The GamesCon is taking place in Cologne. We were present at the first day in order to participate in a discussion about data protection in online games. Discussion partners were Konstantin Ewald, a lawyer and blogger (Online. Spiele. Recht) and Ulrich Lepper, North Rhine-Westphalia’s Commissioner for Data Protection and Freedom of Information.
Online gaming is tied to user accounts and personal data. It is linked with targeted advertising. Since the Sownage series of attacks the issue has arrived in the mainstream media. There is no need to name Sony or any other company as a culprit, or to shift the blame around. Just as web applications, the world of online games is complex by itself. Hardening your infrastructure is fine, but this is only a part of the story. There are other components such as browsers (or other client software) of the gamers themselves, their computers/phones/tablets and secondary/tertiary systems (web mail, portal accounts, …) involved. Most „drive-by“ attacks use a cascade of compromised accounts or systems. Some access information might also be skimmed by malware on zombie systems since there’s a black market for virtual currencies and goods.
Apart from the infrastructure there is the problem of trust. Mr Lepper suggested that companies should start to recognise „trust“ as an asset that can be sold as bonus. The problem arises in the international access to the Internet. German and European data protection laws are very strict. Selling trust is hard if you don’t need this added bonus in other parts of the world. The barriers for activating an account and starting game play is designed to be as low as possible. Once you start to complicate this process in one country, you are at a disadvantage, remarked Mr Ewald. There is no easy way out, and so we will probably see more compromises in the future.
However some online game operators try to improve the security by dedicating staff to handle abuse and support notifications, and by incorporating the players themselves. It’s s start.