“What the [Pokémon Go] app is actually doing — meaning the broad swath of information the app is collecting — is creepy. It’s not just kids playing the game, and it’s not just privacy advocates who are concerned.” — Anne McKenna, Penn State assistant professor of law
We were curious about the Pokémon Go craze that has infiltrated much of the world and wanted to get a legal perspective on the situation. Cyber and privacy attorney Anne McKenna graciously answered some questions about it from our news and research communications staff.
Research Matters: Pokémon Go seems innocent enough, but it’s causing concern among many privacy advocates. Why is that?
Anne McKenna: On July 6, 2016, Niantic, Inc., released Pokémon Go, an app game that requires users to walk around in real world locations to collect Pokémon. It’s a global obsession. According to the BBC, in the app’s first week of release, there were 15.3 million tweets about it worldwide. For perspective, there were only 11.7 million Brexit-related tweets during the week of the UK referendum. SimilarWeb, an apps analytics firm, says that Pokémon Go users are playing it on average 43 minutes a day — perspective again: that’s more time than users spend on Instagram, Snapchat, or Whatsapp.
An app that has people up and moving, walking around, and everyone is playing? Cool, right? In a time of painful political, social, and racial unrest, it’s a phenomenon that is crossing cultural and geographical borders. But what the app is actually doing — meaning the broad swath of information the app is collecting — is creepy. It’s not just kids playing the game, and it’s not just privacy advocates who are concerned.
Pokémon Go works by accessing your phone’s camera and using location data at all times, so from the outset, to play means to know you’re being physically tracked at all times. Turning over your geolocation is necessary for the function of the game. But the data collection doesn’t stop there. Within a few days of its release, privacy and security folks noted that the app had requested permission to access not just the camera and location data, but to access the app user’s Google accounts, emails, photos, calendars, stored docs, and login data.
RM: What are the risks from pirated versions of the game?
AM: The market has been flooded with phony or knock-off Pokémon Go apps. At last count, there were over 250 knock-off apps that had flooded the market. Some are simply software developers trying to make a quick buck, but others have far more sinister motives. For instance, one malicious knock-off app permanently freezes your phone, others install malware on your device, and others open porn ads or redirect the user to shady sites, generating third-party company ad revenue.
RM: Are there any warning signs to tip you off that you are about to download a pirated version?
AM: Look for key words that are out of place in the app’s title — for example, “Pokémon Go Ultimate.” If the app says anything other than Pokémon Go, it’s a good idea to avoid downloading it, especially if it isn’t offered from the Google play store or Apple store.
RM: Many children and teens are using the app. What should parents know?
AM: It’s not just children and teens using the app — it’s everyone. A whopping 40 percent of users who have downloaded Pokémon Go are adults over the age of 25.
The wild and multi-generational popularity of the app (launched only two weeks ago), has already prompted a warning from the National Safety Council pleading with drivers not to play the game while driving and cautioning pedestrians to be careful while playing it.
In a letter to Niantic, well-known privacy advocate and U.S. Senator Al Franken has raised legitimate concerns and demanded answers about Niantic’s astonishingly broad data collection. In his letter, the Senator noted: “Niantic has access to a significant amount of information, unless users — many of whom are children — opt-out of this collection.” Senator Franken wants to know if the vast data collection is necessary for the function of the game, and if not necessary, why is Niantic doing it? And what is Niantic doing with the data its collected? Plus, exactly what third parties are getting their hands on this data?
RM: Is there a possibility that criminals could use the geolocation information to stalk children? Are there other privacy or safety concerns about Pokémon Go? (Robberies, stalking, etc.?)
AM: In short, yes.
Reports have come in from around the globe that demonstrate the app’s potential for danger and misuse. Examples include:
- Four Missouri teens used Pokémon Go‘s “lure” function to attract other players, who the teens then proceeded to mug
- Police in Indiana caught a registered sex offender who was playing Pokémon Go with a child, allegedly in violation of his parole
- A man in Florida shot at two teens playing Pokémon Go in a car assuming they were burglars after he heard them asking each other, “Did you get anything?”
RM: How can we avoid these things?
AM: Physical Safety: Don’t play Pokémon Go in places that are not familiar to you, play with friends you know, play in public places, and always be alert to your surroundings and the people around you.
Parents: Since so many people playing Pokémon are adults well over the age of 25, it’s a good idea to accompany your younger children when they play to keep them safe and help them steer clear of dangerous areas.
Anne McKenna is a visiting assistant professor at Penn State Law.