Blizzard Entertainment Hit With Class Action Lawsuit Over 'Deceptive' Security Tools

Blizzard Entertainment, the developer of popular video games like “World of Warcraft,” “Starcraft II” and “Diablo III” and subsidiary of the publishing giant Activision Blizzard Inc. (Nasdaq: ATVI) has been hit with a lawsuit by two customers claiming that the company's online security tools are deceptive and coerce users into paying more money for protection that should be offered as a free service.

At issue in the suit is Blizzard's Authenticator service for its Battle.net servers, which support multiplayer gameplay for all of the company’s major PC games. The authenticator service is a security measure used to prevent potential hacks into player accounts, which was launched around the same time that Blizzard peformed a massive overhaul of Battle.net in 2009 to centralize all player information into a single account.

Putting all user information for several games with massive online audiences understandably added to the risk of any given account being made vulnerable to hackers from any of Blizzard’s games. Players could then purchase a keychain authenticator for $6.50 that will randomly generate a new password every time a user signs into Battle.net. The authenticator was also made available as a free smartphone app, but it is only compatible with Blizzard’s most recent games.

The suit, "Benjamin Bell et al. vs Blizzard Entertainment," was filed in California late last week by Arkansas native Benjamin Bell and Los Angeles resident Christopher Spellman. Both Bell and Spellman allege that Blizzard has "failed to take the necessary measures to secure the private information of their customers, as stored on a website owned and administered by [Blizzard]."

The lawsuit alleges that Blizzard “fails to disclose to consumers that additional products must be acquired after buying the games in order to ensure the security of information stored in online accounts that are requisites for playing,” according to a press statement from the law firm Carney Williams Bates Pulliam & Bowman, PLLC. “This deceptive upselling, coupled with Blizzard’s negligence in maintaining proper security protocols, compromised millions of customers’ email addresses, passwords, answers to personal security questions, and other items of sensitive information.”

"The authenticator greatly reduces the chance of someone else gaining access to your account, and we strongly recommend you add this measure to your account today," Blizzard said on its website. "It's available both as a keychain device and an app for various mobile phones."

But Bell and Spellman reason that these added security measures should be provided to all users. Pointing to the continued “Diablo III” hacks that have plagued the game since its release earlier this year, they argued Blizzard failed to inform their users of the danger their accounts faced.

Blizzard's website "has suffered multiple instances of theft of the private information of its customers and [Blizzard has] added extra, hidden, post-sale costs onto their products, namely in the form of auxiliary security devices that customers must purchase to ensure the sanctity of their private information when using defendants' products," the suit said.

In a statement, Blizzard said that the suit was "without merit and filled with patently false information,” adding that “we will vigorously defend ourselves through the appropriate legal channels."

Blizzard countered that it took immediate steps to notify Battle.net about this summer’s security breach, calling the the allegations against the authenticator completely untrue and apparently based on a misunderstanding of [its] purpose.”

"Not only did Blizzard act quickly to provide information to the public about the situation, we explained the actions we were taking and let players know how the incident affected them, including the fact that no names, credit card numbers, or other sensitive financial information was disclosed," the company said.

The statement called the Authenticator “an optional tool that players can use to further protect their Battle.net accounts in the event that their login credentials are compromised outside of Blizzard's network infrastructure.”

Understanding the inconvenience of added security measures and the controversy that video game publishers wade into whenever they try to enforce enhanced digital rights management (DRM) policies to protect against piracy, Blizzard thus reasoned that the authenticator should be left as an optional feature.

"Considering that players are ultimately responsible for securing their own computers, and that the extra step required by the Authenticator is an added inconvenience during the log in process, we ultimately leave it up to the players to decide whether they want to add an Authenticator to their account," Blizzard said.

"However, we always strongly encourage it, and we try to make it as easy as possible to do."