A range of studies have shown that popular games are sending data to multiple third-party entities, and even the developers concerned may not know what data is being sent to whom.
A lengthy Vox piece summarised the problem.
Almost every app on your phone is full of third-party advertising intermediaries — at a minimum, ad software owned by Facebook or Twitter or Google, but often a couple dozen other companies you haven’t even heard of, as well […]
The way mobile games collect information about their users, and the details of what type of information they’re collecting, remains incredibly opaque. To some extent, Rovio and its peers may not even know exactly what they’re collecting about their users or how the data is being exploited, thanks to the way software has evolved in the smartphone era. Mobile games are full of other companies’ code, a more efficient way of creating something cheap and functional and cute than building it from scratch.
Privacy policies are typically vague, referring to things like ‘gameplay data,’ but this isn’t necessarily as innocuous as it sounds.
The intricacies of gameplay data can tell you a lot about what makes people tick, and what’s going on with them — studies have shown that you play games differently when you’re depressed, or dieting. “Nobody gets too upset about games,” says University of Toronto researcher David Nieborg. “But the underlying technology is really powerful. These people are really pushing the technology to the limits where the potential for abuse is massive.”
Although the data captured by popular games is said to be anonymised, that isn’t necessarily true in practice.
A recent New York Times investigation found that it’s shockingly easy to de-anonymize, and that hundreds of apps collect “anonymous” real-time location data that needs only the slimmest additional context clues to tie to an individual person. (E.g. the phone goes to and from this house and this law office every day, or this house and this fourth-grade classroom.
Rovio was given as an example of a developer which aims to be transparent about the data it captures, but was unaware of ad-related SDKs in its code.
A spokesperson for Rovio tells Vox that Rovio games use only the resettable advertising IDs provided by Apple and Google, and don’t include third-party advertiser software development kits, but the recent Berkeley study said otherwise. I ask Reardon to double-check, and he sifts through the source code of the latest version of the Angry Birds flagship app. Just as before, he finds several third-party software development kits, including those for Facebook and Vungle.
When I ask Rovio again, a spokesperson revises. The company has “always preferred” to use more transparent server-to-server connections rather than include third-party software development kits directly in their games, but that’s “not an option that is always available nor possible.”
To be fair, most data captured by apps is used for perfectly innocuous purposes, like serving ads tailored to your interests and helping developers understand which app features are most popular. It’s possible to get carried away with scare stories here.
At the same time, it’s absolutely fair to say that current data capture practices are far from transparent, and that some of the data snaffled by popular games could be misused by a developer (or hacker) if it wished to do so. Best practice is always to minimize data capture in order to reduce the risk of either inadvertent disclosure or deliberate abuse.
The full piece is worth reading.