Pokémon No


Pokémon Go has spawned several controversies, including players pursuing Pokémon in places of worship, wandering through a live TV broadcast, or putting themselves at risk by walking into things, and even into traffic.

Still, these are issues of personal or parental responsibility.  The developers of Pokémon Go, Niantic Labs, can hardly be blamed when players neglect common sense, or if parents fail to restrict play at dangerous times. 

Fortunately, these problems affect only a tiny fraction of Pokémon players...

The greater concern is the insidious privacy impact that Pokémon Go and a huge number of other apps can have on every single player.

 

Who's catching who?

You can't sign up for Pokémon Go with a simple email address and just begin playing.  What's valuable to a company like Niantic Labs is knowing who you are and a lot about you, so there are only two ways to get into the game: link it directly to your Google account¹, or sign up for an account on the Pokémon web site by providing your name, age, verifiable email address, and other identifying information.

Here's what they say about why: 

"We collect certain information that your (or your authorized child's) mobile device sends when you (or your authorized child) use our Services, like a device identifier, user settings, and the operating system of your (or your authorized child's) device, as well as information about your use of our Services while using the mobile device."


Sounds innocent enough.  But ask yourself, what does "certain information" about me and my kids really mean?  And while we're at it, let's broaden the scope of that question to include not just Pokémon Go but also a wide selection of popular apps and services…

 

There's more going on than you think…

It turns out that it's not just Pokémon Go.  A vast number of apps request access to an astounding amount of information from your device, much of which most people simply assume is private.

For example, you probably think that your text messages (SMS) are relatively confidential between you and the people you text.  Right?  Think again.  

In the Google Play Store, for instance, there are 11,554 apps that can read all your text messages from both the device and the SIM card, regardless of content or confidentiality, and send copies wherever they like².


 

Surprised?  

We were too, so we began to dig deeper, and thanks to The Pew Research Center, you can see what their researchers found when they investigated just how much information is being sucked out of users' devices without most people being even slightly aware.  Here are a few highlights:

  • Record audio: Allows the app to record audio with the microphone at any time without any notification or indication to you.
  • Take pictures and videos: Allows the app to take pictures and videos with the camera at any time without notification or indication to you.
  • Precise location (GPS and network-based): Allows the app to get your precise location using GPS, cell towers and WiFi (even from random routers you happen to be near but not connected to).
  • Create accounts; set and read passwords: Allows the app to use the Account Manager to create accounts and to read passwords.
  • Download files: Allows the app to download files via the download manager without any notification or indication to you.
  • Modify the contents of your USB storage: Allows the app to write to the USB storage. Allows the app to write to the SD card.
  • Read calendar events: Allows the app to read all calendar events including those of friends or coworkers. This allows the app to examine your calendar data regardless of confidentiality or sensitivity. 
  • Read call log: Allows the app to read your call log including data about incoming and outgoing calls.  

Visit the study results and see for yourself.  Note also that this is specifically for Android devices, representing a huge slice of the mobile universe.  For iOS devices the specifics are very different, but the same philosophical concerns apply.  

The problem is, almost no one actually pays attention to the permissions a new app requests; they simply tap OK as they install it.  

 

What does this mean?

For most of these permissions (and dozens of others), once an app has a permission it can retransmit that data as it likes.  For example, an app with permission to use the device's microphone can record audio, and it can transmit those recordings (or real-time monitoring) to whatever server or service the app wants, without your knowledge.  Likewise with video feeds from your device's camera(s).


It hears what you hear and sees some of what you see.  It knows where you are, and by simple cross-referencing with other devices and databases, it knows approximately who you are with. 

So in a terrifyingly real way, a smart phone or tablet is also a listening device able to spy on you or your kids anytime the makers of an app want to (and that's a shockingly large number: 63,618 apps request audio permission, and 125,126 request video permission, including Pokémon Go).

Is this what you want?

 

What should I do?

It's simple: When you install a new app, pay very close attention to the permissions it asks for, and grant the least rights possible to still gain what you want from the app. Be especially wary of apps that ask for access to your text messages, or for access to your microphone and camera.

For apps that are already installed, go to Settings on your device and spend a few minutes reviewing their permissions, again granting the least rights possible.  


For example, most apps that are geo-sensitive will still work reasonably well if you allow approximate location services rather than precise location. Some still work just fine if you shut it off completely. For those apps that access your audio or video, you'll have to decide case-by-case if what you get from the app is worth the privacy you risk using it.

And finally, remove all apps you don't use.  
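An added example, not part of the original post: one way to script the permission review described above for an Android app whose manifest has already been decoded to text XML. It flags the sensitive permissions the article lists, the ones that go beyond what you decide the app needs, and the combination footnote 2 warns about (sensitive data plus internet access). The sample manifest and its package name are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
INTERNET = "android.permission.INTERNET"
# Android permission names for capabilities the article lists.
SENSITIVE = {
    "android.permission.RECORD_AUDIO": "record audio",
    "android.permission.CAMERA": "take pictures and videos",
    "android.permission.ACCESS_FINE_LOCATION": "precise location",
    "android.permission.READ_SMS": "read text messages",
    "android.permission.READ_CALENDAR": "read calendar events",
    "android.permission.READ_CALL_LOG": "read call log",
}

def requested_permissions(manifest_xml):
    """Return the set of permission names a decoded manifest requests."""
    root = ET.fromstring(manifest_xml)
    names = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for node in root.iter(tag):
            name = node.get(ANDROID_NS + "name")
            if name:
                names.add(name)
    return names

def review(manifest_xml, needed=()):
    """Summarise sensitive permissions; `needed` is what you accept the app requires."""
    perms = requested_permissions(manifest_xml)
    sensitive = {p for p in perms if p in SENSITIVE}
    return {
        "sensitive": sorted(SENSITIVE[p] for p in sensitive),
        "question": sorted(SENSITIVE[p] for p in sensitive - set(needed)),
        # Sensitive data plus network access means the data can leave the device.
        "can_send_off_device": bool(sensitive) and INTERNET in perms,
    }

# Constructed sample manifest (hypothetical package name): a flashlight app.
FLASHLIGHT = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.VIBRATE"/>
</manifest>"""

if __name__ == "__main__":
    # The torch needs the camera; nothing else on the list is justified.
    print(review(FLASHLIGHT, needed={"android.permission.CAMERA"}))
```

Anything that shows up under `question` is a permission to deny in Settings, or a reason to pick a different app.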


So what about Pokémon Go?

We'll have to wait a bit longer to see exactly what capabilities Pokémon Go is actually accessing, and most especially what Niantic Labs' business partners do with the data.  

However, we already know that it uses precise GPS location services and your device's cameras (or the game itself wouldn't work), and by their own admission, it accesses a bunch of other account information, all of which can be sent back to their servers.

And then there's the implicit knowledge it gains simply by matching up your mobile phone number with independently available background data about you. With that, it and thousands of other apps can build a stunningly detailed picture of your life, your kids, your friends, your income, your spending habits and a frightening amount of even more personal information. 


Pokémon, Stop

Many players have discovered Pokémon "Stops", places where you are much more likely to encounter characters. Far from being random, some of these are actually sponsored locations. Currently the greatest saturation is in Japan, but it's rapidly going global, with McDonald's being one of the largest paying participants, and dozens of other major corporations planning to join.

Beyond paid sponsorships, some businesses reportedly are trying to cash in on Pokémon Go simply by playing the game. They are using an in-game object called a "lure" to attract the virtual creatures — and players looking to capture them — to their retail locations.

[Image: map of Pokémon Stops]

This map will grow far more dense simply because Niantic Labs, its business partners and many other companies have a huge vested interest in knowing where you are as you catch those cute little Pokémon characters.

In the past advertisers paid media outlets if you simply clicked on an ad.  But now geo-location technology has become so accurate that advertisers can tell when you are physically present at a sponsor's location.  In the case of Pokémon, the game regularly sends your GPS location to Niantic, allowing it to determine when you are in a sponsored Pokémon Stop, thus enabling them to charge the advertiser for your visit.

That's solid gold for both Niantic and their Pokémon Stop sponsors, but an absolute nightmare for your privacy because there's really no limit to how many other locations are also recorded as you move through the world each day.  Every day.  All the time.

 

It gets worse

It turns out that third-party add-on apps can leverage Pokémon game play to spy on users themselves.  Here's what Niantic Labs has to say on that topic, announced on the 29th of August:

"Some players may not have realized that some add-on map apps do more than just show you nearby Pokémon. Each end-user app can be used as a collection tool by the app creator, invisibly collecting and forwarding data to the app creator with or without the knowledge of the end user."

Seriously?  Wow.

You may be right if you sense hypocrisy in that statement — it's not unreasonable to speculate that Niantic collects vastly more data than all the add-ons combined.

Did Niantic issue that warning because add-on developers figured out how to use the game to also tap the golden veins of private data, but at a fraction of the investment Niantic made to do the same thing?


The future… the future?

Today the primary purpose of all this is relatively innocuous: to target advertising in a more precise and cost-effective way.

And yet, the sort of extremely detailed information these apps collect will live on in databases forever.  It can be used for much darker purposes, and not just next week or next month... that ability will stretch to a distant time when social values and legal protections may be very different than they are today. Think about that. 

And remember this: the Pokémon you're catching are worth nothing; your privacy is what's valuable.

The day may come when it's absolutely priceless.  

 

So who's catching who?



1. Within a week of its release a security researcher discovered that when Pokémon Go was activated on iPhones and linked to the user's Google account, it had access to ALL of the user's Google account information.  Niantic claimed it was a design flaw, and they moved rapidly to restrict the requested rights. Still, some people find their claims of innocence dubious because having once been part of Google itself, Niantic should have known better, especially in an app as rigorously tested as Pokémon Go.  But let's give Niantic the benefit of the doubt and focus only on what information Pokémon Go actually now has the right to access.


2. This claim is met with serious skepticism even by knowledgeable tech people.  The relevant permissions as reported by Pew Research are shown below:
[Image: the relevant permissions as reported by Pew Research]
When you combine full access to the internet with the ability to read your stored SMS messages, it's easily feasible to create an app able to transmit a copy of every message you've ever sent or received to any place the app developer wants.  This capability could even be embedded in totally innocuous apps, like Flashlight.

Published on 2016-08-24 by:
Bob
Head Dreamer

Loves long walks on the beach, horseback riding, and dinners with friends, allies and opponents alike.