Last year, Roblox launched a version of its game in China called LuoBuLeSi. Like other Western gaming companies that have entered the lucrative but heavily regulated Chinese market, it had to partner with a Chinese company, Tencent, who would operate the game in the country, and Roblox had to host user data on local servers, as required by law.
But newly released internal documents reveal that Roblox assumed and prepared for the possibility that any Chinese partner it worked with could try to hack Roblox. On top of that, Roblox expected Tencent to copy the game and create its own version of it.
“Expect that hacking has already started,” one slide in a presentation from 2017, called “China MVP Ideas from Aug Trip; CONFIDENTAL,” read. The slide dates from before Roblox ultimately announced a partnership with Tencent. “Expect it to ramp up after a deal is signed, possibly even by partner.”
The documents also show the steps Roblox had to take in order for its game to comply with Chinese censorship laws: any maps created in the game had to “respect the integrity of the country and not misrepresent the Chinese territory,” including by recognizing Beijing’s claim of self-ruled Taiwan as part of its territory, according to a presentation given to Roblox by Tencent. Users and developers also “must not tamper with historical facts” and “must not appear any images or names of national leaders.”
There is no evidence that Tencent did target Roblox. The documents were originally obtained and then published online this month by a separate, criminal hacker who attempted to extort Roblox. Motherboard is publishing details from the documents despite them being obtained by a criminal hacker because of the overriding public interest in understanding the highly controversial steps major companies might take in order to break into markets in authoritarian countries.
Roblox also expected a group of hundreds of people to be working on reverse engineering any code that the company placed on Chinese servers.
“Will need heightened security globally,” the Roblox slide on security continued.
Do you work at Roblox? We'd love to hear from you. Using a non-work phone or computer, you can contact Joseph Cox securely on Signal on +44 20 8133 5190, Wickr on josephcox, or email firstname.lastname@example.org.
In 2017, the Chinese market seemed wide open for Roblox. Although Tencent was likely to create a similar platform, and seemed to have one in the works in the wings, Roblox had no copycats in China yet, according to the slides. Roblox also pointed to Tencent’s repeated failures at launching user-generated content (UGC) gaming in the past few years.
Roblox, meanwhile, had a massive back catalog of user-made content it could bring to China. After games were translated to Chinese, Roblox could then make some of them visible in the country. The company had its own engine that developers around the world used to create their own virtual worlds. Roblox also had a strong social component, something that Chinese gaming company NetEase strongly recommended strengthening through top creators, the slides add. “Educational angle is a big advantage for us,” one of the slides reads.
“Strategically important to strengthen social networks,” another slide starts. “Best defense is a good offense—network effects will thwart copy cats.”
One slide that listed what Roblox needed to do to launch in China noted that the requirement that would take the most effort would be setting up local web servers. All personally identifiable information for Chinese players was not allowed to flow at all across the Great Firewall, the slides said. Other tasks included implementing phone authentication with SMS validation, something that Roblox was “doing anyway,” it reads. This authentication would use a “government validation API” and Roblox would also gather national IDs, the slides add.
“All players have national ID and real name, so less concerned about bad behavior towards children—easy to find the predators,” a related slide reads. Child predators are something that the main Roblox company fights off constantly.
Roblox had to carry out all of this preparation in part because the government review process takes 8 to 9 months, according to the slides. “Some missing translations are OK, but all critical features are required for both efficiency and government relations,” one slide reads.
At least in the short term, the plan was to entirely segment the Chinese version of Roblox from the international one. Although Chinese law allows non-Chinese players to play on the Chinese servers, those international players would also be subject to all Chinese laws, including those around data usage, the slides read.
“Conclusion: Do not allow in near term—kids won’t understand this, and will likely lead to other concerns or difficult decisions,” one slide reads, adding that this could change over time.
The internal Roblox documents published by the hacker also detailed Roblox’s content moderation strategy, including teams of human reviewers and technology to assess user-generated content such as games, as well as the contents of messages between players. Given China’s intense censorship efforts, especially around user created content such as social media posts, Roblox would have to export that moderation effort to the country and potentially bring in another operator.
“Need fast-track moderation of games identified as bad. We have this internally—worth reviewing the tool for utility and security by third-party operator,” the slide says. A similar system would be needed for in-game items for the characters. “Like Games, all Catalog Items must be approved for China,” another slide reads.
For the moderation, Roblox’s potential partner of either Tencent or NetEase could help out as both had solutions at various states of maturity, the document says. There would be a cultural clash though: “Chinese companies err on the side of moderating content, not growth,” the slide adds, something that is generally unusual to U.S. firms.
In its internal presentation, Roblox weighed the pros and cons of working with Tencent or NetEase respectively. Tencent, on one side, is a “big player and knows it, seeking to leverage Roblox using their playbook, less flexible, likely requires us to keep our guard up,” one slide reads. Tencent would control the day-to-day operations if Roblox was to launch in China, and had a mission to “own all entertainment time across all devices,” it says.
NetEase had a different approach, in that it was specifically a gaming content company. “Direct, down-to-Earth, flexible problem solvers, acting in the interests of a joint venture,” the slide on NetEase reads.
Despite the apparent reservations in the slide presentation, Roblox eventually partnered with Tencent and announced their work together in May 2019. In its own presentation also included in the hacked documents, Tencent spelled out what sort of content was and was not allowed in games in the country. The November 2018 presentation was called “China Government Policy” and had Roblox characters on the first slide.
Games weren’t allowed any mistreatment of corpses, couldn’t display horror characters or scenes, and couldn’t contain revealing characters or pictures.
“Must not promote or go against basic moral values,” they continue. “Must not promote polygamy or one-night stands. Must not promote the values of money is all, power is all and so on.”
With historical figures, companies “must not tamper with historical facts, cultural events and historical figures,” the Tencent slides continue. The slide includes two images of Adolph Hitler marked with a red X.
“The map in game must respect the integrity of the country and must not misrepresent the Chinese territory,” it added. The slide shows a map of China, and four areas marked in red circles that are “prone to errors.” Those areas highlight Taiwan, the South China Sea, Tibet, and Aksai Chin.
“Must not appear any images or names of national leaders,” the slide adds.
The leak also included a spreadsheet of terms for different languages. In the Chinese spreadsheet, words included under a tab labeled Risk Level 5 included words like “abortion,” “Hitl3er,” and “victoria secret.”
On religion, games in China “must not incite national hatred, promote ethnic discrimination or undermine national unity.” As widely covered in media, government, and NGO reports, the Chinese government has embarked on a systemic and widespread cultural genocide against Uyghur muslims in the western region of Xinjiang.
Roblox was also expected to collect and authenticate the real names of players in China. “The main purpose is to provide necessary safe guard for minors,” the presentation reads. And, it had to comply with China’s anti-addiction policies, such as only allowing people to play the games for a few hours every day. In one of its own documents, Roblox said that this feature was a “must in China” but that is also presented a “great option globally.” The idea was to create this feature across the entire Roblox platform, and then make it a requirement in China and an option for parents in the rest of the world, another slide says.
Tencent also pointed to China’s rules on in-game purchases, and how they would specifically relate to Roblox. “There needs to be a cap on the amount that underage can purchase both every day and every month,” the slide read, next to a screenshot of a Roblox interface offering the sale of Robux, the platform’s currency. The slides also include images of Roblox cosmetics and other microtransactions.
Then in July 2021, Roblox launched LuoBuLeSi, the Chinese version of its platform. Other documents show some of the mechanisms it had in place for complying with Chinese regulations, including a game “whitelist” and moderation features for display names in the country.
Roblox’s time in China was exceptionally short lived. In December 2021, the company closed down LuoBuLeSi without going into detail about why. Soon after it shut down, the company said that it was working to relaunch after making “necessary investments” to its “data architecture” but did not provide any additional information about closing..
Some of the slides then document the fallout: In the wake of the shutdown, Roblox refunded all player spending and made sure that existing players could no longer login. The company planned to delete Tencent player personal identifying information, but at the time the exact scope and timing of that was to be determined, the slides read. Roblox also scaled back its Chinese team while retaining enough staff to recruit in the country, the slides read.
Regarding the possibility Roblox saw that Tencent may hack the company, a Roblox spokesperson told Motherboard in an email that “The slide you reference was from 2017, before we had a formal joint venture relationship in place. As normal for a company entering into a new market, we consider risks and opportunities and plan for them.”
“Roblox policy is to comply with the laws of the regions in which we operate, including China,” the spokesperson added.
When, or if, Roblox does launch its game again in China, it plans to give players a free avatar and spending rebate, the slides add. When asked if Roblox has a date for when it may relaunch in China, a Roblox spokesperson told Motherboard in an email that “at such time that we can provide an update on when the application will be available to us.” Roblox said that, as of writing, the company still has a presence in China, including an office, employees, and Roblox Studio.
Tencent did not respond to a request for comment.
“Tencent & Roblox stay fully committed to long-term China & Luobu success,” one of the hacked Roblox presentations reads. “Keeping current license paramount for future relaunch.”
Subscribe to our cybersecurity podcast, CYBER. Subscribe to our new Twitch channel.