Gaming Security

Is Pokémon Go a Privacy Minefield, Or Is Your Data Safe?

Philip Bates 22-07-2016

Listen to the media and Pokémon Go is the worst thing since Brexit, Trident, and Donald Trump.


The app has caused people to crash their cars, waste police time by reporting stolen Pokémon, and wander down dark alleyways unaware of their surroundings. Some good has come out of it 4 Ways Playing Pokemon GO Can Improve Your Life You're likely one of the many people obsessed with Pokemon Go. Did you know the game can have positive effects on your life and the world around you? Here's how! Read More too though.

For those with an eye on their own privacy, however, concerns were raised over the game’s permissions, and exactly how such data is stored…

What’s All This About App Permissions?

The troubles began when iOS users noticed a worrying clause in the app permissions that seemed to give developers, Niantic Labs “full access” to your Google account. That would mean they could peruse your Inbox, send emails, rifle through your contact list, change your password How to Change Your Password on Any Desktop or Mobile Device Your password is the only thing standing between a stranger and your most private data. When was the last time you updated your device password? We show you how to change it right now. Read More , take a look at your browser and location histories, and do as they wish to documents and photos saved on Google Drive.

If all that were true, millions of people would’ve just handed the keys to their lives to complete strangers in exchange for recapturing a bit of their childhoods 8 Ways to Celebrate Pokemon's 20th Anniversary This year, on 27th February, Pokémon celebrates its 20th anniversary. Here's how to celebrate in style! Read More . In one brilliant bit of subterfuge, Niantic would’ve achieved what our governments’ surveillance services have always wanted Tomorrow's Surveillance: Four Technologies The NSA Will Use to Spy on You - Soon Surveillance is always on the cutting edge of technology. Here are four technologies that will be used to violate your privacy over the next few years. Read More .


Fortunately, in this case, full access doesn’t actually mean full access.

It sounds unbelievable, but it comes down to a mistake. The problem stems from Niantic accidentally using an old version of Google’s shared sign-on service, which streamlines the signing-up process. Oops. Google and Niantic assure their user base that only basic permissions are granted to the app, with the latter issuing this statement:

“We recently discovered that the Pokémon Go account creation process on iOS erroneously requests full access permission for the user’s Google account… Google has verified that no other information has been received or accessed by Pokémon Go or Niantic. Google will soon reduce Pokémon Go‘s permission to only the basic profile data that Pokémon Go needs, and users do not need to take any actions themselves.”

Phew! You can all sleep soundly now — especially if you download the update You Might Need to Upgrade Your Phone for Pokemon Go Will your phone be able to handle Pokemon Go? Read More , then sign out and back in again; this corrects the permissions so no one can legally root through your private information.


Still, this was a surprising mistake, and testimony to the fact that most of us don’t actually check what we’re signing up for Why You Should Read Terms of Service, Make Pokemon GO Go Away... [Tech News Digest] Everybody skips past Terms of Service, PokeGone turns Pokemon GO into Pokemon NO, Facebook keeps your conversations secret, Blizzard silences douchebag World of Warcraft players, and Samuel L. Jackson explains Game of Thrones. Read More . Android Marshmallow does at least spell out exactly what permissions the game needs to have How Android App Permissions Work and Why You Should Care Android forces apps to declare the permissions they require when they install them. You can protect your privacy, security, and cell phone bill by paying attention to permissions when installing apps – although many users... Read More .

Okay, So What Data Does Pokémon Go Actually Collect?

In that same statement, Niantic assured us:

Pokémon Go only accesses basic Google profile information (specifically, your user ID and e-mail address) and no other Google account information is or has been accessed or collected.”

Whichever you sign in — using a Google account or joining the Pokémon Trainer Club — you’re giving away your email address and username. This is fairly standard practice What Are Android Permissions and Why Should You Care? Do you ever install Android apps without a second thought? Here's all you need to know on Android app permissions, how they've changed, and how it affects you. Read More when logging into games.

There are a couple of further obvious permissions Pokémon Go needs in order to actually work: primarily, that’s location data Your iPhone Is Tracking You - How To View That Data & Turn It OFF It has come to light in the past few days that all 3G based iPhone and iPad devices are recording a complete history of your location data ever since you bought the device (or upgraded... Read More and storage access. This is a GPS-based game, so without knowing where you are and how far you walk, it’s pretty useless.


It will also require access to your camera because that’s how augmented reality (AR) works Augmented vs. Virtual Reality: What's the Difference? Augmented reality. Virtual reality. Mixed reality. What are all these "realities" and how are they going to impact you over the next few years? Here's everything you need to know. Read More . But while seeing a Poliwag sliding around the bath is good fun, it’s not necessary. Indeed, if you’re worried about your battery life Avoid These iPhone Apps for Better Battery Life Killing background apps won't save your battery — in some cases you'll have to completely avoid an app in order to stop it from draining your smartphone's energy. Read More , turning off AR should help and sidestep Go’s need to access your camera.

Nils Tracy, head of technology, media, and telecommunications at the Washington-based Height Securities, warns:

“It doesn’t record video to your phone, but the capability is there to do it.”

That’s the most concerning thing right now: the app’s potential to be used to infringe your privacy.


Before thinking of expanding the Pokédex to include Cyndaquil, Swablu, and beyond, Niantic plan on addressing a few other items on users’ “most wanted” lists, namely multi-player capability. That would explain why Pokémon Go wants access to your contacts. But it appears that permissions for upcoming updates have already been built into this early version; right now, there’s absolutely no need for collection of that information.

What Happens to Your Data?

Everyone can calm down: third parties and hackers can’t access your email via Pokémon Go. So there’s nothing to worry about… right?

Actually, Niantic can still pass some data onto third parties, including potential buyers (in the event of acquisition or bankruptcy, for instance) and law enforcement agencies. That doesn’t include your inbox because the app never had that permission anyway. Instead, it’s Personal Identifier Information (PII), like your telephone number, date of birth, and email address. That’s all still very valuable information Here's How Much Your Identity Could Be Worth on the Dark Web It's uncomfortable to think of yourself as a commodity, but all of your personal details, from name and address to bank account details, are worth something to online criminals. How much are you worth? Read More , considered a business asset. Fortunately, The Pokémon Company has taken on Nintendo’s policy:

“We don’t share, sell, or rent your personal information to third parties without your prior consent.”

There are ways around that, however. Prior consent, in most cases, just means you’ve agreed to the Terms and Conditions, which you have to do anyway in order to actually start playing.

Data including your location, operating system (OS), settings, and device identifier (a number unique to your smartphone or tablet) can be used to improve Pokémon Go services — but what actual services that includes is unknown right now. Location-based advertising, for instance, could be viewed by some — specifically Niantic — as an improved service. Water-based Pokémon already appear when you’re near the sea or river, but imagine a Machamp popping up when you’re by a local gym…

While Niantic admits to storing location-based data, there’s no mention of what actually happens to the pictures you might take of Pokémon, and their AR backgrounds.

What we really need to know is: is our data safe?

With so much data gathered from millions of users worldwide, the Niantic servers are massive targets for hackers, and the company won’t (rather understandably) reveal the security measures they’re taking to keep your information private. They’ve already been victim to a Distributed Denial of Service (DDoS) attack What Is a DDoS Attack? [MakeUseOf Explains] The term DDoS whistles past whenever cyber-activism rears up its head en-masse. These kind of attacks make international headlines because of multiple reasons. The issues that jumpstart those DDoS attacks are often controversial or highly... Read More , if two hacker groups can be believed.

When the app failed to load for hours on end last weekend, the obvious conclusion was that the servers were under too much pressure to cope; instead, PoodleCorp and OurMine both claimed responsibility. The latter supposedly executed the DDoS so Niantic would note that their servers aren’t secure enough, vowing to end the attack when the firm contacted them to find out how to protect data. PoodleCorp has threatened to do it again on 1st August, for less noble reasons than OurMine:

“We do it because we can, nobody can stop us and we just like to cause chaos.”


Is There Anything Else You Should Be Worried About?

Conspiracy theorists Top 9 Conspiracy Web Sites Conspiracies refuse to die away even in this day and age. Here are the top conspiracy forums and conspiracy websites out there. Read More will read a lot into the Kremlin’s apparent warning that Pokémon Go is secretly collecting vast amounts of data; already, President Vladimir Putin is reportedly set to ban the app. That should annoy any users who’ve heard that there’s an Aerodactyl soaring around Red Square or Muk in the Imperial Palace.

The Kremlin’s suspicions stem from the past of Niantic CEO, John Hanke. He was previously CEO of “geospatial data visualization applications” firm, Keyhole Inc. (creator of Google Earth), which was partly funded by In-Q-Tel, the CIA’s venture capital arm — but more specifically by the National Geospatial-Intelligence Agency (NGA), which supports the USA’s intelligence and defense departments.

Admittedly, that’s a bit worrying, but more evidence of Hanke’s continued links to the CIA needs to be found before we can start accusing Pokémon Go of being a nefarious tool of the Illuminati.

The app isn’t available in Russia yet, but that didn’t stop fans in the UK downloading it early regardless, either by changing their region in the App Store or using Pokémon Go APKs (Android Application Packages); if you downloaded the latter or have accidentally found an unofficial version of Pokémon Go, you need to worry about malware Did You Treat Yourself To Pokémon Go Malware? You REALLY want to play Pokemon Go, so you've installed region-free copy acquired from a third party mobile store. But did you know that you could be opening your Android device to malware? Read More .

Back to the real game, though, and we can find something funky in the Terms of Service, which nobody actually reads anyway. There’s a rather interesting clause that stops you from filing a lawsuit, or joining others wishing to proceed with class action against Niantic.

In other words, Pokémon Go is taking away your legal rights.

If you’ve only downloaded the game within the past 30 days, you can still opt-out by emailing the company. Dig into the Terms of Service of many firms and you’ll find near-identical clauses.

Should You Panic?

No. That’s the simple answer.

While we permanently need to question app permissions, those you grant Pokémon Go are needed for the app to work, and are similar, and in many instances the same, as other apps. Facebook knows a lot about you What Does Facebook Know About You? Why You Should Delete Facebook What does Facebook really know about you? One thing's for sure: if you want online privacy, Facebook is best avoided. Read More , but most people are perfectly happy to throw mounds of data onto the social network. The same goes for Google Five Things Google Probably Knows About You Read More . As John McAfee says:

“Why pick on Pokémon Go when a quarter of a million apps have been doing this for years?”

Related topics: Mobile Gaming, Online Privacy, Pokemon GO.

Affiliate Disclosure: By buying the products we recommend, you help keep the site alive. Read more.

Whatsapp Pinterest

Leave a Reply

Your email address will not be published. Required fields are marked *

  1. Eddie G.
    April 29, 2017 at 5:07 am

    Pokemon Go is the stupidest form of idiocy to strike America. People are walking around with their cellphones trying to catch imaginary animals?...and for WHAT?....some points in a game? I agree with Aishwarya Malhotra this IS crazy! In an age where nothing is as safe as it used to be, we have people walking down DARK ALLEYS?...all for a GAME!? Its like the more technology advances?....the STUPIDER mankind becomes! If you want to see what mankind will become in the future?...(and THIS is funny!) go out and buy the DVD of the movie "Wall-E"....those fat-out-of-shape-blob-like beings?...are what humanity is heading for....they will become SO dependent on machines they won't think for themselves anymore...or MOVE for themselves anymore...or LIVE for themselves anymore! And at some point?....the whole AI movement?...will "logically" come to the conclusion that mankind isn't "needed" anymore!...LoL! (Is this starting to sound like a Conspiracy Theory or WHAT!?) But think about it...there's this incessant "push" by everyone from companies and governments....from the financial sector to "automate" EVERYTHING so that our lives can be easier. But lets analyze just TWO of the so-called "beneficial" technologies that are out there and seem to be moving forward.
    First? "Smart Cars"...or cars that can drive themselves. Listen, I'm from the 70's and there will NEVER be a time when I'm getting in a vehicle that ISN'T OPERATED or CONTROLLED by a HUMAN BEING...period. I don't care if they become the standard, if they decide to outlaw human operated automobiles?....I'll ride a bike or walk. NO computer will EVER have the "experience" of a human driver....all a computer sees is zeroes and ones. A Human?...can "feel" when a turn isn't right....can "tell" (from experience!) when to give more for the technology itself? Well there are videos of people who show a car with "smart" technology BEING HACKED and the driver losing control of the BRAKES and the STEERING. What kind of MADNESS is this that says this is acceptable?
    The other tech that seems to be oozing out from everywhere is The Smart Home. Now understand...having a remote control that can: turn on the fireplace, turn on the lights....start up the MP3 player...and unlock the doors while opening the garage is great indeed. But is NO ONE thinking with their BRAIN? if a GOVERNMENT AGENCY can be hacked....what makes you think your "Smart home" CAN'T be?....all it takes is for someone to know how to gain access to ANY of the IoT devices in your home and they can UNLOCK your front door..(speaking of which what is the PURPOSE of a fridge being connected to your microwave...that's connected to your washer and dryer?...Jeezus!)...walk right in and take whatever they want because they'll have also disabled the alarm system! As far as I'm concerned?....leave me out of it. All of it. I want a STUPID car...a STUPID house...I don't even want a "smart" TV!....since that too has been proven to record activity whether its on or not. And with regards to "Alexa/Echo"..."SiRi"...and "Cortana"?...NO THANKS! they only respond when you call out their name right?....they're not LISTENING when you DON'T!...(yeah.....riiigghhhtt!) Pathetic.

    • Philip Bates
      April 30, 2017 at 2:14 pm

      A lot to unpack there, Eddie, but the main thing is, even though I write for a tech website, I agree on a few of your points The people wandering down dark alleys to play Pokemon Go are stupid. We've a few articles about safety which include that very simple rule. Remember where you are. Still, you can't underestimate a game; there's nothing wrong with playing Pokemon Go - you just need to keep your head together, and be reasonable with it. Indeed, without games and other forms of entertainment, life would be very boring.

      I think the same can be said about smart cars and smart homes too. As long as you maintain basic safety precautions, you'll be fine. Everyone should recognise that these things can and will be hacked, that data is being gathered, and then have to conclude whether the risk is worth it.

  2. Anonymous
    August 18, 2016 at 1:25 pm

    this is crazy

    • Philip Bates
      August 30, 2016 at 5:11 pm

      Care to elaborate? What's crazy, the game or the privacy worry or something else?