This article is the first of two parts. Part one outlines the nature, scope, and uses of various forms of data collection in video games. Part two surveys the U.S. legal landscape regulating data privacy in video games.
“The Biggest Online Security Breach Ever”
On April 17, 2011, an unidentified group of hackers executed one of the most sophisticated and extensive data security breaches in history. The hackers targeted the multinational technology conglomerate SONY. Over several weeks, SONY revealed that hackers accessed the personal information of over 100 million users. This information included names, addresses, passwords, security answers, e-mails, birthdays, purchase histories, and possibly even credit card details and bank account information.
In 2013, the United Kingdom’s Information Commissioner’s Office fined SONY £250,000 under the Data Protection Act for its wholly inadequate security measures, stating that the hack “could have been prevented.” This incident ultimately cost SONY ¥14 billion Yen, approximately $125 million USD, to cover identity theft insurance for its users, improvements to its security systems, customer support, and investigations into the breach. After numerous class action lawsuits across multiple countries, the company reached a preliminary settlement by offering users roughly $15 million USD in digital merchandise.
The unprecedented breach occurred over an online video game network.
Today, the video game industry has extended into every demographic and medium, becoming available on game consoles, desktop computers, and mobile phones. In 2020, organizations estimated that the video game industry generated roughly $175 billion worldwide – a figure that will surge to nearly $218 billion in 2023. With the advent of online gaming, many video games have evolved into “games as a service”. Rather than merely developing, producing, and releasing a game as a complete and fully packaged product, developers are using online games as an ongoing vehicle to collect and store player data. This data-driven approach may increase player retention, as well as introduce dynamic gameplay features. Critics, however, note the deleterious effect of in-game surveillance on game design, as well as its potential misuse to exploit players into senseless gameplay loops.
There are three major categories of data collected by video game developers: behavioural data, social data, and biometric data. Alongside the recent emergence of augmented reality technology in mobile phone games, developers have also started to collect players’ geolocation data.
Behavioural data, otherwise known as “in-game telemetry”, encompasses players’ virtual responses to stimuli within the game world. This type of data tracks a player’s in-game identity and how they choose to proceed through a game. For instance, behavioural data includes players’ movements, virtual purchases, the amount of time they spend on particular tasks, and how they interact with the game’s characters and user interface.
Since the number of registered players in some video games may exceed the populations of most countries, game developers are able to collect an ever-expanding amount of player data. Active users in some triple-A multiplayer titles, for example, generate approximately a terabyte of behavioural data each day.
Similar to online networking platforms such as Facebook, modern video game consoles track users’ social activities, game preferences, and the amount of time they spend on particular games. The console assembles this information to build a public gamer profile. Beginning with Microsoft’s Xbox 360 in 2005, players could also unlock in-game achievements while progressing through a game. The Xbox 360 aggregated achievement points across multiple games as a “gamerscore” under a single user profile, which players could proudly display online.
Console gamers can also integrate their gamer profiles with their real-world identities on social media platforms. Some console systems, such as the virtual reality headgear Oculus Quest, require users to do so. After Facebook acquired Oculus in 2014, the company announced in 2020 that users needed a Facebook account to access their newest VR device, the Quest 2. Users retain some control over this integration, such as whether other Quest users could discover their real names through Facebook and whether Facebook acquaintances could view their VR activities. However, Oculus developers gained access to facets of a user’s real-world identity through Facebook, such as events they organize on the platform, photos, comments, groups they join, and Pages they like. Both Oculus and Facebook use these insights to personalize user content on their respective platforms.
Uses for Behavioural and Social Data
Behavioural and social data help the video game industry deliver more engaging and interactive games. For instance, game developers have integrated a player’s in-game personalities into unique gameplay mechanics. In the 2009 survival horror game Silent Hill: Shattered Memories, an in-game system keeps track of the player’s psych profile based on their decisions and actions. For example, the game classifies players as “apathetic” if they are often distracted from the task at hand and frequently examine mundane objects in the game, such as virtual movie posters. A player’s psych profile affects their character’s appearance and how they interact with other in-game characters, as well as the game’s plot, themes, and ending.
Behavioural and social data also help game developers adjust certain game properties, such as glitches and overly challenging or lacklustre level designs. For example, the developers of the popular mobile game Candy Crush Saga observed that a disproportionate number of players abandoned the game at a particular level. After the developers identified and removed a single out-of-place element in the level that inhibited progress, players flocked back to the game.
Game developers may also collect behavioural and social data as a source of revenue for their games. Publishers may sell player data to third parties, such as marketers or social media platforms. In 2018, researchers from Oxford examined over 950,000 phone applications in the Google Play Store and concluded that the median developer shares an individual’s data with ten third parties. Over 90 percent of analyzed applications included at least one third-party tracker.
Alternatively, free-to-play games often feature dynamic in-game advertising. Analysts forecast that, by 2024, the market for mobile phone in-game advertisements will be worth roughly $11 billion USD. This figure ballooned over the past year as users on average spent more time on mobile devices during COVID-19 lockdowns. In 2005, Google even attempted to patent an in-game advertising system that analyzed players’ behaviour, interests, and actions to deliver ads that target their psychological profile. The patent disclosure provides an example of how this technology would apply in the context of a racing game. In particular, the in-game advertisement system could analyze the player’s driving habits, such as whether they are aggressive or risk-averse, to place a commercial of a car that would suit their preferences.
Free-to-play games also generally allow players to purchase virtual items or services with real-world currencies, a feature known as “microtransactions”. The company Activision, for instance, generated $3.36 billion U.S. from microtransactions in 2019, which comprised approximately 53% of its total annual revenue. As a result, mobile game developers will often employ propensity modeling techniques on players’ virtual spending habits to identify and target players who are more likely to spend money on their games.
Furthermore, game developers have collected player analytics to prevent users from committing fraud or exploiting their games. For example, researchers have applied machine learning techniques to distinguish between the movement trajectories of human players and computer-controlled, automated “game bots” which merely simulate human behaviour. However, video game anti-cheat software has garnered controversy as a potential privacy risk. Players labelled the anti-cheat program from Valorant, for instance, as intrusive after they discovered that the program ran in the background of desktops at all times, monitoring other processes even when the game was not running.
Through various sensors and observation equipment, consoles can measure users’ physiological and emotional responses to gameplay as biometric data. Biometric data may come from electroencephalograms, which measure brain activity, as well as devices that quantify emotional arousal through the galvanic skin response. Game developers can also derive less obtrusive forms of biometric data. In particular, developers can track eye movements through infrared cameras, record a player’s voice, employ facial recognition software, and monitor a user’s heart rate using an electrocardiography device.
Uses for Biometric Data
Biometric data is particularly useful during the game development process. Game developers traditionally appraise their games prior to release by asking playtesters to verbalize their opinions on a game while playing it. However, this method compels playtesters to divide their concentration between playing the game and providing feedback to the developers. On the other hand, biometric data helps playertesters provide standardized, precise, and uninterrupted reactions.
Developers can also integrate a user’s physiological responses into unique forms of gameplay. For example, the puzzle horror game Bring to Light adjusts players’ in-game experiences in real time based on their heart rate. If the player has a normal heart rate, the game will increase the frequency and intensity of scares. Additionally, the game NBA 2K14 incorporated biometric data to introduce immersion and address the issue of player-to-player harassment over voice communications. While challenging another player in a virtual court, NBA 2K14 issued “technical fouls” to players if the game detected that they used excessive amounts of profanity. Developers have also promoted immersion in games by using artificial intelligence to reconstruct users’ 2D photos of themselves into photorealistic 3D playable characters within the game.
Lastly, video game companies have used biometric data in games that promote health and wellness. GainPlay studio, for example, created the game MindLight to help children manage anxiety-related symptoms. In Mindlight, players use a headset that measures brainwaves to control the game’s environment. To progress through the game, players must employ various mindfulness and relaxation techniques to remain calm. A Canadian researcher, Isabela Granic, explained that Mindlight was “as effective in reducing anxiety as cognitive behaviour therapy, the gold standard psychotherapy. But it did it in half the time and one-tenth the cost.” Similarly, one of the best-selling games of 2008, Wii Fit, measured a user’s body mass and movement data over time to provide fun player-tailored workouts and weight-management goals.
Consoles and mobile phone applications can track players’ locations through a mixture of Wi-FI, mobile cell tower triangulation, and GPS. Based on this geolocation data, developers can discern information such as the duration players spend at particular locations, the distance players travel, and even the amount of calories a user may expend during a play session. According to an investigation by Kotaku, some mobile phone applications may collect and store geolocation information up to thirteen times per minute. Viewed as a whole, this geolocation data may generate an accurate portrait of a player’s daily routines, such as their home address, place of employment, and other recreational hotspots.
Uses for Geolocation Data: Augmented Reality Games and Pokemon Go
Developers are beginning to use geolocation data in new forms of augmented reality games. Augmented reality technology superimposes digital information onto the physical world through a user-operated device, such as a headset or mobile phone. The device captures information from the real world through cameras, sensors, or microphones, and sends it to a computer network. The computer network subsequently alters this information and returns it to the user’s device. In an instant, the digital information will appear on the user’s device as if it were a real and tangible object. For example, the Dulux mobile application helps users select a colour of paint for their rooms through a digital paint catalogue. The application uses the phone’s camera to view a desired coat of paint and imposes virtual colours onto the walls of a real room.
In 2016, a small startup company named Niantic brought augmented reality technology to the mainstream spotlight through the international phenomenon Pokemon GO. Pokemon GO is a free-to-play mobile phone game where users collect virtual cartoon creatures, otherwise known as “Pokemon”, in the real world. Pokemon GO relays a player’s geolocation data to Niantic’s online network, which places various Pokemon near the player to collect. The player’s physical surroundings are represented by an in-game map overlay on their phones, which is derived from a GPS program called “Open Street Map”. Players must travel to these predetermined locations to interact with Pokemon on their mobile phones. As users travel to different locations in the real world, their virtual avatar moves with them on the in-game map. When players interact with Pokemon on their phones, the application places an animated virtual image of the Pokemon through the phone’s camera onto players’ screens. As a result, the Pokemon appears as though it existed in the real world.
Pokemon Go was a viral success. In its first two days of release, the game boasted as many active daily users as Twitter, accruing over 550 million total downloads after three months. Over the past two years, roughly six million users play Pokemon Go each day. Niantic also reportedly earned over $5 billion U.S. as of 2021 on Pokemon Go through in-game purchases. Eager to follow in the wake of Pokemon Go’s success, tech companies began developing their own augmented reality devices. A year after Niantic released Pokemon Go, companies like Intel and Google doubled the size of their augmented reality teams.
In part two of this article, we will break down some of the U.S. federal laws applicable to video game data collection.