Both Microsoft and Sony maintain their next-gen offerings will only record and transmit user data when console owners allow it to; but does this account for the technology already at the disposal of hackers and wiretapping government officials that pose a potential threat to the privacy of console owners?
Speaking to Polygon, a security expert said the ability to access images and data through camera-based peripherals is already in use "at every level of government" and often misused. And for those hoping to purchase a new console outside of Europe, they tell us, current American surveillance laws do not act in the favor of those potential customers concerned with privacy. It's a concern that peripheral manufacturer PDP is tapping into with its recently announced camera covers.
Among gamers, Microsoft's decision to turn Kinect into an integral feature of Xbox One continues to raise concerns when details of the new console first came to light earlier this year.
With each system capable of using an advanced camera capable of listening for voice commands, potential buyers wondered whether this technology can pose potential security and privacy risks. In the run up to the Xbox One launch, Microsoft has already stated it will not use Kinect to spy on its user base, nor will it cooperate with the government by giving out access to the technology.
PRISM: A global electronic surveillance program operated by the United States National Security Agency since 2007.
Kinect can capture images and video similar to a webcam built into your PC; however, it will not do so unless the user is actively using a feature that makes use of the sensor like a Skype video call or Upload Studio, a Microsoft representative told Polygon.
"There will be clear indicators — both on the screen and on the sensor — when it's recording or transmitting," said the representative. "In addition, any recorded images do not leave your console unless you specifically choose to allow it to do so. Your privacy and your ability to control what you and your family share with others when using the Xbox Live service are of paramount importance to us."
It's worth noting, however, that prior to its buy out from Microsoft, communication service Skype was already linked to the controversial PRISM surveillance operation, according to leaked documents made available by ex-NSA contractor Edward Snowden.
In early 2011, the service was reportedly served a directive to comply with NSA surveillance signed by the U.S. attorney general. Days later, the NSA reported it successfully listened in on a Skype call. According to one report, if an NSA analyst believed there was a likelihood a conversation through Skype involved a foreign national, it could record both audio and video communications.
'Microsoft was later accused of changing the underlying architecture of Skype and potentially paving the way for government snooping.'
Prior to this, Skype assured its users that it was simply technologically impossible to wiretap the service. Following its takeover by Microsoft, the company was accused of making changes to the underlying system architecture that would make it feasible. Microsoft itself was later accused of changing the underlying architecture and potentially paving the way for government snooping.
Microsoft denied these accusations; however, it recently suggested Skype would be updated in compliance with the law.
"When we upgrade or update products legal obligations may in some circumstances require that we maintain the ability to provide information in response to a law enforcement or national security request," reads a portion of Microsoft's response.
Microsoft has similarly claimed Kinect is not capable of recording or transmitting audio or video to Microsoft's servers without the consent of the user.
"Xbox One does not understand or try to capture conversations in your room," Microsoft told us. "When Xbox One 'listens,' it is waiting to hear very specific voice commands; all other conversation is irrelevant.
"For example, the words 'Xbox Off' cause the console to power down, while 'Xbox On' causes it to power up. In order for Kinect to respond you must first say 'Xbox' followed by your request, for example, if you just say 'pause,' Xbox One will not pause until you say 'Xbox Pause.' Xbox does not listen to, track or store conversations of people talking in the room. We'll share more about specific voice commands and tips to control your Xbox One using voice closer to launch."
The company states that Kinect can be turned off entirely, adding that any data collected is anonymous and that while it does process a number of its voice commands through Microsoft's servers these are converted to text prior to leaving the console.
'Legal obligations may in some circumstances require that we maintain the ability to provide information in response to a law enforcement or national security request, says Microsoft.'
In a privacy statement updated in advance of the Xbox One launch, the company offered clarification of how its new Kinect will use the data collected. According to Microsoft, data collected with Kinect's skeleton mapping is temporarily stored as a set of numeric values that are destroyed once a gameplay session ends, while both data and gestural features cannot be used to identify players. Similarly, users can delete their cache of data stored by Kinect, while adding that the company does not listen in on Skype calls via the console.
Xbox One owners can, however, choose to share data with Microsoft.
"With user consent, samples of voice commands occurring while using Kinect will be collected and periodically sent to Microsoft for product improvement," reads a statement from the company. "We also collect voice samples to provide the voice search service and, with user consent, for product improvement."
Microsoft added in a statement to Polygon that the company "created Kinect and Xbox One from the ground up with built in privacy controls and safeguards. You are in charge of your entertainment experiences, and you decide how your personal information or data is or is not shared."
It's a policy shared in principle by Sony.
"We cannot monitor the whole of Sony Entertainment Network and make no commitment to do so," reads Sony's security statement in light of the upcoming PlayStation 4.
"However, we reserve the right in our sole discretion to monitor and record your online activity and communication throughout Sony Entertainment Network and to remove and/or delete any content from Sony Entertainment Network at our sole discretion, without further notice to you, and you expressly agree that we may do so.
Despite clarification of policy, Joshua Fairfield, professor of law at Washington and Lee School of Law, tells Polygon the technology needed to remotely turn on a camera and report back to the manufacturer or an independent third party still exists and could be used against consumers.
"This is fairly routine security software by institutions that want to limit thefts," He said. "And this always-on video monitoring is growing as technologies like the Xbox One shift to gesture control. You can control the computer just by gesturing at it, which means its camera must be on."
Americans must opt out of surveillance, according to U.S. law.
According to Fairfield, privacy laws differ between Europe and the U.S., and as such users on either continent will face different consent laws. Therefore the legality of living room surveillance depends on "your view of the role of consent."
"Broadly, Americans can consent to anything, including surveillance of their living room by their Xbox One," he says, adding that while Microsoft now allows you to turn off your Kinect camera, "there was no question that people could consent to the always-on monitoring; most Xbox One owners will. Europeans think that the right to privacy is more robust, and require consumers to affirmatively opt in to monitoring programs, rather than opting out, which is the U.S. rule."
This capacity, once built in, is easily accessible by people for nefarious purposes, he adds.
"[It] has already been used by governments, at every level of government," says Fairfield. "There was a case in the United States of a school that misused this technology to take pictures of students who had been given laptops by that school to do homework at home."
While Microsoft states the technology is not in place for this to happen on Kinect, an officially licensed a Kinect sensor hood is already underway from manufacturer PDP. The peripheral, an update to an earlier camera cover created for the Xbox 360 Kinect, is "a mounting device. Not a security device," PDP's European managing director Chris Spearing told Polygon. "Some users have mentioned they do not like the idea of an uncovered camera lens or the idea of switching the camera on by mistake." Despite security being described as tangential to the peripheral, the company's marketing images state it is designed in part to "address privacy concerns."
'It has already been used by governments, at every level of government.'
"This question will only get bigger," Fairfield says. "Google's new Android version, and Apple's current iPhone operating system both include voice activation — this means that the microphone is always on. The Xbox One was the first example of an always-on video monitoring system. As voice control and gesture control replace mice and keyboards as our input and pointing technologies, the capacity for computers to engage in always-on monitoring will expand, as will the inevitable use of that technology by manufacturers, bad actors, and governments.
According to Fairfield, the technology is difficult to control "given that this kind of always-on video and voice monitoring will be the basis for how we control computers in the future." However, Fairfield looks to current European privacy laws for guidance.
"The best way is for Europe to clearly apply its opt-in requirements, as well as its requirement that data can only be used for the purpose for which it was originally gathered, to American companies in the negotiations surrounding the draft Data Privacy Regulation. That means that data used for gesture control can only be used for controlling the computer and nothing else. And it means that if U.S. companies want to access the European data market, they must build meaningful opt-in systems that inform consumers of exactly what is going on, instead of hidden opt-out systems, that seek to hide the privacy controls from consumers.
"Or you could do what I do. Put a sticky note over your webcam."
This is part of Polygon's Gen Next series, stories that will examine the transition from current-generation to next-generation consoles, what it means if you don't make the transition and if and when you should. Follow along here.