You Should Probably Check Your Pokémon Go Privacy Settings
In the five frenzied days since its American release, Pokémon Go has become an economic and cultural sensation. Downloaded by millions, the game has boosted Nintendo’s market value by $9 billion (and counting), made a major case for augmented reality as the gaming format of the future, and led to a plethora of strange, scary, and serendipitous real-life encounters.
And as millions of users wander the country collecting Pikachus and Jigglypuffs, the Alphabet spin-off Niantic, Inc. that developed the game is collecting information about the collectors. And it’s most definitely catching them all.
Like most apps that work with the GPS in your smartphone, Pokémon Go can tell a lot of things about you based on your movement as you play: where you go, when you went there, how you got there, how long you stayed, and who else was there. And, like many developers who build those apps, Niantic keeps that information.
It also may share this information with other parties, including the Pokémon Company that co-developed the game, “third-party service providers,” and “third parties” to conduct “research and analysis, demographic profiling, and other similar purposes.” It also, per the policy, may share any information it collects with law enforcement in response to a legal claim, to protect its own interests, or stop “illegal, unethical, or legally actionable activity.”
Now, none of these privacy provisions are of themselves unique. Location-based apps from Foursquare to Tinder can and do similar things. But Pokémon Go’s incredibly granular, block-by-block map data, combined with its surging popularity, may soon make it one of, if not the most, detailed location-based social graphs ever compiled.
And it’s all, or mostly, in the hands of Niantic, a small augmented reality development company with serious Silicon Valley roots. The company’s origins trace back to the geospatial data visualization startup Keyhole, Inc., which Google acquired in 2004; it played a crucial role in the development of Google Earth and Google Maps. And though Niantic spun off from Alphabet late last year, Google’s parent company is still one of its a major investors, as is Nintendo, which owns a majority stake in The Pokémon Company. Indeed, Google still owned Niantic when the developer released its first game, Ingress, which is what Niantic used to pick the locations for Pokémon Go’s ubiquitous Pokéstops and gyms.
In a statement to Gizmodo Monday night, Niantic said they started working on a fix and verified with Google that nothing beyond basic profile information had been accessed.
We recently discovered that the Pokémon GO account creation process on iOS erroneously requests full access permission for the user’s Google account. However, Pokémon GO only accesses basic Google profile information (specifically, your User ID and email address) and no other Google account information is or has been accessed or collected.
Once we became aware of this error, we began working on a client-side fix to request permission for only basic Google profile information, in line with the data that we actually access. Google has verified that no other information has been received or accessed by Pokémon GO or Niantic.
Google will soon reduce Pokémon GO’s permission to only the basic profile data that Pokémon GO needs, and users do not need to take any actions themselves.
Given the fact that Pokémon Go already has millions of users and that it has already attracted the attention of law enforcement, it seems likely that at some point police will try to get Niantic to hand over user information. And if Google’s track record is any indication — a report earlier this year showed that the company complied with 78% of law enforcement requests for user data — they are probably prepared to cooperate.