Two men recently fell off a cliff while playing Pokémon Go in San Diego. Two teens accidentally crossed the U.S.-Canadian border to catch the ubiquitous Pokémon characters. A driver in Baltimore, apparently distracted by the game, crashed into a parked police car. In New York, dozens of people dashed out of their vehicles to chase a Vaporeon through Central Park. Unfortunately, these lapses in judgment are not the only disturbing issues to arise from the Pokémon Go phenomenon.

Pokémon for the Uninitiated

For those of you who haven’t downloaded the insanely popular Pokémon Go app, the game basically gets you to travel around in real life and look for Pokémon characters to capture. Well, you don’t actually see Pokémon in real life (unless you’re in San Diego for Comic-Con). Instead, the characters appear on your mobile device – which you can find yourself staring at even more intently than usual. (It’s no wonder that some players lose sight of their surroundings, and even walk off cliffs.) The goal is to capture as many Pokémon as you can. While you’re playing, the app accesses your location and camera and keeps copious notes.

Fans of the game praise it for getting people off the couch and exploring the world around them, and millions of players worldwide are certainly enthralled. But given the potential risks to personal data, our inner adult might say, “Put the phone down and just take a walk.”

Pokémon as Personal Assistant

[Update: According to the app store, Google has reduced Pokémon GO’s permissions so that the app can only access basic Google profile information.]

To access the Pokémon app, users must grant full access to their Google account. It doesn’t take an IT security genius to tell us that this means that someone exploiting the app could:

  • Read and delete your email
  • Send email as you
  • Read, edit and delete your Google Drive documents
  • Access your calendar, location and contacts

It also means that anyone who accesses the Pokémon servers could exploit that information as well. Malicious hackers could not only obtain your Google login information, but they could also access sensitive information you might have in your Google account, such as credit card numbers, security codes and medical information.

Pikachu Goes Phishing

Even if you’ve followed security protocols by the book and have never sent or received sensitive data via email, you’re still at risk. Because the app has access to your contacts and email, anyone who has access could send and receive emails as you.

This means that Janice in accounting could get an email from “you” asking her to remind you of your bank information, or Sean in IT could get an email from “you” asking for the network login. Trusting that you’re a legitimate employee, they could send that information back via email thinking you will get it – but, unwittingly, they’ve just compromised the entire company.

Hidden in Plain Site

Niantic, the creators of the Pokémon app, will tell you that they’ve been straightforward in disclosing this broad access, and that none of this should come as a surprise. This is because the company says in its Privacy Policy that users’ Google accounts will be accessed.

The problem with privacy policies, though, is that no one reads them until something bad has happened. This is especially true when the privacy policy has the length and character of a Tolstoy novel. For those of you without the time or inclination to delve into this novel, here are the CliffsNotes:

The Pokémon app can access your personal information, including:

  • First and last name
  • Email address
  • Telephone number
  • Address and current location
  • IP address and device identifier
  • ISP name
  • School or company name

The Pokémon app can share this information with third parties that may not have agreed to abide by the terms of the Pokémon Privacy Policy.

The Pokémon App tracks your every move and uses that information to sell you things. Oliver Stone calls this “surveillance capitalism,” and warns that this type of access can be used to further manipulate our behavior.

Parents Be Warned

One of the more frightening aspects of Pokémon Go is the potential for kidnapping. Hackers love to exploit security holes in mobile apps, and Pokémon is an ideal app for tracking and locating individuals of interest. The fact that businesses and individuals can purchase “lures” to be placed in the game only heightens concerns.

Rules of Thumb

Pokémon Go is unquestionably fun for millions of players who’ve become enthralled with the game. That said, given the privacy issues involved, there are a few basic takeaways if you’re considering becoming one of them – or even if you’re already swept up:

1.) Read the privacy policy before you download the game. Understand what information may be used and how it may be used.

2.) If you’re playing Pokémon Go, know what you agreed to. You can still read the privacy policy, and if your concerns are serious, you can delete the app.

3.) If you’re concerned about who and what may be connected to your Google account, review that information here.

About the author

Laurel Edgeworth

Laurel Edgeworth is an IP attorney with seven years of experience representing businesses in the digital media, mobile, Internet, software and education industries. She counsels clients on the acquisition, protection, management and leveraging of technology and intellectual property.
