(NPR) - Pokémon Go has taken over the world since launching last week, sending millions of users into the streets to collect and battle virtual monsters on their smartphones. With so many players sharing their locations and other personal data with the app, what could happen to all that information? As users hand over access to their phones’ precise locations, storage and cameras to play the game, the company behind the game reserves the rights to share the data it collects with third parties including potential buyers and law enforcement.
That’s the price to “catch ‘em all” on the free-to-play game. And while companies regularly collect and profit from user data, Pokémon Go’s massive popularity and reliance on users’ locations and camera access have raised eyebrows in tech circles.
Most of us don’t read the privacy policies of apps we use. Indeed, reading all of them would take about 30 days per year, one study found. So it’s safe to assume that many players of Pokémon Go – which threatens to surpass Twitter in daily active users -- aren’t reading the fine print before logging on to chuck Poké balls, either.
To understand how the app can use data, it helps to know what data the app can collect. For Android users, the game can access both the precise and general locations of the device as well as its camera – permissions inherently necessary to play the game. The game can also access users’ USB storage, contacts, network connections and more. For iPhone users, the game can access users’ location, camera and photos. Many iOS users log in through their Google account, which grants the app full access. This means, per Google, the app “can see and modify nearly all information in your Google Account” including Gmail, Google Drive, Google Maps and more.
Jason Hong, an associate professor at Carnegie Mellon University’s CyLab Security and Privacy Institute, analyzes apps’ privacy for PrivacyGrade.org. He said just how Niantic uses that data will be dictated by its business model, which doesn’t seem clear at the moment.
If Niantic, Pokémon Go’s developer, decided to monetize data for advertising (as Facebook and Google do), it would be incentivized to collect as much user data as possible, Hong said, providing a larger privacy threat. If Pokemon Go instead builds its business through in-app purchases, however, Hong said the app could prove safer for user privacy. “That’s the challenge with this data,” Hong said. “It can potentially be used for good and bad as well."
The Pokémon Go privacy agreement describes how Niantic might share both users’ general and personally identifiable information with other parties. The agreement says Pokémon Go collects data about its users as a “business asset.” This includes data used to personally identify players such as email addresses and other information pulled from Google and Facebook accounts players use to sign up for the game. If Niantic is ever sold, the agreement states, all that data can go to another company.
Aside from being sold, Niantic has the right to share non-identifying information with third parties “for research and analysis, demographic profiling and other similar purposes.” The app’s location permission enables it to track exactly where users are, their mobility patterns, where a particular user visits most often and more, Hong notes. That could come in handy for law enforcement officers should they request it via a subpoena – which the privacy agreement makes clear.
“We may disclose any information about you (or your authorized child) that is in our possession or control to government or law enforcement officials or private parties as we, in our sole discretion, believe necessary or appropriate,” the agreement states.
Moreover, as pointed out by Adam Reeve, a principal architect at Red Owl analytics, nothing in the sign up process indicates that you're giving the app full access to your account. Indeed, according to the Google help page, this means that the application will now be able to "see and modify nearly all information in your Google account." That means that Niantic - and, more importantly, anyone who has access to Niantic's servers - will be able to read and access all your email, your Google drive docs, your search history, your private Google Photos and a lot more. To be clear, this wouldn't be a problem if you signed up for the game using Pokemon's own "Trainer Club" account, but Pokemon's servers appear to be down. Also, while this full access issue appears to happen predominantly on iOS, a few Android users have reported the same as well.
Whether Pokemon Go can sustain its popularity in the long term comes down to how aware users are of its privacy invasions and whether they deem it a worthwhile trade-off for the game’s experience. “It’s basically an issue of time as people become aware how these technologies work and their tangible clear value,” Hong said. “If people feel it’s out of proportion, people will delete the app.”
UPDATE (6/12/16): Niantic has released a response to Engadget over the scope of its access to players' Google accounts, clearly stating that Pokemon GO only access "basic Google profile information," such as a player's User ID and email address:
We recently discovered that the Pokémon Go account creation process on iOS erroneously requests full access permission for the user's Google account. However, Pokémon Go only accesses basic Google profile information (specifically, your User ID and email address) and no other Google account information is or has been accessed or collected. Once we became aware of this error, we began working on a client-side fix to request permission for only basic Google profile information, in line with the data that we actually access. Google has verified that no other information has been received or accessed by Pokémon Go or Niantic. Google will soon reduce Pokémon Go's permission to only the basic profile data that Pokémon Go needs, and users do not need to take any actions themselves.