It’s the Pokémon-mania! The Pokémon Go game is taking the world by storm. This unbelievably huge game can now claim the title of most popular mobile game in United States history. This new game, jointly developed by Nintendo, Google-spinoff Niantic, and Pokemon Co., was released on July 5 and rapidly boasted 21 million daily active users in the U.S., topping a game like Candy Crush Saga. The game has even been downloaded more than Tinder, the “find love” app. But is this app putting your privacy at risk?
This mobile game, that already have been downloaded at least 15 million times on Apple's App Store and Google Play, features characters called “Pokémon” that players capture in the real world using a combination of GPS and augmented reality.
However, in terms of data privacy protections, the application is not as successful. Some concerns are raised about the extent to which Niantic may be unnecessarily collecting, using, and sharing sensitive user data without their appropriate consent.
The main issue occurred when iPhone users signed in to Pokémon Go through their Google account and Niantic was getting full access to many users’ Google accounts. According to Google’s Privacy and Security controls (Apps connected to your account):
“When you grant full account access, the application can see and modify nearly all information in your Google Account (but it can’t change your password, delete your account, or pay with Google Wallet on your behalf).
Certain Google applications may be listed under full account access. For example, you might see that the Google Maps application you downloaded for your iPhone has full account access.
This "Full account access" privilege should only be granted to applications you fully trust, and which are installed on your personal computer, phone, or tablet.” (emphasis added)
Unlike other apps and/or websites that only grab permissions for some personal data (e.g. email address, phone number, etc.), granting such a broad permission over all information linked to the account, including the contents of Gmail, Google Docs, Google Drive and Google Calendar as underlined by the Wall Street Journal, represents a dangerous overreach and a real privacy concern for all the users.
Moreover, at no point in the sign-in process, the mobile application notified the users that full access was being granted.
On July 12, 2016, Niantic issued an updated version of the application and released an official statement regarding the Pokemon Go iOS (iPhone version of the app) permissions problem:
“We recently discovered that the Pokémon GO account creation process on iOS erroneously requests full access permission for the user’s Google account. However, Pokémon GO only accesses basic Google profile information (specifically, your User ID and email address) and no other Google account information is or has been accessed or collected. Once we became aware of this error, we began working on a client-side fix to request permission for only basic Google profile information, in line with the data that we actually access. Google has verified that no other information has been received or accessed by Pokémon GO or Niantic. Google will soon reduce Pokémon GO’s permission to only the basic profile data that Pokémon GO needs, and users do not need to take any actions themselves.” (underlined added).
With the update, Niantic is only requesting access to basic account information, such as a user’s name and email address. However, according Pokémon GO Privacy Policy, the app collects and stores much more than personal data. Information may include “user’s Internet Protocol (IP) address, user agent, browser type, operating system, the web page that a User was visiting before accessing our Services, the pages or features of our Services to which a User browsed and the time spent on those pages or features, search terms, the links on our Services that a User clicked on, and other statistics”.
The app also needs the users’ location because it’s what Pokemon Go is all about; a location based game. There’s however no mention of any camera data being stored.
Many app developers collect data from smart devices which is unrelated to the app itself and is then distributed to third parties. App developers should be aware that consent does not legitimise excessive data processing. We recommend that developers proactively inform users about the type of data collected, any data breaches, and ensure full and integrated compliance with data protection law.