What data does Microsoft's Xbox services collect? We break it down

Microsoft's privacy policy for its Xbox devices and services respectfully asks for as much information as you're willing to give.

Ever since a Microsoft executive turned on the Xbox One with a voice command--"Xbox on"--potential customers have wondered what Microsoft's new console will see hear, and report back to Redmond.

On Thursday night, Microsoft filed an updated privacy policy that lays it all out--in the sort of exhaustive detail that typifies a legal document. We've dug through it and tried to summarize the most relevant bits.

What's new? Microsoft offers more information on how the Xbox One's Kinect sensor uses your data, plus an explicit "Kinect Off" command in case you want to be sure the console's camera isn't watching you. And there's an explicit warning that anything you say during a multiplayer session may be heard by other players. (Well, duh.)

The bottom line: how Microsoft uses your data appears reasonable, at least to us. And at the time we wrote this, of course.

Want to know everything that TechHive knows, thinks, and has written about the Microsoft Xbox One? Check out our dedicated Xbox One page, constantly updated with new content.

How old do you have to be to use Xbox services?

Kids under 13 are not allowed on the Xbox services without a parent's permission. Kids under 17 can't create an account without a parent's permission.

What information does Microsoft collect on signup?

Singing up for a Microsoft Xbox account requires four pieces of information: gender, country, birthdate, and postal code. You'll also need to provide an email account where Microsoft can contact you, although any email will do.

When you sign in, however, Microsoft also collects a bit more: your IP address, your web browser version, and a time and date. Further, if you use a Microsoft account to sign into a device or into software that is installed on a device, a random unique ID is assigned to the device. None of this data is assigned to you, meaning you as a distinct person. Not surprisingly, it's all used to create a profile that Microsoft can sell to advertisers, who will send you personalized ads.

Apps that allow you to sign in with your Microsoft account can share that email and unique ID with other services. That unique (though anonymous) ID can only be used to complete a business transaction, though.

What information does Microsoft collect as you use its services?

Whew. Quite a bit, basically. But this should be what you'd expect Microsoft would know about as you used its services.

Once you log on and start playing games on the Xbox, Microsoft collects information regarding the number of times you sign into and sign off, games you have played, and game-score statistics. Also, Microsoft will pull Xbox console hardware and operating performance data, manufacturing codes from game discs, network performance data, and data that indicates the quality of the Xbox service itself. And, to prevent cheating, Microsoft reserves the right to collect your IP address, operating system, and Xbox Live software version. If you use Bing for searches, expect Microsoft to not only record search terms, but also samples of any voice commands you used to perform the search. This is all used to improve your experience, according to Microsoft.

Microsoft may also collect information about what you watched using the Xbox One's television service, and what music and videos you watched or listened to using Xbox Live.

And if you actually use the Xbox One to play games, this next bit may come as a surprise: "If you participate in leaderboards, live-hosted gameplay, achievements, tournaments, and gamer-profile sharing, Microsoft and such partners as game publishers and service providers may collect, disclose and share your game scores; game play sessions; your presence on the Services; the time you spend on or within particular portions of the Services; portions of the Services that are displayed on your monitor or screen and the duration of that display; rankings, statistics, gamer profiles, avatars, and content that you may submit; and other usage information.  These may be provided with or without attribution to you, your gamertag or avatar."


How does Microsoft use all this data?

In a word, advertising. Naturally, Microsoft's advertisers will also add cookies to your computer or console.

"Microsoft provides many of our sites and services free of charge because they are supported by advertising," Microsoft's privacy policy states. "In order to make these services widely available, the information we collect may be used to help improve the advertisements you see by making them more relevant to you."

In general, Microsoft won't share this data to a third party without your consent. Some exceptions include law enforcement requests, mergers, and "to protect life and safety." And if you're concerned about what data the company is accessing (and what to change those options), you can always go to the My Account page.

What data does each Xbox service use?

Kinect: Xbox One's motion camera can log you in by recognizing your face. To do so, however, it "measures distances between key points on your face to create a numeric value that represents only you". For gameplay, Kinect will map distances between your body's joints to create a stick figure--a "skeleton"--whose data will be stored on your console, then destroyed at the end of the session.

Kinect is also aware of your expressions, which can be used to control a game. Like the skeleton, this data is stored locally, then destroyed at the end of your game. Some games will also photograph you. You can choose whether to keep the photos, share them, or erase them.

Microsoft does not record Skype calls. But Microsoft takes pains to note that your multiplayer sessions can be recorded. "You should not expect any level of privacy concerning your use of the live communication features such as voice chat, video and communications in live-hosted gameplay sessions offered through the Services," Microsoft says. "We may monitor these communications to the extent permitted by law, but we cannot monitor the entire Service and make no attempt to do so.  You understand that others can record and use these communications. Communications in live-hosted gameplay sessions may also be broadcast to others."

Some games (such as Xbox Fitness) will also store fitness information on the console. You'll have the option of providing height, weight, age, and gender to improve Xbox Fitness and its estimates of your heart rate, but that information won't be shared with other Xbox users unless you allow it.

Finally, there's the option to turn the Kinect on or off by using the "Kinect Off" command, or else a similar "Xbox On/Off" command. Microsoft's said before that the Kinect sensor could be turned off, but how it's doing it is new.

Xbox Music/Video/TV: Microsoft may display reocmmandations based on the content you play. It may send your device IP address, device software version, your regional and language settings, and an identifier for the content back up to Microsoft. It's not quite clear what that ID will reveal about the source of those "shared" MP3s you acquired way back in the day. What you watch on television may be shared with your friends, but Microsoft won't collect this information for teens and children.

GameDVR: You can choose to record a gamesplay session and share it; not surprisingly, someone else can record your multiplayer game, too.

Xbox on Windows Phone: Your location may occasionally be stored. "For example, games may use your location to award an achievement based on the distance traveled between game sessions," Microsoft says.

SmartGlass: Microsoft's "second-screen" SmartGlass app may pass along what games you're using SmartGlass in conjunction wiith.

Xbox Social: This catchall term basically tells you that your Xbox Live gamertag will be shared with others, as well as any high scores. Achievements--accomplishing something cool--will be shared, while "Magic Moments" (such as a perfect dance routine) will only be shared if your privacy control allows it.

Is there anything to be worried about?

While the amount of data that Microsoft is collecting is a little shocking, much of it seems like a natural offshoot of your normal interactions with its products and services. Nevertheless, you're still "paying" above and beyond the $60 or so Microsoft and its partners will charge per game.

Still, some of you will never be satisfied. If you're worried, for example, about the NSA peering over Microsoft's virtual shoulder, consider a more drastic step: unplugging it when not in use. Or try wearing a mask.

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Follow our new CSO Australia LinkedIn
Follow our new social and we'll keep you in the loop for exclusive events and all things security!
Have an opinion on security? Want to have your articles published on CSO? Please contact CSO Content Manager for our guidelines.

Tags privacyMicrosoftgaminggamesgaming consolesXbox One

More about MicrosoftNSASkypeXbox

Show Comments

Featured Whitepapers

Editor's Recommendations

Brand Page

Stories by Mark Hachman

Latest Videos

More videos

Blog Posts