Cybersecurity in Online Gaming: Why You Are Not as Safe As You Think

Abhimannu Das

Cover-Credits: AFK Gaming

Highlights
Online gaming and its audience form a vulnerable market space that is exposed to the dangers of cybercrime.
In some cases, it is impossible to play games without giving up your biometric data, which can be very risky.
Security concerns about giving up personal information are justified, and we take a look at how you can protect yourself.

Gaming was originally disconnected from data and was a purely single-player experience. But with the advent of esports titles that connect millions of players, developers can now collect substantial amounts of data through in-game behavior or external sources like surveys and feedback in forums. Just like social media platforms and online services, games are no exception to data leaks.

If you slap on factors like anti-cheats that have kernel access, China’s facial recognition and social credit systems, and games like Valorant recording your voice data “to curb toxicity”, online privacy in gaming can be a scary topic. AFK Gaming talked to a data analyst, on the condition of anonymity, who offered their insights based on their experience working in the industry and how gamers can secure themselves online.

Why is cybersecurity so important for a gamer?

Cybersecurity seeks to protect all types of sensitive information, which includes personally identifiable information, protected health information, intellectual property data, and more. You might think that even if your data did get leaked, hackers would get access to your contact information and maybe some gameplay analytics data. What’s the worst that could happen if a hacker had access to your name and date of birth? Well, it turns out that it could have drastic consequences. Your basic personal information could be cross-referenced with other databases that have been compromised, and the next thing you know, your entire personal life is out on the internet and being sold.

When it comes to your gameplay data, it could very well be used to create your psychological profile. In an interview with Polygon, Silent Hill: Shattered Memories writer Sam Barlow talked about how intrusive games can be. The game was released over a decade ago and it altered outcomes and incidents in the game depending on player choices. He told the publication, “I was capturing all this data and then analyzing it later, and it honestly felt like you were spying on someone.”

Esports titles are even more “intrusive” when it comes to collecting player data. Battlefield 2042 is set to include advanced AI (Artificial Intelligence) bots and the devs claim that it will be hard to tell them apart from players. While it remains to be seen how good or bad the bots turn out, the idea could only be conceptualized in the first place based on player behavior. The bots are expected to have the intelligence to decide between engaging with you via enemy fire, flanking, throwing grenades, or even reviving a downed squadmate.

Player personas or personality profiles can be created by developers and the data can be used to improve the AI in games. It is not some high-tech implementation that could lead to the birth of Skynet either. Creating customer profiles in marketing is one of the most common practices. Businesses are essentially able to identify market segments by using data that includes identifiers like demographics, location, hobbies, preferred social media channels, likes/dislikes, credit background, psychographics, and more. Games are no different: they are able to create profiles of their audience and understand their behavior.

Quantic Foundry is a data company that supplies data to clients such as Tencent and Wizards of the Coast. Its founder, Nick Yee, published a study called “The Expression of Personality in World of Warcraft,” highlighting how player models could be created to identify and create personality profiles. According to it, games can identify your personality traits with a certain degree of accuracy. The study collected data for four months and found personality traits coinciding with in-game behavior. For example, extroverted players were more likely to engage in group activities in-game. His study was able to identify and measure traits like extraversion, agreeableness, conscientiousness, emotional stability and openness to experience. The fact that such data could be stolen, cross-referenced, leaked, or sold online and be used for malicious purposes should be concerning to players.

How are security concerns in gaming different from other online services and apps?

What makes gaming different from any other form of social media platform or online service where your data can be leaked? The global online microtransaction market is expected to grow from $33.4 billion in 2020 to $34.59 billion in 2021 at a compound annual growth rate (CAGR) of 3.6%. Almost all esports titles are free to play, with a few exceptions like Overwatch and previously Rocket League, which moved to a free-to-play model last year, five years after its release. These titles are also home to microtransactions, which means that your credit card information, billing information, and personal information are recorded when purchasing items in-game.

This data is typically collected by third-party payment gateways. It is up to the developers to decide which payment service provider to use, and the reliability of these providers can vary. Indian payment gateway Juspay was compromised in the past, with Economic Times reporting "if the hackers can find out the Hash algorithm used to generate the card fingerprint (for credit cards), they will be able to decrypt the masked card number."

Then we have potential concerns about data that is collected by developers. Even if we assume no developer out there will misuse data for unintended purposes or transfer it to third parties, it does not mean that the data cannot be stolen or leaked. Here are some instances of data leaks that have been reported over the past decade:

Addressing potential personal data security concerns

AFK Gaming spoke to a senior data analyst, who currently works at a big pharmaceutical company, and has worked with global data firms in the past. On the condition of anonymity, they gave us some valuable insights on what kind of data is collected, how data can be misused and how safe your data really is.

What kind of data is collected by online games?

Our source revealed that your PC configuration, crash reports, network statistics, game data like load time, and security data for anti-cheat programs are usually tracked by games. They revealed that the risks are lower on consoles due to the closed ecosystem, which prevents a lot of the above-mentioned metrics from being collected by games.

Can developers sell your personal data and should you be concerned?

Reputed developers are highly unlikely to compromise your personal data, and the potential risks of getting caught in the process are not worth it, according to the analyst. They have never seen gaming or non-gaming companies trade data, but while your data is not sold by the developers themselves, it does not mean that they do not buy data from third parties. They stated that Quantic Foundry was one of the bigger players in the data market that supplies data to League of Legends developer Riot Games, which is owned by Tencent. However, this is not personally identifiable information and there is no real reason to be alarmed, according to them.

How risky is giving out your facial or voice data?

Developers are deploying face recognition measures to abide by China’s anti-addiction measures to keep minors from gaming at night. This could be viewed as highly invasive and restrictive of personal freedom. Earlier this year, Valorant developer Riot Games revealed that it would start recording voice comms to curb toxicity. Our source stated that “giving up your voice or facial data is a huge privacy breach. Unless a company can prove that the data can never be traced back, which is highly unlikely. It is not something that should be the norm.”

They added, “while the intent of publishers when using such data is not malicious, the average hacker will not think twice before selling your data. The security of your data is not guaranteed as some of the biggest organizations in the world like Yahoo, LinkedIn and Facebook have been breached. Some of them have been breached on multiple occasions. Even if a publisher removes your data after verification, the data is still being sent to the servers and it could still be stolen, intercepted or leaked before deletion.”

Should there be guidelines enforced globally that are in line with the GDPR in Europe?

The General Data Protection Regulation (GDPR) is a legal framework that sets guidelines for the collection and processing of personal information from individuals who live in the European Union (EU). On being asked if something similar would be beneficial at a global level for gamers, our source said that “companies should explicitly break down and inform players what data is collected and for what purpose. Any form of data collection except raw gameplay stats should be opt-in. The GDPR has been a welcome addition for anyone concerned with privacy but something like that is yet to be implemented globally. Governments should impose strict regulations and require publishers to be more transparent and accountable in case of leaks. Until then, it is up to the players to safeguard their privacy.”

Conclusion: Protecting yourself as a gamer

Using two-factor authentication is strongly suggested for all games. Avoid using the same or similar passwords for multiple games or online services. The analyst also suggests maintaining a separate email for gaming instead of using the same email for school, banking services or work. “Using two-factor authentication goes a long way,” they said. “While password managers can be helpful to memorize your login credentials, popular options like LastPass have been compromised. Using open-source password managers available that do not connect to the internet can be an option but it’s just best to remember all of your login credentials.”

They went on to add that, “keeping your online credentials safe also involves not clicking on suspicious links that can bait you into giving up your login details. The suspicious email trying to give you free V-bucks in Fortnite is not legit, so please do yourself a favor and keep your information safe.”

Are kernel-level anti-cheats something to be concerned about? Or does the average gamer blow things out of proportion?

The analyst states that “kernel-level access essentially means giving the anti-cheat the ability to delve into the core of your operating system. For the longest time cheating software booted with your system and was undetectable after your system fully booted up, making it nearly impossible for anti-cheat programs to detect. This led to games opting for kernel-level anti-cheat software.

With Windows 11, Kernel Data Protection is being added which should alleviate some security concerns. While the OS is not mainstream yet, all I can say without using technical terms is that players will need to be less concerned about their data in the future whether it’s from hackers or the developers themselves. But currently, kernel-level attacks can easily compromise all player data. Modern anti-cheats are unlikely to be compromised and games from reputed publishers should generally be safe. However, players should be wary when letting anti-cheat programs get installed from less reputed publishers.”


Abhimannu is a PC esports writer at AFK Gaming. With over seven years of experience in esports journalism, he has worked on a myriad of games and their ecosystems including Valorant, Overwatch and Apex Legends.