Skip Navigation

Video Games

Modern video games collect a surprising amount of data, much of which can be used to make psychological inferences about the player. These data can be used for targeted advertising within the game and sold to data brokers to enhance existing profiles of individuals. A frightening recent trend in the video game industry is a move toward mandatory rootkits in PC games, which gain low-level access to a person’s computer under the guise of preventing cheating. Game consoles aren’t any better in terms of data collection, since they have the same problems as smart TVs with the added psychological data collection of video games.

Page Contents

Psychological Data Collection

Video gamers tend to spend quite a lot of time perfecting their skills, to the tune of hundreds to thousands of hours spent playing a single game. Each interaction that a player has with a video game can be recorded, and the sum of these interactions enables the game developer (or a third-party data collector) to glean sensitive information about the person playing. Voice recordings, movements, skill levels, and time spent playing the game can all be directly recorded by the game software itself, and this information is easily associated with the registration data the player is forced to provide in order to access the game. By measuring factors such as times of day at which the game is played, amount of time spent playing per session, and the player’s performance within each session, it is possible to determine the player’s emotional state. By tracking emotional states over time, inferences can be drawn about the player’s personality, mental health, interests, and susceptibility to advertising.1

The sheer quantity of data collected in video games is incredible. By some worldwide metrics, approximately 2 billion people on the planet gaming at any time during a single day yields over 50 terabytes (50 trillion bytes) of data that can be mined and used to build psychological profiles of players.2 Information gleaned from all this data collection could have far-reaching consequences that extend beyond the video game in which the data have been collected, since inferences made from these data could be sold to any company or government interested in purchasing it. One far-reaching example is the social credit system in the People’s Republic of China, which uses the amount of time a person spends gaming as one metric to determine how desirable that person is to society.3

Engineering for Data Collection

Games that utilize biometric sensors or augmented reality present additional threats to privacy. By utilizing biometric sensors that measure heart date and similar data, a game can directly determine when a person is experiencing fear or excitement. This determination can be used to adapt the game experience according to the developer’s wishes.4 Augmented reality games use a device’s camera and location sensors to enable the game content to be superimposed on the real world. Games like Pokémon Go collect these data and enable users to be tracked from location to location. At each location, the user’s actions (such as interacting with a physical advertisement or looking at a restaurant menu) can be measured and reported. Augmented reality games can even be used to map the insides of the users’ homes.5

An even greater threat from any video game is that it can be intentionally designed to coax users into giving up personal information that they would not be willing to share if asked directly (e.g. via a survey).3 Companies can use this tendency of people to share more information in a game for corporate advantage. One common example of this application is gamification, in which mundane tasks are turned into game-like experiences by creating a rewards or points system based on task completion metrics. Large companies such as Amazon are known to use gamification as a strategy for both motivating and controlling their workers. A bad “score” in the “game” results in termination. Similar techniques are employed by insurance companies to try to get people to exercise, lose weight, and quit smoking. Rewards can be given for achievements set by the company, while penalties (in the form of higher premiums or higher deductibles) can be applied for failing to earn enough “points” in a given time period.6

Targeted Advertising

One major use of the data collected by video games is, of course, for targeting advertisements at individuals. The large quantity of data collected can be used to try to get players to purchase both external products (and services) and in-game content.2 A major objective of this targeting is to try to identify so-called whales, or people who are willing to spend a lot of real money on virtual items that otherwise have no intrinsic value, such as virtual items or upgrades.1 However, individuals can also be targeted for out-of-game purchases based on their behavioral data collected by the game.

Targeted advertising has such a high priority in the video game space, especially in mobile gaming, that popular game engines include ad delivery mechanisms as a stated feature.7 Google even tried to patent an algorithm in 2025 that would use data collected from players in real time to select and serve dynamic ads within the game. This patent application was subsequently abandoned before a patent was granted.8

Rootkits

As is the case with any competitive human endeavor, there are some people who cheat in multiplayer video games by employing software that plays the game for them. Video game developers have responded by implementing anti-cheat software that tries to detect cheating players, enabling account bans and other remedial action to be taken. Several major gaming companies have implemented anti-cheat software in the form of a rootkit, which is software that runs within the computer’s operating system kernel and has access to information that is normally denied to regular applications. Gamers who want to play games that contain rootkit implementations of anti-cheat software are forced to install the rootkit in order to be allowed to play.9

These rootkits represent a massive security threat to the computer system and should never be installed (I’d go so far as to make them illegal). Operating system kernels deny regular processes access to privileged system information for a good reason, and rootkits bypass these restrictions, giving the video game low-level hardware access to which it is not otherwise entitled. Even if a rootkit starts out as a benign anti-cheat tool, there is no guarantee that the company producing it (or a successor company, if it is sold) will limit the operation of the rootkit to its original purpose. A frightening example of this situation may be found in the Vanguard rootkit that is required to play League of Legends and other Riot games.10 Riot games was purchased by the Chinese company Tencent in 2015,11 and the United States federal government designated Tencent as a Chinese military supplier in 2025.12 In the event that geopolitical tensions escalate, there will be a great number of American systems that have a Chinese rootkit willfully installed by their users under the premise of preventing cheating. These systems will be vulnerable to outside manipulation in the event of a cyberwarfare situation.

Game Consoles

Game consoles combine the worst privacy threats from both televisions and video games. They have many of the same issues as smart TVs when it comes to basic data collection. For example, Sony Playstation 5 consoles default to a state in which the DualSense microphone is enabled and listening, even when the voice chat feature is not in use. When using Sony’s voice chat capabilities, a recording of at least the prior 5 minutes of conversation is maintained on Sony’s servers, ostensibly for the purpose of responding to harassment complaints.13 Microsoft hasn’t done much better, as evidenced by a $20 million settlement with the Federal Trade Commission for illegally collecting information from children under 13.14 Nintendo engages in data collection as well, both through their social networking app3 and the use of Google Analytics in the Switch eShop.15

Beyond the television-style surveillance capabilities available to the consoles, console developers can also collect the same kinds of behavioral and psychological data that can be collected from PC gamers.1 A major difference between the PC and a console is that the user has more control over the software stack on a PC and could, for example, elect not to install a game with a rootkit. In contrast, the companies selling game consoles could choose to bundle non-removable rootkits into the console’s software stack at the factory or via a mandatory update.

Mitigation

The only way to mitigate the privacy threats from video games is to change your own behavior. Refuse to install, let alone play, any game that requires the installation of a rootkit. Once the rootkit is present on your system, it is always in a running state and can always collect your data, even when you aren’t playing the associated game. Avoiding the rootkits is as simple as choosing alternative games that either use userspace anti-cheat or perform anti-cheat decisions on the server. In the example described above, a mitigation might be to play Dota 2 instead of League of Legends, even though last hitting will be much more difficult.

Avoiding psychological data collection is much more difficult when playing multiplayer games, since these games are (by definition) Internet-connected. Open-source games where the servers are either self-hosted or are run by volunteers are likely to have little or no psychological data collection. For commercial games, do extensive research on what the game collects, how the game collects it, and what opt-out options you have before downloading or purchasing the game. Free-to-play games might be financed through the collection of personal data. However, even paid games might also use personal data collection as an extra revenue stream.

Single player games that are not connected to the Internet are likely the best bet in terms of commercial games. However, if these games are installed and launched via services like Steam, then the service itself can engage in at least some surveillance including launch times, durations of play, and so forth. Note that games acquired via these launcher services might also have their own privacy policies, which you need to read and understand, as they may entitle themselves to collect more data than the distribution platform collects. Games that use Digital Rights Management (DRM) are more likely to require an Internet connection, and are thus more susceptible to data collection, than are DRM-free games. Some vendors, like GOG.com,16 specialize in distributing DRM-free games. However, it is still necessary to review any privacy statements that come with the games themselves, since these games might be collecting data anyway.

Finally, open-source single player (and multiplayer) games can be found using services like Wikipedia.17 These games are less likely to contain surveillance functionality. If you’re willing to play older, retro games from the days before the Internet, systems like DOSBox-X18 and RetroArch19 enable these games to run on modern hardware. As a rule, these older “classic” games do not contain surveillance code, since there was no way to transmit personal information back to the developer in pre-Internet days. Machines were also not really powerful enough to spy on users and still perform their requested functions. For these reasons, “classic” video game consoles from the 1990s and earlier should also be safe.

Notes and References

  1. Jacob Leon Kröger, Philip Raschke, Jessica Percy Campbell, and Stefan Ullrich. “Surveilling the gamers: Privacy impacts of the video game industry.” Entertainment Computing 44: 100537. November 5, 2022. 

  2. Kevin Rands. “How big data is disrupting the gaming industry.” CIO. January 26, 2018. 

  3. Patrick Stafford. “The dangers of in-game data collection.” Polygon. May 9, 2019. 

  4. Brandi Vincent. “This video game knows when you’re scared — and it wants to use that against you.” NBC News. August 26, 2018. 

  5. Cecilia D’Anastasio and Dhruv Mehrotra. “The Creators Of Pokémon Go Mapped The World. Now They’re Mapping You.” Kotaku. October 16, 2019. 

  6. Vincent Gabrielle. “The dark side of gamifying work.” Fast Company. November 1, 2018. 

  7. Grow your mobile app with Unity Ads

  8. Shumeet Baluja. “Using information from user-video game interactions to target advertisements, such as advertisements to be served in video games for example.” United States Patent Application US20070072676A1. September 29, 2005. 

  9. Sidharta F. Rasidi. “Why You Should Be Wary of Kernel-Level Anti-Cheat.” KeenGamer. October 8, 2020. 

  10. Riot Games. /dev/null: Anti-Cheat Kernel Driver

  11. Jon Russell. “Tencent Takes Full Control Of ‘League Of Legends’ Creator Riot Games.” TechCrunch. December 17, 2015. 

  12. Peter Hoskins. “US designates Tencent a Chinese military company.” BBC News. January 7, 2025. 

  13. Peter Cao. “How to Tell if Your PS5 is Spying on You and What You Can Do About It.” SlashGear. September 25, 2022. 

  14. Lesley Fair. $20 million FTC settlement addresses Microsoft Xbox illegal collection of kids’ data: A game changer for COPPA compliance. Federal Trade Commission. June 5, 2023. 

  15. Gavin Lane. “PSA: By Default, Nintendo Now Collects Data Through Google Analytics On Switch eShop (North America).” Nintendo Life. December 3, 2020. 

  16. GOG.com

  17. List of open-source video games.” Wikipedia

  18. DOSBox-X

  19. RetroArch

Televisions

Pervasive Tracking
Voice Assistants
Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.