PlayStation’s New DualSense Controller Has Built-In Privacy Concerns

By Gregory Austin

Gamers across the world are eagerly awaiting the release of the PlayStation 5 this holiday season.

But one of the device’s most popular add-ons, the new DualSense wireless controller, likely will incorporate a higher level of data-collection that could infringe upon user privacy, experts told Digital Privacy News.

The DualSense’s built-in, headset-free microphone and upgraded hand sensors could leave users vulnerable to a hack like PlayStation’s enormous network breach in 2011.

In addition, users’ stored conversations and health-related information can be used against them if breached, sold to or shared with third-party companies.

“The collection of voices, heart-rate and sweat levels is considered biometric information — which puts it in the crosshairs of a number of laws,” California attorney and cybersecurity expert Bob Braun told Digital Privacy News.

PlayStation did not immediately return requests for comment. The company, owned by Sony Interactive Entertainment, continues to update its blog with details about the new console and its accessories.

The PlayStation Network, first launched in November 2006 with PlayStation 3, has been transparent about collecting and sharing user data. 

Such personal information as user addresses and payment details is kept on file within the vast online network, while data obtained during gaming sessions is recorded and stored to “enhance the gaming experience,” according to the company.

PlayStation has roughly 94 million subscribers.

Biometric Data

Companies regularly file patents to reserve concepts and to shield them from competitors.

Regarding the DualSense, the information shared on PlayStation’s blog — and the company’s history of trying to incorporate “biofeedback” in its PS4 controller — indicates PlayStation may soon be collecting user biometrics.

But this data-collection is monitored under state and global privacy laws, Braun told Digital Privacy News.

These include the California Consumer Privacy Act (CCPA) and the European Union’s General Data Protection Regulation (GDPR). In addition, biodata-specific acts like the Illinois Biometric Information Privacy Act (BIPA) have been “sleeping giants,” anticipating such innovations.

“I expect (these parameters) to evolve rather quickly,” Braun said. “There’s already a provision in the CCPA that gives a consumer a private right of action to seek statutory damages against a company in connection with a data breach where the company did not exercise reasonable security.”

The DualSense likely will have built-in sweat and heart-rate sensors. Monitoring health-related statistics may line up with PlayStation’s longstanding promise to use collected data to enhance the user experience but could infringe on privacy if used for other purposes.

“If PlayStation chooses to collect biometrics, they’ll be required to give notice, at the time of collection, that they’re recording and storing sensitive data, and will have to identify what they’re using it for,” Braun explained, referencing CCPA.

PlayStation’s privacy policy, in compliance with legal statutes, discloses these rights to users and gives them the option to delete their data.

Deletion requests, however, must be executed by the company — and all third parties, given proper notice — unless PlayStation needs the materials to meet its service objectives.

Enhanced Microphone

The DualSense also will have a microphone in the handset. Unlike the compatible headsets with the PS4, the patent’s description suggests a higher level of voice recognition, with advanced filtering technology to prevent unrelated conversations and background noise from being broadcast.

But Hayley Tsukayama of the Electronic Frontier Foundation in San Francisco raised concerns about the microphone possibly remaining on even when not in use.

“PlayStation has not divulged how long or under what method they plan to store data …, which should only be kept as long as it’s needed,” she told Digital Privacy News.

Braun said that session-by-session data collected and stored for extended periods was “particularly enticing to social-engineering hackers” who use long-term data to crack passwords.

Using session-by-session information to enhance gameplay may be the intended use, he explained, but data is far more valuable to companies when used for broader purposes.

Tsukayama added that conversations, whether germane or unrelated to gaming, must be treated with transparency.

She said she understood the benefits of companies sharing data with third parties, but doing so “in the dark” could constitute a massive breach of privacy.

“Consent and transparency will always be a matter of personal responsibility,” she told Digital Privacy News. “People don’t have to be paranoid, but it’s not unreasonable to imagine asking friends or guests if they’re cool with you using (the DualSense controller).”

Gregory Austin is a writer based in Buffalo, N.Y.