"I AGREE": Informed Consent and the Ethics of Third Party Access to Game Player Data

"I AGREE": Informed Consent and the Ethics of Third Party Access to Game Player Data

Suzanne de Castell is the Professor of Curriculum and Instruction in the Faculty of Education at Simon Fraser University and a Visiting Professor in the Faculty of Education, York University.


How many users out there would click “I Agree” to play an online game if the meaning of that agreement was set out for them in plain language? With SFU Ph.D. student Florence Chee, I carried out a pilot study last year on internet research, informed consent, and the ethics of third party access to the server-side player data held by game companies.

The purpose of our pilot study was to question what ‘informed consent’ means when assent is a condition of access to an online game site. We wanted to know: do users in our automatic “I agree” era actually know what they are agreeing to, and would they agree---and would they care--- if they did know? Specifically, do users agree to a game company’s giving access to users accounts, files, and other personal information, whether to researchers or to law enforcement agencies? For purposes other than clicking through into the virtual world, is user consent obtained at all?

As games researchers, we are mostly concerned with the ethics of using data gathered under the terms of the End User Licensing Agreements (EULAs) of game software. Can the requirement of a “click-through” acceptance constitute substantive consent, as opposed to being a merely technical condition of access to a product one has purchased?

So we set out to discover whether users would in fact agree to disclose what they had previously accepted under the terms of the EULA, were the questions asked explicitly. We reasoned that if users responded negatively to a game’s EULA questions, once these were posed in terms widely understood, we could question the epistemic and ethical conditions under which these legal contracts were made. 

We obtained and analyzed the End User License Agreements (EULAs), Terms of Service, Terms of Use, and Privacy Agreements of a set of popular multiplayer online games (including World of Warcraft, Second Life, Aion, and Maple Story).  The interpretations, precedents, and foreseeable problematics in garnering consent were then used to inform a questionnaire which we gave to users of Second Life and World of Warcraft.  Respondents were university students, both undergraduate and graduate, with varying levels of online gaming experience.

Before reporting on the results of that study, here is the larger backdrop. In 2003, a report, Americans and Online Privacy by Joseph Turow, was released by the Annenberg Public Policy Center, an extensive study of online privacy and the massive failure on the part of Americans (certainly the same would be true of Canadians, we can be pretty sure) to know about or therefore to understand the ways in which their online behaviours and activities were spilling over into their ‘real’ lives. Quoted there was the dismissive remark by Sun Microsystems chief executive, admonishing those concerned about such matters, that privacy in the contemporary world is dead in any case, so we had better all just get over it. And without being overly dramatic, last fall’s tragic suicide of Tyler Clementi who “got over it” both literally and figuratively by jumping to his death off the George Washington bridge after his (homo)sexual engagement with a fellow student was covertly videoed and broadcast over the internet should serve as just one example of why defending privacy rights just might matter quite a lot.

Back to Joseph Turow’s report. The purpose of that Annenberg study was to address two critical public policy questions: what level of understanding do Americans have regarding the way organizations handle information about them on the internet? And how much do they trust social institutions to help them control their information online? (Turow, p. 4)

In brief, here is what that study found: “57% of U.S. adults who use the internet at home believe incorrectly that when a website has a privacy policy, it will not share their personal information with other websites or companies. 47% of U.S. adults who use the internet at home say website privacy policies are easy to understand. However, 66% of those who are confident about their understanding of privacy policies also believe (incorrectly) that sites with a privacy policy won’t share data. And although 59% of adults who use the internet at home know that websites collect information about them even if they don’t register, what they do not understand is that, and how, data flows behind their screens invisibly connect seemingly unrelated bits about them, making it possible for corporations, government and savvy individuals to identify them, to selectively communicate with and push both products and information to them, and to track their behaviours, both online and off.”(Americans and Online Privacy, Joseph Turow, 2003)

How this happens is described by Turow and is probably familiar enough to most folks now that I won’t detail it here. He goes on to note that: “Those concerned about the secondary use and sharing of data about individuals point to the European Union’s rather stringent prohibitions against using data in ways for which they were not originally gathered. In the U.S., no such broad rules apply” (Turow, p. 7)

So the usual kinds of protections of individual rights are not happening in these places, and this has far-reaching, in some cases CRITICAL consequences. Disturbingly for those of us who are educators, moreover, few of us even begin to comprehend our role, more precisely the roles we do not and cannot play, in addressing this critical gap in public knowledge and understanding. Turow found that people do NOT educate themselves even when information is made available to them, and far more importantly, no amount of education will be effective here--- these massively funded technologies are building faster than anyone’s ability to catch up. What people want, in fact, is some enforceable intervention, some actual structural change in the ways online affairs are regulated, including far greater transparency and intelligibility for users of online media. What citizens get from their government instead, is collusion and complicity.

With that in mind, lets get back to our little study on the ethics of consent as its currently secured in online environments in the form of the “I agree” button…

Recall our study purposes were to discover:

What does informed consent mean?

Do users realize what they are agreeing to?

Would they agree if they actually did know?

Are users agreeing to allow companies to give their information to anyone the companies see fit?

Is ‘informed consent’ truly obtained in the process of clicking through?

For us, as games researchers who have to contend with pretty rigorous Institutional Research Board (ethics board) requirements in order to do our game-based research, we were rather taken aback at the enormous advantages enjoyed by those (few) researchers who are granted access by games companies to their extensive data on players’ personal as well as game-related information, all granted on the strength of users’ clicking the ubiquitous “I agree” button required in order to actually PLAY the game they have just paid for. So we especially wanted to highlight ethical issues beyond technical liability in the treatment of user data, and, indeed, to test the waters of the traditional distinction between ethics and legality which now appeared to us to be crumbling---with legality, the larger concept of ‘the law’, further eroded to contractual agreements, and morality reduced to the elimination of grounds to pursue action for contract violation, along with any and all accompanying concerns about monetary liability.

Lets just quickly review what ‘informed consent’ is SUPPOSED to mean.  According to the US Code of Federal Regulations, "Legally effective informed consent shall:

Be obtained from the subject or the subject's legally authorized representative.

Be obtained under circumstances that provide the subject with an opportunity to consider whether or not to participate and that minimize coercive influences.

Not include any language through which the subject is made to waive or appear to waive any of his/her legal rights or any language that releases the investigator, sponsor, or institution from liability for negligence."

To see how well or badly this seemed to fit the “I agree” case, we examined how EULAS are constructed, construed, and communicated; we examined EULAs/Terms of Service from World of Warcraft and Second Life and derived survey questions from these; and we obtained user understandings from a sample of participants.

As one example, we asked players of World of Warcraft, who has already agreed to these terms, whether they would willingly consent to "...giving Blizzard the authority to surrender your personal information to law enforcement agencies, including your IP address, account information and history, billing address, online screen name, and preferred server?"

Reported in the news was an example of a player who did agree to such disclosure of his personal information, Alfred Hightower, a man wanted on charges of dealing in a schedule III controlled substance, dealing in a schedule IV controlled substance, and two charges of dealing in marijuana. A warrant was issued for his arrest in 2007. The sheriff’s department enlisted the aid of the U.S. Marshals this summer to track down a number of fugitives as part of Operation: Falcon, and Hightower was among those targeted. Unfortunately, authorities were unable to locate him. Howard County Sheriff’s Department deputy, Matt Roberson, soon found out why. The suspect had skipped the country.

“I received information from a childhood friend, who tells me the guy is in Canada,” said Roberson. “I held onto the information in the back of my head. I spoke to the marshals and asked if we could confirm the guy’s location, would they help us get him? They indicated that they would.” With the help of sheriff’s major Steve Rogers, Roberson began gathering information on Hightower through a number of sources. That is how they discovered that their suspect was a World of Warcraft fan. “We received information that this guy was a regular player of an online game, which was referred to as ‘some warlock and witches’ game,” said Roberson. “None of that information was sound enough to pursue on its own, but putting everything we had together gave me enough evidence to send a subpoena to Blizzard Entertainment. I knew exactly what he was playing — World of Warcraft. I used to play it. It’s one of the largest online games in the world.”

Blizzard did more than cooperate. It gave Roberson everything he needed to track down Hightower, including his IP address, his account information and history, his billing address, and even his online screen name ("Rastlynn", the character in armour is shown) and preferred server. From there it was a simple matter to zero in on the suspect’s location. “I did a search off the IP address to locate him,” said Roberson. “I got a longitude and latitude. Then I went to Google Earth. It works wonders. It uses longitude and latitude. Boom! I had an address. I was not able to go streetside at the location, but I had him.”

‘Nuff said, in some ways. In other ways, of course, there is much, much more that can be said and NEEDS to be said about the withering away of any meaningful sense of consent, or any meaningful practices and procedures for securing ethical approval of research or for protecting the rights of our subjects in these new ‘post-literate’ practices of a click-happy “I agree” culture that kids learn as soon as they can tap a few keys—and also learn, with that, not to think very much at all about what they are doing. But it should be enough for present purposes to just give you the conclusion that I’m sure can already be anticipated: in our pilot study, the majority of users do not read ANY of the documents before clicking “I Agree”. When asked questions explicitly and in plain language, most users were not in agreement. This surely points to a significant communications disconnect between online legal documents and practices and user “consent” (and this debate is obviously transferrable to other discussions where informed consent is assumed).

 In the words of two of our study participants:

"While I don’t read the EULA or ToS, I expect that they have the right to run the game, change it and do what they need to keep it growing.  I don’t like them using my personal information or turning it over to another party even government agencies without due legal process."

"In general, I think forcing users to scroll through a long EULA prior to playing a game is a bad way of communicating important legal information. It's a nuisance and nobody reads them. I am, in fact, willing to sacrifice many of the rights mentioned in the above survey in order to play a game such as WoW, but I have never read more than the first few words of the WoW EULA and if the above questions are representative of what I have been consenting to, then I certainly was not aware that I was doing so."

Well, as Bob Dylan noted rather a long while back, times have changed. Cultural practices of binding consent have shifted from hands-on reading and signing of material texts issued only infrequently and under rather ‘ritualized’ and thereby signified as NOT ‘everyday’ contexts, overseen by legally trained persons who insist folks read and comprehend what they are assenting to. In our post-literate, DIY, don’t-think-too-much (and read even less) world, it amounts to unethical practice on our own parts that we have not, within academia and within the legal system, devoted much energy to interrogating and re-tooling policies, practices and procedures of informed consent. There is light at the end of this tunnel, however, and it is in the careful, insightful and groundbreaking work of theorists like Helen Nissenbaum (2004) who argues for privacy as ‘contextual integrity’, and contends that within the context of an interaction there are expectations about how information is collected, about the appropriateness of that information for collection and about whether it should be shared. Time to take this issue seriously. Agree?