You've seen them wandering around, everyone from tweens to grandparents, their eyes stuck to their smartphones, mumbling "gotta catch 'em all." They're not zombies, they're just playing Pokémon Go. The new, "augmented reality" game based on the classic 90's Nintendo game, allows users to roam their streets, capturing and fighting Pikachus, Squirtles, Charmanders, and worthless Zubats.
If it looks weird, it's because it is. It's also a lot of fun. But as tens of millions of Pokémon trainers look to find their next catch, Niantic, the games developer could be collecting their personal information, thanks to Pokémon Go's downright frightful terms of service.
A Cultural Phenomenon and Major Privacy Risk
The goal of Pokémon is simply to "collect them all," to find and imprison the hundreds of Pokémon creatures scattered throughout the game's universe. And with Pokémon Go's augmented reality, that universe is now our universe. When you play Pokémon Go, the game opens a map of the area around you, which you follow from block to block, finding creatures, challenges, and rewards grafted on to real life. Your phone buzzes and there's a Magikarp flopping on the seats of a city bus. Go to the beach and there could be an Eevee sitting in the sand.
Having been available for just one week, Pokémon Go is predicted to have more users than Twitter's 65 million. To call it a phenomenon is an understatement.
But while Pokémon Go is becoming increasingly popular, its treatment of user privacy should give attorneys (and really, anyone else) pause.
From Google Accounts to Disclosure of Private Information
When those millions of Pokémon Go users sign up for the game, many of them do so by using their Google log in information. What many of them don't realize though, was that in the early days of the game, Apple users who accessed the game through their Google account allowed the developers at Niantic full access to their Google account. That's access to emails, attachments, Google Docs, even what YouTube videos you've liked.
Pokémon Go never asked for permission to access your Google account so fully, the gaming website Kotaku reports -- it just took it.
Thankfully, a recent update has reduced that access, providing Niantic only basic Google profile information.
It's not just anonymized data that Niantic could be handing out, however. Niantic's policy allows it to turn over user information, including that of children:
to government or law enforcement officials or private parties as we, in our sole discretion, believe necessary or appropriate: (a) to respond to claims, legal process (including subpoenas); (b) to protect our property, rights, and safety and the property, rights, and safety of a third party or the public in general; and (c) to identify and stop any activity that we consider illegal, unethical, or legally actionable activity.
As many have noted, that could make it very easy for Niantic, the government, or private parties to use the app to track a person of interest -- which means you might not be the only one using Pokémon Go to "catch 'em all."