• United States



Senator prods Niantic about Pokemon Go privacy and security issues

Jul 13, 20164 mins
Data and Information SecurityMobile AppsSecurity

Pokemon Go privacy, permissions and inappropriate places to catch 'em all

Personally, I’m just watching the Pokemon Go craze unfold. If I had considered checking it out by playing, seeing the unbelievably long list of access permissions the app required would have put a stop to it immediately before installing.

Although you may or may not agree that Pokemon Go is a “government surveillance psyop conspiracy” that has a “direct(-ish)” connection to the CIA, if you play the game then you better grab the latest update. Niantic claimed it pushed out “emergency fixes” since a “coding error” allowed the app to get full access to your Google account.

If you’ve wondered why the heck the app needs access to “things like your precise location, your email address, IP address, the last website you looked at,” then you’ll be glad to know that Sen. Al Franken (D-MN) has your back. He added that the app may even be able to access “the contents of your email.”

“I am concerned about the extent to which Niantic may be unnecessarily collecting, using, and sharing a wide range of users’ personal information without their appropriate consent,” he wrote in a letter to Niantic. His letter asks for “greater clarity on how Niantic is addressing issues of user privacy and security, particularly that of its younger players.”

Franken wants answers to seven specific questions by August 12. Some of the things he wants to know: why Pokemon Go needs all that access; the list of third-party service providers with whom Niantic shares users’ information, as well as how that data is anonymized; and how the company informs parents that Niantic is collecting all that info from their kids. He’s also prodding Niantic to consider making the collection opt-in as opposed to the no-privacy-by-design opt-out.

Franken wasn’t the only person in an uproar about Pokemon Go’s full Google account access, but it didn’t stop over 7.5 million people from installing it.

As mentioned previously, Niantic blamed some of that access via the iOS app on a coding error. It explained more in a post about the permissions update, which supposedly rectified that privacy problem.

Although the permission update announcement points toward the privacy policy, both it and the Terms of Service (TOS) linked at the bottom of the web page now lead to a 404. Taking down the pages doesn’t seem like the best solution to address Franken’s concerns.

Luckily, the privacy policy and terms of service are archived thanks to the Wayback Machine. That is, if anyone even bothered to read them.

It’s not like most people actually read TOS agreements. As David Kravets pointed out on Ars Technica, a recent study showed that users agreed to a TOS that said they would give up their first born and agreed to share data with the NSA—and even their employers. The study claimed, “This brings us to the biggest lie on the Internet, which anecdotally, is known as ‘I agree to these terms and conditions.’”

Pokemon pop up in Arlington Cemetery, Holocaust Museum, National Memorials

We already looked at some of the Pokemon Go hysteria, but the wildly popular app is also causing a different kind of problem, one that has officials issuing statements about being respectful instead of playing in some locations.

Although the National Park Service isn’t against attempting to “catch ‘em all,” and even intends to run a ranger-led “Catch the Mall Pokemon Hunt” soon, it does believe there are some places where playing Pokemon Go is simply inappropriate.

The National Mall and Memorial Parks said on Facebook, “Yes, it might be tempting to go after that Snorlax near the Vietnam Veterans Memorial, or the Venusaur hanging out in the chamber of the Jefferson Memorial, but remember that there are places of solemn reflection here at the National Mall where playing Pokemon just isn’t appropriate.”

Another potentially inappropriate site involves the Holocaust Museum, which has three PokeStops, according to the Washington Post. Arlington National Cemetery also believes playing there is just rude.

ms smith

Ms. Smith (not her real name) is a freelance writer and programmer with a special and somewhat personal interest in IT privacy and security issues. She focuses on the unique challenges of maintaining privacy and security, both for individuals and enterprises. She has worked as a journalist and has also penned many technical papers and guides covering various technologies. Smith is herself a self-described privacy and security freak.