Ubisoft in-game data collection GDPR complaint (2025): Difference between revisions
complete rewrite, was a stub with 3 citations and broken chronology. sourced everything from the noyb complaint pdf, added background on ubisoft's drm history, the crew shutdown, network traffic analysis details, and ubisoft's response. killed the slop. |
correcting things to make sure that the citations fit the article text and support it properly. reworded a couple of things for tone/neutrality. Will change the title after |
||
| Line 11: | Line 11: | ||
|ArticleType=Product | |ArticleType=Product | ||
|Type=Privacy | |Type=Privacy | ||
|Description=Ubisoft forces single-player games online to collect player data; NOYB filed GDPR complaint after user found 150 DNS packages sent in 10 minutes | |Description=Ubisoft forces single-player games online to collect player data; NOYB filed GDPR complaint after user found 150 DNS packages sent in 10 minutes during a single player game | ||
}} | }} | ||
In September 2024, a player who purchased ''Far Cry Primal'' on Steam discovered that the game would not launch without logging into a [[Ubisoft]] account, despite the game having no online features. The player monitored network traffic during a 10-minute session and found 150 DNS queries and responses exchanged with external servers including Google, Amazon, and Datadog<ref name="noyb-complaint">{{Cite web |url=https://noyb.eu/sites/default/files/2025-04/Ubisoft_complaint_EN_redacted.pdf |title=Complaint against Ubisoft: Article 6 GDPR (Case C-098) |author=NOYB |date=2025-04-24 |access-date=2026-03-27 |website=noyb.eu |url-status=live |archive-url=https://web.archive.org/web/20250424083407/https://noyb.eu/sites/default/files/2025-04/Ubisoft_complaint_EN_redacted.pdf |archive-date=2025-04-24}}</ref>. On 24 April 2025, [[NOYB]] filed a [[GDPR]] complaint with the Austrian Data Protection Authority on the player's behalf, alleging that Ubisoft collects personal data without a valid legal basis<ref name="noyb-press">{{Cite web |url=https://noyb.eu/en/play-alone-ubisoft-still-watching-you |title=Like to play alone? Ubisoft is still watching you! |author=NOYB |date=2025-04-24 |access-date=2026-03-27 |website=noyb.eu |url-status=live |archive-url=https://web.archive.org/web/20250424092126/https://noyb.eu/en/play-alone-ubisoft-still-watching-you |archive-date=2025-04-24}}</ref>. | |||
== Background == | == Background == | ||
Ubisoft Connect (formerly Uplay) is Ubisoft's proprietary launcher and digital rights management client. Even when a player buys a Ubisoft game through a third-party store like Steam, the game | Ubisoft Connect (formerly Uplay) is Ubisoft's proprietary launcher and digital rights management client. Even when a player buys a Ubisoft game through a third-party store like Steam, the game requires installation of Ubisoft Connect and an account login before it will start<ref name="noyb-press" />. This applies to titles with no multiplayer or online features. | ||
Ubisoft has a long history of always-online DRM. In 2010, the company required a persistent internet connection to play ''Assassin's Creed II'' and ''Silent Hunter 5'' on PC. A denial-of-service attack on Ubisoft's authentication servers that March disrupted access to single-player games for legitimate buyers<ref name="guardian-2010">{{Cite web |date=2010-03-09 |title=Ubisoft apologises after attackers block games |url=https://www.theguardian.com/technology/2010/mar/09/ubisoft-drm |access-date=2026-03-27 |website=The Guardian}}</ref>. Ubisoft dropped the persistent connection requirement in 2011, replacing it with a one-time launch check<ref name="gamedeveloper">{{Cite web |last=Parkin |first=Simon |date=2011-01-04 |title=Ubisoft Removes Constant Online Authentication DRM For PC Games |url=https://www.gamedeveloper.com/game-platforms/ubisoft-removes-constant-online-authentication-drm-for-pc-games |access-date=2026-03-27 |website=Game Developer}}</ref>. In September 2012, Ubisoft's Chris Early confirmed the company would no longer use always-online DRM. "They're more inconvenient to our paying customers, so in listening to our players, we removed them," Early said in an interview<ref name="slashdot-2012">{{Cite web |date=2012-09-05 |title=Ubisoft Ditches Always-Online DRM Requirement From PC Games |url=https://games.slashdot.org/story/12/09/05/1716230/ubisoft-ditches-always-online-drm-requirement-from-pc-games |access-date=2026-03-27 |website=Slashdot}}</ref>. | Ubisoft has a long history of always-online DRM. In 2010, the company required a persistent internet connection to play ''Assassin's Creed II'' and ''Silent Hunter 5'' on PC. A denial-of-service attack on Ubisoft's authentication servers that March disrupted access to single-player games for legitimate buyers<ref name="guardian-2010">{{Cite web |date=2010-03-09 |title=Ubisoft apologises after attackers block games |url=https://www.theguardian.com/technology/2010/mar/09/ubisoft-drm |access-date=2026-03-27 |website=The Guardian}}</ref>. Ubisoft dropped the persistent connection requirement in 2011, replacing it with a one-time launch check<ref name="gamedeveloper">{{Cite web |last=Parkin |first=Simon |date=2011-01-04 |title=Ubisoft Removes Constant Online Authentication DRM For PC Games |url=https://www.gamedeveloper.com/game-platforms/ubisoft-removes-constant-online-authentication-drm-for-pc-games |access-date=2026-03-27 |website=Game Developer}}</ref>. In September 2012, Ubisoft's Chris Early confirmed the company would no longer use always-online DRM. "They're more inconvenient to our paying customers, so in listening to our players, we removed them," Early said in an interview<ref name="slashdot-2012">{{Cite web |date=2012-09-05 |title=Ubisoft Ditches Always-Online DRM Requirement From PC Games |url=https://games.slashdot.org/story/12/09/05/1716230/ubisoft-ditches-always-online-drm-requirement-from-pc-games |access-date=2026-03-27 |website=Slashdot}}</ref>. | ||
A notable exception toi this change in policy was ''The Crew'' (2014), which required a constant connection even for its single-player campaign. When Ubisoft shut down ''The Crew'' servers on 31 March 2024, [[Ubisoft#The_Crew_shutdown|the game became permanently unplayable]]<ref name="vgc-crew">{{Cite web |date=2024-08-20 |title=Ubisoft says players suing over The Crew shutdown shouldn't have expected to own the game forever |url=https://www.videogameschronicle.com/news/ubisoft-says-players-suing-over-the-crew-shutdown-shouldnt-have-expected-to-own-the-game-forever/ |access-date=2026-03-27 |website=VGC}}</ref>. The shutdown prompted the "[[Stop Killing Games]]" European Citizens' Initiative, which demanded the implementation of laws that require publishers to leave games in a playable state<ref name="pcgamer-skg">{{Cite web |date=2025-06-04 |title=Stop Killing Games' EU initiative hits 1.4 million signatures |url=https://www.pcgamer.com/gaming-industry/game-development/stop-killing-games-eu-initiative-hits-1-4-million-signatures-and-if-at-least-1-million-are-valid-its-off-to-the-european-commission/ |access-date=2026-03-27 |website=PC Gamer}}</ref>. | |||
== Network traffic analysis == | == Network traffic analysis == | ||
| Line 48: | Line 48: | ||
The complaint also cites Article 5(3) of the e-Privacy Directive (2002/58/EC), which requires user consent before accessing data from their device unless the access is strictly necessary to provide a service the user requested<ref name="noyb-complaint" />. Since ''Far Cry Primal'' has no online features, the data collection doesn't meet this threshold. | The complaint also cites Article 5(3) of the e-Privacy Directive (2002/58/EC), which requires user consent before accessing data from their device unless the access is strictly necessary to provide a service the user requested<ref name="noyb-complaint" />. Since ''Far Cry Primal'' has no online features, the data collection doesn't meet this threshold. | ||
NOYB requested that the DSB declare Ubisoft in violation of Article 6(1), order the deletion of all unlawfully processed personal data, ban the unauthorized | NOYB requested that the DSB declare Ubisoft in violation of Article 6(1), order the deletion of all unlawfully processed personal data, ban the unauthorized data processing, and impose an administrative fine. Based on Ubisoft's annual revenue of over €2 billion, the maximum fine under GDPR Article 83 would be approximately €92 million<ref name="noyb-press" /><ref name="register">{{Cite web |last=Vigliarolo |first=Brandon |date=2025-04-24 |title=Assassin's Creed maker faces GDPR complaint for forcing single-player gamers online |url=https://www.theregister.com/2025/04/24/ubisoft_noyb_complaint/ |access-date=2026-03-27 |website=The Register}}</ref>. | ||
No public decision from the DSB had been reported as of early 2026. | No public decision from the DSB had been reported as of early 2026. | ||
| Line 56: | Line 56: | ||
Ubisoft responded publicly on 29 April 2025: "We are aware of the complaint and are looking into it. Ubisoft is committed to protecting players' personal data on our websites and games. For games that support offline modes, an Internet connection is required only at the initial launch."<ref name="eurogamer">{{Cite web |last=Phillips |first=Tom |date=2025-04-29 |title=Privacy firm files Ubisoft legal complaint over data collection, forced online in single-player games |url=https://www.eurogamer.net/privacy-firm-files-ubisoft-legal-complaint-over-data-collection-forced-online-in-single-player-games |access-date=2026-03-27 |website=Eurogamer}}</ref> | Ubisoft responded publicly on 29 April 2025: "We are aware of the complaint and are looking into it. Ubisoft is committed to protecting players' personal data on our websites and games. For games that support offline modes, an Internet connection is required only at the initial launch."<ref name="eurogamer">{{Cite web |last=Phillips |first=Tom |date=2025-04-29 |title=Privacy firm files Ubisoft legal complaint over data collection, forced online in single-player games |url=https://www.eurogamer.net/privacy-firm-files-ubisoft-legal-complaint-over-data-collection-forced-online-in-single-player-games |access-date=2026-03-27 |website=Eurogamer}}</ref> | ||
NOYB | NOYB noted that the advertised offline mode did not work for the complainant, and that the network traffic analysis showed data collection over longer periods, not only at launch<ref name="register" />. | ||
== References == | == References == | ||
Revision as of 19:50, 27 March 2026
In September 2024, a player who purchased Far Cry Primal on Steam discovered that the game would not launch without logging into a Ubisoft account, despite the game having no online features. The player monitored network traffic during a 10-minute session and found 150 DNS queries and responses exchanged with external servers including Google, Amazon, and Datadog[1]. On 24 April 2025, NOYB filed a GDPR complaint with the Austrian Data Protection Authority on the player's behalf, alleging that Ubisoft collects personal data without a valid legal basis[2].
Background
Ubisoft Connect (formerly Uplay) is Ubisoft's proprietary launcher and digital rights management client. Even when a player buys a Ubisoft game through a third-party store like Steam, the game requires installation of Ubisoft Connect and an account login before it will start[2]. This applies to titles with no multiplayer or online features.
Ubisoft has a long history of always-online DRM. In 2010, the company required a persistent internet connection to play Assassin's Creed II and Silent Hunter 5 on PC. A denial-of-service attack on Ubisoft's authentication servers that March disrupted access to single-player games for legitimate buyers[3]. Ubisoft dropped the persistent connection requirement in 2011, replacing it with a one-time launch check[4]. In September 2012, Ubisoft's Chris Early confirmed the company would no longer use always-online DRM. "They're more inconvenient to our paying customers, so in listening to our players, we removed them," Early said in an interview[5].
A notable exception toi this change in policy was The Crew (2014), which required a constant connection even for its single-player campaign. When Ubisoft shut down The Crew servers on 31 March 2024, the game became permanently unplayable[6]. The shutdown prompted the "Stop Killing Games" European Citizens' Initiative, which demanded the implementation of laws that require publishers to leave games in a playable state[7].
Network traffic analysis
On 13 September 2024, an Austrian user played Far Cry Primal, a single-player game with no multiplayer features, purchased through Steam. The game refused to launch without an internet connection and a login to Ubisoft Connect[1].
The user captured network traffic during a 10-minute gameplay session. The packet capture revealed 150 unique DNS packages (queries and responses) and 56 requests to initiate connections between the user's computer and external servers[1]. Recipients of the data included Google, Amazon, and Datadog, a US-based cloud analytics firm. Some data transfers were labeled "metrics" in the traffic headers. All transmissions were encrypted with TLS, so the exact contents were not visible to the user[1].
The user then exercised their GDPR Article 15 right of access, forcing Ubisoft to disclose what data it held on them. The returned file (uplay_traffic_data.csv) confirmed that Ubisoft records the user's unique ID, the exact time they launched the game, the exact time they quit, and the total session duration[1][2].
Ubisoft's own EULA goes further. It states that collected data "may contain the following, without limitation: mobile device unique identity or other device identifiers and settings, carrier, operating system, localization information, date and time spent on the Product, game scores, game metrics and statistics, feature usage, advertising conversion rates, monetization rate, purchase history and other similar information"[1].
On 27 September 2024, the user contacted Ubisoft customer support. Ubisoft replied that the data sent at game launch is "an ownership check on our servers to validate that the player's account owns the game they're trying to launch" and linked to a help page about playing games offline[1][8]. Ubisoft did not explain why data was being sent to Google, Amazon, or Datadog, and did not address the ongoing data collection during gameplay[1].
NOYB complaint
On 24 April 2025, NOYB filed a complaint (Case C-098) with the Austrian Data Protection Authority (Datenschutzbehorde, DSB) on the user's behalf under GDPR Article 80(1)[1]. The complaint targets Ubisoft Entertainment SA, headquartered at 28 Rue Armand Carrel, 93100 Montreuil, France[1].
NOYB alleges that Ubisoft violated GDPR Article 6(1) by processing personal data without a valid legal basis. The complaint makes three arguments against Ubisoft's "ownership verification" defense[2]:
- Steam already verifies game ownership at purchase and at first launch, making a second verification by Ubisoft redundant[1][9].
- Ubisoft itself offers a hidden offline mode for some games. If the game can run offline, the online check can't be "necessary"[1].
- Even if verification at launch were justified, it doesn't explain why data is collected continuously during gameplay and sent to third parties like Google and Datadog[1].
The complaint also cites Article 5(3) of the e-Privacy Directive (2002/58/EC), which requires user consent before accessing data from their device unless the access is strictly necessary to provide a service the user requested[1]. Since Far Cry Primal has no online features, the data collection doesn't meet this threshold.
NOYB requested that the DSB declare Ubisoft in violation of Article 6(1), order the deletion of all unlawfully processed personal data, ban the unauthorized data processing, and impose an administrative fine. Based on Ubisoft's annual revenue of over €2 billion, the maximum fine under GDPR Article 83 would be approximately €92 million[2][10].
No public decision from the DSB had been reported as of early 2026.
Ubisoft's response
Ubisoft responded publicly on 29 April 2025: "We are aware of the complaint and are looking into it. Ubisoft is committed to protecting players' personal data on our websites and games. For games that support offline modes, an Internet connection is required only at the initial launch."[11]
NOYB noted that the advertised offline mode did not work for the complainant, and that the network traffic analysis showed data collection over longer periods, not only at launch[10].
References
- ↑ 1.00 1.01 1.02 1.03 1.04 1.05 1.06 1.07 1.08 1.09 1.10 1.11 1.12 1.13 NOYB (2025-04-24). "Complaint against Ubisoft: Article 6 GDPR (Case C-098)" (PDF). noyb.eu. Archived (PDF) from the original on 2025-04-24. Retrieved 2026-03-27.
- ↑ 2.0 2.1 2.2 2.3 2.4 NOYB (2025-04-24). "Like to play alone? Ubisoft is still watching you!". noyb.eu. Archived from the original on 2025-04-24. Retrieved 2026-03-27.
- ↑ "Ubisoft apologises after attackers block games". The Guardian. 2010-03-09. Retrieved 2026-03-27.
- ↑ Parkin, Simon (2011-01-04). "Ubisoft Removes Constant Online Authentication DRM For PC Games". Game Developer. Retrieved 2026-03-27.
- ↑ "Ubisoft Ditches Always-Online DRM Requirement From PC Games". Slashdot. 2012-09-05. Retrieved 2026-03-27.
- ↑ "Ubisoft says players suing over The Crew shutdown shouldn't have expected to own the game forever". VGC. 2024-08-20. Retrieved 2026-03-27.
- ↑ "Stop Killing Games' EU initiative hits 1.4 million signatures". PC Gamer. 2025-06-04. Retrieved 2026-03-27.
- ↑ Laurent, Alexandre (2025-04-25). "Mandatory connection for single-player games: Ubisoft sued for non-compliance with the GDPR". Next.ink. Archived from the original on 2025-04-25.
- ↑ "Ubisoft Accused of Unlawfully Collecting Player Data in Single-Player Games". Bitdefender. 2025-04-28. Retrieved 2026-03-27.
- ↑ 10.0 10.1 Vigliarolo, Brandon (2025-04-24). "Assassin's Creed maker faces GDPR complaint for forcing single-player gamers online". The Register. Retrieved 2026-03-27.
- ↑ Phillips, Tom (2025-04-29). "Privacy firm files Ubisoft legal complaint over data collection, forced online in single-player games". Eurogamer. Retrieved 2026-03-27.