Privacy and Security

Player Beware: Pokemon Go Can Place Your Personal Data at Risk

With great popularity comes great responsibility. Niantic and Nintendo have created an instantly successful smart phone app. With that instant success, though, comes significant risks, especially with the data Niantic is collecting from Pokemon Go players.

Pokemon Go is an augmented reality game based on the Pokemon Nintendo games. The GPS-based smartphone game juxtaposes animated characters over live images captured from a phone’s camera. The goal is to “capture” the animated characters, train them, and compete against other players’ pokemon.

The app’s popularity has added billions of dollars in net worth for Nintendo, but neither Nintendo nor Niantic were ready for Pokemon Go’s success. Niantic had to pause the app’s global roll out after its release in the United States, New Zealand and Australia due to overwhelmed servers. This, of course, raises a question: if Niantic was not ready for the demand, is it prepared to protect the data it is collecting?

What type of data is Niantic collecting that would make it a prime target for attacks? Taking the couple of minutes it takes to read through the app’s required permissions and the few minutes more it takes to read through Niantic’s privacy policy, both reveal Niantic is collecting an alarming amount of information about the app’s users.

According to the Andriod app permissions, those who download and play the app authorize Niantic to access the smartphone’s camera, contacts, location, storage, full network access, activity recognition, and much more, including the ability to receive data from the Internet and view network connections.

Reading further through the privacy policy, according to Joseph Bernstein,

Niantic may collect — among other things — your email address, IP address, the web page you were using before logging into Pokémon Go, your username, and your location. And if you use your Google account for sign-in and use an iOS device, unless you specifically revoke it, Niantic has access to your entire Google account. That means Niantic has read and write access to your email, Google Drive docs, and more.

The data collection problem is potentially worse for those who play the game on an iPhone or iPad. For those players using an iOS-based device, Niantic requires them to sign on either with an existing Pokemon.com account or with their Google accounts. A number of players, for the sake of convenience, elect to sign on through their Google accounts.

When players sign on through their Google accounts, Niantic requires or “full account access.” What happens, then, when a user grants an app “full account access”? According to Google:

When you grant full account access, the application can see and modify nearly all information in your Google Account (but it can’t change your password, delete your account, or pay with Google Wallet on your behalf).

Certain Google applications may be listed under full account access. For example, you might see that the Google Maps application you downloaded for your iPhone has full account access.

This “Full account access” privilege should only be granted to applications you fully trust, and which are installed on your personal computer, phone, or tablet.

In the words of another researcher, this means Niantic and Nintendo can

  • Read all your email;
  • Send email as you;
  • Access all your Google drive documents (including deleting them);
  • Look at your search history and your Maps navigation history;
  • Access any private photos you may store in Google Photos; and
  • And a whole lot more

Niantic claims it errantly requested full access to users’ Google accounts on iOS. The company claims it only accessed users’ basic information, such as username and email address. Google has confirmed this assertion. Niantic plans on revising the app’s permissions, reducing the amount of information collected.

For those playing Pokemon Go, Niantic now has incredibly minute details about their lives. This means all the players’ personal data—email addresses, Google account information, location, and other personal data—is stored by one company. This is a treasure trove of information and it makes Niantic a very attractive target for identity thieves and other bad actors that would substantially profit from selling that data.

With great popularity comes great responsibility. The app may be fun to play. Is the “fun” worth the loss of privacy, and the potential exposure of personal data to bad actors? This is a question only the player can decide. Niantic could go a long way by revising its privacy policy and the requested app permissions, defining the type of data it collects while listing how it will use that data.


In Depth: Privacy and Security

A market environment is essential for future success of the Internet. A consumer and private-sector-driven approach to privacy via self-regulation avoids undue regulatory burden that would threaten a thriving electronic marketplace. The Internet has flourished due in large part to the unregulated environment in which it has developed and grown.

+ Privacy and Security In Depth