Listen to the media and Pokémon Go is the worst thing since Brexit, Trident, and Donald Trump.
The app has caused people to crash their cars, waste police time by reporting stolen Pokémon, and wander down dark alleyways unaware of their surroundings. Some good has come out of it too though.
For those with an eye on their own privacy, however, concerns were raised over the game’s permissions, and exactly how such data is stored…
What’s All This About App Permissions?
The troubles began when iOS users noticed a worrying clause in the app permissions that seemed to give the developers, Niantic Labs, “full access” to your Google account. That would mean they could peruse your Inbox, send emails, rifle through your contact list, change your password, take a look at your browser and location histories, and do as they wish to documents and photos saved on Google Drive.
If all that were true, millions of people would’ve just handed the keys to their lives to complete strangers in exchange for recapturing a bit of their childhoods. In one brilliant bit of subterfuge, Niantic would’ve achieved what our governments’ surveillance services have always wanted.
Fortunately, in this case, full access doesn’t actually mean full access.
It sounds unbelievable, but it comes down to a mistake. The problem stems from Niantic accidentally using an old version of Google’s shared sign-on service, which streamlines the signing-up process. Oops. Google and Niantic assure their user base that only basic permissions are granted to the app, with the latter issuing this statement:
“We recently discovered that the Pokémon Go account creation process on iOS erroneously requests full access permission for the user’s Google account… Google has verified that no other information has been received or accessed by Pokémon Go or Niantic. Google will soon reduce Pokémon Go’s permission to only the basic profile data that Pokémon Go needs, and users do not need to take any actions themselves.”
Phew! We can all sleep soundly now — especially if you download the update, then sign out and back in again; this corrects the permissions so no one can legally root through your private information.
Still, this was a surprising mistake, and testimony to the fact that most of us don’t actually check what we’re signing up for. Android Marshmallow does at least spell out exactly what the game wants permission to use.
Okay, So What Data Does Pokémon Go Actually Collect?
In that same statement, Niantic assured us:
“Pokémon Go only accesses basic Google profile information (specifically, your user ID and e-mail address) and no other Google account information is or has been accessed or collected.”
Whichever way you sign in — using a Google account or joining the Pokémon Trainer Club — you’re giving away your email address and username. This is fairly standard practice when logging into games.
There are a couple of further obvious permissions Pokémon Go needs in order to actually work: primarily, that’s location data and storage access. This is a GPS-based game, so without knowing where you are and how far you walk, it’s pretty useless.
It will also require access to your camera because that’s how augmented reality (AR) works. But while seeing a Poliwag sliding around the bath is good fun, it’s not necessary. Indeed, if you’re worried about your battery life, turning off AR should help and sidestep Go’s need to access your camera.
Nils Tracy, head of technology, media, and telecommunications at the Washington-based Height Securities, warns:
“It doesn’t record video to your phone, but the capability is there to do it.”
That’s the most concerning thing right now: the app’s potential to be used to infringe your privacy.
Before thinking of expanding the Pokédex to include Cyndaquil, Swablu, and beyond, Niantic plan on addressing a few other items on users’ “most wanted” lists, namely multi-player capability. That would explain why Pokémon Go wants access to your contacts. But it appears that permissions for upcoming updates have already been built into this early version; right now, there’s absolutely no need for collection of that information.
What Happens to Your Data?
Everyone can calm down: third parties and hackers can’t access your email via Pokémon Go. So there’s nothing to worry about… right?
Actually, Niantic can still pass some data on to third parties, including potential buyers (in the event of acquisition or bankruptcy, for instance) and law enforcement agencies. That doesn’t include your inbox because the app never had that permission anyway. Instead, it’s Personally Identifiable Information (PII), like your telephone number, date of birth, and email address. That’s all still very valuable information, considered a business asset. Fortunately, The Pokémon Company has taken on Nintendo’s policy:
“We don’t share, sell, or rent your personal information to third parties without your prior consent.”
There are ways around that, however. Prior consent, in most cases, just means you’ve agreed to the Terms and Conditions, which you have to do anyway in order to actually start playing.
Data including your location, operating system (OS), settings, and device identifier (a number unique to your smartphone or tablet) can be used to improve Pokémon Go services — but what actual services that includes is unknown right now. Location-based advertising, for instance, could be viewed by some — specifically Niantic — as an improved service. Water-based Pokémon already appear when you’re near the sea or river, but imagine a Machamp popping up when you’re by a local gym…
While Niantic admits to storing location-based data, there’s no mention of what actually happens to the pictures you might take of Pokémon, and their AR backgrounds.
What we really need to know is: is our data safe?
With so much data gathered from millions of users worldwide, the Niantic servers are massive targets for hackers, and the company won’t (rather understandably) reveal the security measures they’re taking to keep your information private. They’ve already been victim to a Distributed Denial of Service (DDoS) attack, if two hacker groups can be believed.
When the app failed to load for hours on end last weekend, the obvious conclusion was that the servers were under too much pressure to cope; instead, PoodleCorp and OurMine both claimed responsibility. The latter supposedly executed the DDoS so Niantic would note that their servers aren’t secure enough, vowing to end the attack when the firm contacted them to find out how to protect data. PoodleCorp has threatened to do it again on 1st August, for less noble reasons than OurMine:
“We do it because we can, nobody can stop us and we just like to cause chaos.”
Is There Anything Else You Should Be Worried About?
Conspiracy theorists will read a lot into the Kremlin’s apparent warning that Pokémon Go is secretly collecting vast amounts of data; already, President Vladimir Putin is reportedly set to ban the app. That should annoy any users who’ve heard that there’s an Aerodactyl soaring around Red Square or Muk in the Imperial Palace.
The Kremlin’s suspicions stem from the past of Niantic CEO, John Hanke. He was previously CEO of “geospatial data visualization applications” firm, Keyhole Inc. (creator of Google Earth), which was partly funded by In-Q-Tel, the CIA’s venture capital arm — but more specifically by the National Geospatial-Intelligence Agency (NGA), which supports the USA’s intelligence and defense departments.
Admittedly, that’s a bit worrying, but more evidence of Hanke’s continued links to the CIA needs to be found before we can start accusing Pokémon Go of being a nefarious tool of the Illuminati.
The app isn’t available in Russia yet, but that didn’t stop fans in the UK downloading it early regardless, either by changing their region in the App Store or using Pokémon Go APKs (Android Application Packages); if you downloaded the latter or have accidentally found an unofficial version of Pokémon Go, you need to worry about malware.
Back to the real game, though, and we can find something funky in the Terms of Service, which nobody actually reads anyway. There’s a rather interesting clause that stops you from filing a lawsuit, or joining others wishing to proceed with class action against Niantic.
In other words, Pokémon Go is taking away your legal rights.
If you’ve only downloaded the game within the past 30 days, you can still opt-out by emailing the company. Dig into the Terms of Service of many firms and you’ll find near-identical clauses.
Should You Panic?
No. That’s the simple answer.
While we always need to question app permissions, those you grant Pokémon Go are needed for the app to work, and are similar to, and in many instances the same as, those of other apps. Facebook knows a lot about you, but most people are perfectly happy to throw mounds of data onto the social network. The same goes for Google. As John McAfee says:
“Why pick on Pokémon Go when a quarter of a million apps have been doing this for years?”