The Race for Data: Consumer Privacy in a Red Shell

Mario Kart hasn’t outsold the standard Mario formula, but it has been the most successful adaptation of the characters. The lack of multiplayer wasn’t a big deal for games on the original 80’s Nintendo Entertainment System; just running to the right and jumping on boxes was good enough. As demand for multiplayer games grew, Mario Kart proved to be one of Nintendo’s best ideas. Racing games don’t need a lot of explanation, and getting to steer your favorite characters to the finish line made for hours of fun for family game night, birthday parties, and college dorms. Nintendo also made their fun additions to their racing game easy to understand: banana peels make your opponents lose control and crash, mushrooms provide a speed boost to help you catch up (especially useful after a crash), and getting hit by a turtle shell the size of your kart is never good. The weaponized shells come in a few colors, but the red shell was particularly powerful because it follows its target’s movements, making it nearly impossible to dodge.

So, when the minds of marketing, data science, and software development came together to create a way to track gameplay data and correlate it to advertising for each unique player, a popular video game weapon that followed a target seemed like a good fit for the name of the product. Maybe a representative from customer relations or ethics would have raised a concern about naming a product after something aggressive and destructive. That kind of name raises a red flag for some people—and it raises two red flags if it also shares the name with a known malicious virus. Unfortunately, it fell to the players to explain that secretly targeting customers to collect data is an unpopular choice.

 

Red Shell Discovered

Earlier this year, a few Steam users discovered a tracking program hidden inside some game software. The tracking program was called Red Shell. I have not found any indication that users were informed (at least explicitly) of the presence of this tracking software within the games that consumers purchased, downloaded, and installed. The stated purpose of Red Shell is to track user data that can be matched with marketing data to optimize marketing strategies. Despite the fact that the data collected from a user is called a “fingerprint,” developer Innervate is on record as believing that the clandestine program, which does not allow opt-in (or even opt-out) decisions, is GDPR compliant because it does not collect personally identifying information, just a broad mass of data associated with a user.

Software companies got a different kind of marketing feedback as outraged customers spoke out on forums and social media, attacked games with negative reviews, and called for boycotts against the offending games. I did not find any evidence that Red Shell is harmful or pernicious in any way, and most users seem to agree with that assessment. But actual, or even potential, harm does not seem to be the problem. Rather, the issue seems to be that the customers feel betrayed, deceived, and… well… played.

 

Lessons from the Wreckage

In Mario Kart, red shells cause your opponents to crash. In June of this year, the program Red Shell caused player trust to crash. Red Shell may be GDPR compliant, but the scandal now serves as an example of why mere technical compliance is not always enough.

I think Red Shell would have enjoyed reasonable success if players were given the choice to opt in. Other companies use clear, voluntary methods to collect data from users—from surveys to system scans. I understand the appeal of “having all of the data,” and the appeal of letting computers do the bulk of the gathering and processing automatically. The efficiency and scale would be hard to match – computers often outperform humans in efficiency, speed, and scale. But computers don’t understand the values of trust, preferences, and autonomy.

Innervate lost sight of the real, ultimate reason for gathering player data in the first place: to improve a developer’s bottom line through a better understanding of the player. By failing to connect empathy with the notion of “understanding,” they overlooked what they were losing in exchange for the increased efficiency and scale of their product. The effort to understand brand loyalty undermined the trust and loyalty to the brand. Data that is properly collected and carefully understood in the right context can be a powerful tool for better products and better service. But taking a shortcut around your goals to try to achieve them is just driving faster with no sense of direction.

 

Red Shell Takeaways:

ALWAYS remember that data is not an end in itself; think about WHY you want data.

Other things matter besides the data you think you need; consider the competing values.

Consider ways to get data that don’t interfere with other goals. Consider ways to get to your goals that don’t rely on the data you are chasing.

Don’t lose sight of your larger goals/objectives during your search for data; don’t let your race for data undermine your quest for success.

Evil Vines Choking Out Unenumerated Protections (An Afterthought on Legislating for Changing Technologies)

Legislation always faces a problem of enforcement. That problem can take many shapes: lower courts or police may refuse to enforce the law, citizens may refuse to obey the law en masse, or crafty schemers may look for loopholes and technicalities so they effectively break the law without penalty. There are multiple laws, cases, opinions, and all other legal indications that children merit special and particular protection online and in digital interactions. However, there is no law specifically forbidding inflicting digital violence on a child’s avatar in a game until the child pays non-digital money, and I’m almost surprised it took so long for someone to find that opportunity. I think Penny Arcade misunderstands the problem. The problem is that all of those legal efforts to protect children could never cover every possible way that someone might try to exploit a child in a digital setting. When someone wants to exploit people for money, they only worry about the law in three ways: not getting caught, not getting tried, and not getting convicted.

This kind of example raises concerns not just in the video game industry, but across industries affected by the new General Data Protection Regulation. It would be unfairly cynical to even hypothesize that every company is nefarious, of course. A good many companies have a genuine desire to uphold the GDPR rights of their users, and their task is to work toward official compliance with the GDPR requirements; a few will even go beyond that minimum and take further measures for privacy and security. Notwithstanding, some controllers and processors still want to exploit their users, and their task is now to figure out how to sneak over, around, or through the GDPR.

 

In Both Overcooked And The GDPR, Execution Matters More Than Ingredients

I deliberately avoided playing Overcooked for a long time because so many reviews joked about the fights it causes with friends. Now that I’ve played it, I barely understand why it’s such a divisive experience for so many people. The game is charming and delightfully fun. Players work together in kitchens filled with obstacles (food and tables often move during the round, forcing players to adapt) to prepare ingredients and assemble meals for a hungry restaurant, though the diners are sometimes floating on lava floes and sometimes… the diners are penguins. The game is about coordinating and communicating as you adapt to changes within the kitchen. Maybe the reason so many people throw rage fits during this game is that they are not good at coordinating an effort and communicating effectively. In any case, the game isn’t about food so much as it’s about kitchens (especially in restaurants). So the game doesn’t focus so much on the ingredients as it teaches the importance of working together in chaotic situations.

People are focusing a lot on the ingredients of the new EU data privacy law, particularly the consumer protection rights enumerated in it. However, there is very little talk about the bulk of the law, which is aimed at the effort to coordinate the enforcement and monitoring mechanisms that will try to secure those consumer rights. The rights listed in the GDPR are great ingredients, but as Overcooked teaches, it takes both execution and ingredients to make a good meal.

Supervisory Authority: How We Get From Ingredients to Meal

I’ve read a lot of articles about the General Data Protection Regulation, and I notice two common points in almost all of them: 1) the GDPR lists data privacy rights for consumers, 2) this is a positive thing for consumers. However, after reading the entire law, I think this is a gross oversimplification. The most obvious point that should be added is the overwhelming portion of the statute that is devoted to discussing “Supervisory Authorities.” The GDPR may list a lot of consumer rights, but it also specifically details how these rights are to be enforced and maintained. This law prescribes a coordinated effort between controllers, processors, supervisory authorities, and the EU Board.

As described in Article 51(1), a supervisory authority is a public authority “responsible for monitoring the application of this Regulation, in order to protect the fundamental rights and freedoms” that the GDPR lists. Each member of the EU is required to “provide for” such an authority. I can only speculate that this would look like a small, specialized government agency or board. This supervisory authority is required to work with the various companies that hold and process data (“controllers” and “processors” in the GDPR) to ensure compliance and security. The supervisory authority is responsible for certifications, codes of conduct, answering and investigating consumer complaints, monitoring data breaches, and other components of a comprehensive data privacy program. The supervisory authority must be constantly and actively ensuring that the rights in the GDPR are made real.

If the supervisory authority can’t coordinate the effort with the controllers and processors, the rights in the GDPR are just delicious ingredients that were forgotten about and burned up on the stove.