Toxic players exist in this game, whether we'd like them to or not. With the Tribunal ever evolving, catching these troublesome individuals is improving. In my opinion, the game, at least at the higher levels, is getting better. However, this isn't to say that there aren't outstanding issues with the current system.
As of right now, there is an inherent problem that afflicts League of Legends and other similar free-to-play games. When a user gets his/her account banned, they can simply create a new one. There is no true repercussion for them. The only downside to being suspended is that a user must re-level his/her account, and re-acquire material (e.g. champions, runes, skins, and so forth) - there is a "time investment".
I believe that most players that get banned or suspended, just create a new account or play on their smurfs. This effectively circumvents their account action (they don't get the time out they deserve). There probably exists a subset of these individuals that, even after the numerous warnings and bans, don't improve their behavior.
This can cause problems for new players who might not be accustomed to this toxic behavior. Imagine the displeasure of playing one of your first League of Legends games with a toxic individual. The experience would portray League of Legends in a "bad light" to these new players. This could even cause a potential player to quit playing the game.
With that being said, why not create a system in place where you can issue hardware ID bans to individuals? No, I'm not proposing IP bans. IP bans are so 1990s. Everyone knows how to bypass them, and they cause more trouble than they are worth (e.g. sharing of IP addresses). I am proposing hardware ID style bans (similar to the way Microsoft did for Xbox 360 users to combat piracy). For this to be successful, you would need to design an algorithm to generate a unique hash. This hash would be a combination of certain characteristics of the individual's running hardware or operating system configuration. The goals of the hash: must be relatively static (doesn't change on reboot; doesn't change on installation/removal of software; (PREFERABLY) doesn't change on OS reinstall), and unique (avoids collisions).
Designing the algorithm for the hash would take some work. It's not impossible, nor is there too much time investment. An example of an archaic (and poor) implementation of such an algorithm:
Generating a SHA256 hash based on
Logged in user name (GetUserName) + Computer name (GetComputerName) + Maximum space available on the system drive + Volume Serial number of drive (GetVolumeInformation) = SIMPLE_HASH
Now, this obviously would not be the best algorithm. Why?
It's way too easy to defeat. To generate a new hash, all the user would need to do is change their user name, change their computer name, alter their system drive configuration, or change their volume serial number. All these tasks are trivial to complete. This is just an example: I know there are better identifiers that are unique and static, but this should suffice to further the discussion.
SIMPLE_HASH will be associated with my machine's configuration. Regardless of what LoL account/IP address I log under to play, my computer's generated SIMPLE_HASH is always the same.
We can use this generated SIMPLE_HASH to prevent toxic individuals from playing League of Legends.
A hypothetical situation:
Let's say that I've been a terrible player. I have had countless warnings. Finally, I get banned by the Tribunal permanently.
What are my options?
1. I can quit playing the game,
2. or (the more likely of the 2) I make a new account.
To continue the discussion, let's say I choose to create a new account. I log in to the game service. SIMPLE_HASH can be computed as I log in (or, preferably, at random discrete times to make it more difficult to reverse engineer) to my new account. SIMPLE_HASH, because of the nature of the algorithm, should always generate the same hash for my machine. The login authentication module will then do a lookup in the accounts table (or perhaps to reduce the performance impact of such a large query, it would be wiser to check a small 'banned' table subset) that have my associated SIMPLE_HASH. If my SIMPLE_HASH has an account associated with it that has been previously banned, we can ban this newly created account and prevent the user from logging in. Ta-da! We stopped a toxic individual from creating a new account to play League of Legends. VICTORY IS OURS!
But, there might be problems. I'll try to address potential issues and offer solutions to them:
1. What if we wrongfully ban a user who hasn't done anything wrong?
Ideally multiple hashes (e.g. 2) would be generated using different criteria (and ideally a different cryptographic hash function). This would reduce the chances (to almost nil!) of collisions. This would greatly prevent banning an individual by accident.
2. What if the user decides to just play on a different computer?
Well, that's obviously a problem, but here is a solution that resolves most cases. Instead of immediately actioning an account, the smarter way would be to delay it. This would allow the service to collect multiple SIMPLE_HASHes (since they are logging in to their account with different computers, the hashes will be different). These multiple hashes can be associated with that account. Once that account is actioned, all the hashes associated with the account are blacklisted. Obviously, preventing corner cases is possible with a little insight (e.g. I log into my friend's computer. His hash is then associated with my account. I do something stupid. I get banned. Because I logged into my friend's account, he need not get banned also. To avoid this, one can look at other measures, e.g. how often I log in from that computer).
3. How does this stop me from purchasing a new computer/new hardware to play League of Legends after you banned me?
It won't! As long as this new machine generates a hash which is not associated with the banned account (which it will), you effectively beat the system. However, is it economically viable for you to purchase a new computer/new part (which may or may not be related to the hash calculation) just to play League of Legends again? Even if it was, would this repercussion at least make you think twice about what you are doing?
4. Reverse engineering: How would you prevent it?
Through smart programming practices: randomizing the times the algorithm is invoked, good use of delay, having consistency checks of the running image (scanning our own process memory to see if our function was patched), dynamically generating the algorithm (retrieving constraints from the server), etc...
5. What about my privacy?
No one will be nosing around your private data. For the most part, League of Legends already collects system hardware configuration.
Final words: Obviously, what you put into this is what you'll get out of this. If this is a small problem (which it might very well be), the solution shouldn't need to be extremely complex. This would undoubtedly make it easier to "break", but when this impacts such a small subset of the population, the likelihood of someone bypassing this greatly decreases. It should prevent most toxic players from rejoining the community, if not all.
Food for thought: There are SO MANY OTHER useful implementations of the aforementioned technology. In ADDITION to keeping toxic players out of the community, this could be used to better detect smurfs (improve the matchmaking system!), detect account intrusions, etc... THE SKY'S THE LIMIT.
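The ban lookup and the "friend's computer" corner case from the post above, as an added Python sketch (not part of the original post and not Riot's code). The `BanLedger` class, the `min_logins` threshold and all sample identifiers are hypothetical and constructed; the four inputs are passed in as values rather than read from the OS calls the post names.

```python
import hashlib
from collections import defaultdict

def simple_hash(user_name, computer_name, drive_capacity, volume_serial):
    """SHA-256 over the four identifiers the post lists (values passed in, not read from the OS)."""
    h = hashlib.sha256()
    for field in (user_name, computer_name, str(drive_capacity), str(volume_serial)):
        data = field.encode("utf-8")
        # Length-prefix each field so ("ab", "c") and ("a", "bc") hash differently.
        h.update(len(data).to_bytes(4, "big") + data)
    return h.hexdigest()

class BanLedger:
    def __init__(self, min_logins=5):
        self.min_logins = min_logins  # hypothetical threshold for a "regularly used" machine
        self.seen = defaultdict(lambda: defaultdict(int))  # account -> hash -> login count
        self.banned_hashes = set()    # the small 'banned' table from the post
        self.banned_accounts = set()

    def login(self, account, machine_hash):
        """Return True if the login is allowed; ban accounts arriving from a blacklisted hash."""
        if account in self.banned_accounts:
            return False
        if machine_hash in self.banned_hashes:
            self.banned_accounts.add(account)
            return False
        self.seen[account][machine_hash] += 1
        return True

    def ban(self, account):
        """Action the account; blacklist only hashes it used at least min_logins times."""
        self.banned_accounts.add(account)
        for machine_hash, count in self.seen[account].items():
            if count >= self.min_logins:
                self.banned_hashes.add(machine_hash)

def run_scenario():
    # All identifiers below are constructed sample values.
    home = simple_hash("alice", "ALICE-PC", 500107862016, "1A2B-3C4D")
    friend = simple_hash("bob", "BOB-PC", 256060514304, "5E6F-7A8B")
    renamed = simple_hash("alice", "NEW-NAME", 500107862016, "1A2B-3C4D")  # one input changed
    ledger = BanLedger()
    for _ in range(6):
        ledger.login("toxic_main", home)
    ledger.login("toxic_main", friend)  # a single visit to a friend's computer
    ledger.ban("toxic_main")
    return {"new_account_same_machine": ledger.login("toxic_alt", home),
            "friend_own_account": ledger.login("friend_acct", friend),
            "same_machine_renamed": ledger.login("toxic_alt2", renamed)}

if __name__ == "__main__":
    print(run_scenario())
```

The last result shows the fragility the post itself concedes: a hash built from user-editable values stops matching as soon as one of them changes, so the lookup is only as strong as the identifiers fed into it.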
I'm sure this has been kicked around at Riot more than a few times. The only reason why this isn't a reality already, and this is pure assumption, is that even people that get banned return and spend a few bucks to pick up a favorite champ or two from time to time.
I have no metrical data to support that but I would be surprised if it has never happened.
Hardware bans are you kidding me.
I am a PC tech, I have been hardware banned from some games before, in fact I grief in these games for revenge on other griefers and get banned 20 times a day if I wish hardware banned, and I manage to bypass the bans each time why?
Because hardware bans do not work.
1. There are multiple ways to use software to spoof your hardware IDs.
2. Most games work by Hard Drive Volume ID, Serial Number, or MAC address, so changing some of your hardware you get around them, I can easily do this I have a box of network cards sitting here, my pc has 4 hard drives in it, and I have over 20 other hard disks in a box, Plus a bunch of routers.
CPU IDs is an idea, but then again I have spare CPUs too, although I think this is going to the extreme and wouldn't work in the long run.
Now collection of Volume ID, Hard disk space, memory, computer speeds, these are all easily changed too just for the record lol, and it wouldn't take too much to get a HACKER, or CODER to decompile the LOL client and leak a set of instructions or patch to bypass bans now would it?
Sure it would stop a dummy however. Maybe a 10 year old kid if that hell I was doing computer hardware since like 9 years old though heh.
© 2014 Riot Games, Inc. All rights reserved. Riot Games, League of Legends and PvP.net are trademarks, services marks, or registered trademarks of Riot Games, Inc.