REPHRAIN Blogs

Blogpost 1: Serious Games, Serious Aims: Privacy Education Through Play

Roman Shkunov – Computer Science student at University of Bristol

Disclaimer: all links to third-party content are not an endorsement of said content and are included to provide examples. Moreover, we cannot be responsible for the contents of these external sites.

As more of our lives goes online, the issue of online privacy is becoming ever more important. Controversies such as the Cambridge Analytica Facebook scraping scandal have highlighted how users’ personal data is being harvested and abused, often under the guise of ‘legitimate interest’. In response to such issues, a variety of actors including governments, news outlets, academics, and activists have been developing interventions and educational tools for informing lay users of the Internet how to protect their online privacy. These range from videos explaining privacy concepts/technologies and journalistic reporting on data brokers to practical tools such as browser extensions for blocking trackers and advertisements. However, many privacy explanation guides lack effectiveness as they are not interactive: they only describe issues and prescribe solutions. For educational tools to be maximally effective, they also need to engage the user.

Educational privacy games offer a fun and interactive way of engaging with issues of online privacy. While traditional privacy education strives to convey information in static form, games allow users to become part of the action. By making decisions within the game’s virtual world (such as with whom to share personal data), the user can simulate the impact of their actions, which can be highly useful for the user’s understanding of real-world phenomena like how decisions about what data you share can impact yourself and others.

There are many ways of implementing educational privacy games and this blog post will explore four such games with different gameplay styles and approaches to teaching players about privacy. At first, we will look at games with simpler mechanics, and how such mechanics constrain their effectiveness in teaching online privacy. Then we will examine more complex mechanics and discuss why they can better convey how to think about online privacy. However, for any educational privacy game to be effective, it must also be available to the public, and so our analysis concludes with argument for developing the capabilities of universities to develop and maintain games.

Privacy Games #1: Data Defenders and Shop Dash

Data Defenders and Shop Dash are educational privacy games with similar but somewhat different goals: Data Defenders teaches teenagers about the harms of sharing personal data online (especially social media); Shop Dash is a game about managing one’s privacy on smartwatch devices. While these games have different game mechanics – Data Defenders is a reskin of Candy Crush and Shop Dash is a standard 8-bit 2-dimensional Role-Playing Game (RPG) – what unites these privacy games is their learning mechanism, where a question about online privacy is asked in exchange for progression in the game. For example, to continue playing Data Defenders after running out of moves, one must share personal information, while in Shop Dash, your path to the shop is blocked by Non-Player Characters (NPCs, computer-controlled characters) asking privacy questions. This provides a clear incentive for players to engage with the issue of online privacy. However, the issue with this learning mechanic is that it is bolted on to an existing game model and hence may feel like an annoyance rather than a fundamental part of the game. As a result, the online privacy questions in Data Defenders feel redundant to playing the game, which makes for a game mechanic that is simple to implement yet ineffective for learning about privacy.

Privacy Games #2: Datak and Immaculacy

Other games utilise a different approach for educating players about online privacy, most notably, through role-playing and interactive narratives. In this genre, Datak and Immaculacy are good examples of games that attempt to integrate the real-world dynamics of data privacy into their core game mechanics. In both games, you play as a character navigating an imagined world in which data has a large impact on life; by interacting with characters and taking decisions about what to do with your and others’ data, you are taught how privacy works. In Data Defenders and Shop Dash, the player acquires specific knowledge by answering questions on data collection by smartwatch apps and social media sites; in these RPGs, the player learns about the broader impact of online privacy (in)action, and how it is situated in other practices.

Games Must Be Kept Alive!

Games have great potential to provide engaging education on crucial topics like online privacy. Such games can not only provide guidance on specific behaviours that can preserve one’s privacy (such as not sharing personal information on social media), as exemplified by the first set of games, but also raise awareness of broader issues tied with online privacy. To this end, the latter two games – Datak and Immaculacy – show that, by embedding the real-world dynamics of privacy into games, the player can learn about the impact their actions can have in the context of data collection, privacy, and surveillance.

What’s more, these games do not have to be virtual. Although the examples presented here are all online games, boardgames and card games also provide a highly effective medium for learning about a variety of issues. A good example is the educational game ‘Decisions and Disruptions’ (link), developed by members of the University of Bristol’s Cyber Security Research Group, which provides an engaging way to learn about how to defend a business from cybersecurity threats on a budget.

The effectiveness of any educational games is limited, however, but by its availability to the target audience. This issue is especially pertinent for games that are developed in academic environments; games are developed as part of time-limited projects, after which their maintenance and dissemination is halted. This is exemplified by Immaculacy, a promising game that is not publicly available and whose gameplay footage cannot be accessed just five years after the publication of the research paper. If games developed in universities are to have a positive impact for longer, capabilities must be expanded for the development, maintenance, and accessibility of such games to a wider range of users.