On July 5, 2016, Pokémon GO was released in the United States for iOS and Android. Since launching, it has quickly become to most successful mobile app on both platforms, beating out the likes of dating app Tinder and social media app Twitter. However, concerns over the technology used in the game as well as early issues with Google account permissions have left many people, like US Senator Al Franken contemplating the privacy and security implications of the game, which I will address in this post.
I've been a fan of the Pokémon franchise since it hit the market in the United States in 1998. However, I have yet to be sold on Pokémon GO - I simply have no interest in the game. Nonetheless, it is a global phenomenon, even popular in regions it has yet to see a release in. The game is not without its quirks, including an early issue of requesting full account access to the player's Google account when using Google to sign in. This has caused concern for a number of players when they discovered the permissions they handed over.
Niantic, the developer of Pokémon GO, and The Pokémon Company released a statement to Engadget explaining that this particular issue was a bug and was quickly fixed in a subsequent update. For users who are still concerned about this, I urge you to review Google's guide on controlling and revoking app access to your account and check your account to see what permissions the game has. If it still has full access to your Google account, you can simply revoke access, then sign-in to the game again using your Google account. Your data will be safe and you can ensure your Google account is safe as well.
Even fairly high-profile techies have speculated that Pokémon GO's "full access" request was used to leech data from users who didn't pay attention until they changed it in the subsequent update. However, various sources have tried using the same token used by the game and were unable to access any other aspects of their Google accounts. Gizmodo even published a piece to ease players' concerns amidst the uncertainty. So rest assured, even if you haven't updated your permissions, the game has not spied on your emails. Additionally, Niantic told Gizmodo that Google would soon reduce Pokémon GO's access to basic access as outlined above, for those who have not yet done so.
I've seen people suggest using a "throw-away" Google account for accessing the game. This is nonsense and overkill and offers no real privacy protection. Once you have ensured that the limited permissions - basic account information and email, are granted to Pokémon GO, your account information is just as secure as it would be without playing the game. The Google API protects the rest of your account and only grants the access explicitly granted to the app.
Similarly, I've seen suggestions made to use a new username/trainer name/screen name for the account that you don't use elsewhere. This suggestion is certainly useful for online dating, being active on the dark web, as well as other activity you want to proactively keep private. If you are concerned about someone finding out that you play Pokémon GO, I would suggest following this advice. If you're like the majority of players, even if privacy is important to you, there is no real threat in using a username you've used elsewhere.
The very nature of Pokémon GO mandates the game to track your GPS location. While it can be debated that playing a game or using any app that tracks your location is a serious privacy threat (and it can be), it's hardly more dangerous to you than carrying a smartphone in the first place. Your smartphone can track you any time it wants. Additionally, owning ANY cellular phone in your name instantly diminishes your privacy because most mobile devices can be tracked - powered or unpowered - by the carrier's cell towers. Playing Pokémon GO on such a device hardly puts you at greater risk of intrusion.
If being geo-tagged is a concern for you, close the app before arriving at a given location. For example, if you don't want to be tracked at home, close the app when you're at least 2-3 miles away. If you work for the government, military, or other organization swamped in secrecy and you want to ensure the location of a given facility is not deduced by potentially leaked data, close the app before arriving to the facility. Pokémon GO is requests your location from the device only while using the app.
Pokémon GO uses a technology called augmented reality, which is a fancy way of saying "a view of the world with computer-added elements". When playing the game out-of-the-box, and you encounter a wild pokémon, you will see the world around you, as your device's camera sees it, with the pokémon standing in the middle. This feature also allows you to take pictures of pokémon in real-world situations and locations to save to your device.
While it's a bit outlandish to think that Niantic collects the video streams from every device, it is always a possibility that cannot be completely ruled out. This means anything your camera sees could, in theory, be stored by Niantic. Some conspiracy theories suggest that Niantic is collecting this video footage and sharing it with the NSA in an attempt to gain further details on the public. I personally find this theory to be a bit "out there" but it certainly can't be ruled out. With that in mind, I suggest some common sense tactics that apply to all cameras and video streams when using the AR mode of the game.
It's also possible that metadata could be embedded in the image and made available if the image is shared publicly.
Moreso a personal safety issue, it should go without saying that you shouldn't be walking down the street with your eyes glued to your screen. There have been many reports of players walking into traffic, light posts, and straying into bad neighborhoods only to be mugged. Likewise, an alarming number of wrecks have been reported in which the driver was trying to catch a pokémon instead of being an attentive driver. No pokémon (or anything else for that matter) is worth being a distracted pedestrian or driver. Like the game itself warns, stay aware of your surroundings.
When visiting a real-world location to interact with a Gym or Pokéstop, stay in your vehicle and keep the doors locked. Let common sense prevail. More often than not, you can interact with the location from the curb, parking lot, or even across the street. Do not enter restricted areas. Do not trespass onto private property. Do not wander into dangerous neighborhoods. Do not do anything stupid...this is really just common sense stuff.
The Pokémon franchise has enjoyed a long, rich, and successful run over the last twenty years. Pokémon GO seems to have taken the obsession to a whole new level for many long-time fans as well as bringing people who would otherwise never play the game into the mix. Despite the hype, the fears, and the conspiracy theories, I say go out and catch 'em all while being smart and being safe. Just please, for the love of all that is good and decent in this world, do not cross the border in pursuit of Pikachu and spark an international incident!
I will be starting a newsletter soon that will include the latest news and issues regarding privacy and security from around the world. The newsletter will also include my latest blog posts, guides, and links to other websites where you can find more information. Once in awhile, I will also send out important information regarding changes to privacy laws and similar matters. I do not want or need anything but your email address to send it to you. You can unsubscribe at any time.