
Analyzing GeForce Experience Data Transfers with Packet Monitoring

Posted on November 7, 2016

Most times, a level-headed approach offers the best insight as to how a particular piece of hardware or software functions at a low level. Talking to people who make that product, independently monitoring its performance, and then merging the two perspectives will create the clearest picture of both sides.

Today, we're looking into nVidia's telemetry and data collection through the GeForce Experience utility, and will be doing so with assistance from Wireshark for packet monitoring. We've also spoken to nVidia about the topic and have a statement from the company, printed further down. First, a recap of the internet's latest outrage, a look at what's actually happening in the GFE software, and then a discussion on nVidia's latest GFE changes.

A Recap

A recent reddit thread blew up for its citation of a Major Geeks article that described nVidia's driver package as "spying" on user data. This prompted users to dig up French magazine CanardPC's publication of nVidia's updated privacy policy and EULA, which apparently (we don't read French) focused on collection of system hardware information by GFE.

The GeForce Experience 3.0 update that was just pushed has begun requiring user account registration for usage, including a sign-in requirement to fully deploy ShadowPlay. NVidia allows for connection of accounts on its own domain, through Facebook, or through Google account services. We will discuss this more later.

In the PCMR thread, users posted pull-quotes of the privacy policy and EULA, which state the following:

"When you use our Services, we may collect 'Personal information,' which is any information that can be used to identify a particular individual which can include traditional identifiers such as name, address, e-mail address, telephone number and non-traditional identifiers such as unique device identifiers and Internet Protocol (IP) addresses. [...] We may from time to time share your Personal Information with our business partners, resellers, affiliates, service providers, consulting partners and others in order to provide our Services to you."

First, note that the above citation (taken from users of PCMR) is from a EULA and privacy policy which governs the nVidia.com website. This is not the same as the EULA and privacy policy that govern the GeForce Experience application. Still, we sent all of this information to nVidia and asked for a statement prior to beginning our independent research. NVidia provided the following:

"GeForce Experience collects data to improve the application experience; this includes crash and bug reports as well as system information needed to deliver the correct drivers and optimal settings. NVIDIA does not share any personally identifiable information collected by GeForce Experience outside the company. NVIDIA may share aggregate-level data with select partners, but does not share user-level data. The nature of the information collected has remained consistent since the introduction of GeForce Experience 1.0. The change with GeForce Experience 3.0 is that this error reporting and data collection is now being done in real-time.

All of this information is included in the EULA and the FAQ posted on GeForce.com."

We asked nVidia for an example of "aggregate-level data," to help better understand the specifics of what may be shared with "select partners." The company provided the following example:

"Aggregate data refers to information about a group of users rather than an individual.

For example, there are now 80 million users of GeForce Experience."

Personal-level data would include account information, like email addresses and names. Per the nVidia policies, the company does not share this information ("personally identifiable information") outside of nVidia.

What is GFE Actually Doing?

Let's first make the distinction that GFE is not the driver itself. This is a separate utility which is marketed toward users who seek automatic optimization of game graphics settings (read: applies settings based on your hardware and OS), and then further marketed toward users who seek gameplay capture software (ShadowPlay).

From the above, and from our monitoring lower down, we have learned that GeForce Experience is looking at system hardware, games present on the system, crash/dump files relevant to GFE or nVidia drivers, and could be monitoring popularity of particular game titles for users. GFE is also checking for a user's currently applied settings to games on the system.

Considering GFE's intended use case, this is reasonable data to collect and store. The aggregate version would also be reasonable data to share with game developers; for example, nVidia might inform Publisher A that XX% of its users are operating on hardware which is equivalent to or better than a GTX 1070, while YY% use a GTX 1060 and lower. This information could be useful for market research in determining potential reach of a game based upon its graphics requirements. We are not saying that nVidia does this, but it is an example where the information could prove useful.

On the functional side of things, GFE uses the hardware and software data to determine which applications are installed and how to optimize those applications.

Update: There are some telemetry-related files in the raw driver package as well, but they appear to be inactive at this time and do not transact data, as far as we can tell.

Data Transactions

We allowed Wireshark to monitor GFE's packet in/out transactions over a period of about an hour. The system was left to idle for a while, but also spent some time in various games. Hardware-level information is checked at installation, but here's a preview of what's happening once the package is running in the background:

[Image: Wireshark capture of GFE traffic (gfe-capture-wireshark)]

(Note: TCP rows are connection signaling, TLS rows are encrypted traffic, and ACK is an acknowledgment, sent when the server acknowledges the PC's request and vice versa.)

It's not the most user-friendly layout of data, but here's what's happening: the nVidia applications are transmitting to and from 192.229.210.202, which may be location-based. We're based in NC and that IP is in VA (or California, depending on which service you ask), so a CDN would mean that you connect to a different server IP address than we did. Regardless, that's the one we filtered in these results. We also filtered for the port range used by GFE to see if anything else was buried. Further, we looked through the "events" log generated by GFE and located within the local applications folders.

The transactions almost entirely consist of calls home, pretty standard, with additional GETs for images. The images are retrieved ("GET") from GeForce.com, and are used for game box art within the software.

Here is a direct link to one of the images transacted between us and the GFE server:

[Image: gfe-sample-image]

This is one of the images that plays in GFE's user interface walkthrough, used to show the UI layout. We're not data mining and packet analyzing experts, but from the data we've collected and from our conversations with nVidia, nothing here appears to be damning or personally identifiable.
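To quantify the split described above between encrypted calls home and plain HTTP image GETs, this added example (not GamersNexus's or nVidia's code) totals bytes per flow from a tshark field export and lists what an observer can read: full request URLs for cleartext flows, only the SNI hostname for TLS flows. The sample rows, the local address 10.0.0.5, the hostname service.example.invalid and the URL path are constructed; only 192.229.210.202 comes from the article.

```python
import csv
import io
from collections import defaultdict

REMOTE = "192.229.210.202"  # the server address the article filtered on

# Constructed rows (not the article's capture), shaped like the output of:
#   tshark -r capture.pcapng -Y "ip.addr == 192.229.210.202" -T fields \
#     -e frame.len -e ip.src -e tcp.srcport -e tcp.dstport \
#     -e tls.handshake.extensions_server_name -e http.host -e http.request.uri
SAMPLE = "\n".join([
    "66\t10.0.0.5\t50100\t443\t\t\t",                          # SYN
    "583\t10.0.0.5\t50100\t443\tservice.example.invalid\t\t",  # ClientHello
    "1514\t192.229.210.202\t443\t50100\t\t\t",                 # encrypted reply
    "54\t10.0.0.5\t50100\t443\t\t\t",                          # bare ACK
    "412\t10.0.0.5\t50101\t80\t\tgeforce.com\t/constructed/boxart.png",
    "1514\t192.229.210.202\t80\t50101\t\t\t",                  # image bytes
    "60\t10.0.0.5\t50102\t8080\t\t\t",                         # nothing dissected
])

def summarize(tsv, remote=REMOTE):
    """Total bytes per flow type and list what an observer can actually read."""
    flows = defaultdict(lambda: {"bytes": 0, "sni": None, "urls": []})
    for row in csv.reader(io.StringIO(tsv), delimiter="\t"):
        if len(row) != 7:
            continue  # skip blank or malformed lines
        length, src, sport, dport, sni, host, uri = row
        # Key the flow by the local port so both directions land together.
        flow = flows[dport if src == remote else sport]
        flow["bytes"] += int(length)
        if sni:
            flow["sni"] = sni
        if uri:
            flow["urls"].append(f"http://{host}{uri}")

    report = {"encrypted": 0, "cleartext": 0, "unknown": 0, "sni": set(), "urls": []}
    for flow in flows.values():
        if flow["sni"]:          # TLS: payload opaque, only the hostname is visible
            kind = "encrypted"
            report["sni"].add(flow["sni"])
        elif flow["urls"]:       # plain HTTP: the full request is readable
            kind = "cleartext"
            report["urls"].extend(flow["urls"])
        else:                    # no ClientHello or request seen in the capture
            kind = "unknown"
        report[kind] += flow["bytes"]
    return report

print(summarize(SAMPLE))
```

The "encrypted" total is the portion of the traffic that packet monitoring alone cannot characterize; its contents have to be established from other evidence, such as the local GFE logs.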

GFE is also collecting the following information:

  • GPU specification & vendor
  • GPU clock speed / overclocks
  • Monitor and display resolution
  • Driver settings for specific games (e.g. G-Sync toggling, type of anti-aliasing used)
  • Resolution, quality settings for specific games
  • Games and applications installed (e.g. Origin, Steam, Counter-Strike: GO, Overwatch)
  • Memory capacity
  • CPU specification
  • BIOS revision and motherboard

CanardPC has provided a sample of their own getsugar.log file, if you're curious about the specifics. Find that here.

At first installation of GFE, it appears that the tool dispatches hardware information from the local system to a server, which is probably then used in a similar capacity to Steam's hardware survey. This information is also used to determine what settings are optimal for games installed on the local system.

NVidia also has whatever information you used to register an account. That information would be governed under the normal privacy policy.

Our Thoughts

This seems to be a little bit sensationalized by the internet, which is now spawning conspiracy theories that the NSA is in on this. We think that it is obnoxious that GFE now requires account registration to use, but that's because it's annoying -- not because it is "spying" in a fashion which is somehow unreasonable. GFE worked well without an account. We'd like to see an option to use GFE as a guest for access to ShadowPlay in the future, but that's not really the point here.

The point is that GFE uses data to build user profiles around games. That type of data collection is not new to nVidia. Origin and Steam collect similar hardware-level data.

The data which is shared appears to be purely functional for GFE. NVidia says it may share aggregate-level data with its partners and that it does not share "personally identifiable" information with those partners. There is no way for us to independently validate that, obviously, so we'll have to assume that nVidia is abiding by its own privacy policy and EULA. Steam, as it happens, also has aggregate-level data on its game purchases. You can even view some of this publicly with the correct Chrome plugins.

The privacy policy indicates that nVidia can share data between social networks for ad placement via tracking cookies. This is fairly standard, and is done by most websites on the internet -- particularly those which have a product to sell via retail. An example would be when you see Facebook ads that are an exact item you'd been looking at earlier in the month, either through Amazon or elsewhere. We do not see this as a pitchfork-able offense in any greater capacity than we would for any other service.

We'll keep an eye on this in the future, but for now, this seems to be largely a non-issue. GFE's data collection appears to be deployed for the purposes you'd expect: Hardware-level information, plus aggregate information that may be useful to partners (e.g. most popular GPUs, CPUs, game genres, etc.). Our current complaint is just that GFE now requires an account -- but we've been vocal about that since nVidia first mentioned the idea. There is perhaps a valid point to being upset at this, or perhaps at the extra software packages installed being unnecessary for power users, but that is a completely different topic and creates a moving target. The fixed target is telemetry and allegations of "spying."

Unfortunately, the nature of writing this type of post does mean that comments will undoubtedly be met with at least one poster who cries "shill" or finds mirth in asking why we're not making a big fuss about this. The internet, for whatever reason, is seemingly more divided by AMD and nVidia than by actual world events. We are reporting the facts. That is what we do. It seems simple: The data collected by nVidia through its drivers is -- as of today -- seemingly for optimization purposes, and there is no distribution of private information. We will keep an eye on this, as there's always the possibility for more information to emerge, but we do see this as an issue blown out of proportion by mob mentality. You'll have more invasion of privacy just from navigating the internet and its biggest retailers.

- Steve "Lelldorianx" Burke.