Why I Think IAP Spoofing is Stealing
Article • 688 Words • Philosophy • 03/20/2021
This is an abbreviated version of a longer paper that I have written called, “The Ethical Status of In-App Purchase Spoofing”. If you would like to read the full paper, please contact me. In-app purchases (IAPs) are small in-app items or features that are purchasable and typically only affect in-app activities. IAP spoofing occurs when a person receives an IAP without paying for it by tricking the payment authentication system. In this paper, I argue that IAP spoofing should be classified as a kind of stealing.
An in-app purchase is some kind of small in-app item or feature that you can purchase to enhance your experience. Various examples include character skins, ad removal, or player power-ups. IAP spoofing is the act of tricking the payment authentication system to believe a valid purchase occurred, even when no money was actually exchanged. The app would not be able to tell the difference, so then the hacker would be able to receive whatever benefits from the IAP without having to pay. When a hacker routes the payment request to their server instead of the app’s payment server in order to trick the app, it is called a man-in-the-middle attack. This server sends back a legitimate looking payment receipt to the app, thus tricking the application into thinking that the user purchased something. Some apps that are made by larger companies have more sophisticated servers that do not allow for these kinds of attacks, but independent developers and smaller companies do not have the resources to protect against these kinds of actions.
My argument that IAP Spoofing is actually theft is as follows:
- Virtual objects can be owned.
- A virtual object is something stored in a database and corresponds to something that the player can use/interact with.
- A person can have exclusive access when the virtual object is stored in their portion of the database, and no one else’s.
- Ownership can be defined as exclusive access to an object.
- Therefore, virtual objects can be owned.
- For something to be theft, it must have the following necessary conditions:
- It is non-consensual.
- It deprives the owner of (exclusive) access.
- Virtual objects can be stolen.
- Virtual objects can be owned (Premise 1).
- Virtual objects can be non-consensually taken from users (i.e. hacking).
- Therefore, digital objects can be stolen.
- (Some) IAPs are virtual objects.
- There are two main kinds of IAPs: in-game items or feature unlocks.
- In-game items are represented as data in the database.
- Features are represented as code, not as data in a database.
- Therefore, in-game items are virtual objects, but features are not.
- IAPs can be stolen.
- Follows from Premises 3 and 4.
- IAP spoofing breaks the exclusive access of the owner.
- IAP digital objects are being created at the time of purchase by code that the developer wrote and as such, owns.
- IAP spoofing allows a user to use the objects that the developer owns.
- Therefore, IAP spoofing breaks the exclusive access of the owner.
- IAP spoofing is non-consensual.
- The terms of exchange are set for the IAP model: money for the digital object.
- IAP spoofing is changing the model by not transferring the money, but still getting the object.
- It is a non-consensual change of the terms of exchange because the other party cannot consent to a change if they have no knowledge of it.
- Therefore, IAP spoofing is non-consensual.
Therefore, because IAP spoofing non-consensually breaks exclusive access of the owner, IAP spoofing is stealing.
Even if you don’t buy into the idea of “virtual objects,” there is already some kind of basic sense of ownership in the way of database storage/inventory storage in apps and games. The idea of virtual objects just makes the argument’s conclusions stronger because digital objects should be thought of in the same way in regards to “realness” as physical objects.
The consequences of the conclusions of this argument mean that IAP spoofing legal rulings could fall under precedents set by existing theft laws, but also may need further clarifications to make it more specific to this cybercrime. Further inquiry into cyber and behavioral mitigation must be done to know how to effectively treat this issue.