Is Pikachu Reading Your Email?
A mega-popular smartphone game is raising significant questions about privacy and legal rights, as it allegedly accesses a startling amount of data on users’ phones, including GPS locations, contacts, document files, and email.
Niantic, Inc.’s Pokémon Go was released less than a week ago in the United States, downloaded by millions of Americans and confusing millions more as their social media feeds became overrun with posts from friends talking about catching “Bulbasaurs” and “Squirtles” and other oddly named creatures (“what is Pokémon Go is currently Google’s top autocomplete suggestion when you start typing “what is”).
The way the game functions is only possible thanks to today’s smartphone technology. CNN has a detailed explanation here, but the basic idea is that instead of moving a character around a map in a video game, you are the character and the real physical world is the game map. The goal is to catch Pokémons (short for “pocket monster”), adorable little cartoon creatures with various abilities, and to complete certain tasks at designated locations, like gathering useful items and battling other players. The game interacts with the GPS and camera in your phone to help you find the Pokémons and other items as you walk around your neighborhood.
Pokémon Go is being praised for getting gaming enthusiasts — normally an indoor and fairly sedentary activity — outside exercising, as well as providing a positive incentive for depressed or isolated people to leave their homes and interact with other people.
The problem is the immense amount of personal data that the game is able to collect from players’ phones. Items can’t be collected unless the app is left running, giving game developer Niantic nearly constant access to players’ locations, how long they stayed there, what route they traveled to get there, and what other players were there with them.
That would be enough for privacy watchdogs to have concerns, but the Pokémon Go privacy policy also grants Niantic permission to collect your email address, IP address, web page you were using before logging into the game, and, perhaps most alarmingly, your entire Google account if you also access it on some iOS devices.
Buzzfeed notes that this means that Pokémon Go can have read and write access to players’ email accounts, contacts, and documents and photos in their Google Drive. The temptation that this massive data collection of personal information creates for hackers is obvious, an especially worrisome concern with so many children playing the game.
The broad privacy policy also says that Niantic may share your personal data with third parties and law enforcement. “[I]t seems likely that at some point police will try to get Niantic to hand over user information,” reports Buzzfeed. “And if Google’s track record is any indication — a report earlier this year showed that the company complied with 78% of law enforcement requests for user data — they are probably prepared to cooperate.”
Think about that for a moment — should law enforcement be able to access the emails, photos, and other files on your phone just because you played a video game?
Gawker called Pokémon Go’s privacy policy flat-out “Orwellian,” and noted Niantic’s ties to government efforts to invest in intelligence gathering through geospatial location data and social media. “Pokémon Go is an ideal vessel for [the government’s] many, many eyes,” wrote Gawker’s Ashley Feinberg.
Feinburg goes on to describe in detail how the game could be used to create a network of spies unaware that they are acting as spies. It sounds like some tin-foil-hattery at first glance, but it’s easy to see how if people controlling the game wanted to gather intelligence, high resolution images with precise geolocation data could be gathered by sending players to a specific physical location or possibly even targeted after an individual person.
Techcrunch notes that the level of data access Pokémon Go demands from users is far outside the norm, and beyond what is actually needed for game play, in addition to raising concerns about the lack of adequate notice to players or transparency about how players’ data is being collected and shared. Finding Pikachu may require access to your location and camera, but the little yellow critter doesn’t need to read your email.
Even if Niantic isn’t part of a diabolical government conspiracy to trick Americans into spying on themselves, and they’re just gathering data for purposes of targeted marketing, there are still ample causes for concern, hackers being chief among them.
So what’s the solution? Gawker suggests using a spare phone or buying an extra one. A bit of a middle ground approach comes from Lifehacker: set up a separate Google account and use it just for Pokémon Go, so that your main account remains blocked from them. Lifehacker also includes instructions on how to revoke any prior Google permissions granted to Niantic.
Anyone who has already downloaded and played the game would be well-advised to check what level of access you’ve granted to your Google account, which can be done on the Google security permissions page.
Other than some in-app purchases that aren’t necessary to enjoy the game, Niantic has made the game available for free. What they’re asking game players to give them instead of money could prove to be far more costly.
Follow Sarah Rumpf on Twitter: @rumpfshaker.