Games are still tempting targets for hackers. Zynga’s popular online game, Words With Friends, was recently hacked and more than 218 million users had their information stolen.
And once hackers breach a game company’s defenses and get inside, they can steal identities, financial wealth, and virtual property in games that can be resold for real-world value. They can also bring an online game down and cause an uproar from gamers who can’t get into their favorite hobby.
So GamesBeat recently held a webinar to talk about the problem and how game companies can protect their players and themselves from cyberattacks. The attacks can also do massive damage to the company’s reputation, the players’ trust in you, and their faith in your security practices — not to mention the victim company’s bottom line. Reparations can be costly.
Akamai sponsored the webinar. We have extracted most of the practical advice that just about any company can benefit from, and we’ve preserved the banter between our panelists.
Dean Takahashi moderated the session, and our speakers included Scott Adams, CEO of FraudPVP (formerly of Riot Games); Lonnye Bower, chief operating officer of game startup ProbablyMonsters (formerly at Bungie); Steve Ragan, senior technical writer at Akamai; and Jonathan Singer, senior manager for global games industry at Akamai.
Here’s an edited transcript of our conversation.
GamesBeat: We have a broad question for all of our panelists here to start with. How can game studios and developers protect themselves and their users? Jonathan, could you tackle it first?
Singer: It’s a pretty simple thing, but it’s coding your login page and your APIs with OWASP. Writing secure code according to OWASP best practices, doing penetration tests on your login endpoints with reputable providers, all of these pieces — that’s the entrance point to your games. Anyone who has a lot of experience and is listening to this probably knows this already, but it bears repeating that that’s one of the things you need to be doing to protect your players.
There’s obviously a lot of concern around [distributed denial of service] (DDOS) protection, around bot management and anti-cheat, around identity. There are a lot of different pieces that need to be solved there, from a lot of different angles. I understand that lots of developers and publishers sometimes build their own solutions. They sometimes buy their own best-practice solutions. But there’s so many aspects of security to look at that really, where you want to start is just thinking about the player and what they need.
Adams: I like where you left that. That’s one of the biggest things. The first thing any game company should do is think about the players. I’ve been inside a lot of different game companies, and companies in general. One of the things that I always like to make sure, from every level, to think about is that when you’re building the game and as you move forward to continue it, you have to make sure that security and fraud and risk and all that stuff is at the table as you make decisions.
I’ve heard so many times from game developers: “I won’t be defrauded. I’m a game company.” Now we’re getting to where that happens less, but even with that knowledge, if you don’t have an expert at the table when you’re making the big decisions and planning out the game, you’re going to end up getting hurt. If you’re not used to thinking that way, you’re probably going to leave a lot of holes. As you come up with a new feature, as you come up with a new unit in your game, new ideas around how the game might play, then having someone at the table that thinks that way is invaluable.
Another thing I’d say, especially as the game launches, listen to your customer support, your player support. Those guys are the front lines. They’re seeing and hearing and talking to your players. If they see something, take them seriously. Try to solve that problem quickly, before it becomes a bigger problem.
Singer: If anyone out there has that sort of mentality in their company — “I’m just a game company” — the game industry is one of the world’s largest completely unregulated financial markets. That’s really how you need to think of yourselves. The more we move toward subscription models, you’re collecting PII. You’re collecting all the contact information. You have credit card information. Players tie up a ton of value in their accounts. The world is increasingly aware of that. It’s a juicier and juicier target for anyone who’s interested in making money. You’re not just a game company anymore.
Bower: I really feel for the players who are out there looking for an inspiring game to play. They’re trusting the studios. They’re trusting the developers that put games out. They really want a challenging and enjoyable experience. On the game side, you need to ensure that all of the teams are thinking and talking about security, really from the initial stages, which goes along with what Jonathan and Scott are saying. When you begin developing the game, it needs to be a conversation you’re having on day one.
Ragan: A lot of the criminals that I researched target two things in particular: the gamers themselves and the authentication mechanisms used to get into a game.
My suggestion is to focus on strengthening your access controls and your identity management controls for gamers themselves, and then awareness training for the players. Make sure they understand the risks of password sharing, the risks of account sharing, the risks of trying to purchase game add-ons and things from unapproved vendors or external parties, all the associated risks with that. That’s a good area of focus as game companies develop new properties and expand, because the player base is going to be the largest asset targeted.
GamesBeat: How do you offer protection without affecting the user experience or game performance?
Ragan: You have to make it so that all of the protections in place don’t ruin the gaming experience for the user, by making sure it’s seamless. I’ve played games in the background where anti-cheating mechanisms or account security mechanisms are just all part of the process. It flows smoothly from one thing to the next. In some cases, for authentication and verification, just getting into the game itself, you don’t realize you’re going through all these security hoops. You’re just logging in to go and play.
I can tell you that one of the largest gaming firms on the market right now, one that’s really popular for subscription-based services, makes security really easy and obtainable for every one of their players. They focus on user awareness training and things like that. But when you’re going through all those security hoops, you don’t realize it. You just log in and you go. All of that stuff happens in the background, so it stays out of the way.
Bower: When I think about protection for the users to ensure their experience and a great performance and experience there, I look at two sides. I look at both the client and the server side. When I say the client, it’s any console or platform that you’re playing on. Looking at that, you want to ensure that your game engineers are aware of and able to incorporate security best practices when they’re building their code, so that we prevent the ability for hackers or bad actors to reverse engineer the game on that client.
Then, when we look at the server side, this would be those services that Steve mentioned when you’re logging into the game and authenticating. Both internal and game-facing, those need to be deployed with security protections in mind. I’d really think of that as starting with the principle of least privilege, where the users on the system have enough access to do only the tasks they need to perform and nothing more. Generally, engineering that way should help with the protections for the game. Talking about the client side, if they’re engineering the game with those best practices in place, it shouldn’t really impact the performance on the client side.
Adams: I agree with everyone so far. But I would also say that you can’t, I don’t think, offer really good protection and not at least affect the experience. You can keep it manageable and keep it a good experience.
One thing we should all think about if we’re speaking to game studios and developers is that the sooner we can make it normal to, say, get some form of identification, a way of communication, like your phone number and email, when someone plays a game — or the consoles, they have hardware IDs. If it’s online, requiring either email or phone — if we can make it so it’s a normal experience for a game to use some form of two-factor authentication, that would be great. Surprisingly, we haven’t really done that. Some games do and some don’t. Once that’s a norm, it’s not a big deal. Those kinds of things can be very good protection.
There’s a lot of new technology out there coming up, things like biometrics, that can help us in a similar way, and then it’s less impactful to the experience. The sooner that we as an industry take note and make this something we all do and take seriously, the sooner things will get more difficult for fraudsters.
Singer: To cap this off, the first thing you do is hide as much as you can. Then, and this is what others have said, you can’t offer the most secure experience without affecting the user experience. What you want to do is positively affect the user experience. You want a bit of security theater to it, which may make some folks wince, but you don’t actually want it to be theater. It’s about giving them useful tools that secure the players that also make them feel secure and build trust.
If we’re talking about multi-factor authentication (MFA), if you want users to enroll in MFA, they have to trust that when they give you their phone number, you’re not selling that. You’re not using that. You can have it printed in a license agreement, but if you don’t do other things to earn the trust of your players, you’re not going to be able to give them a more secure experience. If they don’t already trust you as a publisher for other reasons, it makes partnering with your players on security more difficult. They’re less likely to work with you.
There’s something to be said for — the entire experience of how they interact with you as a company affects your security posture. That’s down to your marketing and PR, even. I know I’m going a little far afield from the technical security discussion, but you need to build trust with your users so that when you give them security solutions to use, they believe that you have their best interests at heart when you’re collecting the information you need to further secure them.
Bower: I’d like to add one comment to that, if I may. Part of fostering a culture of transparency and trust between the players and the studios is really communication. If we are going to be adding anything that would impact the performance of the game, it’s critical that the studios or the developers have that communication open with the players, so that they’re aware of what’s happening and why it’s happening. That will build on the trust that we earn from them.
Singer: I completely agree. If you take DDOS as an example, there are different types of DDOS solutions. Some might just be, the players don’t see it and they don’t know it’s happening. There are other types where you block traffic, scrub traffic, it slows things down, and all of a sudden players are having a negative experience, but it’s not completely shut off. What does that look like? Do they know? Do they understand what’s happening? That’s a basic example, but again, communicating with your players why you do things that might affect their game performance is key to building trust with them overall.
GamesBeat: Why are we talking about digital security in gaming? What’s the imperative?
Singer: Why are we talking about digital security? Because money. Gamers are a niche demographic. They’re known for spending a lot of money. Their financial status has made them tempting targets. Then you add on top of that that this industry is increasingly moving from physical to digital, to subscription-based services. That makes it more and more — you combine that with collecting a lot of PII and it’s just a really tempting target.
It’s also becoming more and more broadly known as gaming seeks to become one of the primary forms of media consumption as entertainment out there. If you look at how game companies are positioning themselves, you see — someone does $600 million in sales on the opening weekend of their game, and in a press release they compare that to a recent movie opening. “We did twice as much as they did.”
As the industry seeks to go increasingly digital, to collect more information, to collect recurring payments and assured revenue, that makes it a really nice target for folks who want a slice of that, but don’t want to participate. More and more credential stuffing attacks, more credential abuse, more things aimed and getting your data and getting your money out of the system.
GamesBeat: It’s no surprise that after Fortnite became a global cultural phenomenon, it also became a great target for hackers to go after. Every now and then we see some kind of story in the news about that.
Singer: Yeah. And if you look on YouTube, you can just watch a video on how to crack a game. You’ll see the discussion there underneath. “Hey, you just posted a 10-minute video on how to hack this game. Isn’t that illegal?” “Yeah, but try calling the police and telling them that someone hacked your Fortnite account.”
Ragan: There were a series of videos that targeted Fortnite directly, from multiple-stage attacks. The video would start off with walking the viewer through conducting SQL injection attacks to obtain fresh credentials from various websites, and then testing them against Fortnite to see if anybody was reusing their usernames and passwords and taking over the accounts from there. Compromised accounts are sold and resold constantly, traded for other things on the market. It’s no surprise that they go after the top targets.
Keep in mind, though, some of the smaller targets are still very viable marks for criminals. The goal is to try to get as many accounts as possible to later target other, bigger things. Somebody who’s reusing their gaming username and password on, say, a streaming media platform, or an email platform, or a social media platform, or heaven forbid a financial platform, all of those things become at risk. It only takes one weak authentication mechanism or weak credential on the gaming side of things, or shared accounts or what have you.
Bower: Outside of the business aspects of this and the money aspects of this, bringing it back to the players, we exist because we are providing them a story and an experience through a game. We’re inspiring them to play. Talking about digital security, our imperative is protecting company assets. For the studios that would be game IP. For the users it circles back to the first question, about how we ensure they remain secure.
I go back to the communication aspect of that. They need to be just as informed. Don’t let an online person saying “Oh, let me help you win that item you want in the game” — making sure they’re aware that those are bad actors who will just go in and compromise their accounts is critical. If we continue the conversations and communicate with the players, they’re loyal to studios. They trust us. We owe them that much in terms of communicating everything to them.
Ragan: I also want to play on — not just that, but something Jonathan touched on earlier about unregulated markets. A lot of gamers and players are targeted as a community, as a whole, because they’re known to be very generous. Not only with their time and their money for charitable causes and things like this — gamers are huge charity drivers — but they’re known to spend money on untested properties or first-run games from independent studios. They love that stuff.
Criminals take advantage of that by offering what appears to be a unique opportunity or a unique thing that lures gamers into an aspect that they weren’t really expecting. You’ll see exclusive game offers for new release titles. You’ll see fake offers for in-game perks or challenges and things like that. That’s how they start sucking them up. They take advantage of the community aspect of that. When we’re doing awareness training or talking about awareness training, that’s also something to be focused on. You’re part of a much larger community, but you have to focus on the herd. You can’t just focus on the individual.
Adams: Also, with training, it’s a good point that — fraudsters tend to go to a place where there’s the least resistance. Back to the point about things like MFA or other security measures, if we don’t do a good job of protecting the game, then fraud will go there because it’s easy. It’s a huge community.
On the other side, like Steve just said, if you think about all the scams out there — you have to remember, a lot of gamers are kids. And games are worldwide now. Every country in the world plays video games. In some countries, the currency might be weak, and so it could be really expensive to play a game. In companies I’ve worked with like Riot and Epic, you’ll see free virtual currency or loaded accounts — when I was at Riot they used to say there would be a Rioter account, unlocked and loaded with all this stuff. It’s so easy to get somebody to come in and take that bait. The good fraudsters would actually deliver for a while. But then pretty quickly you’d discover it was loaded with stolen credit cards to create all that stuff, and then you’d get shut down.
A really good way to protect the players from that, beyond technology, is what Steve said. It’s a lot of education, making sure players know that there’s only one place to buy currency for your game. Or if there’s more than one place, make sure it’s really easy to tell what’s legitimate and what’s not. If gamers know that, that makes it easier, but it’s still going to be tempting, so you have to have the technology to back it up as well.
GamesBeat: It might make you wish your game company stayed nice and small, so you could avoid all these people.
Adams: It was so much easier when it was all in boxes. But now that it’s online — it’s a lot more fun, the technology is awesome, but that opens a lot of doors. We have to make sure that we take responsibility and protect those.
GamesBeat: We’ll move on to the results of our live audience poll here. We asked the question, “How confident are you in defending your game and players from online security threats?” It looks like 12 percent of our audience here says they have top-notch protection in place. 75 percent say they have some good measures in place, but there’s room for improvement. 12 percent say there’s a lot more to do. Is anybody surprised at those results?
Ragan: I’m not surprised at all. That’s actually a very healthy mindset to have. You have some good stuff in place, but there’s always room for improvement. That’s a very stable mindset to have in security, especially when you’re dealing with an attack surface that’s wide and diverse and contains multiple little cracks and crevices that criminals love to poke at. I like that.
Adams: I’d like to know who has top-notch protection. Things change so fast in this industry that even top-notch — I think you can have top-notch security, but you should still realize that there is always room for improvement.
Bower: As technology is changing, we are also chasing new advancements in how to address those technologies.
Singer: Similarly, I’m not surprised by this. The game industry is no stranger to security and all the problems that they’ve been encountering over the last decade. I’ve met with a lot of companies and they’ve hired some brilliant security folks to do a lot of work building their own solutions. You’re starting to really see it.
If you look at Riot’s 10-year anniversary announcements, they talked about their upcoming shooter. They’re saying, “We’re building anti-cheat into this.” When that’s a way that a major game studio is going to market and talking to their consumer base — “We’re building this into our game, building this into our product. We want it to be a secure experience for you.” — you know that there’s a lot of industry focus on it. You know that the player community has responded enough that they’re ready for this.
Going back to everything we were talking about earlier, about building trust with your players and making them a part of your security solution, educating them and helping them to be more secure, the player base is ready for that too. It puts everyone listening to this webinar in a good position, because your key customers want to be part of the solution.
Adams: When I was at Riot — I can tell you that I still really love that company, and that’s one of the things I love about them. The vast majority of their decisions are player-focused. That’s what we all need to be, really. As far as the new games, they definitely, as they started to develop those — they were talking about security. I was still there at the time some of these started. We were already talking about it.
As I said at the very beginning, we have to start the development process with the idea that we have to be secure. If you don’t, you really can’t do it. You can’t be secure if you don’t have that mindset to start.
Singer: As a community, the game industry needs to come together and work, as Steve said earlier, to protect the herd. We’ve been talking about herd immunity as a way of thinking about how we need to act as a games community and as a community of both publishers and developers and platform holders and players. How do we work together to make sure we let people have fun?
Ragan: There’s an important caveat that needs to be pointed out, though. The earlier mention Fortnite is a great example of this. When we talk about protecting the herd, when we talk about protecting gamers and building things in and making the gamers a part of the security solutions, I think we also need to keep in mind the demographic of the players themselves.
A 20-something is going to look at security from one way and adopt security training and models one way, but a 50-something is going to do it differently. A preteen is going to be completely different than anybody you’ve ever expected. They inherently have more technical savvy. I know it’s an old adage — oh, the kids are so smart about the gizmos and the widgets now — but the younger generations adapt quicker to security changes and models without any kind of fuss. They just want to play their game. It’s all they care about.
But at the same time, the younger generations are also susceptible to very common scams that a lot of us older folks are used to. We’ve seen them in other places before. This is all still new to them. You have to adjust your models to address the differences and the needs within the herd, not just overall. It’s not a silver bullet type of situation.
GamesBeat: We have our second live audience poll here. What is your biggest concern when it comes to online threats? Is it keeping up with evolving threats, losing the trust of your users and tarnishing your brand, or taking a financial hit? Our audience can start mulling that over as we move on to more questions. What are the trends we’re seeing in terms of threats today?
Ragan: I’ve been doing trending for gaming threats now since our last report in preparation for the next report on gaming. Right now the trends are going toward straight account takeovers. There’s been a couple of new titles that have come out over the last couple of months, and people are trying to get in on that bandwagon. Fortnite just launched season two. That put them back in the spotlight. A couple of gaming platforms are hot commodities for account trading and account takeovers. The goal is data collection.
Some accounts are being taken over just to trade for the goodies in the account: custom skins, unlocked characters, things like that. The accounts are being traded and sold just for that. Ban evasion and ban avoidance is another goal of some of these acts, just to get around — players have been kicked off, so they steal someone else’s account so they can log in and play the game. And then there’s personal and financial information. Some accounts have payment details, Paypal accounts, things like that tied to their account. Being able to take that over gives a criminal access to financial resources that wouldn’t otherwise be available. There’s a number of trends going on, but the primary one is just straight account takeover.
Bower: Coming from the developer side, the studio side, it’s really important to leverage partnerships you have with other studios to discuss trends that you’re seeing internally with your games and your services. As we talked about previously, with advancements in technology, things are rapidly improving. Online services are being attacked by hackers in every industry. It’s important to be planning development strategies around security from day one.
And more importantly, you can’t lose sight of those risks once your game has launched. The people who are trying to game the system, they’re looking for ways to manipulate your game. With every deployment, every launch, every update, there’s potential for risk there. They’re going to be looking for ways to get into the game.
Singer: Obviously there is some information sharing. Before I make my statement, I want to turn a quick question back to you. Obviously you deal with other studios on a regular basis and talk to them about this stuff. How amenable have you found other folks in the industry to having those kinds of discussions?
Bower: I find they’re very open to it. It’s the kind of information-sharing where it’s mutually beneficial. We’re helping bring up topics that maybe other studios haven’t see, and vice versa. It’s a partnership where we’re helping each other out.
Singer: That’s great to hear because I think that the industry — this is just a personal thing — could benefit from having an ISAC, an Information Sharing and Analysis Center. The financial services industry has it, and a bunch of other industries as well. There’s a cool opportunity for the game industry to do more to support one another.
GamesBeat: Our first question from the audience came in, and this person asks, does your company contribute to or collaborate with the RH-ISAC? If so, how has that helped you?
Singer: RH-ISAC, that’s the ISAC for the retail and hospitality industries. Obviously I’m not a developer. Akamai, certainly, works with them. I don’t know how much it really fits in with the game industry’s unique problems. Game companies are obviously retailers, but I think there’s a different set of shared risks that the game industry should be working on. That’s something interesting for anyone listening to this to explore, though, so I’m glad that was brought up.
Adams: A side note on that, no one that I’m aware of works with that group, but a lot of my experience is more on the payment fraud side. Mostly where I end up getting information and sharing information is at events like the Merchant Risk Council, where it’s mainly focused on payments and fraud around that, but we also end up talking a lot about other security aspects as well.
Singer: That makes sense. Criminals are organized, and so it behooves the industry to get organized as well, I would think.
Adams: Very much so.
Bower: Also, with the studios launching games on first-party platforms, in many cases, the developers are not directly tied to financial information.
GamesBeat: Where are web attacks headed? What will happen with cloud gaming and subscription services?
Adams: Attacks are just getting more sophisticated. The fraudsters move as fast as we do, and probably faster. Things that used to be more around the payment methods — now, as we just talked about, it’s moved, quite a while ago really, into account takeovers. We’ll see a lot more of that, and it will get more sophisticated.
As we go toward cloud gaming, that gets even more interesting. In some ways, it’s harder for the fraudsters, especially on the competitive integrity side. You won’t be hosting. On your PC, you won’t have any game code. In most cases, it will just be a video coming across, a video stream. On the flip side, if the cloud gaming platforms don’t protect themselves in a lot of the ways we’ve been talking about, there’s a whole lot more risk.
Bower: If I were to look at the future in terms of where we’re going with cloud gaming and subscriptions, from the studio or developer side, I don’t really see a huge change in how we’re launching games. As I mentioned in the previous question, we’re looking to a first-party publisher to release our games. On that avenue, it’s imperative that we foster partnerships with those publishers and keep those communication channels open so that we’re able to be notified of any new threats, or anything on the security side that they’re seeing. In turn, it’s our responsibility as studios and developers to address those threats through client code changes or changes on the server side.
Singer: In addition to publishers, and obviously the platforms fill this role as well — you need to be in touch with your platforms. If you’re a developer and you’re not sure what to do next from a security posture standpoint, go to your platforms and ask them what they want out of you. Sony, Microsoft, Nintendo, Valve. What do they want to see more of?
A lot of them see developers and publishers as the weakest link in their security chain. One really important game gets taken out with a DDOS attack and then everyone starts logging into the platform over and over again, and now the platform gets DOS’d by its own players and everything goes down. That’s a bad scene. Now no one can access their game. That goes back to the herd immunity topic. A problem in one game can affect everyone.
What are the best practices that your platform owners and major channel partners worry about? What keeps them awake? What do they want to see more of? That’s an interesting question to ask if you’re looking for ways to do more internal prioritization because I’m sure you can find someone there who’s willing to talk with you.
Bower: I’d also add that — this question asks what will happen with cloud gaming. I want to be cognizant of the fact that the paradigm shift of going from on-prem to cloud-based — in reality, I do believe that many of the studios, especially the indie studios, are cloud-borne. They’ve been building in the cloud for longer than what the larger studios are seeing as that shift from on-prem to the cloud continues.
GamesBeat: How do you message the importance of security to teams that you collaborate with?
Ragan: The easiest way to get the message across to other teams that you’re collaborating with about security or how things need to be co-aligned is to find out what they expect or what they need for the product and what they need for the life cycle of the product. Explain why security plays a role in that. Figure out how to partner with them.
A lot of times security is seen as adversarial, or it’s seen as a hindrance, something that blocks traditional play, traditional development, dev roll-offs, things like this. Instead of being that kind of hurdle, make security a part of the team, a part of the success overall. Figure out how to partner up like that. You’ll get more accolades, more support than you were probably expecting.
It’s like the old adage about how you catch more flies with honey. The fact of the matter is that security is still a hurdle for a lot of companies. You work it in to where you’re a partner instead of an adversary and you’ll find that the results generally improve for you overall.
Adams: In the fraud and risk space, I like to remind people that we have access to a lot of data, which a lot of areas of the company may not know. To echo the same thing, if you can find a way to help the other areas of the company that you need to communicate with, then often you can get better collaboration. Back to what I said earlier, if you can get a seat at the table, even embed somebody from security in different teams, then it’s easier to collaborate that way.
Bower: I’d agree with Scott. It’s important to communicate with the teams on the importance of security. Internally, it goes from things as simple as no tailgating when going into the building, to looking at the code that’s being deployed for the game and making sure that everyone involved in the development of the game understands the importance of security. And what the risks are if we are exposed.
Adams: One thing I’ve done in the past that helped a lot, whenever you have all-hands meetings, get someone from the security group to speak. Don’t just go up there and tell some technical story, but tell a fun story. A lot of the time the things we do can be secret or classified internally. But if you have a story that is interesting, you’ll get engagement from the company, engagement from people. I’ve done that at a number of companies, and I always get many more people wanting to talk by telling stories about how we overcame some problems or whatever it was.
GamesBeat: Looking at our second live audience poll results, our question was, “What is your biggest concern when it comes to online threats? The poll results are as follows. 16 percent said it was keeping up with evolving threats, 66 percent said losing the trust of our users, and 16 percent said tarnishing our brand. Any quick comment?
Adams: I love those results. That’s where we should be.
Bower: That makes sense. It fits in perfectly with the conversation we’ve been having since we started. We’re here for the users. They’re looking to us to provide them with an inspiring world to play games in.
GamesBeat: One more audience question. Do the GDPR laws in Europe impact how a publisher makes decisions about privacy and security?
Bower: We’re looking at GDPR again from day one. As you build your infrastructure, the schema should include the ability to address GDPR, even if you’re not planning to have a game deployed there. Everything could change in terms of where the game is being launched and how it’s being served. If you’re prepared for it on day one, you don’t have to put in a bunch of engineering changes to address it later.
Adams: Yeah, I totally agree with that. I do a lot of work around this stuff, and it’s such a huge thing. How GDPR works, it doesn’t really matter where you deploy your game. It’ll get played pretty much anywhere. If a citizen comes over from Europe to the U.S. and plays your game, enters their email address, they’re still a European citizen. You still have to make that impact your privacy and security, and you have to do it from day one. Otherwise, there’s almost no way to do it.
Singer: To be clear, GDPR is not the first of these types of laws. It happens to be one that’s capturing global attention, which is great, because if you weren’t thinking about it before as a game developer, and then you went out into the market and you tried to go global, you’re going to meet restrictions like this in a lot of different parts of the world. GDPR just happens to be broadly encompassing and highly specific. But if you’re thinking about security from day one, then it’s less of an issue.
Adams: A lot of states and other countries are working on or have already passed laws of a similar nature. We really just need to think about this anyway.
GamesBeat: One last question here. How do you more effectively partner with players to help them protect themselves?
Bower: Communication is key, making sure you’re engaging with the players. I mentioned earlier, talking about the situation of not handing over your controller or access to a stranger. Just really being clear about what something like that do to impact you as a player. If you think about playing a game where you’ve worked 20, 40, 200 hours to earn a certain emblem or a certain article of clothing in that game, by not protecting yourself as the user — those items are currency within the game. Those items are very valuable. If the game is exploited and everyone is then able to go get those items, then they become useless. It’s important to ensure open streams of communication with the players.
Disclosure: Akamai sponsored our session on protecting game companies. Our coverage remains objective.