Pokémon Go has taken over the world since launching last week, sending millions of users into the streets to collect and battle virtual monsters on their smartphones.
With so many players sharing their locations and other personal data with the app, what could happen to all that information?
As users hand over access to their phones’ precise locations, storage and cameras to play the game, the company behind the game reserves the rights to share the data it collects with third parties including potential buyers and law enforcement.
In less than a week we created one of the largest personal location databases in history. But where? For who? This is a digital watershed.
— Kyle Hill (@Sci_Phile) 11 July 2016
That’s the price to “catch ‘em all” on the free-to-play game. And while companies regularly collect and profit from user data, Pokémon Go’s massive popularity and reliance on users’ locations and camera access have raised eyebrows in tech circles.
READ MORE: Pokemon Glas-Go: Glaswegians weigh in on augmented reality game
Most of us don’t read the privacy policies of apps we use. Indeed, reading all of them would take about 30 days per year, one study found. So it’s safe to assume that many players of Pokémon Go – which threatens to surpass Twitter in daily active users -- aren’t reading the fine print before logging on to chuck Poké balls, either.
To understand how the app can use data, it helps to know what data the app can collect.
For Android users, the game can access both the precise and general locations of the device as well as its camera – permissions inherently necessary to play the game. The game can also access users’ USB storage, contacts, network connections and more.
For iPhone users, the game can access users’ location, camera and photos. Many iOS users log in through their Google account, which grants the app full access. This means, per Google, the app “can see and modify nearly all information in your Google Account” including Gmail, Google Drive, Google Maps and more.
Jason Hong, an associate professor at Carnegie Mellon University’s CyLab Security and Privacy Institute, analyzes apps’ privacy for PrivacyGrade.org. He said just how Niantic uses that data will be dictated by its business model, which doesn’t seem clear at the moment.
If Niantic, Pokémon Go’s developer, decided to monetize data for advertising (as Facebook and Google do), it would be incentivized to collect as much user data as possible, Hong said, providing a larger privacy threat.
READ MORE: Pokemon Glas-Go: Pikachu spotted around Glaswegian landmarks
If Pokemon Go instead builds its business through in-app purchases, however, Hong said the app could prove safer for user privacy.
“That’s the challenge with this data,” Hong said. “It can potentially be used for good and bad as well."
The Pokémon Go privacy agreement describes how Niantic might share both users’ general and personally identifiable information with other parties.
The agreement says Pokémon Go collects data about its users as a “business asset.” This includes data used to personally identify players such as email addresses and other information pulled from Google and Facebook accounts players use to sign up for the game.
If Niantic is ever sold, the agreement states, all that data can go to another company.
Aside from being sold, Niantic has the right to share non-identifying information with third parties “for research and analysis, demographic profiling and other similar purposes.”
There are almost as many Pokémon Go players as there are Twitter users. But how many read the privacy policy? pic.twitter.com/wgqKO5Fqq7
— Zack Whittaker (@zackwhittaker) July 11, 2016
The app’s location permission enables it to track exactly where users are, their mobility patterns, where a particular user visits most often and more, Hong notes. That could come in handy for law enforcement officers should they request it via a subpoena – which the privacy agreement makes clear.
“We may disclose any information about you (or your authorized child) that is in our possession or control to government or law enforcement officials or private parties as we, in our sole discretion, believe necessary or appropriate,” the agreement states.
Many companies, including Facebook and Google, sell user data and hand it over to authorities when asked. But Pokémon Go’s constant location tracking and camera access required for gameplay, paired with its skyrocketing popularity, could provide data like no app before it.
“Their privacy policy is vague,” Hong said. “I’d say deliberately vague, because of the lack of clarity on the business model.”
Until that business model becomes more clear, Hong said he worries more about the physical threats and privacy quandaries posed by the app.
Since the game’s launch last week, armed thieves used the game to rob unsuspecting players. One man’s home was marked as an in-game destination, causing strangers to flock there. Another player wandered across a dead body.
READ MORE: Pokemon Glas-Go: Glaswegians weigh in on augmented reality game
Whether Pokemon Go can sustain its popularity in the long term comes down to how aware users are of its privacy invasions and whether they deem it a worthwile trade-off for the game’s experience.
“It’s basically an issue of time as people become aware how these technologies work and their tangible clear value,” Hong said. “If people feel it’s out of proportion, people will delete the app.”
Comments & Moderation
Readers’ comments: You are personally liable for the content of any comments you upload to this website, so please act responsibly. We do not pre-moderate or monitor readers’ comments appearing on our websites, but we do post-moderate in response to complaints we receive or otherwise when a potential problem comes to our attention. You can make a complaint by using the ‘report this post’ link . We may then apply our discretion under the user terms to amend or delete comments.
Post moderation is undertaken full-time 9am-6pm on weekdays, and on a part-time basis outwith those hours.
Read the rules here