The dark side of videogames
Telemetry and analytics services have become an integral part of today's technology world. They help developers to gain valuable insights into the use of their products and to make improvements on this basis. But as is often the case, the devil is in the details.
Unfortunately, in practice, it can be observed that the use of telemetry and analytics often goes beyond what is necessary for the proper functioning of a product or service.
The topic continues to raise many privacy questions and privacy concerns, as many telemetry, advertising, tracker, and analytics services act without users' knowledge or consent, collecting and monitoring data across platforms, such that these mechanics can be considered spyware depending on how they are implemented. Whether running games and programs on consoles, mobile devices, and desktop environments or websites.
The problem is exacerbated by the fact that many users are unable to understand or track the extent of this data collection or how their data is actually being used, or simply don't care.
The repertoire ranges from unimportant details to sensitive data that is captured and sent via plain text and without "https" encryption.
Players are aware of little or nothing of these processes, as they are rarely informed sufficiently. Of course, they also have no opportunity to object to any data collection. In that case, it is a violation of the GDPR.
Trackers and session heatmaps are powerful tools used by developers to monitor user behavior in real time.
Trackers can record player movements, interactions, and decisions, while session heatmaps visualize gameplay (similar to live or night vision cameras with infrared) to give developers insight into player interactions. On websites, session heatmaps are a popular way to determine which areas of a page users are paying attention to.
While these services can be useful in game development to inform design decisions, there are significant concerns about their privacy practices. For example, Mouseflow, another session heatmap service, has been criticized in the past for recording users' passwords, credit card information, and personal data.
In reality, however, many crash reports are already automatically generated and sent at the start of a game or program, or cloud services such as the Perf Cloud from Unity Technologies are automatically fed with data during the game session, even though no crash or other errors have occurred and developers therefore already have all the data without conscious active participation by their users.
In recent years it has become common practice in the industry to collect system and player data for crash reports when using digital products. When a game or program crashes or experiences problems of any kind, it is common to generate crash reports to determine and fix the cause of the problem.
However, some developers abuse this mechanic instead of traditional telemetry services, as crash detection programs are regularly whitelisted by firewall and anti-virus applications, allowing traffic data to leave end users' systems unhindered.
First of all, "crash reports" are popular among gamers because they assume that they will help the developers and do them a favor to improve the existing product. The term "crash report" is also more widely accepted than "telemetry", "analytics" or even "spyware", which are perceived negatively by users.
In reality, however, many crash reports are generated and sent automatically when a game or program is started. The Unity engine as an example makes use of its own CrashHandlers which only provide a cloud server with user data in case of crashes, but the service in question is also happy to be active independently during the game session. And that even though no crash or other error has occurred.
An self-runner that requires no active involvement by its users and developers can sit back and relax without having to deny direct customer contact.
While TrackJS is increasingly found in games made by Paradox Interactive AB, Sentry's service appears in a wider range of products.
Another privacy violation with regard to crash reports that is increasingly seen in computer games is the surreptitious uploading of user data to third-party structures. Some developers have crash reports sent directly from a game via SMTP protocols directly to their email address such as Google G-Mail.
In only a few cases is hosting done by the company itself. If data flows are tracked, it quickly becomes apparent that it is predominantly the dominant tech companies that are at the end of the chain, offering services for data processing and acquisition on the one hand, and providing developers with the corresponding tools on the other.
For example, the Google pages for Crashpad state the following
The passage from Google Crashpad highlights what has unfortunately become commonplace in the industry.
Self-legitimized automatic collection and recording of data without consultation and consent. The overall context leads to the conclusion that users are not taken for granted, and they feel this every day on the respective entertainment and distribution platforms.
Automated uploads can include information, game history, purchases, system data and more. When such data is transferred to third parties without the knowledge or consent of the players, privacy is at risk, as is digital self-determination, which is lost bit by bit.
The loss of digital self-determination goes hand in hand with the restriction of the control individuals have and can exercise over their personal data and digital information in the networked world, thus negatively impacting individual freedom and privacy.
Loss of digital self-determination is characterized, among other things, by
In the era of the digital age in which we currently move on a daily basis, our privacy is increasingly becoming an illusion. A seemingly endless flood of data is constantly flowing through the World Wide Web every day, and the idea of anonymity is rapidly disappearing. Companies like GameAnalytics boast of being able to track everything and everyone as we move across platforms - whether it's watching videos, opening links or launching games.
Thanks to unique identifiers like AccountIDs, GUIDs and UUIDs, it's no longer even necessary to actively log in to services. Combined with our IP address and habits, much of the data collected is anything but anonymous. Technology giants like Amazon.com, Inc. offer their own infrastructures for developers to store, process, prepare and link these massive amounts of data.
Examples for Amazon services: Kinesis for real-time data processing, Redshift for Analytics and Data-Warehouse
Like the metadata examples, this can quickly create a comprehensive habit profile. In video games these days, there are always elements in which players are faced with situations of making moral, ethical decisions or even performing sexual acts in games like in Mass Effect or Baldur's Gate, which are incorporated into the data set in the creation of psychometric profiles of players.
Distribution platforms and social networks such as Steam or Facebook also rely on the characteristics of their users and have designed their infrastructure in such a way that users feel they are voluntarily disclosing their data.
Users don't need to be told twice, either, and fire up these platforms with plenty of information about their private lives, photos, details about their sex lives, religious beliefs, political views and much more. In return, they are outraged when certain content is missing or functions does not work properly.
Edward Snowden's revelations in 2013 showed that even the NSA (National Security Agency) created personality profiles based on player data to assess players' behavior in relation to terrorist activities.
ImpressionID' and CorrelationID's are seemingly inconspicuous identifiers that appear in player data sets, but can be globally unique like MAC-Addresses or other hardware identifiers.
But what do these terms actually mean?
Impression data is information that is often used to serve targeted ads and analyze player behavior. This means that the games and programs we use in our daily lives and work with may be watching us more closely than we think. Our preferences, habits, and even our response patterns can be captured and used for marketing purposes without us knowing.
One program that specifically collects and sends impression data is Microsoft Corporation's Game Bar.
An even more worrisome element is CorrelationIDs. These can be used to track user activity across different platforms. While this sounds like a useful feature, it can become a massive privacy violation if collected and used without sufficient transparency or consent. In such cases, players' privacy is put at risk, and it may even violate the General Data Protection Regulation (GDPR), which ensures the protection of personal data in the European Union.
Epic Games, Inc. serves as an example - a unique CorrelationID is in use in every game with the Epic Online Service and accompanying online compulsion with the Unreal Engine.
If a computer game has only English usage and privacy policies and is available in Germany, the usage and privacy policies must still comply with the applicable German laws and regulations.
If you are from another European country and are reading this article, you can find your competent authority and further information on requirements and contacts on data protection topics in the listing of data protection authorities.
The following applies to Germany: In principle, an English version of the privacy policy and terms of use should not be sufficient, as it is not understandable for most users in Germany and must meet the requirements of the General Data Protection Regulation (GDPR).
According to the GDPR, users in the European Union (including Germany) must be informed about their data protection rights and the use of their data in clear and understandable language. In short, if a game is available in Germany or another EU country, the usage and privacy statements must be provided in the local language or a language that users can understand.
The term data leak is defined as the unintentional or unauthorized disclosure of sensitive or confidential information that should not normally be available to the public or specific individuals.
Unfortunately, these leaks or sales of data sets are not uncommon these days. Over and over again, we see headlines of companies being sloppy with customer data, failing to secure databases, or engaging in other shenanigans.
There seems to be little awareness of injustice as in the case of companies like Epic Games, Inc. or Avast, which sold customer information in the hundreds of millions or even stole data from other platforms. An apology and everything is forgotten.
On the consumer side, data leaks are the norm. Whether it's leaked patient data or stolen accounts for gaming platforms.
Rarely is the loss of data worth more than a headline on relevant news portals or a brief excitement. Even less are serious consequences drawn to ensure the security of data or even to reduce the amount of data collected back to a healthy level.
At a time when customers are increasingly relying on their data being handled consciously and responsibly, it happens time and again that this trust is abused. Requests for information or even deletion of data are often rejected, ignored or not answered at all. Responsibility is shifted to others and sometimes even lies are told.
Users should be aware that once data has been entered, it is out of their control. Whether they play a game, watch a video, or visit a website, they are constantly monitored and their data serves as a resource for an industry that legitimizes itself by taking what it wants.
Developers should use data collection and use mechanisms responsibly and adequately inform their customers to ask for their consent. Otherwise, they risk not only legal consequences under the General Data Protection Regulation (GDPR), but also losing the trust and satisfaction of their users.
Despite the strict requirements of the GDPR to protect consumer privacy and rights, both large and small providers often ignore the issue and talk about a "legal risk" if they get caught.
Violations of the GDPR can result in substantial fines that can significantly impact the reputation and financial success of developers. In addition, customers whose data protection rights have been violated can claim damages, which can cause additional costs.
Unfortunately, the penalties and enforcement measures often seem insufficient, and since data protection is the responsibility of individual countries, it becomes a complex problem. Companies based in other European countries often care even less about data protection and the privacy of their customers.
This is unfortunately the reality we have to deal with in today's digital world.
Use of telemetry and analytics in computer games
Telemetry and analytics services have become an integral part of today's technology world. They help developers to gain valuable insights into the use of their products and to make improvements on this basis. But as is often the case, the devil is in the details.
Unfortunately, in practice, it can be observed that the use of telemetry and analytics often goes beyond what is necessary for the proper functioning of a product or service.
The topic continues to raise many privacy questions and privacy concerns, as many telemetry, advertising, tracker, and analytics services act without users' knowledge or consent, collecting and monitoring data across platforms, such that these mechanics can be considered spyware depending on how they are implemented. Whether running games and programs on consoles, mobile devices, and desktop environments or websites.
The problem is exacerbated by the fact that many users are unable to understand or track the extent of this data collection or how their data is actually being used, or simply don't care.
- Example services for telemetry: Google Analytics, Adobe Marketing Analytics
- Engines for Analytics: Unity Analytics, ET/Datarouter Analytics
The repertoire ranges from unimportant details to sensitive data that is captured and sent via plain text and without "https" encryption.
Players are aware of little or nothing of these processes, as they are rarely informed sufficiently. Of course, they also have no opportunity to object to any data collection. In that case, it is a violation of the GDPR.
Trackers and session heatmaps: The invisible data spies
Trackers and session heatmaps are powerful tools used by developers to monitor user behavior in real time.
Trackers can record player movements, interactions, and decisions, while session heatmaps visualize gameplay (similar to live or night vision cameras with infrared) to give developers insight into player interactions. On websites, session heatmaps are a popular way to determine which areas of a page users are paying attention to.
- Example services for Tracker: Mixpanel, GameAnalytics
- Example services for Session Heatmaps: Yandex Metrica, HotJar, CrazyEgg
While these services can be useful in game development to inform design decisions, there are significant concerns about their privacy practices. For example, Mouseflow, another session heatmap service, has been criticized in the past for recording users' passwords, credit card information, and personal data.
In reality, however, many crash reports are already automatically generated and sent at the start of a game or program, or cloud services such as the Perf Cloud from Unity Technologies are automatically fed with data during the game session, even though no crash or other errors have occurred and developers therefore already have all the data without conscious active participation by their users.
Gathering system data for crash reports
In recent years it has become common practice in the industry to collect system and player data for crash reports when using digital products. When a game or program crashes or experiences problems of any kind, it is common to generate crash reports to determine and fix the cause of the problem.
However, some developers abuse this mechanic instead of traditional telemetry services, as crash detection programs are regularly whitelisted by firewall and anti-virus applications, allowing traffic data to leave end users' systems unhindered.
First of all, "crash reports" are popular among gamers because they assume that they will help the developers and do them a favor to improve the existing product. The term "crash report" is also more widely accepted than "telemetry", "analytics" or even "spyware", which are perceived negatively by users.
In reality, however, many crash reports are generated and sent automatically when a game or program is started. The Unity engine as an example makes use of its own CrashHandlers which only provide a cloud server with user data in case of crashes, but the service in question is also happy to be active independently during the game session. And that even though no crash or other error has occurred.
An self-runner that requires no active involvement by its users and developers can sit back and relax without having to deny direct customer contact.
- Example service for Crashreports: Sentry, Windows Problem Reporting (wermgr.exe), Valves' Steam Error Reporter
- Example service for systemdata: TrackJS
While TrackJS is increasingly found in games made by Paradox Interactive AB, Sentry's service appears in a wider range of products.
Secret uploading of user data to third-party servers
Another privacy violation with regard to crash reports that is increasingly seen in computer games is the surreptitious uploading of user data to third-party structures. Some developers have crash reports sent directly from a game via SMTP protocols directly to their email address such as Google G-Mail.
- Example companies for third-party servers: Akamai Technologies, Google, LLC, Amazon.com, Inc.
- Example services for user data: Epic Online CrashReporter, CrashRPT, Crashpad, Breakpad
In only a few cases is hosting done by the company itself. If data flows are tracked, it quickly becomes apparent that it is predominantly the dominant tech companies that are at the end of the chain, offering services for data processing and acquisition on the one hand, and providing developers with the corresponding tools on the other.
For example, the Google pages for Crashpad state the following
Google CrashPad
Fixing bugs and incompatibilities in client software that ships to millions of users around the world is a daunting task. User reports and manual reproduction of crashes can work, but even given a user report, often times the problem is not readily reproducible. This is for various reasons, such as e.g. system version or third-party software incompatibility, or the problem can happen due to a race of some sort. Users are also unlikely to report problems they encounter, and user reports are often of poor quality, as unfortunately most users don’t have experience with making good bug reports.
Automatic crash telemetry has been the best solution to the problem so far, as this relieves the burden of manual reporting from users, while capturing the hardware and software state at the time of crash.
The passage from Google Crashpad highlights what has unfortunately become commonplace in the industry.
Self-legitimized automatic collection and recording of data without consultation and consent. The overall context leads to the conclusion that users are not taken for granted, and they feel this every day on the respective entertainment and distribution platforms.
Automated uploads can include information, game history, purchases, system data and more. When such data is transferred to third parties without the knowledge or consent of the players, privacy is at risk, as is digital self-determination, which is lost bit by bit.
Digital self-determination
The loss of digital self-determination goes hand in hand with the restriction of the control individuals have and can exercise over their personal data and digital information in the networked world, thus negatively impacting individual freedom and privacy.
Loss of digital self-determination is characterized, among other things, by
- Data collection and processing: Companies and platforms incessantly collect large amounts of personal data, including location data, search history, social interactions, and more. This data is often collected without users' knowledge or explicit consent and used for advertising, personalized content, and other purposes.
- Profiling and personalization: based on the data collected, companies create detailed profiles of users. These profiles are used to serve personalized content and advertising, which can result in users being trapped in so-called filter bubbles with limited exposure to diverse information and opinions.
- Surveillance and state interference: Surveillance and government interference: governments around the world use digital technologies to monitor and control their citizens. This can include mass surveillance of communications, tracking movements, and restricting freedom of expression.
- Hacking and data breaches: The constant threat of hacking and data breaches can lead to personal information and data being stolen or compromised, further undermining digital self-determination.
- Lack of transparency and consent: There is often a lack of sufficient transparency about how data is collected and used, and a clear opportunity for users to consent or opt out of data collection and processing.
- Monopoly of large technology companies: Large technology companies often have monopoly-like control over digital platforms and services, which increases their ability to influence and control information and data.
The highest data quality is achieved with voluntarily submitted information
In the era of the digital age in which we currently move on a daily basis, our privacy is increasingly becoming an illusion. A seemingly endless flood of data is constantly flowing through the World Wide Web every day, and the idea of anonymity is rapidly disappearing. Companies like GameAnalytics boast of being able to track everything and everyone as we move across platforms - whether it's watching videos, opening links or launching games.
Thanks to unique identifiers like AccountIDs, GUIDs and UUIDs, it's no longer even necessary to actively log in to services. Combined with our IP address and habits, much of the data collected is anything but anonymous. Technology giants like Amazon.com, Inc. offer their own infrastructures for developers to store, process, prepare and link these massive amounts of data.
Examples for Amazon services: Kinesis for real-time data processing, Redshift for Analytics and Data-Warehouse
Like the metadata examples, this can quickly create a comprehensive habit profile. In video games these days, there are always elements in which players are faced with situations of making moral, ethical decisions or even performing sexual acts in games like in Mass Effect or Baldur's Gate, which are incorporated into the data set in the creation of psychometric profiles of players.
Distribution platforms and social networks such as Steam or Facebook also rely on the characteristics of their users and have designed their infrastructure in such a way that users feel they are voluntarily disclosing their data.
Users don't need to be told twice, either, and fire up these platforms with plenty of information about their private lives, photos, details about their sex lives, religious beliefs, political views and much more. In return, they are outraged when certain content is missing or functions does not work properly.
Edward Snowden's revelations in 2013 showed that even the NSA (National Security Agency) created personality profiles based on player data to assess players' behavior in relation to terrorist activities.
Impression and CorrelationID's
ImpressionID' and CorrelationID's are seemingly inconspicuous identifiers that appear in player data sets, but can be globally unique like MAC-Addresses or other hardware identifiers.
But what do these terms actually mean?
Impression data is information that is often used to serve targeted ads and analyze player behavior. This means that the games and programs we use in our daily lives and work with may be watching us more closely than we think. Our preferences, habits, and even our response patterns can be captured and used for marketing purposes without us knowing.
One program that specifically collects and sends impression data is Microsoft Corporation's Game Bar.
An even more worrisome element is CorrelationIDs. These can be used to track user activity across different platforms. While this sounds like a useful feature, it can become a massive privacy violation if collected and used without sufficient transparency or consent. In such cases, players' privacy is put at risk, and it may even violate the General Data Protection Regulation (GDPR), which ensures the protection of personal data in the European Union.
Epic Games, Inc. serves as an example - a unique CorrelationID is in use in every game with the Epic Online Service and accompanying online compulsion with the Unreal Engine.
Terms of use and privacy agreements
If a computer game has only English usage and privacy policies and is available in Germany, the usage and privacy policies must still comply with the applicable German laws and regulations.
If you are from another European country and are reading this article, you can find your competent authority and further information on requirements and contacts on data protection topics in the listing of data protection authorities.
The following applies to Germany: In principle, an English version of the privacy policy and terms of use should not be sufficient, as it is not understandable for most users in Germany and must meet the requirements of the General Data Protection Regulation (GDPR).
According to the GDPR, users in the European Union (including Germany) must be informed about their data protection rights and the use of their data in clear and understandable language. In short, if a game is available in Germany or another EU country, the usage and privacy statements must be provided in the local language or a language that users can understand.
Data leaks and sale of data
The term data leak is defined as the unintentional or unauthorized disclosure of sensitive or confidential information that should not normally be available to the public or specific individuals.
Unfortunately, these leaks or sales of data sets are not uncommon these days. Over and over again, we see headlines of companies being sloppy with customer data, failing to secure databases, or engaging in other shenanigans.
There seems to be little awareness of injustice as in the case of companies like Epic Games, Inc. or Avast, which sold customer information in the hundreds of millions or even stole data from other platforms. An apology and everything is forgotten.
On the consumer side, data leaks are the norm. Whether it's leaked patient data or stolen accounts for gaming platforms.
Rarely is the loss of data worth more than a headline on relevant news portals or a brief excitement. Even less are serious consequences drawn to ensure the security of data or even to reduce the amount of data collected back to a healthy level.
Conclusion: What's gone is gone - data protection in the gaming world
At a time when customers are increasingly relying on their data being handled consciously and responsibly, it happens time and again that this trust is abused. Requests for information or even deletion of data are often rejected, ignored or not answered at all. Responsibility is shifted to others and sometimes even lies are told.
Users should be aware that once data has been entered, it is out of their control. Whether they play a game, watch a video, or visit a website, they are constantly monitored and their data serves as a resource for an industry that legitimizes itself by taking what it wants.
Developers should use data collection and use mechanisms responsibly and adequately inform their customers to ask for their consent. Otherwise, they risk not only legal consequences under the General Data Protection Regulation (GDPR), but also losing the trust and satisfaction of their users.
Despite the strict requirements of the GDPR to protect consumer privacy and rights, both large and small providers often ignore the issue and talk about a "legal risk" if they get caught.
Violations of the GDPR can result in substantial fines that can significantly impact the reputation and financial success of developers. In addition, customers whose data protection rights have been violated can claim damages, which can cause additional costs.
Unfortunately, the penalties and enforcement measures often seem insufficient, and since data protection is the responsibility of individual countries, it becomes a complex problem. Companies based in other European countries often care even less about data protection and the privacy of their customers.
This is unfortunately the reality we have to deal with in today's digital world.