
Privacy concerns about Pokémon GO

August 1, 2016, by Daniel Dimov

Section 1. Introduction

Pokémon Go, an augmented reality smartphone game which has recently become a sensation, is created and operated by the software development giant Niantic, Inc. The term "augmented reality" can be defined in simple words as a live view which is supplemented by computer-generated input. Within the first week of its release, Pokémon Go was downloaded about 7.5 million times in the United States alone and received immense attention from the media and millions of game users.

To analyze the privacy concerns about Pokémon Go, it is important to comprehend how the game actually works. Pokémon Go is based on six major elements, namely, (1) a map, (2) Pokémons, (3) habitats, (4) Poké Balls, (5) Poké Stops, and (6) medals. The map used in the application is based on an actual real-world map of existing streets, and the player of the game is always at its center. Pokémons are virtual creatures that have to be collected by the gamers. Pokémons mostly live in certain designated areas, the so-called Habitats. Pokémons can be caught and stored by using virtual Poké Balls. Such Poké Balls are collected at special Poké Stops. Players who succeed in catching a certain number of Pokémons or complete other tasks are granted medals. To locate the player on the application map in real time, Pokémon Go needs to continuously collect geolocation information about him or her. Moreover, the creation of a user account requires providing other identification data (e.g., email address and date of birth).

The purpose of this article is to examine the Pokémon Go Privacy Policy (the "Privacy Policy") available at http://www.pokemon.com/us/privacy-policy and identify any clauses that may threaten the privacy of the users of the game. More specifically, we will discuss clauses related to the collection of personal information (see Section 2 of this article); the use of personal information (see Section 3 of this article); the data that Niantic shares with third parties (see Section 4 of this article); and the security and protection of the collected personal information (see Section 5 of this article). Next, we provide recommendations on how to protect your privacy while using Pokémon Go and similar applications (see Section 6 of this article). Finally, a conclusion is drawn (see Section 7 of this article).

Section 2. Information collected by Niantic

According to its Privacy Policy, Niantic typically collects from the users of Pokémon Go certain types of personal information which may include the following categories of information: (1) first and last names, email address, and telephone number; (2) physical address and location-based information; and (3) IP address and persistent device identifier where necessary for the provision of services. Hence, the Privacy Policy does not contain an exhaustive list of the collected personal information. It can be presumed that, after reading 6371 words (the length of the Privacy Policy) and spending more than 25 minutes (the average reading speed in the United States is 252 words per minute), the player of Pokémon Go will remain unaware of the types of personal information which Niantic collects from him or her.

It is worth mentioning that, in 2014, a working group of the EU data protection authorities (the Article 29 Working Party) prepared a common list of requirements and possible measures which can be implemented by Google to comply with the EU data protection laws. One of the requirements is the inclusion in Google's privacy policy of an exhaustive list of the types of personal data processed by Google. To stay on the safe side of the EU data protection laws, Niantic should consider following the instructions provided by the data protection authorities to Google.

Section 3. Use of information collected by Niantic

The Privacy Policy does not contain an exhaustive list of the purposes for which the collected personal data will be used. It simply mentions certain exemplary purposes. Furthermore, the users of the game are assured that: "Whatever the purpose may be, we will only collect information to the extent reasonably necessary to fulfill your requests and our legitimate business objectives." The Article 29 Working Party recommended that Google provide an exhaustive list of all purposes for which the company processes personal information. Due to the lack of such an exhaustive list, Niantic may soon become subject to similar recommendations.

Also, the Privacy Policy does not mention that the collected personal information can be used for showing sponsored locations to the players. According to John Hanke, Chief Executive of Niantic, the concept of sponsored locations is a component of the business model of Pokémon Go. Sponsored locations are locations which are transformed into Poké Stops or other game elements at the request of the operators of those locations. Some researchers have stressed that McDonald's may be one of such sponsored locations in Pokémon Go.

Section 4. Information that Niantic shares with third parties

According to the Privacy Policy, Niantic will not share, sell, or rent to third parties personal information collected from players without the players' prior consent. Thus, at first sight, it may seem that third parties will not have access to the collected information about the users of the game. However, by accepting the Privacy Policy, Pokémon Go players agree that their personal information may be shared with (1) outside entities hired by the company to assist with internal site support operations and (2) delivery service providers for delivery purposes. The Privacy Policy notes that the entities and companies mentioned in the preceding sentence have agreed to maintain the confidentiality, security, and integrity of all personal information they obtain from Niantic. However, it is not clear what security measures those third parties will employ to protect gamers' personal information. The Privacy Policy does not explicitly state that the security measures taken by Niantic will also apply to the third parties.

Section 5. Security of the collected personal information

The Privacy Policy contains a detailed explanation of the security measures which Niantic takes to protect the data collected from players of the game. However, taking into account the large number of Pokémon Go players as well as the potential societal impact of data breaches related to vulnerabilities in Pokémon Go, data protection authorities should regularly check the practical implementation of the security measures declared by Niantic. In this regard, it is worth mentioning that stolen personal information can be used by terrorists for identifying low-security habitats and conducting mass-casualty attacks in such places. For example, a habitat in a city park may allow terrorists to conduct an attack on a large number of unprotected players.

Section 6. Recommendations on how to protect your privacy while using Pokémon Go and similar applications

Below, we provide four recommendations on how to enhance your privacy while playing Pokémon Go or other games using geolocation data.

(1) Make sure that you are downloading Pokémon Go from trusted sources. There are many malicious apps masquerading as Pokémon Go. For example, a group of security researchers found on the Google Play Store a malicious app named "Pokémon Go Ultimate." The app locks the screen of the device on which it is installed. The victim has no choice but to restart the device by removing the battery. Once the device is rebooted, the malicious app passively collects ad revenue.

(2) Install the latest version of Pokémon Go. The original version of Pokémon Go requested full access permission to players' Google accounts. After receiving substantial criticism from privacy researchers and politicians, Niantic restricted the scope of the requested personal information. In this regard, the company's representative wrote:

"We recently discovered that the Pokémon Go account creation process on iOS erroneously requests full access permission for the user's Google account. However, Pokémon Go only accesses basic Google profile information (specifically, your user ID and e-mail address) and no other Google account information is or has been accessed or collected. Once we became aware of this error, we began working on a client-side fix to request permission for only basic Google account information, in line with the data we actually access. Google has verified that no other information has been received or accessed by Pokémon Go or Niantic."

(3) Scan any software designed to update your Pokémon Go for viruses.

(4) Do not provide your personal data in exchange for promises to receive Poké Coins. The only legitimate way to receive Poké Coins is by buying them within the app.

Section 7. Conclusions

This article discussed privacy concerns related to Pokémon Go, one of the most popular current mobile games, and practical steps to avoid privacy issues while using the app. Players of Pokémon Go who wish to reduce the risks of privacy invasions should not only rely on the steps above but also participate in information security awareness programs. Such programs are critical for enhancing the privacy and security of players enjoying Pokémon Go and similar apps.

Information security awareness programs can be divided into two categories, namely, informational (e.g., newsletters, websites, and booklets) and educational (e.g., presentations, lectures, and workshops). For example, informational programs can be published on the website of Pokémon Go as well as on the websites of governmental authorities all over the world. Educational programs can be provided in schools and other institutions that are attended by a large number of players.


References

  1. Abad-Santos, A., 'Pokémon Go: 9 questions about the game you were too embarrassed to ask', Vox, 16 July 2016. Available at http://www.vox.com/2016/7/12/12158372/pokemon-go-ios-android-game-questions.
  2. Article 29 Working Party recommendations, 'Appendix: List of possible compliance measures', Ref. Ares (2014) 3113072, 23/09/2014. Available at http://ec.europa.eu/justice/data-protection/article-29/documentation/other-document/files/2014/20140923_letter_on_google_privacy_policy_appendix.pdf.
  3. Hawley, S., 'Jakarta police banned from Pokemon Go over national security concerns', ABC, 21 July 2016. Available at http://www.abc.net.au/am/content/2016/s4504461.htm.
  4. Hudson, L., 'How to Protect Privacy While Using Pokémon Go and Other Apps', The New York Times, 12 July 2016. Available at http://www.nytimes.com/2016/07/14/technology/personaltech/how-to-protect-privacy-while-using-pokemon-go-and-other-apps.html?_r=0.
  5. Katsikas, S.K., Lopez, J., Pernul, G., 'Trust, privacy and security in digital business', Computer Systems Science and Engineering, 20.6 (2005): 391.
  6. Khan, S., 'Pokemon Go: What are privacy risks and how to protect your Android and iOS smartphones from malware?', International Business Times, 15 July 2016. Available at http://www.ibtimes.co.in/pokemon-go-what-are-privacy-risks-how-protect-your-android-ios-smartphones-scams-686783.
  7. Kovacs, N., 'Fight Off Malicious Pokemon GO! Apps with The Help Of Norton Mobile Security', Norton Community, 18 July 2016. Available at https://community.norton.com/en/blogs/security-covered-norton/fight-malicious-pokemon-go-apps-help-norton-mobile-security.
  8. Kovacs, N., 'Pokémon Go Cyber Security and Privacy Guidelines', Norton Community, 12 July 2016. Available at https://community.norton.com/en/blogs/norton-protection-blog/pok%C3%A9mon-go-cyber-security-and-privacy-guidelines.
  9. Moidel, S., 'Speed Reading for Business', Barron's Educational Series, 1998.
  10. Olivarez-Giles, N., 'Pokémon Go Creator Closes Privacy Hole But Still Collects User Data', The Wall Street Journal, 13 July 2016. Available at http://www.wsj.com/articles/pokemon-go-creator-closes-privacy-hole-but-still-collects-user-data-1468363704.
  11. 'Pokémon GO official website'. Available at http://www.pokemongo.com/en-us/.
  12. 'Pokémon Privacy Policy'. Available at http://www.pokemon.com/us/privacy-policy/.
  13. Price, R., 'Pokémon Go is fixing a bug that gave it "full access" to your Google account', Business Insider, 12 July 2016. Available at http://www.businessinsider.com/pokemon-go-fix-bug-full-account-access-google-gmail-history-2016-7?r=UK&IR=T.
  14. 'Sen. Franken Presses Makers of "Pokemon GO" Smartphone App Over Privacy Concerns', Al Franken, U.S. Senator for Minnesota, 12 July 2016. Available at https://www.franken.senate.gov/?p=press_release&id=3512.
  15. Turton, W., 'Pokémon Go Was Never Able To Read Your Email', Gizmodo, 11 July 2016. Available at http://gizmodo.com/can-pokemon-go-really-read-all-your-emails-1783479136.
  16. Wig, W., 'Pokémon Go Game Guide (English Version): How to Find and Catch a Pokémon', Gamas Publishing, 19 July 2016.
  17. Winkler, I., 'Pokemon Go: What security awareness programs should be doing now', CSO Online, 14 July 2016. Available at http://www.csoonline.com/article/3095878/security-awareness/pokemon-go-what-security-awareness-programs-should-be-doing-now.html.

Co-Author

Rasa Juzenaite works as a project manager in an IT legal consultancy firm in Belgium. She has a Master's degree in cultural studies with a focus on digital humanities, social media, and digitization. She is interested in the cultural aspects of the current digital environment.

Author

Daniel Dimov

Dr. Daniel Dimov is the founder of Dimov Internet Law Consulting (www.dimov.pro), a legal consultancy based in Belgium. Daniel is a fellow of the Internet Corporation for Assigned Names and Numbers (ICANN) and the Internet Society (ISOC). He did traineeships with the European Commission (Brussels), European Digital Rights (Brussels), and the Institute for EU and International law “T.M.C. Asser Institute” (The Hague). Daniel received a Ph.D. in law from the Center for Law in the Information Society at Leiden University, the Netherlands. He has a Master's Degree in European law (The Netherlands), a Master's Degree in Bulgarian Law (Bulgaria), and a certificate in Public International Law from The Hague Academy of International law.