Essentials - A questionable Minecraft Mod

A couple of months ago, a friend of mine showed me a mod called "Essentials".
This mod sets out to fix many shortcomings of the Java Edition of the game, specifically in the Cosmetic and Social departments.

It did this by implementing the following features:

  • A Friends System
  • World-joining across the Internet, with Friend-invitations
  • Player cosmetics (Wings, Hats, Clothing, etc)
  • Inbuilt Cloud-synced chatting functionality
  • A Partnership program for the Cosmetics Store
  • Account switching without leaving the game

On the surface, this seems alright, and the features are all very well integrated, albeit not following Minecraft's general UI Design.

However, once you start reading their Privacy Policy, things begin to get weird.

There are a couple of statements the Privacy Policy makes; I have selected the ones from the "Data we collect" statement which I find problematic:

[Image not available: excerpt from the Privacy Policy's "Data we collect" statement]

As you can see, that's quite a lot.
Let me break it down a little.
Essentials can access the following Data:

  • Your Essentials chat history
  • How long you've used Essentials for precisely
  • Your Time Zone
  • Your system's language
  • Your Screen Resolution
  • "Other Usage Preferences"
  • Device keyboard settings
  • Minecraft Version
  • Mod Loader Version
  • "identifier" (?)
  • Other loaded Mods
  • Search terms you type anywhere in the mod or their Website
  • Referrer URL (what page you were on before visiting theirs)
  • "The search terms you entered into a Search Engine or App Store that may have lead you to the platform"
  • Your service provider
  • Browser Type
  • Your Operating System
  • IP Address
  • "Other unique device identifiers"
  • Notification token

Now, why most of this data would be strictly needed for Essentials to function is beyond me, as standalone Open-Source mods have already done these kinds of things without invading privacy like this.

What does Essentials do with your Data?

The Privacy Policy of course covers not only what gets collected but also how it is used; here, though, the wording is somewhat vague (as is usual with Privacy Policies).

[Image not available: excerpt from the Privacy Policy on how the data is used]

It covers all the usual things:
"Improving the product", "Maintain security", "Test new features".

On their own, these things aren't anything I would usually bat an eye at. Though, with the amount of data they are collecting, it makes me question some things:

  • Why would Essentials need to register for a Notification Token?
  • Why would it need to know my Browser Type?
  • Why would it need to know URL Referrers?
  • Why would it need my Search Query to find the site?

There are tons of unanswered questions as to how these things actually aid in the creation of the mod, the website, or their backend servers. And even with some technical background, I struggle to understand it myself.

Red Flag: Essentials can read your Chat History

Note: I do not mean Minecraft's inbuilt chat, but rather Essential's Chatting feature

Essential has a chatting feature built-in. It is available from their main menu, and is tightly integrated with their Friend-System.

The messages are all-text, meaning images, videos and the like aren't sent, though the messages are entirely unsecured.

In fact, Essentials has access to your chats.

That's right, within 1.1: "Personal Information", they state the following:

[Image not available: excerpt from section 1.1 "Personal Information" of the Privacy Policy]

This essentially means that they CAN access your chats at any time, and thanks to their vague wording, they can do so for pretty much any reason.

I am not trying to say they should E2EE their chats, but their stating that they have access to your chats is a concern to many privacy-friendly folks out there.

How would they fix this?

  1. React to "Do Not Track" requests by following the W3 Standard for responding to DoNotTrack Signals.
    Simply saying "Many other websites don't respond" is not an excuse to not do anything. Even GitHub does it.
  2. In the long term, an E2EE feature could be introduced, but as I said, this isn't necessary.
    Alternatively, if someone had enough time, they could program a sort of "Addon" to Essentials which can do this on their own.
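
What point 1 could look like on the server side, as an added example that is not part of the original post and not Essential's code: the request's DNT header is read, the profiling fields are dropped before storage, and the response carries the Tk tracking-status header from the W3C Tracking Preference Expression specification. The field names, the sample request and the default for requests without a preference are assumptions modelled on the data categories listed above.

```python
# Added example: server-side handling of the DNT request header.
# Field names are assumptions modelled on the data categories listed in the post.
TRACKING_FIELDS = {
    "referrer_url", "search_terms", "browser_type", "ip_address",
    "service_provider", "screen_resolution", "time_zone", "device_identifier",
}

def dnt_preference(headers):
    """Return "1" (do not track), "0" (tracking allowed) or None (no preference)."""
    for name, value in headers.items():
        if name.lower() == "dnt":          # header names are case-insensitive
            value = value.strip()
            return value if value in ("0", "1") else None
    return None

def handle_request(headers, telemetry):
    """Return (response_headers, record_to_store) for one incoming request."""
    if dnt_preference(headers) == "1":
        # Drop everything that identifies or profiles the user before storage,
        # and tell the client so with the Tk status value "N" (not tracking).
        kept = {k: v for k, v in telemetry.items() if k not in TRACKING_FIELDS}
        return {"Tk": "N"}, kept
    # No preference or DNT: 0: the service's default applies (assumed here
    # to be tracking, status value "T").
    return {"Tk": "T"}, dict(telemetry)

# Constructed sample request, not captured traffic.
SAMPLE_TELEMETRY = {
    "minecraft_version": "1.19.1",
    "mod_loader_version": "fabric-0.14.8",
    "referrer_url": "https://search.example/?q=minecraft+friends+mod",
    "search_terms": "minecraft friends mod",
    "browser_type": "Firefox",
    "ip_address": "203.0.113.7",
    "time_zone": "Europe/Berlin",
}

if __name__ == "__main__":
    for hdrs in ({"DNT": "1"}, {"dnt": "0"}, {}):
        resp, stored = handle_request(hdrs, SAMPLE_TELEMETRY)
        print(hdrs, "->", resp, sorted(stored))
```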

Conclusion

Whilst there isn't any concrete evidence that the Essentials team wants to harvest data, I still do not put enough trust in them, as their practices are quite unusual for a Minecraft Mod.


The Essential Privacy policy is available here, and has been accessed on the 1st of August 2022 when writing this post.