Our website uses cookies to give you the best experience and for us to analyse our site usage. If you continue to use our site, we will take it you are OK about this. Click on More for information about the cookies on our site and what you can do to opt out.

We respect your Do Not Track preference.

Pokémon a gogo Charles Mabbett
13 July 2016

pikachu

Why was the SIS agent playing Pokémon Go? Because he wanted to Pikachu. Joking aside, the Pokémon Go app is proving to be an incredible phenomenon driven by children and adults alike. But it hasn’t taken long for claims the app was also dangerous because of the amount of personal information it sought access to when users installed it on their smartphones.

And it didn’t take long for the media enquiries to arrive at our office from journalists wanting to know if the Privacy Commissioner had concerns about this new augmented reality game.

Fears about Pokémon Go were first raised by Adam Reeve, a security architect at the information security firm Red Owl. In his Tumblr blog, Reeve said he was surprised when he checked the permissions he had granted to the app. He discovered he had given it full access to his Google account - including emails and documents.

Mr Reeve said Pokémon Go, and its parent company Niantic, in theory could now read all his emails, send emails as him, access all his Google Drive documents, look at his search and Maps navigation history and access any photos he might store in Google Photos.

All that and a whole lot more, he warned ominously. “This is probably just the result of epic carelessness. But I don’t know anything about Niantic’s security policies. I don’t know how well they will guard this awesome new power they’ve granted themselves, and frankly I don’t trust them at all. I’ve revoked their access to my account, and deleted the app. I really wish I could play, it looks like great fun, but there’s no way it’s worth the risk.”

We were asked if we be investigating. Privacy Commissioner John Edwards told NBR there was no cause to do so at this stage. Consumers needed to make their own choices and they could exert a level of control over the Pokémon Go app. One way of protecting your Google data was to open a Pokémon account so you didn’t have to use a Google log-in. And there are also other ways.

Mr Edwards said it was more likely a case that insufficient attention had been given to privacy implications because the app’s developers appeared to have failed to accurately describe what functionalities the app would have access to.

Niantic responds 

That appears to be the case. Niantic has since confirmed that Pokémon Go would only access basic Google profile information - specifically, user ID and email address. 

A Niantic spokesperson says no other Google account information was or had been accessed or collected. She said “once we became aware of this error, we began working on a client-side fix to request permission for only basic Google profile information, in line with the data that we actually access”.

So it appears it was all an embarrassing mistake. The Pokémon Go scare recalls last year’s Samsung Smart TV privacy row in which the South Korean appliance manufacturer was accused of selling a smart TV which eavesdropped on consumers.

It was revealed the TV’s voice-activated commands were transmitted across the internet to a company server where they were translated and relayed back to the TV. This had been inadequately described in the product’s terms and conditions and technology writers jumped on Samsung, accusing it of in-home spying. Consumer blood pressure went up and Samsung had a marketing headache on its hands.

Gartner hype cycle

Those of you familiar with the Gartner hype cycle will recognise both the Samsung Smart TV and Pokémon Go cases as two illustrative examples in action and those of you unfamiliar with the term can read about it in an earlier blog post.

There’s no doubt that apps are getting sophisticated. As our devices aggregate more and more data about our lives through new functionalities, apps are being developed which exploit those functionalities. It is a very real privacy concern.

The Privacy Commissioner told NBR that he didn’t think any privacy regulator in the world would condone - if the app was gaining access to functions it didn’t need - any misrepresentation in order to obtain access to confidential personal information.

He said the best means of protection is for consumers to exercise autonomy over how they enjoy and engage with these fun new games. “You have to grant permissions and if you don’t take time to think about what you’re granting, you really don’t have much ground to complain afterwards.” Let the buyer beware.

Image credit: Robert Biggers - How to draw Pikachu, Squirtle and Diglett.

1 comments

Back

Comments

  • It is obvious that Niantic did not do a Privacy Impact Assessment to identify which data was at risk when it was accessed by or made available to the app. Clearly their development cycle does not require a PIA as an early step. I found I had to use more than a few grains of salt to make their explanation palatable.

    The Internet buyers warning applies here. “If the app is free then you are not a customer but you and your data are part of the product”. You cannot expect that a vendor will place your protection ahead of his rewards when he exploits the data you have allowed him access to.

    It would be great if we could encourage/require the various app stores at Google, Apple etc. to require a PIA in their requirements for developers submitting apps for distribution. They could also include testing for unfavourable data exposures before they accept an app for distribution.

    This might provide some protection for users who are unable/unwilling to make their own assessment of the risks they take when they choose free 3rd party apps, or use a services login instead of logging directly into the app.

    Until customer privacy rights and expectations are known and demonstrated to have been considered by suppliers and distributers of apps then they all must be considered as untrusted and users must positively limit the access rights they allow.

    Posted by Alisdair McKenzie, 28/07/2016 1:57pm (15 months ago)

    Post Reply

    The aim of the Office of Privacy Commissioner’s blog is to provide a space for people to interact with the content posted. We reserve the right to moderate all comments. We will not publish any content that is abusive, defamatory or is obviously commercial. We ask for your email address so that we can contact you if necessary to clarify your comment. Please be respectful of authors and others leaving comments.

Post your comment

The aim of the Office of Privacy Commissioner’s blog is to provide a space for people to interact with the content posted. We reserve the right to moderate all comments. We will not publish any content that is abusive, defamatory or is obviously commercial. We ask for your email address so that we can contact you if necessary to clarify your comment. Please be respectful of authors and others leaving comments.

Latest Blog Entries