Why was the SIS agent playing Pokémon Go? Because he wanted to Pikachu. Joking aside, the Pokémon Go app is proving to be an incredible phenomenon driven by children and adults alike. But it hasn’t taken long for claims the app was also dangerous because of the amount of personal information it sought access to when users installed it on their smartphones.
And it didn’t take long for the media enquiries to arrive at our office from journalists wanting to know if the Privacy Commissioner had concerns about this new augmented reality game.
Fears about Pokémon Go were first raised by Adam Reeve, a security architect at the information security firm Red Owl. In his Tumblr blog, Reeve said he was surprised when he checked the permissions he had granted to the app. He discovered he had given it full access to his Google account - including emails and documents.
Mr Reeve said Pokémon Go, and its parent company Niantic, in theory could now read all his emails, send emails as him, access all his Google Drive documents, look at his search and Maps navigation history and access any photos he might store in Google Photos.
All that and a whole lot more, he warned ominously. “This is probably just the result of epic carelessness. But I don’t know anything about Niantic’s security policies. I don’t know how well they will guard this awesome new power they’ve granted themselves, and frankly I don’t trust them at all. I’ve revoked their access to my account, and deleted the app. I really wish I could play, it looks like great fun, but there’s no way it’s worth the risk.”
We were asked if we be investigating. Privacy Commissioner John Edwards told NBR there was no cause to do so at this stage. Consumers needed to make their own choices and they could exert a level of control over the Pokémon Go app. One way of protecting your Google data was to open a Pokémon account so you didn’t have to use a Google log-in. And there are also other ways.
Mr Edwards said it was more likely a case that insufficient attention had been given to privacy implications because the app’s developers appeared to have failed to accurately describe what functionalities the app would have access to.
That appears to be the case. Niantic has since confirmed that Pokémon Go would only access basic Google profile information - specifically, user ID and email address.
A Niantic spokesperson says no other Google account information was or had been accessed or collected. She said “once we became aware of this error, we began working on a client-side fix to request permission for only basic Google profile information, in line with the data that we actually access”.
So it appears it was all an embarrassing mistake. The Pokémon Go scare recalls last year’s Samsung Smart TV privacy row in which the South Korean appliance manufacturer was accused of selling a smart TV which eavesdropped on consumers.
It was revealed the TV’s voice-activated commands were transmitted across the internet to a company server where they were translated and relayed back to the TV. This had been inadequately described in the product’s terms and conditions and technology writers jumped on Samsung, accusing it of in-home spying. Consumer blood pressure went up and Samsung had a marketing headache on its hands.
Gartner hype cycle
Those of you familiar with the Gartner hype cycle will recognise both the Samsung Smart TV and Pokémon Go cases as two illustrative examples in action and those of you unfamiliar with the term can read about it in an earlier blog post.
There’s no doubt that apps are getting sophisticated. As our devices aggregate more and more data about our lives through new functionalities, apps are being developed which exploit those functionalities. It is a very real privacy concern.
The Privacy Commissioner told NBR that he didn’t think any privacy regulator in the world would condone - if the app was gaining access to functions it didn’t need - any misrepresentation in order to obtain access to confidential personal information.
He said the best means of protection is for consumers to exercise autonomy over how they enjoy and engage with these fun new games. “You have to grant permissions and if you don’t take time to think about what you’re granting, you really don’t have much ground to complain afterwards.” Let the buyer beware.
Image credit: Robert Biggers - How to draw Pikachu, Squirtle and Diglett.