Cheating in multiplayer games: the TTDSG as a hurdle for reading out the hardware ID?

"It’s full of cheaters"; "great game, but now unplayable"; "cheater problem."

This or words to this effect can be read in the user reviews of many so-called PvP (Player versus Player) multiplayer games, i.e. video games whose incentive is to compete online with other players in direct duels. The loss of players due to cheaters is a serious problem for game makers and publishers. Cheaters are players who gain advantages over other players in the game by using technical aids such as aim bots or wall hacks ("seeing through walls").

The common anti-cheat measures that have been used to date, such as account bans, are not particularly effective. A new account can be created quickly using a different e-mail address, and in the so-called free-2-play area this does not even incur additional costs. Publishers and manufacturers have therefore increasingly started using so-called hardware ID bans, where the unique identifiers of the components installed in the end device, such as the graphics card or CPU, are read out with the targeted aim of excluding the specific end device from accessing the (free-2-play) multiplayer game, irrespective of the account.

Anti-cheat measures and the TTDSG

The German Telecommunications Telemedia Data Protection Act [Telekommunikation-Telemedien-Datenschutz-Gesetz – TTDSG] regulates the protection of privacy when using telemedia and therefore has to be observed in addition to the GDPR when assessing whether it is legally permissible to read out hardware IDs.

The central standard for assessing the permissibility of reading out hardware IDs is Sec. 25 TTDSG: this provision regulates the protection of privacy in end devices by providers of telemedia. It applies to all manufacturers and publishers who have a business establishment, provide or participate in the provision of services or make goods available on the market that fall within the scope of the Act. The multiplayer game is a telemedium offered by the manufacturer or publisher (Sec. 2 (2) No. 1 TTDSG). Computers, laptops, tablets and mobile phones as well as game consoles are regarded as end devices within the meaning of Sec. 2 (2) No. 6 TTDSG. 

Access to the hardware ID permissible?

The hardware ID is information stored in the respective end device. Pursuant to Sec. 25 (1) sentence 1 TTDSG, access to this information is generally only permitted with the consent of the end users. With regard to the consent requirements, the TTDSG makes reference to the requirements of the GDPR, i.e. in particular voluntariness and revocability.

However, consent is not required if "the storage of information in the end user's end device or access to information already stored in the end user's end device is absolutely necessary in order for the provider of a telemedia service to be able to provide a telemedia service expressly requested by the user" (Sec. 25 (2) No. 2 TTDSG).

This means: firstly, this must involve a telemedia service explicitly requested by end users, and secondly, the reading out of the hardware ID must be absolutely necessary for the provision of the telemedia service.

Telemedia service explicitly desired?

Whether a telemedia service is expressly desired by the end user does not depend on the specific will of the respective end user, but is to be determined by an objectified end user view. The use of the multiplayer game is clearly a telemedia service that is expressly desired by the end user. 

However, it is doubtful whether reading out the hardware ID as an anti-cheat measure can be classed as a desire of the end user. In favour of this classification is the preventive nature of the anti-cheat measure: the purpose of monitoring the hardware ID is to deter potential cheaters. This "cheat prevention" thus represents an essential flanking component of the multiplayer game and is ultimately part of the objectified expectation of the end user. The user reviews mentioned above show that the use of reliable anti-cheat measures for "cheat prevention" by the manufacturers or publishers corresponds to the elementary expectations of the gaming community.

Readout of the hardware ID must be absolutely necessary

The reading out of the hardware ID must be absolutely necessary for the telemedia service to be provided. In its Guidance for Telemedia Providers 2021 [Orientierungshilfe für Anbieter:innen von Telemedien 2021], the Data Protection Conference [Datenschutzkonferenz] defines the criterion of "absolute necessity" narrowly and includes only those accesses to end devices that are technically necessary to specifically provide the desired service. 

The above argument also applies here: effective anti-cheat measures are likely to be seen as an essential component of a multiplayer game by a large proportion of end users. This is especially true in the free-2-play area, because the inhibition threshold for cheating cannot be effectively prevented by simply blocking the respective account. Second and third accounts can quickly be created. Ultimately, there is a strong case for classifying the banning of specific user hardware as an effective and technically absolutely necessary measure to meet end users' expectations of the telemedia service.

Conclusion:

The TTDSG is applicable when a manufacturer wants to access the hardware ID. Here, it can be argued that consent pursuant to Sec. 25 TTDSG does not have to be obtained for such access.

The challenge facing manufacturers and publishers in the future will remain the creation of effective anti-cheat measures that are in line with legal requirements, including the TTDSG and the GDPR. This is the only way to meet the gaming community's need for fair online competition.