# Why does MetaElite need your Frontier ID?

17 messages · Page 1 of 1 (latest)

tired lake
#

No third-party application should need your Frontier ID, especially not in connection with your IP address. MetaElite collects both.

The Privacy section on Raxxla.org states that the MetaElite app "requires your credentials (FID + AuthKey) for access: It stores your FID, Cmdr Name, and the AuthKey hash."

Only Frontier should ever need your FID. EDDiscovery, ED Market Connector and SRV Survey use API keys to connect players with their accounts on third-party websites like Inara and the Elite Dangerous Star Map. They also use Frontier's Companion API, which reroutes players to Frontier servers for login. Neither of these gives the third-party apps direct access to your FID.

MetaElite does none of this. Moreover, the application stores data on a backend server, but because the software isn't open-source, no one but the developer knows what data is stored.

Simply put, this is a privacy violation waiting to happen. Multiple players got doxxed a few years back when the creators of EDRecon used data from that app in violation of Frontier's Terms of Service, and while I doubt MetaElite's developers have the same intentions in mind, they shouldn't be asking for players' FIDs in the first place.

plush pelican
#

Wow, someone is dumb enough to give them their number, with which they can be impersonated before Frontier, e.g. someone could create support tickets in their name to unknown result? To me it's like giving someone rights to access your mailbox unattended... You are right, no one should require someone else's FID.

tired lake
#

What's more, if you have someone's FID and their IP address, I'm fairly certain you can doxx them. There's a fair chance MetaElite's developer is violating Frontier's Terms and Conditions, and potentially the GDPR, by storing that data in combination.

nova owl
#

No comment otherwise, but "third-party websites like Inara [don't have] direct access to your FID" is just flat-out wrong. Inara shows your FID (in My Profile > Settings > what Inara knows about me > Frontier ID), and any third-party site that you allow Frontier API access as well can know it if it wants, because there's a CAPI endpoint for fetching journal files, and the FID is near the start of every journal file.

plush pelican
#

Good thing I've never created any accounts using the Frontier companion API. Also stopped using ravencolonial ever since they started requiring login using this. I'm not good at finding exploits myself, but my paranoia, caused by things I saw throughout my IT career, told me this can't be good.

tired lake
nova owl
#

I have exactly the same 8-digit decimal number in Inara "Frontier ID" as in game journals "FID" field, disregarding an extra "F" prefix in the latter. 🤷

#

(I guess you could technically characterize that as being an 8-digit number in Inara, and a 9-digit alphanumeric in game, but they're effectively the same anyway.)

nova owl
#

The Frontier OAuth2 consent screen also says that the approved app "will have access to the following: Email, Name, Account ID, Product IDs, linked account IDs, Customer platform", and the Frontier OAuth2 docs mention a /me endpoint that returns a customer_id which sounds the same as the FID (the docs aren't a model of clarity), so I'm reasonably convinced granting something CAPI access is equivalent to telling it your FID (you may well want to avoid doing either, of course).

tired lake
#

Right, but you can also use other third party apps like EDDiscovery and EDMC without providing a Frontier CAPI. MetaElite doesn't give you that option.

nova owl
#

Incidentally, you can't use EDMC with Inara without revealing your FID to Inara, even ignoring CAPI. It's part of the Inara API header (commanderFrontierID in Inara API docs), and EDMC sends it without asking (I mean, obviously only if you enable updating Inara in the first place, and give it an Inara API key). Ditto with EDSM, by virtue of it seeing the LoadGame journal event, which includes FID, though it might well not actually do anything with it.

But sure, you can use EDMC in general, and upload to EDDN or whatnot, all (somewhat) anonymously, unlike MetaElite.

(And I did see that there's also that other, more alphanumeric "Frontier ID"; it shows up in Frontier user portal and maybe also in-game, can't check now. Might just be a different encoding of the same ID, or might not. But I don't think MetaElite has anything to do with that one if it's different, since I don't remember MetaElite asking for it.)

tired lake
#

OK - so there's an FID stored in the logfiles, and then there's this one, on the splash screen. Now I'm curious as to the difference between the two?

nova owl
#

Mm, internet doesn't seem to know if it's just a different encoding for the numeric one or not (but since both that and the journal one are called "FID", maybe). That's the format that also shows up on user dot frontierstore dot net under "account information".

opaque slate
#

They have a discord you could prob ask them directly

plush pelican
#

The Frontier ID displayed at the game's menu screen is used in contacts with Frontier, e.g. when creating a personal support ticket. My guess is they identify you by this, while the FID, which appears in the logs, was specifically designed for use by the companion API, and therefore is a thing they will never identify you by. It's for us to play with. In other words, no one can impersonate you in game or before FDev just by possessing this FID that is found in the logs and everyone has access to. So in the end, I said stuff above about my paranoia, but I think the safety of this MetaElite is no worse than that of Inara, RavenColonial, etc.

#

Whether MetaElite, RavenColonial or any other 3rd party companion app vendor does some nefarious things with this number (whatever these could be, I can't think of anything), they have the same things to go by that others do, and you're the one giving all this to them by using their apps that connect to locations on the internets. It's one's choice and consequences to use the apps, that's what my conclusion is on this matter. Maybe because they've disclosed what they collect and why, we should instead regard them as more transparent than any other app vendor that doesn't do this?