Hello. I was looking to join a corp and they requested that I give them an API key to ESI so they can effectively spy on me. I’m a developer, so obviously this raises huge red flags. While this is obviously majorly messed up, apparently a lot of corps do this.
But my concern is not with the spying (which is still insane) but the fact that ESI may have more powers than it lets on. The publicly documented Swagger interface (https://esi.evetech.net/ui/) doesn’t show anything about the skill training system; however, the Eve Portal mobile application is supposedly built on the same OAuth 2.0 + ESI combo but allows me to change my skills around.
How do I know that giving a corp this spying privilege (which is still insane) doesn’t also grant them undocumented powers over my account? Are there any guarantees from CCP that these endpoints are not usable/accessible by regular applications? Perhaps it’s OAuth2 grants that only CCP apps can request?
Don’t know exactly where to post this question either, so I’m just sort of winging it here in hopes of getting a response that can at least get me a slap on the wrist and point me to where I should be asking.
Another thing to bear in mind is that ESI isn’t all or nothing. Access to the endpoints is governed by scopes that are shown to you before you agree to grant those scopes to an application. Read the scopes being requested, and if any of them have write access without your understanding why, cross-examine the corporation for justification. If there is an undocumented scope, that scope should still appear on your list if requested. Developers have to declare the scopes their application can access on the Eve developer website as part of gaining access to the ESI API, so an undocumented scope would have to be surreptitiously included somehow with web form trickery. Abuse of this nature would be easy to track down, and such an abuser would likely face harsh penalties that begin with a lifetime ban from Eve Online.
Write access is not automatically terrible. For example, Eve Marketer has write access to my autopilot destination so that I can have it plot a course to a station with goods I wish to purchase and pick up. It’s always a good idea to understand what you are agreeing to, why you need to agree to it, and to request clarification if you are uncertain.
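The scope review described in the reply above, as an added example that is not part of this thread or of CCP's own tooling: it decodes the claims of an EVE SSO access token and separates read-only ESI scopes from the ones (like the waypoint scope) that deserve a justification before you consent. It assumes the token is a JWT whose granted scopes sit in an "scp" claim and that ESI scope names follow the "esi-<category>.<action>_<resource>.v1" pattern; the sample token is constructed, not a real one.

```python
import base64
import json

# Assumptions (not from the thread): the token is a JWT whose payload carries the
# granted scopes in an "scp" claim, and ESI scope names follow the pattern
# "esi-<category>.<action>_<resource>.v1", e.g. "esi-ui.write_waypoint.v1".

def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_unsigned_token(claims: dict) -> str:
    """Build a constructed JWT with a dummy signature, for offline inspection only."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.dummysig"

def token_scopes(token: str) -> list:
    """Return the scopes listed in a JWT payload (claims only; the signature is not verified here)."""
    _header, payload, _sig = token.split(".")
    claims = json.loads(_b64url_decode(payload))
    scp = claims.get("scp", [])
    return [scp] if isinstance(scp, str) else list(scp)  # "scp" may be a bare string

def classify_scopes(scopes) -> dict:
    """Bucket scopes by the action encoded in their name.

    Anything that is not an ESI "read_" scope lands in "needs_justification":
    that is the list to challenge the corporation on before consenting.
    """
    buckets = {"read": [], "needs_justification": []}
    for scope in scopes:
        parts = scope.split(".")
        action = parts[1] if len(parts) == 3 and parts[0].startswith("esi-") else ""
        key = "read" if action.startswith("read_") else "needs_justification"
        buckets[key].append(scope)
    return buckets

if __name__ == "__main__":
    # Constructed sample: two recruitment-style read scopes plus the waypoint scope
    # that route-plotting tools use to set an autopilot destination.
    sample = make_unsigned_token({
        "sub": "CHARACTER:EVE:0000000", "name": "Example Pilot",
        "scp": ["esi-mail.read_mail.v1", "esi-wallet.read_character_wallet.v1",
                "esi-ui.write_waypoint.v1"],
    })
    print(json.dumps(classify_scopes(token_scopes(sample)), indent=2))
```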
Then, don’t send nudes via eve mail? Or are you a spy? They ask for that just to get minimal protection and control over information exchange. No one forces you to join that corp; join one that doesn’t ask for ESI, or use alts, discord, whatever to communicate outside of the game.
Many large corps and alliances ask for such information because every single new applicant is a spy until proven otherwise, and spies are more devastating to a corp/alliance than an entire supercapital fleet.
If you are not comfortable with giving out ESI information, don’t join the corp/alliance. Corps need to read your in game mail so that if you have any communications with enemies of the corp you will be rejected, they need to read your contacts to see who you’re blue to or red to. They need to see your wallet transactions to see if you’ve transferred or been given money by their enemies.
Welcome to eve, I don’t think that many other mmos can provide this kind of story. And personally, I find it amazing.
So, OP, corps are perfectly right to ask you for this info, and CCP provided the tool for that. If you don’t want to join a corp which asks you that, no problem, that’s YOUR choice. This is a sandbox.
In the game and the official app, you actually log into your account, hence it is a two-way communication.
For everything else, you use the ESI API, which is a read-only option.
And most respectable corps will do a background check on possible recruits, for the sole reason that spying, theft and awoxing are legal in EVE, so you want to know who you invite into your group.