Pokémon Go has spawned several controversies, including players pursuing Pokémons in places of worship, wandering through a live TV broadcast, or putting themselves at risk walking into things, and even into traffic.
Still, these are issues of personal or parental responsibility. The developers of Pokémon Go, Niantic Labs, can hardly be blamed when players neglect common sense, or if parents fail to restrict play at dangerous times.
Fortunately, these problems affect only a tiny fraction of Pokémon players...
The greater concern is the insidious privacy impact that Pokémon Go and a huge number of other apps can have on every single player.
You can't sign up for Pokémon Go with a simple email address and just begin playing. What's valuable to a company like Niantic Labs is knowing who you are and a lot about you, so there are only two ways to get into the game: link it directly to your Google account[1], or sign up for an account on the Pokémon web site by providing your name, age, verifiable email address, and other identifying information.
Here's what they say about why:
"We collect certain information that your (or your authorized child's) mobile device sends when you (or your authorized child) use our Services, like a device identifier, user settings, and the operating system of your (or your authorized child's) device, as well as information about your use of our Services while using the mobile device."
Sounds innocent enough. But ask yourself, what does "certain information" about me and my kids really mean? And while we're at it, let's broaden the scope of that question to include not just Pokémon Go but also a wide selection of popular apps and services…
It turns out that it's not just Pokémon Go. A vast number of apps request access to an astounding amount of information from your device, much of which most people simply assume is private.
For example, you probably think that your text messages (SMS) are relatively confidential between you and the people you text. Right? Think again.
In the Google Play Store, for instance, there are 11,554 apps that can read all your text messages from both the device and the SIM card, regardless of content or confidentiality, and send copies wherever they like[2].
We were too, so we began to dig deeper, and thanks to The Pew Research Center, you can see what their researchers found when they investigated just how much information is being sucked out of users' devices without most people being even slightly aware. Here are a few highlights:
Visit the study results and see for yourself. Note also that this is specifically for Android devices, representing a huge slice of the mobile universe. For iOS devices the specifics are very different, but the same philosophical concerns apply.
The problem is, almost no one actually pays attention to the permissions a new app requests; they simply tap OK as they install it.
For most of these permissions (and dozens of others), once an app has a permission it can retransmit that data as it likes. For example, an app with permission to use the device's microphone can record audio, and it can transmit those recordings (or real-time monitoring) to whatever server or service the app wants, without your knowledge. Likewise with video feeds from your device's camera(s).
It hears what you hear and sees some of what you see. It knows where you are, and by simple cross-referencing with other devices and databases, it knows approximately who you are with.
So in a terrifyingly real way, a smart phone or tablet is also a listening device able to spy on you or your kids anytime the makers of an app want to (and that's a shockingly large number: 63,618 apps request audio permission, and 125,126 request video permission, including Pokémon Go).
Is this what you want?
It's simple: When you install a new app, pay very close attention to the permissions it asks for, and grant the least rights possible to still gain what you want from the app. Be especially wary of apps that ask for access to your text messages, or for access to your microphone and camera.
For apps that are already installed, go to Settings on your device and spend a few minutes reviewing their permissions, again granting the least rights possible.
For example, most apps that are geo-sensitive will still work reasonably well if you allow approximate location services rather than precise location. Some still work just fine if you shut it off completely. For those apps that access your audio or video, you'll have to decide case-by-case if what you get from the app is worth the privacy you risk using it.
And finally, remove all apps you don't use.
We'll have to wait a bit longer to see exactly what capabilities Pokémon Go is actually accessing, and most especially what Niantic Labs' business partners do with the data.
However, we already know that it uses precise GPS location services and your device's cameras (or the game itself wouldn't work), and by their own admission, it accesses a bunch of other account information, all of which can be sent back to their servers.
And then there's the implicit knowledge it gains simply by matching up your mobile phone number with independently available background data about you. With that, it and thousands of other apps can build a stunningly detailed picture of your life, your kids, your friends, your income, your spending habits and a frightening amount of even more personal information.
Many players have discovered Pokémon "Stops", places where you are much more likely to encounter characters. Far from being random, some of these are actually sponsored locations. Currently the greatest saturation is in Japan, but it's rapidly going global, with McDonalds being one of the largest paying participants, and dozens of other major corporations planning to join.
Beyond paid sponsorships, some businesses reportedly are trying to cash in on Pokémon Go simply by playing the game. They are using an in-game object called a "lure" to attract the virtual creatures — and players looking to capture them — to their retail locations.
This map will grow far more dense simply because Niantic Labs, its business partners and many other companies have a huge vested interest in knowing where you are as you catch those cute little Pokémon characters.
In the past advertisers paid media outlets if you simply clicked on an ad. But now geo-location technology has become so accurate that advertisers can tell when you are physically present at a sponsor's location. In the case of Pokémon, the game regularly sends your GPS location to Niantic, allowing it to determine when you are in a sponsored Pokémon Stop, thus enabling them to charge the advertiser for your visit.
That's solid gold for both Niantic and their Pokémon Stop sponsors, but an absolute nightmare for your privacy because there's really no limit to how many other locations are also recorded as you move through the world each day. Every day. All the time.
It turns out that third-party add-on apps can leverage Pokémon game play to themselves also spy on users. Here's what Niantic Labs has to say on that topic, announced on the 29th of August:
"Some players may not have realized that some add-on map apps do more than just show you nearby Pokémon. Each end-user app can be used as a collection tool by the app creator, invisibly collecting and forwarding data to the app creator with or without the knowledge of the end user".
You may be right if you sense hypocrisy in that statement — it's not unreasonable to speculate that Niantic collects vastly more data than all the add-ons combined.
Did Niantic issue that warning because add-on developers figured out how to use the game to also tap the golden veins of private data, but at a fraction of the investment Niantic made to do the same thing?
Today the primary purpose of all this is relatively innocuous: to target advertising in a more precise and cost-effective way.
And yet, the sort of extremely detailed information these apps collect will live on in databases forever. It can be used for much darker purposes, and not just next week or next month... that ability will stretch to a distant time when social values and legal protections may be very different than they are today. Think about that.
And remember this: the Pokémons you're catching are worth nothing, your privacy is what's valuable.
The day may come when it's absolutely priceless.
So who's catching who?
1. Within a week of its release a security researcher discovered that when Pokémon Go was activated on iPhones and linked to the user's Google account, it had access to ALL of the user's Google account information. Niantic claimed it was a design flaw, and they moved rapidly to restrict the requested rights. Still, some people find their claims of innocence dubious because having once been part of Google itself, Niantic should have known better, especially in an app as rigorously tested as Pokémon Go. But let's give Niantic the benefit of the doubt and focus only on what information Pokémon Go actually now has the right to access.
2. This claim is met with serious skepticism even by knowledgeable tech people. The relevant permissions as reported by Pew Research are shown below:
When you combine full access to the internet with the ability to read your stored SMS messages, it's easily feasible to create an app able to transmit a copy of every message you've ever sent or received to any place the app developer wants. This capability could even be embedded in totally innocuous apps, like Flashlight.
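The permission review recommended earlier and the combination described in this note can be checked mechanically. The following is an added example, not part of the original article: it flags apps whose declared permissions pair internet access with a sensitive data source. The input is assumed to be a plain-text listing in the style printed by `aapt dump permissions`, and the package names are made up.

```python
import re

# Sensitive data sources named in the article, with readable labels.
SENSITIVE = {
    "android.permission.READ_SMS": "text messages",
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.CAMERA": "camera",
    "android.permission.ACCESS_FINE_LOCATION": "precise location",
}
NETWORK = "android.permission.INTERNET"

# Accepts both listing styles: name='android.permission.X' and a bare name.
PERM_RE = re.compile(r"^uses-permission:\s*(?:name=')?([\w.]+)")

def parse_listing(text):
    """Return {package: set(permissions)} from concatenated per-app listings."""
    apps, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("package:"):
            current = line.split(":", 1)[1].strip()
            apps.setdefault(current, set())
        elif current is not None:
            m = PERM_RE.match(line)
            if m:
                apps[current].add(m.group(1))
    return apps

def risky_apps(apps):
    """Apps that can read a sensitive source AND send data off the device."""
    report = {}
    for pkg, perms in apps.items():
        sources = sorted(label for p, label in SENSITIVE.items() if p in perms)
        if NETWORK in perms and sources:
            report[pkg] = sources
    return report

# Constructed sample: three made-up apps, not real packages.
SAMPLE = """\
package: com.example.flashlight
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.READ_SMS'
package: com.example.notes
uses-permission: android.permission.CAMERA
package: com.example.arwalk
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.CAMERA'
uses-permission: name='android.permission.ACCESS_FINE_LOCATION'
"""

if __name__ == "__main__":
    for pkg, sources in risky_apps(parse_listing(SAMPLE)).items():
        print(f"{pkg}: internet + {', '.join(sources)}")
```

A match shows what an app is able to do with the rights it holds, not that it actually does so.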