Some PlayStation users have asked Sony to send them their personal data and the results are quite shocking. Twitter user @AlexCheer1 found out that Sony had records of him running custom Adrenaline PSP firmware on his PS Vita, for example.
Sony knows you’ve been running hacks
AlexCheer1 has shared some screenshots of what his data looks like (screenshots below). It found that Sony knows, among other things:
- Which controllers/handheld consoles do you connect to your console
- What games do you play online and if it’s F2P/Free Weekend or on PS Plus
- What parts of the system menu have you navigated
Their systems also log every type of game you start, even offline (data is sent the next time you connect), and even if it’s homebrew. As such, it’s not entirely surprising, but interesting, to see that they know he’s been using Adrenaline (identified as PSPEMUCFW).
In addition, they keep a long history of all this data. In the package that was sent to AlexCheer1, his entire history had been kept back to 2012!
There’s nothing really surprising there, but it’s “funny” to see that PlayStation knows about hacking usage, and overall it’s a surprisingly massive amount of data.
What Sony records about you
It probably won’t come as a surprise to most people who follow this blog, but Sony monitors a lot of information when you use a PlayStation console, and in particular when you connect to the PlayStation Network.
In theory, that kind of information is aggregated and anonymized in most cases internally before being used to monitor various metrics (whether for marketing, legal, or engineering purposes). At the individual level, data is also collected for some legal reasons, as set out in PlayStation Terms and Conditions.
Although the terms may vary depending on your country, all versions of the PSN rules that we review have a variation in “We are not responsible for recording or monitoring any activity on PSN, although we may do so to investigate violations or enforce this Agreement, or to protect the rights and property of SIE, its partners and customers.”
For more details on what is being logged, one has to go to PlayStation legal pageselect your country and go to the Privacy Policy page. (examples: for Europe Y the United States)
There, you can see a list of what is collected: your name, username, address, payment methods, of course, as well as the content that is stored in their databases, such as purchases, voice messages, content from chat, posts and more. generally any user-generated content that is stored on your endpoint.
The metrics and monitoring part (“We may also automatically or passively collect information about your use of our Services”) is where it gets interesting. They say:
Whenever you use a PlayStation console or a PlayStation application on a PlayStation console or other devices (such as a mobile phone or PC), we may automatically collect information about your use of that device and application. If you sign in to an Account, we may combine it with other information we have for that Account.
A list of the kinds of things that are logged follows (emphasis ours). We only reproduce some of them below, you will have to consult the official document to see the complete list.
- Device identifiers, such as your PlayStation console ID, mobile device IDs, cookie IDs, or serial numbers
- Network identifiers such as your IP address and MAC address
- Account authentication tokens that save you from having to log in repeatedly
- Content and advertisements downloaded to your device for the online services you access
- Your current and recent locations (for example, on PS Vita)
- Trophies, scores and rankings achieved online and offline
- Information about the device you are using, any connected peripherals (such as controllers and VR headsets) and how you have set them up
- Information about how you use the software installed on your device (which may include information about your offline use of the software), such as the date and time of use, what games or music you play, what content you browse, share or download, what services you access and why how longincluding how often you use chat and other communication apps
- Actions you take within SIE-published games or apps (for example, what obstacle you jump and what levels you reach)
- Software bugs and load time detailsand if you have the “Automatically report system software errors” option turned on, Detailed information about the accident, including screenshots and videos captured before the accident.
Again, hackers have known for some time that Sony monitors a great deal of information and may have used such telemetry in the past to patch vulnerabilities while they were being worked on. This is why most hackers looking for vulnerabilities always make sure to block some specific network communications for your device (for example, on PS5 we block specific IPs when running the kernel exploit).
How can I request my PlayStation data from Sony?
It turns out that Sony logs every title you launch, it recently requested my personal data from SIEE, it has my entire PlayStation history from 2012 to now.@frwololo pic.twitter.com/y5Jm3OpIlK
— Alex Cheer 🐝 (@AlexCheer1) November 1, 2022
If you are interested in finding out what PlayStation knows about you and your activity, please follow the instructions below.
Whether or not you can ask Sony to send you your PlayStation data depends on the country you live in. In general, please refer to your privacy policy for details on this. In Europe, Australia, or New Zealand, you can send an email siee.dpo@sony.com with the request (you will then need to be able to prove your identity, usually by submitting your PSN ID along with some other form of identification). In the US, you can Follow the instructions on this form or use the phone number provided.
