Does Pokemon Go Pose A Threat To Your Cyber Security?
Be mindful of how your sensitive information is used when granting permissions to your favourite apps.
It’s hard to think of a recent internet sensation that has sparked as much excitement as the Pokemon Go app. Within the space of just a few days, the augmented reality app exceeded the usership numbers of the mega-popular dating app Tinder, and soared to the top of the download charts. Somewhat counter to its nature as an online game, it has sent enthusiastic users onto the city streets to walk around and look for exclusive Pokemon to capture.
If you’ve managed to get this far without knowing what the game is, allow us to provide a brief explanation. As The Guardian describes it, Pokemon Go is “a massive-multiplayer, location-based spin-off from the role-playing fantasy series.” Utilising the camera and GPS capability built into every smartphone, users wander outside looking for hard-to-capture Pokemon, injecting reality with a dose of the imaginary.
The rollout of the app caused great excitement, but also great controversy. Serious privacy concerns were raised when it came to light that iOS users who signed up for the game using their Google Account as a form of authentication had potentially granted “full access” to their information. However, after about a day of internet hysteria, the BBC reported that the developer of the game, Niantic Labs, said that “it had only ever logged user IDs and email addresses”, even though the language it used was outdated and misleading. As The Guardian pointed out: “While it was Niantic’s choice to use an outdated log-in method for no obvious reason, it was Google – the much larger, more security-conscious company – that misrepresented the limited permissions granted as ‘full access’.”
As The Guardian suggests, it’s surprising that such a high-profile product overlooked such a basic and important aspect of the user opt-in experience. And while the more sinister assumption that Niantic was using the game to access users’ Google Accounts did not come to fruition, some questions still remain. The nature of Pokemon Go is that it uses and collects metadata about where users are moving around a city and, in order to do this, it has to be granted a long list of permissions on a user’s smartphone. These include: GPS connectivity (which includes approximate location access), full network access, activity recognition, the ability to prevent the phone from sleeping, access to Google Play billing service, access to Bluetooth settings, and the ability to view network connections, among other permissions.
The most significant effect this long list of permissions will have on a user’s phone will be to drain the battery, due to constant GPS activity coupled with preventing the phone from going to ‘sleep’. However, these expansive data-capture permissions are worth contemplating more deeply when you consider that the company that oversees Niantic’s operations, none other than Google, has a business model that’s “powered by data-mining its users,” as TechCrunch put it.
What this means is that while Niantic may not be reading the contents of your Gmail account, Google itself could very well be using the metadata collected when you use an app with such expansive permissions for purposes we don’t know anything about. As TechCrunch reported, Niantic’s privacy policy for Pokemon Go notes it may share “aggregated information and non-identifying information with third parties for research and analysis, demographic profiling, and other similar purposes.”
This situation drives home the importance of being an informed digital citizen who knows just what they are opting into when they get caught up in the latest digital trend. While Pokemon Go may be the immersive experience that everyone is talking about, responsible users must be aware of the risks associated with handing over their metadata, even if it’s not giving away their personal data.
Now go out and catch ‘em all.