By: Alex D’Aloisio
Though a dedicated rule-breaker has various means of gaining an unfair advantage on any gaming platform, the premier medium for cheating is a personal computer (“PC”). On a PC, a simple Google search followed by a few clicks is all that is needed to turn the average player into an artificially-enhanced nightmare for others. In addition to being the easiest platform to cheat on, PC is also the most popular gaming platform, boasting an estimated 48 percent of global video game consumers, with about 1.5 billion players. This combination of PC popularity with ease of access to cheats presents game developers with a serious problem: how to keep the games they sell fair, fun, and consequentially – profitable.
Many cheaters amounts to an even larger number of non-cheaters having their experience negatively affected; and players who do not have fun do not continue playing. While years ago it may not have been as important for developers to keep consumers playing after they purchased a game, it is now vital for developers to keep them playing so that more microtransactions occur. The bottom line for game developers: cheaters drive players away and are bad for business.
Preserving the competitive integrity of online video games often falls on the shoulders of anti-cheat software. Anti-cheat softwares are designed to prevent players from gaining an unfair advantage when playing a game. To effectively guard against more complex cheats, anti-cheat systems have become more invasive. Some developers have turned to client-side anti-cheat software. Client-side anti-cheat softwares operate in various ways, but are necessarily invasive to some degree because they run on the player’s machine. In an increasing number of cases, software has been designed to operate at the kernel-level in a consumer’s PC. The kernel-level is the most privileged level of a PC; a program running at the kernel-level has virtually complete access to the entire PC system.
While deeply-rooted anti-cheat softwares are adept at preventing many forms of cheating, they can also pose a great security risk. In addition to concerns about the potential damage that a malfunction in the software could cause, data privacy concerns have arisen. Developers have great incentive to keep the details of their anti-cheat methods a secret because cheat developers and recreational hackers can use this information to circumvent the programs. Making the specifics of an anti-cheat software available would essentially provide a roadmap as to how to beat it. As a result, it is not clear to the public what kind of surveillance they are under when these programs are running. Even if consumers do not have a problem with developers having invasive access to their machines, there are still concerns about the consequences if a company utilizing invasive anti-cheat software were to fall victim to a cyber breach. Hypothetically, this could allow a malicious entity substantial access to consumer’s information.
As the legal landscape of data privacy evolves, the future of invasive anti-cheat software is unclear. In the Europe Union (“Eu”), sweeping data privacy legislation exists that seems to limit the reach of client-side anti-cheat programs. The General Data Protection Regulation (“GDPR”) is considered the strictest privacy regulation legislation in the world, and more regulation is likely forthcoming. The GPDR outlines requirements including client consent to having data collected, the right for the client to access that data, and even a right for that data to be “forgotten” upon request, subject to limited exceptions. However, even applying EU law to anti-cheat programs is a thorny task. Facially, EU law seems to restrict client-side anti-cheat methods because they collect personal data, but in practice there has been little legal deterrence of even the most invasive anti-cheat methods. For example, despite user backlash, the highly invasive client-side and kernel-level Vanguard anti-cheat system has not been subjected to any significant legal action.
There is no GDPR equivalent in the United States, and US data privacy law consists of a mixture of various state and federal laws. The closest federal legislation is likely the Computer Fraud and Abuse Act of 1986 (“CFAA”). The CFAA prohibits accessing a computer without authorization or in excess of authorization, though what constitutes a transgression is not well defined. The United States Supreme Court recently indicated that the CFAA’s excess of authorization provision is to be construed narrowly. In Van Buren v. United States, a police officer was paid $5,0000 to access a law enforcement database for personal reasons. The court found no CFAA violation, holding that use of a computer for an improper purpose beyond the scope of authorized access is not barred by the CFAA. Though the ramifications of this holding are not yet clear, one implication is that consumers who authorize a company to have invasive software on their PC may not be protected by the CFAA if this same company accesses their data beyond that authorization.
While the need for data privacy solutions grows greater, United States data privacy legislation is in danger of lagging behind. Some states, led by California who passed the California Consumer Privacy Act in 2018, are taking steps to establish stronger data protection laws. However, as evidenced by the invasive anti-cheat software that operates even under stricter EU law, this sector is complex, secretive, and difficult to effectively regulate. Our legal system has the unenviable task of defending innocent consumers from privacy violations while also supporting the gaming industry in its task to ensure its games are as fair as possible. Until the time comes that anti-cheat technology becomes capable of keeping cheaters at bay without significant privacy risks, privacy is most likely the best policy. Specifically tailored data privacy legislation ensuring that company’s anti-cheat programs have limited access to consumer PCs would best protect millions of players from real-life harm.
Student Bio: Alex D’Aloisio is a second-year law student at Suffolk University Law School and a staffer on the Journal of High Technology Law.
Disclaimer: The views expressed in this blog are the views of the author alone and do not represent the views of JHTL or Suffolk University Law School.
