The privacy policies and practices of online games contain dark design patterns that could be deceptive, misleading, or coercive to users, says a study, revealing potentially questionable data collection practices of online game providers.

Gaming is a $193 billion industry — nearly double the size of the film and music industries combined — and there are around three billion gamers worldwide.

The new study, by scientists at Finland-based Aalto University, reveals misconceptions and concerns about privacy among players.

“We had two supporting lines of inquiry in this study: what players think about games, and what games are really up to with respect to privacy,’ said Janne Lindqvist, associate professor of computer science at Aalto.

It was really surprising for study authors how nuanced the considerations of gamers were.

“For example, participants said that to protect their privacy, they would avoid using voice chat in games unless it was absolutely necessary. Our game analysis revealed that some games try to nudge people to reveal their online identities by offering things like virtual rewards,” said Lindqvist in a paper published in the journal Proceedings of the ACM on Human-Computer Interaction.

The authors identified instances of games using dark design-interface decisions that manipulate users into doing something they otherwise wouldn’t. These could facilitate the collection of player data and encourage players to integrate their social media accounts or allow data sharing with third parties.

Buy Me A Coffee
READ
Microsoft Alerts on China-Based Quad7 Botnet Targeting SOHO Routers for Credential Theft

“When social media accounts are linked to games, players generally can’t know what access the games have to these accounts or what information they receive,” said Amel Bourdoucen, doctoral researcher in usable security at Aalto.

For example, in some popular games, users can log in with (or link to) their social media accounts, but these games may not specify what data is collected through such integration. “Data handling practices of games are often hidden behind legal jargon in privacy policies,” said Bourdoucen.

When users’ data are collected, games should make sure the players understand and consent to what is being collected.

“This can increase the player’s awareness and sense of control in games. Gaming companies should also protect players’ privacy and keep them safe while playing online,” the authors wrote.

According to the study, participants were often unaware that their chat-based conversations might be disclosed to third parties. Games also didn’t notify players of data sharing during the game.

The study showed that players are aware of the risks, and it highlights several mitigation tactics used by players.

“Games really should be fun and safe for everybody, and they should support the player’s autonomy. One way of supporting autonomy would be able to let players opt-out from invasive data collection,” said Lindqvist.