http://us.battle.net/en/security/help for assistance

As far as these things go, it’s well constructed.  It’s long enough to seem transparent, and detailed enough in guidance to result in every single online gaming press to reprint it without question.

But let’s look at it.  Let’s really look at it.

Battle.net® Account Security & Diablo® III

Good title, a tried and true practice of framing the issue clearly without seeming like there’s anything going on.  “Hey!  We just thought we would do a post about account security and Diablo 3!  No reason!” Note also the distinct brand separation of Battle.net from Diablo 3. I would imagine this is intentional. If Battle.net’s brand has to take a hit, most people don’t equate that name with Diablo 3. Yet.

This is the first most important thing you can do in perception manipulation: frame your response at the outset to be making it seem routine and breezy, protect your money making asset and throw the obscure one under the bus. Even the title is critical.

We’d like to take a moment to address the recent reports that suggested that Battle.net® and Diablo® III may have been compromised.

Highlights are mine.

These highlights are not inaccurate.  But they are manipulative.  They seek to first and foremost cast into doubt any accuracy in the reports.  This is typically indicative of an investigation either underway or one that has resulted in facts that make the people crafting this message keenly interested in muddying the waters.

Let’s stop for a moment for me to say this: I have no idea what is going on.  I am not trying to say Blizzard is doing one thing or another.  I am trying to show you how the careful crafting of language (sometimes by lawyers and PR firms) permeates statements in crisis situations.

Look at the words “suggested” and “may have been.”  These statements, from my understanding, go through multiple revisions by committees of people to craft a plausibly disputed description of the response.

Why plausibly disputed?  Well in my well learned opinion, to avoid legal liability. The possible presence of lawyers in the crafting of the message in this case means that legal advice was being dispensed.  So, during a lawsuit discovery phase the crafting of the total statement cannot be shown in court because lawyers were providing legal advice on how their clients should communicate. That’s protected under attorney client privilege.

Already, merely a few words in, the idea of communicating without really giving information is established.  I won’t bore you with the rest of the statement to this level of detail.  Instead I will simply denote what every gaming site on the Internet will gloss over:

Historically, the release of a new game — such [SIC] a World of Warcraft® expansion [/SIC] — will result in an increase in reports of individual account compromises, and that’s exactly what we’re seeing now with Diablo III.

*This happens to everyone, it’s not our fault for not preventing it. Also we wrote this in a hurry and messed up our grammar.

We know how frustrating it can be to become the victim of account theft, and as always, we’re dedicated to doing everything we can to help our players keep their Battle.net accounts safe — and we appreciate everyone who’s doing their part to help protect their accounts as well.

*Subtle hint that if we didn’t clearly communicate the risk or provide enough incentive in using our security features, this is kind of your fault. But we thank those who deciphered the arcane settings instead of playing the game to help lower our instances of fraud.

**Special bonus free protip to companies: Offer unique DLC or bonus upgrades for people who “proof up” their accounts to become verifiable.  This is how you get people to use features that add friction to the log in process.

You can read about ways to help keep your account secure, along with some of the internal and external measures we have in place to help us achieve our security goals, at our account security website here: www.battle.net/security.

We also wanted to reassure you that the Battle.net Authenticator and Battle.net Mobile Authenticator (a free app for iPhone and Android devices) continue to be some of the most effective measures we offer to help players protect themselves against account compromises, and we encourage everyone to take advantage of them. In addition, we also recently introduced a new service called Battle.net SMS Protect™, which allows you to use your text-enabled cell phone to unlock a locked Battle.net account, recover your account name, approve a password reset, or remove a lost Authenticator. Optionally, you can set up the Battle.net SMS Protect system to send you a text message whenever important changes occur on your account.

For more information on the Authenticator, visit http://us.battle.net/support/en/article/battle-net-authenticator-faq

For more on the Battle.net Mobile Authenticator, visit http://us.battle.net/support/en/article/battle-net-mobile-authenticator-faq

For more on Battle.net SMS Protect, visit http://us.battle.net/support/en/article/battlenet-sms-protect

This is good guidance.  But it’s buried in the overall defensiveness of the opening.  There’s no real incentive to take these actions for the customer.  My eyes glazed over by the time I read it.  Whoever the potential lawyers and PR people who crafted this, seriously guys: you were so concerned with protecting yourselves you made words words words.  I know you know every gaming site will simply reprint it.  But you are giving guidance here. The guidance part?  That’s the meat.  Not the “Reports” that “Suggest” there “may be” a problem.

We also have other measures built into Battle.net to help protect players. Occasionally, when Battle.net detects unusual login activity that differs from your normal behavior — such as logging in from an unfamiliar location — we may prompt you for additional information (such as the answer to one of your security questions) and/or require you to perform a password reset through the Battle.net website. World of Warcraft players might be familiar with this security method already, and Diablo III players may begin to encounter it as well.

As always, if you think you’ve been the victim of an account compromise, head to the "Help! I’ve Been Hacked!" tool at http://us.battle.net/en/security/help for assistance

Again, good stuff.  Bravo!  But, words words words at the end of a lot of words words words. All of the guidance should have been up front.

All right. So, since I’m Mr. Brilliant Mcsmartypants here, how would I have done it?

Easy. I would have unlocked a unique item in Diablo 3 for anyone who enables the security features and I would have said this:

(PLEASE NOTE NONE OF THE BELOW ARE STATEMENTS ISSUED BY BLIZZARD. THIS IS ME JUST OFFERING ADVICE. DO NOT CONFUSE THIS WITH ANY OFFICIAL STATEMENTS REGARDING DIABLO 3, THIS IS JUST A LESSON IN CUSTOMER RELATIONS AND PR.

SERIOUSLY.)

We’ve heard from our customers that there are issues involving Battle.net account security in Diablo 3.  Before we address those complaints we want to remind all our customers of the following:

Battle.net account security can be increased by using secondary authentication:

For more information on the Authenticator, visit http://us.battle.net/support/en/article/battle-net-authenticator-faq

For more on the Battle.net Mobile Authenticator, visit http://us.battle.net/support/en/article/battle-net-mobile-authenticator-faq 

For more on Battle.net SMS Protect, visit http://us.battle.net/support/en/article/battlenet-sms-protect

If you enable these options, your Battle.net is eligible for a unique Diablo 3 [Insert level appropriate reward]

*Cut to the reason to increase your account security up front with helpful guidance.

Secondly, if you think you’ve been the victim of an account compromise, head to the "Help! I’ve Been Hacked!" tool at http://us.battle.net/en/security/help for assistance.

*Next, immediately validate people’s concerns by offering help. The last thing people want to hear are “isolated reports” that “suggest” there “might be” a problem. They want to know where to go if all their items are gone.

Last? address the issue:

We’re concerned about the customer posts and details regarding negative impact to their accounts. We’ve taken the reports seriously and assigned teams to investigate. However that takes time. Please understand we’re not dismissing or shrugging off a situation that might result in the hard work we’ve done to make Diablo 3 such a great title to be undone. We will provide further updates on a 48 hour basis to [THIS LOCATION]

*Then, you take a competent community spokesperson and make that person available 24/7 to press. Issue the statement, but allow it to be challenged and explored by press.

See how many less words?  See how much more the statement assumes the mantle of responsibility without blaming the customer while still noting the investigation is ongoing? Plus, you get a real human to answer questions that challenge the statement.  The human might not be able to truly answer all the questions again due to legitimate concerns about liability, but a journalist can feel that they did their job challenging the issue with a real person instead of having to dissect and speculate about a statement.

This isn’t rocket science.

To see another analysis of blanket statement fail, here’s my breakdown of John Edwards’ admission of his affair.

7 comments

  1. Meh, both versions are ineffectual. If some wants to be upset, they’re going to be upset, regardless of what statement Blizzard releases. I could care less what some BS company statement says — all that matters are results, and I’m confident Blizzard has the resources and talents to correct these problems.

  2. I think you’re ignoring one of the main goals of the release, though, which is that Blizzard had investigated the claims, found they were false (essentially, a member of the press had lied about his authenticator status and ginned up theories that Blizzard had itself been compromised), and was informing the community of that fact.  I think the problem is that in their effort to be diplomatic about the fact that the reports they were responding to were bullshit, they concealed what they were trying to say.

  3. Matthew Brug says:

    The reports weren’t accurate tho as far as I know, which is why they are casting doubt on them. It’s a simple common case of account stealing same as every other game with a login.
    Everyone with an iphone, android, windows phone 7, blackberry, or even an ipod touch have access to an authenticator, I highly recommend one. Got mine after my WoW account was comprimised years ago.

    • Stepto says:

      Oh the FIFA issue wasn’t ignored by a long shot. I gave many interviews on that. But it’s definitely a case where, turning my own critique on myself, I should have pushed harder to be more transparent. But your point is correct.

      While my post is about Blizzard, its really more a problem with all companies providing services these days. Once an issue arises, the lawyers and PR people jump in to frame the issue. In trying to protect the company providing the service from bad PR or liability, they totally forget the main point: their customers are being impacted.  Too often, the customer impact part gets tacked on at the end as an after thought.

      I’ve certainly been involved in my fair share of it, which is why I’m so critical about it.

  4. Ted Milker says:

    At one point(I don’t know if they still do), Blizzard offered an incentive to get account authenticators for World of Warcraft in the form of an “exclusive” in-game pet if you linked one to your account.  However, I can see from a sales point of view that offering authenticators right out of the box(literally or figuratively) for Diablo 3 could cast doubts on Blizzard’s security from a consumer’s point of view.

Leave a Reply to SteptoCancel reply