The last few days have seen the rapid takeover of the internet by augmented reality game, Pokémon Go. The game allows players to roam the world, capturing and training virtual Pokémon (the fictional creatures of the enormously successful Pokémon franchise). However since its release last week security concerns around the app’s permission requests and use of data have hit the headlines.
Before the player even begins to play the game, they are required to sign in with either their Google account or Pokémon Trading Club account (PTC). When doing so with a Google account, Apple iPhone users have been unknowingly granting the game full access to both their Google Drive and Gmail inbox. If they become aware, users can opt out of the full access, but only through accessing their Google account’s settings.
The developer Niantic has attempted to reassure users that this request for access has not caused Pokémon Go to gather any data from players’ personal files. We know they are now working on a fix to solve the problem. However it raises serious questions about the nature of the game’s development and whether enough thought was given to the account security process before it was published.
And yet, once the player has signed away access to their Google account, their privacy problems have only just begun. As with many Apps, Pokémon Go requests access to a huge list of phone functions, one of the most worrying of which is the request for access to a player’s contact list despite the game not currently allowing any in-game communication. It could be that such features are in the development pipeline but it would surely have been better for them to wait until they are ready before requesting players’ contact lists. If it’s a necessary function, then be upfront and tell us why.
This is sadly not the only area with a lack of clarity over data. For a location based game which requires you to explore the world, some form of location data gathering is obviously required. And yet despite the positive trend for companies to give users more control of their location data, it is sad to see that Pokémon Go hasn’t done this. There is no option within Pokémon Go to manage or delete user data, hiding from the user much of its location tracking with no indication of precisely what is recorded or for how long. We only know for sure that it keeps a record of where and when each Pokémon was caught. This is a super effective way of building up a detailed picture of a player’s life, where they go, what they do, who they know, etc. As the game relies on location to function, how it deals with location data should be adequately and accurately explained for the army of users.
Maybe the reason for Pokémon Go playing loose with players’ data is down to carelessness rather than malicious intent. Security researcher Adam Reeve, who first pointed out the privacy problems surrounding the Google account access certainly thinks so when he wrote on Tumblr “now, I obviously don’t think Niantic are planning some global personal information heist,”. It may be that as he suggested it “is probably just the result of epic carelessness.”
Careless or not, companies who don’t outline the reasoning behind their data are jeopardising their relationship with their users, as the sheer number of privacy concerns in the media demonstrate.
Niantic are exploring new ground when it comes to augmented reality, but they can’t say the same for data protection and their Google account blunder. The release of the game was predated by nearly 4 months of beta testing – something that surely should have included a greater emphasis on privacy testing to ensure data security from day one.
Big Brother Watch has consistently argued that privacy should be an integral part of the development process, privacy and security by design should be at the forefront of any app designers mind, not a barely considered afterthought. Niantic are learning this the hard way, let’s hope they react swiftly to ensure that the privacy and security of all Pokémon GO players is their top priority from now on.