Pokémon Go Privacy & Security Lessons
The first blockbuster augmented reality (AR) game is here, and with it have come profound real-world privacy and security issues. Pokémon Go’s unique blend of nostalgia for the late-’90s media sensation with the popularity of mobile gaming has rocketed the app to the top of every list. On July 12th, 2016, it became the most active mobile game ever, with over 21 million active users. What’s interesting to note about Pokémon Go’s release, however, is how fast privacy and security concerns became one of the hottest topics of conversation surrounding the game.
Revealing Personal Data
At the core of the privacy outcry was the scope of access Pokémon Go requested of users logging in with their Google account. Initially, the app appeared to have free access to a Gmail user’s email, Google Docs, and other information associated with the user’s account. (The company has since issued a patch to restrict access to only basic account information.)
But augmented reality games on mobile platforms still aggregate a substantial amount of real-world information. According to this article on BuzzFeed,
“Like most apps that work with the GPS in your smartphone, Pokémon Go can tell a lot of things about you based on your movement as you play: where you go, when you went there, how you got there, how long you stayed, and who else was there. And, like many developers who build those apps, Niantic keeps that information.”
What’s more, Niantic (makers of Pokémon Go) “may share this information with other parties, including the Pokémon Company that co-developed the game, ‘third-party service providers,’ and ‘third parties’ to conduct ‘research and analysis, demographic profiling, and other similar purposes.’” The sweeping popularity of the game and the simultaneous outcry over data collection and usage questions have prompted Senator Al Franken of Minnesota to request that Niantic explain “how the data is used and with what third party service providers that data may be shared.” Niantic is also potentially facing a lawsuit in Germany for noncompliance with German privacy and consumer protection laws.
Wildfire Malware Opportunities
Further complicating privacy and security concerns is the manner in which the game was released. While it was officially launched in a restricted number of markets, the intense demand created an opportunity for malicious actors in other international markets to release malware-laden versions of the app. Android players eager to jump the gun on the company’s phased roll-out of the app found themselves infected with the DroidJack Trojan, malware that “requests permission to read web bookmarks and history, change network connectivity and disconnect from Wi-Fi, view Wi-Fi connections and retrieve running apps run at startup.”
Augmented Reality Brings Real-World Pitfalls
There are other “socially engineered” dangers associated with the app as well. Given that the game encourages users to get out in the world and visit real locations to collect virtual rewards, savvy criminals have lured players into remote locations in order to rob them. One of the greatest hazards with augmented reality games is the degree to which they can cause players to lower their natural defenses and decrease their common-sense awareness of their surroundings. Players have even attempted to access restricted areas of hospitals, fallen off cliffs, and been shot at. Common Sense Media, a nonprofit based in California that works to promote the safe use of media and technology by kids, has also asked Niantic to answer safety concerns about the app, especially given its popularity among minors.
The Pokémon Go Learning Opportunity
Despite all of the questionable data gathering practices and real-world hazards of a runaway success like Pokémon Go, the game’s meteoric rise has created an excellent opportunity to raise privacy concerns and elevate user awareness of the ways seemingly innocuous forms of entertainment can have profound effects on our lives.
There will always be early adopters, but it’s clear that the leading edge may also be the bleeding edge. Using Pokémon Go as a conversation starter, privacy advocates have a perfect opportunity to talk about the importance of protecting privacy when choosing and using apps. There’s plenty to be aware of when it comes to these highly addictive and gamified methods of getting us to share our information.
Companies should also take away a few lessons from Niantic’s implementation and launch strategy. From the apparently poor vetting of the initial data scope request to the malware hazards of not shipping an app in all markets simultaneously, Niantic is a perfect case study of what to avoid and how important it is to integrate Privacy by Design into app development. Understanding backlash is important. Long-term viability can depend on not overreaching, as an app can die as quickly as it spreads if users find it creepy or abusive.
Pokémon Go will not be the last blockbuster augmented reality game. As popular as the app has been, many reviewers have found room for improvement. You can be sure that developers will quickly adapt to create more immersive and addictive AR games. Make sure you’re ready. There’s nothing wrong with “catching them all” as long as what you’re trading for them is in line with your personal privacy practice.