Edward Snowden told the Washington Post last week that he leaked the National Security Agency’s top secret surveillance programs in part because he feared the Internet becoming “a TV that watches you.”
What to make, then, of an Internet-connected household computer that requires users to install a futuristic microphone and camera able to track their movement—and even heart rate and mood—in pitch black?
The device in question is Microsoft’s Xbox One, the much anticipated gaming console hitting the market this holiday season. And while its features promise an unprecedented level of interactivity for gaming, they’re fueling concerns among gamers that they could be used to spy on the family living room.
The stakes are high for Microsoft to reassure its fan base that this scenario is a fantasy. Xbox One is the successor to the popular Xbox 360, which sold an estimated 77 million units worldwide since debuting in 2005, and Microsoft is counting on the new console to anchor its share of the $66 billion video game industry for at least the next several years. They’ll be up against some heavy competition too: arch-rival Sony is set to release its new PS4 this year, sans camera.
The Kinect is Xbox One’s most unique selling point—a combined motion sensor and microphone that allows for games like the Dance Central series, which grades users on how well they perform pop choreography routines. Microsoft made a splash last month with tech demos showcasing its ability to recognize individual users by their face, create a skeletal model of their movement down to the joints on their fingers, and even detect from their expression whether they’re excited while playing a game or distracted.
The Kinect’s introduction generated positive buzz, but also murmurs of unease about its implications for privacy. While Xbox 360 supports a less advanced version of Kinect as an add-on, the new Xbox One will require users to attach it in order to run the console. In addition, Xbox One must be connected to the Internet regularly—once every 24 hours—in order to function. Observers worry these two features could be combined into a pipeline for surveillance.
“[I] know we’re getting into the realm of paranoia here, but the Kinect sensor’s capabilities always spooked me a bit and learning about the NSA’s spying practices has just pushed me over the edge on this issue,” Brad Reed, news editor at tech site BGR.com, wrote in a post last week explaining why he won’t buy an Xbox One.
Those complaints were gentle compared to those of Chris Miles, an editor at millennial discussion site Policy Mic, who described it as “an ‘always-on’ Xbox tracking you with the Kinect ‘eye,’ beaming info back to some Microsoft cloud [center] which, as we now know, is tapped by the government” and dubbed the machine “the future of PRISM.”
Commenters at Reddit, a site popular with hardcore gamers and techie libertarians alike (Snowden name-checked it in a Guardian interview), are raising similar fears this week in dozens of discussion threads and image macros.
The company is taking the criticism seriously. Last Tuesday they released a lengthy new set of privacy guidelines for Kinect ahead of E3, the industry’s annual showcase for upcoming gaming software, a move widely seen as an effort to get out in front of the controversy. According to the document, users will be able to deactivate the Kinect’s sensor with a simple voice command and still play games. And any information the Xbox One collects using the device—they used the example of heart rate data for a fitness game that tracks progress over time—will only be transferred from the device with the user’s permission.
As for whether a device could be turned back on from afar via an Internet connection—either by Microsoft or anyone else—a spokesman told msnbc over e-mail that “Xbox One has a very robust security system to protect against such compromise provided the user doesn’t tamper with the console hardware or software.” He added that Microsoft only divulges customer information in response to a legally binding court order, does so only for specific individual accounts and that “[If] the government has a broader voluntary national security program to gather customer data we don’t participate in it.”
There are additional factors Xbox skeptics find troubling. One is that while Microsoft may have the best of intentions in securing their network, keeping data safe has been a problem in the industry even for its largest companies. In April 2011, hackers breached Sony’s PSN gaming network, exposing some 77 million users’ personal data—including credit card numbers. The company shut down its entire network for 24 days while it dealt with the aftermath of the attack. As details emerged, they endured criticism from lawmakers around the globe, including Senator Richard Blumenthal of Connecticut, who accused the tech giant of taking too long to inform its users of the breach. Sony’s European division paid significant fines after regulators in the UK determined it had not taken proper precautions to stop an attack.
Some are also voicing fears that Xbox One could create another trove for hackers to exploit by collecting data for marketing purposes. In 2010, a Microsoft executive told investors that the Kinect could help tailor advertising to individual users by determining how many people were watching television and their relative level of engagement. After an outcry, the company quickly denied that it uses Kinect data for advertising. But the issue popped up again last month when a 2011 Microsoft patent surfaced describing a system that—without naming the Kinect—would track users’ TV habits and reward them with incentives if they watched certain shows or advertisements. Germany’s Federal Data Protection Commissioner Peter Schaar told Der Spiegel in May that he wanted to know if the new Xbox could be used as a commercial “monitoring device,” although he added that talk of Orwell-style surveillance was far-fetched.
msnbc asked Microsoft whether Xbox One’s Kinect might collect data either for market research purposes or to detect a user’s preferences and tailor their experience to them—and, if so, whether they could disable the feature.
“You are in control of your personal data,” a spokesman replied in an e-mail. “You can play games or enjoy applications that use data, such as videos, photos, facial expressions, heart rate and more, but this data will not leave your Xbox One without your explicit permission.”
So, based on Microsoft’s latest assurances, are gamers right to be worried that their Xbox One might pull a HAL 9000? Security experts who talked to msnbc acknowledged that they weren’t totally off base, since any device that transmits data over the Internet is at least theoretically vulnerable to tampering.
“If it’s talking to an application, whether it’s a gaming application or whether it’s an application that is enabling a computer to do a transaction, it is exposing that device to possible risk,” Bala Venkat, Chief Marketing Officer at Cenzic, said.
But if having your personal life monitored by the government (or anyone else) is your concern, the bigger question might be whether it’s fair to single out Xbox One as the face of digital intrusion just because it has a fancy camera.
Paul Judge, Chief Research Officer at security firm Barracuda Networks, told msnbc that the privacy complaints surrounding Microsoft’s new console are “misplaced and blown out of proportion.” Not because Kinect couldn’t be exploited by the NSA or a hacker—it’s a plausible scenario, he said—but because the same consumers criticizing Microsoft surround themselves with potential monitoring devices every day without a second thought.
“The same holds true for every other cool device that you’ve purchased recently that has a mic and a camera including your cell phone, your tablet, laptop and desktop computer,” Judge said. “They all have mics and cameras that could be turned on if the computer is compromised remotely.”