The gaming company cross-referenced a user's name with a terror watch list and blocked him incorrectly.
Epic Games, developer of the successful Unreal series of game engines, had to deal with an especially bizarre PR nightmare Sunday evening.
A customer trying to register an account with the game developer in order to beta test a game had his attempt flat-out rejected and was shown an error message that said his name matches that of someone on the US Treasury's "Specially Designated Nationals and Blocked Persons List."
The customer was Zakir Khan, professor and executive director of the Transparency and Accountability Project. Khan was registering under the name Muhammad Khan and received the following message:
This is especially puzzling because the name Muhammad Khan is extremely common (which is a possible reason for why Zakir uses a different first name professionally). Khan's name is indeed on the list not once but several times, emphasizing exactly how commonplace the name is, especially abroad.
Epic's founder Tim Sweeney has addressed the issue on Twitter, apologizing to Khan and explaining that the block was based on an "overly broad filter related to US trade restrictions." Sweeney also said that Epic Games' database is updated whenever the Treasury Department "circulates a new list of foreign commerce restrictions," and that the reason for the snafu was that the filter blocked people solely on name, without taking location into account. It was also intended to be only for the use of Unreal Engine 4, and not simple game registration.
"They just didn't think about what they were doing. It's like programming without conscience, which to me is very scary." Khan and I agreed that this has probably happened before, given that the list is a thousand pages long. "How is a parent supposed to explain that to their child?" Khan asked.
Khan also clarified that he goes by Zakir because it's family tradition for people to use middle names.
As of now, the problem is reportedly fixed, with Epic working to update its filter to block only when a combination of a name and billing address is flagged. Epic seems truly apologetic about the incident, but it raises some deeply weird concerns, like: Why is a gaming company cross-referencing names with a terror watch list at all?
With past (mostly ridiculous) rumors about ISIS using video games to train members and leave secret messages, it calls into question whether gaming companies are implementing certain strategies in cooperation with federal authorities. The Specially Designated Nationals list is maintained by a branch of the Treasury called the Office of Foreign Asset Control, and the language on their website is confusing, so I reached out to them by phone.
An OFAC representative named Eliott who declined to give his last name for security reasons explained that though technically all US citizens are required to comply with OFAC sanctions, the agency realizes instituting a compliance program is not a reasonable request to make of most businesses.
Eliott told me that if "a terrorist purchased a candy bar" at my gas station, for example, OFAC would regard that transaction far differently than discovering an American bank was handling that terrorists' funds. But even banks aren't legally required to use a compliance program—they sort of just have to, because the potential damage to them if OFAC ever found them in violation of a sanction would be catastrophic.
So based on what Eliott told me, it seems likely that Epic Games simply decided it was worth it for them to crosscheck registrants with the SDN list. Maybe they were worried extremist groups would use the Unreal Engine to develop training games, or maybe they considered it their patriotic duty. Either way, they should have been more careful with the parameters for blocking access.
Motherboard reached out to Epic Games for further comment, but a representative said they were unwilling to comment beyond Sweeney's tweets.
Updated to include comments from Khan.