Privacy Advisor

Will Kinect 2.0 and COPPA Play Well Together?

September 18, 2013

By David Tashroudian

The age of the Internet of Things is upon us. Interconnected devices that gather, aggregate and transmit personal information autonomously are pervasive throughout households. Your next-generation gaming console is one such device. The Kinect 2.0—which ships this fall with Microsoft’s Xbox One gaming console—has the unprecedented ability to recognize faces, track a user’s position in space, observe vital signs and relay this information to Microsoft and others. Although this technology enhances gameplay and user experience, the costs are great.

Namely, the costs are paid by sacrificing a user’s privacy. Gone are the days when parents could passively allow their children to play the latest iteration of Super Mario with little supervision. Rather, the Xbox One and Kinect 2.0 have heralded the unprecedented need for constant monitoring of how much personal information consumers are willing to sacrifice for enhanced gameplay.

The challenges presented by the Xbox One and Kinect 2.0 to gamers’ privacy are at least twofold. One, young gamers—under 13 years of age—are at great risk of having their personal information shared without their parents’ consent. And two, the risk of the Kinect 2.0 being hacked and commandeered by third parties compromises the secrecy and sanctity of household conversations.

To fully understand the privacy implications of this new technology, a basic understanding of what the Xbox One and Kinect 2.0 are and can do is necessary.

What Are the Xbox One and Kinect 2.0?

The Xbox One is an eighth-generation video gaming console touted by Microsoft as an all-in-one entertainment system. Microsoft seeks to have the Xbox One be the focal point of home entertainment systems by allowing the console to link to existing set-top cable boxes and a user’s computer media library. The Kinect 2.0, for its part, is seamlessly integrated into many Xbox One functions.

According to Microsoft, the Kinect 2.0 peripheral will allow users to operate the Xbox One with voice commands and hand gestures. In order to allow for this functionality, the Kinect 2.0 will be “always-on,” sitting in a dormant observation state waiting for user commands. Kinect 2.0 functionality will surely be incorporated into many Xbox One video game titles to enhance user experience.

Privacy Risks to Young Gamers—Compliance with the Amended COPPA Rule

The recently amended COPPA rule requires operators of websites or online services directed to children to obtain parental consent when collecting personal information from a child under the age of 13. Network-connected video games may fall under the ambit of the COPPA Rule if the game collects personal information and uses that information for commercial purposes such as in-game or online advertising.

Games subject to the amended COPPA rule share a common archetype. One, the game is directed to children by employing a child celebrity or popular children’s cartoon characters. Two, the game has an online component which allows the child-user to enjoy either a multiplayer experience or upload content to a related website. Three, the game collects personal information such as a child’s picture taken with the Kinect 2.0. As an aside, under the amended COPPA rule, a child’s picture is now considered personal information regardless of whether the picture is accompanied by any other identifying information, partly because of the very technology that allows for facial recognition by the Kinect 2.0. And four, the game commercially exploits the personal information by either supplying targeted in-game advertisements or using user content on a related website to attract visitors who are delivered targeted advertisements.

Although a child user’s privacy may be protected by obtaining the requisite parental consent, the Xbox One creates new consent challenges. Say, for example, a child whose parents have consented to a game subject to the amended COPPA rule invites her friend over, and both play the game. If the game uses the Kinect 2.0 to collect and exploit the personal information of the consenting user and the friend, the friend’s privacy is at risk precisely because her parents have not consented. This problem is particularly acute because the Kinect 2.0 collects information from everyone in the room. And unless the game can discern from the information collected by the Kinect 2.0 exactly which user is providing personal information—and whether that user has the requisite parental consent—then there is a violation of the COPPA rule.

One way for Microsoft and game developers to assuage the fear of rampant COPPA rule violations is to require users to sign in to a Microsoft-maintained profile that verifies a user by using some sort of Kinect 2.0-observable biometric. The user profile would be accessible on different consoles and would record exactly which titles a user’s parent has consented to. This way, no matter what console a child uses, he or she can log in to his or her profile and divulge information only to a handful of preapproved games. And games where the child does not have permission to share personal information will recognize this fact and not allow the user to participate in those aspects of the game.
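
The consent check this proposal implies, sketched as an added example (not Microsoft's or any game's code): each person the sensor observes is matched to a profile, and data is released to a title only where that profile permits it, with unrecognized people denied by default. The profile fields, title identifiers and function names are hypothetical, and treating users 13 and over as outside the gate is an assumption.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass(frozen=True)
class Profile:  # hypothetical profile record, not a real Xbox structure
    profile_id: str
    under_13: bool
    consented_titles: frozenset = field(default_factory=frozenset)  # parent-approved titles

@dataclass(frozen=True)
class Observation:
    """One person seen by the sensor in a frame (constructed sample data)."""
    body_index: int
    profile_id: Optional[str]  # None: the biometric matched no signed-in profile
    payload: dict              # stand-in for a photo crop or voice clip

def may_collect(profile: Optional[Profile], title_id: str) -> bool:
    # Default deny: an unrecognized person may be a child without consent.
    if profile is None:
        return False
    if not profile.under_13:   # assumption: parental consent applies only under 13
        return True
    return title_id in profile.consented_titles

def gate_frame(observations, profiles, title_id):
    """Return (observations the title may receive, body indexes withheld)."""
    released, withheld = [], []
    for obs in observations:
        profile = profiles.get(obs.profile_id) if obs.profile_id else None
        if may_collect(profile, title_id):
            released.append(obs)
        else:
            withheld.append(obs.body_index)
    return released, withheld

# Constructed scenario from the article: a consenting child, her visiting
# friend, an unrecognized visitor and a parent, all in view of the sensor.
PROFILES = {
    "host-child": Profile("host-child", True, frozenset({"title-A"})),
    "friend": Profile("friend", True),   # has a profile, no consent for title-A
    "parent": Profile("parent", False),
}
FRAME = [
    Observation(0, "host-child", {"photo": "crop0"}),
    Observation(1, "friend", {"photo": "crop1"}),
    Observation(2, None, {"photo": "crop2"}),
    Observation(3, "parent", {"photo": "crop3"}),
]

if __name__ == "__main__":
    released, withheld = gate_frame(FRAME, PROFILES, "title-A")
    print([o.body_index for o in released], withheld)
```

The gate runs per observed person rather than per signed-in account, which is what the visiting-friend scenario requires.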

Kinect 2.0’s “Always-On” Feature and Hackers

A basic Internet search reveals how simple it is for hackers to install malware on a user’s machine to commandeer the machine’s web camera and microphone. The same process could be used by hackers to gain control of the Kinect 2.0 and eavesdrop on household conversations—or worse, to surreptitiously video-record the user in her home.

This problem is compounded by the fact that the Kinect 2.0 is always on and ready to observe. Thus, the peripheral has the potential to observe and monitor at all times—giving hackers unfettered access to a user’s home. And the push for access to free Wi-Fi internet in major cities over unsecured networks gives hackers ample opportunity to sniff out and control unsuspecting users’ machines.

The security and integrity of the Kinect 2.0 should be paramount. One way for Microsoft to protect against hacking is to employ technical protections—such as firewalls and malicious software detection protocols. The Kinect 2.0 should come packaged with some sort of dedicated firewall to protect it from being hacked, even if the Xbox One the peripheral is connected to is compromised. In addition, Microsoft should either package the Xbox One with malware detection software or systematically update the console’s software to ensure all bugs are fixed and all back doors are closed.

In sum, the Xbox One and Kinect 2.0 have the potential to revolutionize both gaming and the way we interact in our living rooms. The privacy implications of such a revolution, though, should be thought out first. And if they are thought out thoroughly, policies that protect privacy will surely make the revolution easier for us all to embrace.

David Tashroudian is an attorney in Los Angeles, CA, practicing intellectual property litigation and privacy counseling.