Assassin's Creed maker faces GDPR complaint for forcing single-player gamers online
- Reference: 1745510347
- News link: https://www.theregister.co.uk/2025/04/24/ubisoft_noyb_complaint/
- Source link:
Noyb has [1]asked Austrian data protection authorities to investigate the French game studio, which publishes titles in popular series including Far Cry, Assassin's Creed, Watch Dogs, and others, for violations of [2]article 6(1) of the EU's General Data Protection Regulation (GDPR) for forcing players online when a game doesn't have any online functionality.
"Imagine if the Monopoly man sat at your table and took notes every time you want to play a board game with your family or friends," said noyb (none of your business) data protection lawyer Joakim Söderberg. "Well, that's the reality of video games … as long as you have an open internet connection when you play, your data is collected and analyzed."
[3]
Most folks who have played modern video games know the problem: Boot up a title without multiplayer elements – or only seeking to play the single-player portion of a game – and you're faced with having to sign in to some service or another.
[4]
[5]
Ubisoft might be the poster child in this instance. However, lots of game studios are guilty of similar customer-frustrating behavior. Microsoft requires Halo Infinite to be online even if the player is just going it alone, as does Activision-Blizzard, which did the same with Diablo III, published years before its purchase by Microsoft. Electronic Arts, Sony, and other publishers have also followed suit with past and present titles.
In this case, the complaint stems from an individual being represented by noyb who became frustrated after being forced to go online to play a copy of Far Cry Primal they purchased on Steam – a game with no multiplayer or online functionality.
[6]
The unnamed complainant is reportedly a tech-savvy individual, and when examining the data being sent to Ubisoft with the game online they noticed 150 unique DNS packages being sent over the course of just ten minutes. Additional analysis of the captured network traffic revealed that Ubisoft was sending some of the data to servers controlled by Google, Amazon, and US-based cloud analytics firm Datadog. It's not clear what was being transmitted, per noyb, as the data was all encrypted.
When asked, Ubisoft informed the complainant that there was an offline mode available, but the [7]help page Ubisoft linked them to offers scant information that noyb told us was largely unhelpful to their client.
"For Far Cry Primal, the complainant wasn't able to make it work at all," a noyb spokesperson told The Register. "He's a tech professional, so if he can't do it, it's definitely too complicated or it just doesn't work at all."
[8]
Noyb is asking Austrian officials to find Ubisoft guilty of infringing on GDPR article 6(1), which noyb says the company is violating both by collecting data when it doesn't need to, and by not giving users an explicit option to opt out of. It's also asking that Ubisoft be forced to stop such processing, and that it be fined for its bad behavior.
"Based on Ubisoft's turnover of more than €2 billion, the data protection authority could issue a fine of up to €92 million [$104 million]," noyb said.
[9]Microsoft ad subsidiary Xandr accused of violating GDPR
[10]Google's Privacy Sandbox more like a privacy mirage, campaigners claim
[11]Microsoft wants Activision so badly, it's handing streaming rights over to ... Ubisoft?
[12]OpenAI slapped with GDPR complaint: How do you correct your work?
But what of other video game studios who do the same – can they expect a noyb complaint to follow? Probably, we're told.
"For GDPR complaints, we can only go after one company at a time, because we are always representing a data subject whose right to data protection has been violated," noyb said in an email.
Ubisoft was singled out for a couple reasons, noyb explains, namely that it's among the worst offenders for this type of behavior, and because it's a European company, so going after it is simpler than pursuing a US-based company.
"This probably won't be our last complaint against gaming companies," noyb told us. "Ubisoft isn't the only gaming company with questionable practices."
Sorry, US gamers – you'll probably be stuck going online to play your single-player titles for the foreseeable future, unless a favorable EU decision ends up being imported. Given the history of [13]EU-directed software changes , that's unlikely. ®
Get our [14]Tech Resources
[1] https://noyb.eu/en/play-alone-ubisoft-still-watching-you
[2] https://gdpr-info.eu/art-6-gdpr/
[3] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2aAq0jwsD13qlhmT_Qvn0NAAAAAc&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0
[4] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44aAq0jwsD13qlhmT_Qvn0NAAAAAc&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[5] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33aAq0jwsD13qlhmT_Qvn0NAAAAAc&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[6] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44aAq0jwsD13qlhmT_Qvn0NAAAAAc&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[7] https://www.ubisoft.com/en-us/help/connectivity-and-performance/article/offline-mode-in-ubisoft-connect-pc/000063188
[8] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33aAq0jwsD13qlhmT_Qvn0NAAAAAc&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[9] https://www.theregister.com/2024/07/09/xandr_gdpr_complaint/
[10] https://www.theregister.com/2024/06/13/noyb_gdpr_privacy_sandbox/
[11] https://www.theregister.com/2023/08/22/microsoft_activision_ubisoft_cma/
[12] https://www.theregister.com/2024/04/29/openai_hit_by_gdpr_complaint/
[13] https://www.theregister.com/2024/03/12/apple_update_eu_devs_can_distribute_from_websites/
[14] https://whitepapers.theregister.com/
Re: Alternative
Given the current state of AAA gaming I have to agree, most of the newer titles offer little but additional eye candy (IF you have the required high-end hardware) and massively reduced optimization.
Re: Alternative
GOG.com has been my one source of games for a few years now.
No DRM, very reasonable pricing, offline installers... it's converted this former shameless pirate into a paying customer.
Take note, other publishers.
Re: Alternative
Heh. Wonder if my downvoter will have the balls to explain his/her reasoning.
Re: Alternative
Ubisoft are evil, they will never get my money again. When I paid for AC: unity, logging into the steam acct I purchased with was good enough. My dual core CPU however, was not enough. So a year later when I dropped in a 4-core chip, now they required my to make a "uplay" account AND install the uplay client spyware in order to start the game... as long as I was online and their servers graced me with permission. So I looked for a crack... nope, nothing (at least at the time). Even the scene release of the original version refused to run without updating....
Re: Alternative
"Why not use what some browser plugins (adnauseum et al) do, add massive noise to the data so it becomes anonymous and useless?"
Or, and I know this is off-the-wall thinking, they can turn off their illegal and unnecessary data scooping to avoid a massive EU fine. Crazy, I know.
Thanks to the EU. They have emerged as the only adult in the room taking personal privacy seriously. Tech Guy is right, you don't need this crap to play a single player game, just as Google does not need location services turned on for a Android app. This is a clear violation.
The EU should fine company board members directly, not the corporations, with no reimbursement from the companies to cover it. That will stop this horse plop very quickly.
Data subject access request
Hit them with one of these, it does not cost the game player anything and they must reply within 30 days.
If everyone was to do this it would cost Ubisoft ...
It would be nice if Mr Söderberg wasn't lying to sensationalise his point.
Any game I play that has online data collection also has a switch to turn it off, and I use it. So no, when I play my data is not collected and analysed.
(assuming the game company abides by the switch, obviously, but that is not what he said)
Did you even read the article properly? Or are you just a shill for Ubisoft?
They emphatically do not let you opt out! Maybe try playing some games released after 2010 and see for yourself.
Sorry, I don't care
I've just completed Assassin's creed: Shadows (an excellent game) on the PS5 and frankly I don't give a damn what data they upload about my game play, hopefully they might use some of it to improve the game's performance or features. I have no personal information on the PS5, only stored saved games. I note that occasionally some saves are actually done online rather than to the console storage, but so what? This sounds very much like a storm in a teacup.
However, if telemetry from my (Linux) PC was being syphoned off and passed on to third parties, that would be an entirely different matter as it holds a significant amount of personal data.
Re: Sorry, I don't care
"I have no personal information on the PS5"
No. But it can provide information that can be used to usefully extend the profile of data that the data thieves already have from other sources. The whole MO of private sector mass surveillance is to link multiple different sources, different technologies and then extrapolate, infers, and guess. And then they'll use that imperfect data and stick it all on you.
Re: Sorry, I don't care
I accept what you are saying, but even so, pretty much all they can infer is that some unknown person sometimes likes to play games on the PS5. They may also infer that I breathe air, eat, drink and piss too, but fat lot of benefit it will be to them. I'm strongly in favour of GDPR and do the best I can to keep my personal data offline, no facebook etc. Anything that does leak is likely from indiscreet posts by friends or family and of course the government itself, Companies House has published documents online that give my former company name, my full name, former address, date of birth and scanned copies of my (old) signature and similar details for my wife - all available to anyone in the world, free of charge! Pity I can't raise a GDPR complaint against the government.
Re: Sorry, I don't care
"I accept what you are saying, but even so, pretty much all they can infer is that some unknown person sometimes likes to play games on the PS5."
Is that so? If you often play lenghy hours or well past midnight, health insurance may consider your lifestyle as unhealthy and increase pemiums. Car insurers might too, as your supposed lack of sleep might increase your chance for being involved in a car accident. If you think it is fair that they'll increase your premiums because of your supposed unhealthy choices, wait until you don't get the benefit if they see you play games only in moderation and well before bedtime. Insurers like to conveniantly only ask you more for supposed unsafe behavior, but be very quiet about reductions when they see you have a below average risk profile.
Re: Sorry, I don't care
Maybe, theoretically you are of course correct. These buggers like to join up dots from all over. I suppose it is just as well I rarely ever play past midnight and have no health insurance. My car insurance is now the lowest it has ever been... maybe they know how adept I am at avoiding obstacles in my path (like sword wielding bandits).
Re: Sorry, I don't care
Your PS5 presumably has an Internet connection, so they have your public IP and know where you are. Your home network, Smart TV, WiFi router, cell phone, and all your other networked gear including your hyper-protected Linux PC with all your personal info uses that same IP. All of that info is then pushed, filed, stamped, indexed, briefed, debriefed or numbered. Index that with the info the government has about you (if you vote, salary, travel destinations, GPS phone location, credit card and banking details, blah, blah, blah...)
In the end, they have a good idea of who you are, where you are, when you are home, when you are on the Internet, where you go when online, who you talk to and about what, your political affiliations, if any. When you leave for work (and with proper telemetry at work they know when you arrive), what you do at work, etc. etc. etc. because it all goes into the same bucket with your name on it.
You were downvoted because with your limited knowledge you assumed you can have one private device in a world with massive surveillance and access to all of the other devices in your life. That is demonstrably false and blatantly dangerous when the wrong government comes into power.
Good Luck Andy.
Re: Sorry, I don't care
You say you have no personal data on the PS5? So Sony aren't requiring you to extensively register a "PlayStation Account" in order to use it, like they did on the PS4?
Re: Sorry, I don't care
"My" PlayStation account is under a fake name, fake DOB and throw away email address. Does that count?
Add blizzard to the list too. IIRC if you had Bbattlenet installed, and the original 2002 Warcraft 3 installed. A good stand alone game, they amended it so you could only start it now if you have internet connectivity.
Just say no
If a game that is single player requires me to be online to play it, I simply don't buy it.
At least I'm not rewarding the studios for this type of behaviour.
I fully agree with the sentiment and I hope they actually get something done, but I'm very afraid it's going to end up going nowhere.
Welp, long time coming, but lets see how far this actually gets. In the meantime Ubisioft et-al can burn for all I care.
Alternative
As correctly noted, this is all about telemetry, harvesting user data and not giving them the option to opt out, and while I hope this will end (enforced/sued), in the meantime you do need a workaround.
Why not use what some browser plugins (adnauseum et al) do, add massive noise to the data so it becomes anonymous and useless?
For extra points, make the noise adversarial or magnify it (within ddos limits).
As for me, I'm ok in the retro gaming community where they even respawn old servers to keep games alive, the AAA games do not (for me, ymmv) add much in terms of novelty beyond resolution.