An Invasion Of Privacy Policy?

I live in a strange and naive world, one where a man can drink water straight out of the faucet, where it is assumed that fellow drivers populating the genius of Eisenhower's interstate highway systems understand the fundamental rules of driving, and where a corporation publishes its Privacy Policy to explain how your sensitive information is respected and protected. One might call it a fairy tale land of such delusional fiction as to be ridiculed and beat up for its lunch money, which is why the recent story from the consistently outstanding Dubious Quality regarding Electronic Arts' Privacy Policy as it relates to those playing EA Games over Xbox Live was not entirely unlike being punched in the stomach. As I read it, Electronic Arts takes the Privacy Policy position that by playing EA games online you are actively authorizing Electronic Arts to extract whatever data it deems pertinent from your system and from Microsoft's Xbox Live customer database. Further, this sharing of customer information seems to happen without any effort to make the casual user aware that a stream of tiny, data-fat bits full of juicy private information is issuing forth through the online ether into the waiting and hungry servers at Electronic Arts.

Which is all to say that, if you've ever played an Electronic Arts game over Xbox Live, EA may already have your email address, phone number, birth date, and credit card information filed away without you even knowing it.

{Edit: Tuesday, August 22, 2006 - Electronic Arts responded to this article and my inquiries, with important clarifications of their policies. Read their response: Here}

Here is what EA has to say on the matter by way of their ironically named Privacy Policy:

If you sign up to play EA games through Microsoft's Xbox Live Service, Microsoft will provide your Xbox Live user account information to EA so that we can establish an EA Online account for you. You need an EA Online account to play EA's Xbox Live titles. By signing up to play EA's Xbox Live titles, you agree that Microsoft can transfer your user account information to EA.

Information collected will vary depending upon the activity and may include your name, e-mail address, phone number, mobile number, home address, birth date and credit card information. In addition, we may collect demographic information such as gender, zip code, information about your computer, hardware, software, platform, media, Internet IP address and connection, information about online activity such as feature usage, game play statistics and scores, user rankings and click paths and other data that you may provide in surveys or online profiles, for instance. We may combine demographic information with personal information.

As I read the referenced quote, it is the policy of Electronic Arts to create an EA Online account for you when you log onto an EA game through Xbox Live, and by creating the account they are granting themselves the authority to retrieve your private credit card information and much more from Microsoft in the process.

This mention of EA Online as being something to which I am registered seemed odd, as I don't recall having seen the brand EA Online associated with my Xbox Live gaming experience in the past, and certainly don't recall authorizing or even being made aware that an account was being made with EA Online on my behalf. I suppose it's possible that at some point over the years I played an EA game where it was made at least vaguely clear to me that I was registering with EA Online, but they've certainly not made a point since of reminding me that my playing EA games online represents my membership in something called EA Online or that I've authorized the extraction of private information such as my phone or VISA card number. To verify this, I fired up my copy of NCAA Football 2007, and hunted high and low within the game, in the provided instruction manual, or on the retail box for any mention of EA Online or the necessity of having such an account for Xbox Live play. As far as I could tell, the EA Online brand is not mentioned even once, nor, certainly, the rights you will relinquish by playing.

Whether Electronic Arts is actually gathering credit card numbers, demographic information, click paths, birthdates, or any of the other multitude of chocolate covered data nuggets at their disposal when you actually log onto an EA Online game is not entirely clear. That is why I contacted their provided email address at [email protected], identified myself and expressed my interest in clearing up any possible confusion for our readers. I was certain Electronic Arts would want to elaborate on the important and well-intentioned methods they employ in protecting sensitive customer information, which must be why they contacted me immediately with a clear and detailed response that reasonably explained their lusty needs for such comprehensive data. Also, they sent me flowers and candies, and invited me to the prom.

Unfortunately, those last two sentences are entirely false. What they actually did was not respond to me in any fashion. Not a "˜no comment', a "˜piss-off', a "˜we don't like you in that way', or even a callous and terse form letter that answered a question seven degrees removed from the ones I actually asked. So, after a week of stony silence, I pressed on and contacted a Corporate Communications Manager at EA for clarification on precisely what information they are gathering on their customers and for what purpose. Again, I received no response at all.

This seemed odd. After all, Electronic Arts had, not six months prior, given us excellent access and coverage at E3, with a PR staff that was keenly interested in our site, our community, and what we thought of Command and Conquer 3. But faced with questions about privacy policies, and credit card numbers, all of our contacts and sources were suddenly very very quiet.

I tried Microsoft next, beginning with researching their privacy policy statement, which is much more with the warm fuzzies and offers a distinct sense that they are very concerned about making certain your private information is kept secure and used only for the forces of good. There's lots of talk about opting out, and blocking the transmission of information from your Xbox, leading one to the impression that here is a company far more interested in at least offering artificial platitudes about privacy options. Or, so it seems until you get to the extremely brief and information-deficient section on "Co-branding", which reads as follows:

Some Microsoft services may be co-branded and offered in conjunction with another company. If you register for or use such services, both Microsoft and the other company may receive information collected in conjunction with the co-branded services.

Presumably, this is exactly what is happening when Electronic Arts grants itself authority to suck Microsoft dry in siphoning information about you. And here Microsoft makes no mention of opting out, or blocking those co-branding companies that decide to lay claim to your email address, street address, telephone number, gender, birthdate, or credit card info. It's not even made clear that the user has any opportunity to be aware of the data transfers.

I proceeded to contact Microsoft's Privacy Policy support through the provided web form, indicating that I'd be interested in any further information they could provide on how co-branding works, what co-branding companies are authorized to extract, and whether customers could opt out of sharing information with those companies. Having already learned a good lesson from my experiences with Electronic Arts, I also went on to put the question to some of our other MS contacts. Despite the web form's assurance that I would have some kind of response within 24 hours, I have yet to hear back from a representative of either company with even a form response.

Clearly, Microsoft and Electronic Arts are not talking about EA Online or what information gamers are sacrificing to play games online like Madden, NCAA Football, or Tiger Woods.

And, of course they aren't interested responding right now. After all, they both have a significant stake in a widely publicized game to be released in the next week, and the last thing they need is some pesky questions about who is getting whose credit card numbers. Ok everyone, all eyes on Madden! No, don't look over there; ocular orbits up front.

Except that this isn't a new story, and despite numerous websites reporting on the troubling phrasing of EA's Privacy Policy since 2006, Electronic Arts is taking a page out of the book written by many an ex-girlfriend in simply not returning even the most impassioned phone call.

EA knows that they can only turn this otherwise quiet discontent into a significant news story by responding publicly. Silence in the specifics of how your information is handled when playing Electronic Arts games is, by far, their best possible policy, because they count on the ignorance and passivity of their consumers. As long as the most significant players in the retail game, consumers in general, don't demand a response, then there's simply no reason to provide one.

That Electronic Arts is heavy handed in their business practices is not a new piece of information. There's simply no reason to be surprised that the company would be stretching every available avenue in collecting any possibly pertinent or profitable information. You might as well be shocked that Michael Jackson had more plastic surgery, or your favorite baseball player is on the juice. We give such corporations no reason to change their practices, because, when push comes to shove, and that new game is so shiny and enticing on the shelves, we conveniently forget our righteous indignation.

And so, when Madden 2007 crashes into retail outlets next week you will again be faced with a choice. How will you choose?

- Elysium

{Again, EA responded to this article: here}

Comments

Elysium wrote:

1) PSO is a subscription game.

EA makes subscription games too. They are coming to Live. The will sell you Battlefield upgrades on Live. They will one day need your credit card info if you want to buy such things. Nobody said they were getting it before they need it...I believe the exact wording is: "Information collected will vary depending upon the activity"

Elysium wrote:

2) Sega was upfront about the information they were retrieving.

Sounds like EA is being upfront and you are flaming them for it. Hypocrisy anyone?

Elysium wrote:

3) It was made clear that you are signing up for a sevice outside Xbox Live when logging in.

Everytime I play Burnout online it says "CONNECTING TO EA SERVERS" I don't know how you get much more clear than that.

Elysium wrote:

the real problem here is that the gamer is being removed from the equation, and apparently can't even find out what information EA has.

You could always try the time honored approach of asking them before you roast them for it. I know it is not as easy as hopping on the bandwagon.

Elysium wrote:

Oh, and just to be clear, comments like the 'sad silly creatures' nonsense is a good way to be removed from our site.

Do whatever you want. It is your site after all. Cater to the haters if you want to be that way. Sounds more like you are mad because I disagree with your rant.

You could always try the time honored approach of asking them before you roast them for it. I know it is not as easy as hopping on the bandwagon.

You might want to read the article before posting.

Have you only just started reading the articles? The writers on these boards don't just post anything, they do their homework. Elysium specifically states in the article he has tried to talk to some one at EA and Microsoft, not cold calls either mind they have contacts at the companies, and no one responded.

Do whatever you want. It is your site after all. Cater to the haters if you want to be that way. Sounds more like you are mad because I disagree with your rant.

You have been registered here for three years according to the site. You should know the rules of the site by now, but the first post you made in this thread included a derogatory comment about anyone who didn't agree with your opinion. Than you post that, as if you have the moral high ground?

I would blame MS more than EA. AFterall they are the ones you originally give your data to. And even then I honestly don't see a big deal here. I guess I expect this and I don't feel like my privacy is invaded nor do I suddenly feel less secure.

FuriousBroccoli wrote:

Buncha stuff that makes it apparent the original article was unread.

Rule number one: Read the article you're commenting on.

Rule number two: Don't be a unnecessarily agro.

Rule number three: See Rules One and Two.

No comment.

[quote=duckideva]

FuriousBroccoli wrote:

Buncha stuff that makes it apparent the original article was unread.

hahaha my bad I just got teh slashdot version. EA has the worst PR ever. Still don't hate, they have several cool games coming out that I want to play, and this sounds like an MS policy issue anyway.

hahaha my bad I just got teh slashdot version.

Yeah the slashdot post cut away a lot of the meat of the article to get the point across and in doing so certainly changed the mood of the original article by Elysium.

EA has the worst PR ever. Still don't hate, they have several cool games coming out that I want to play, and this sounds like an MS policy issue anyway.

I have played many EA games in the past and enjoyed them, I was also looking forward to playing some of the new stuff they have coming out. If EA and Microsoft change the policy or we find out what we think is happening isn't, than I will gladly look at picking up the new stuff they have coming out. Until than though, I stand by my boycott.

Gaald wrote:
FuriousBroccoli wrote:

EA has the worst PR ever. Still don't hate, they have several cool games coming out that I want to play, and this sounds like an MS policy issue anyway.

I have played many EA games in the past and enjoyed them, I was also looking forward to playing some of the new stuff they have coming out. If EA and Microsoft change the policy or we find out what we think is happening isn't, than I will gladly look at picking up the new stuff they have coming out. Until than though, I stand by my boycott.

Ditto here. There are several licenses/franchises that EA has that are great. I'm still going to continue my standing boycott of roughly 1-2 years (I don't recall exactly when I started, but it was either very early 2005 or late 2004).

I write privacy policies for a living. Seriously. It's one of my many talents.

I don't think the issue is whether EA is capturing and storing credit card information or what type of information has been -- or is being -- transmitted to EA from MS services (XBOX Live or otherwise), I think the issue is what do the privacy policies say. Because if they permit it (READ: if they can reasonably be interpreted to permit it), then it is an issue. Think of the privacy policy as a unilateral discussion of your contract with EA -- it is EA's discussion of its rights and obligations with respect to the data it may collect or receive from your participation/receipt of a service. If they don't require an opt-in, then you are "in" until you are "out". If the language allows it, then they may do it at anytime without further notice to you.

Privacy policy language should clearly describe how the company/site will collect and use your information (personally identifiable information and otherwise) and expressly limit its collection and use of such information to only what is disclosed in the privacy policy. If there is ambiguity -- and if the collection or use (arguably) described by the ambiguous language would be of concern to you if it was actually taking place -- then you are right to be concerned.

For me, it is not the question of whether the collection, storage or use is taking place. Rather, the issue is what the privacy policy permits. Because, if it isn't taking place now, but the policy permits it, then it may well be taking place in the future without further notice to you . . . .

So, Edgar Newt's post is what inspired the "Certis got pwned" thread?

Disclaimer: Last night, Certis pwned me several times. And vice versa.