Of Pokémon, Pikachu, parents, and privacy

“What the [Pokémon Go] app is actually doing — meaning the broad swath of information the app is collecting — is creepy. It’s not just kids playing the game, and it’s not just privacy advocates who are concerned.” — Anne McKenna, Penn State assistant professor of law

We were curious about the Pokémon Go craze that has infiltrated much of the world and wanted to get a legal perspective on the situation. Cyber and privacy attorney Anne McKenna graciously answered some questions about it from our news and research communications staff.

Research Matters: Pokémon Go seems innocent enough, but it’s causing concern among many privacy advocates. Why is that?

Anne McKenna: On July 6, 2016, Niantic, Inc., released Pokémon Go, an app game that requires users to walk around in real world locations to collect Pokémon. It’s a global obsession. According to the BBC, in the app’s first week of release, there were 15.3 million tweets about it worldwide. For perspective, there were only 11.7 million Brexit-related tweets during the week of the UK referendum. SimilarWeb, an apps analytics firm, says that Pokémon Go users are playing it on average 43 minutes a day — perspective again: that’s more time than users spend on Instagram, Snapchat, or Whatsapp.

An app that has people up and moving, walking around, and everyone is playing? Cool, right? In a time of painful political, social, and racial unrest, it’s a phenomenon that is crossing cultural and geographical borders. But what the app is actually doing — meaning the broad swath of information the app is collecting — is creepy. It’s not just kids playing the game, and it’s not just privacy advocates who are concerned.

Pokémon Go works by accessing your phone’s camera and using location data at all times, so from the outset, to play means to know you’re being physically tracked at all times. Turning over your geolocation is necessary for the function of the game. But the data collection doesn’t stop there. Within a few days of its release, privacy and security folks noted that the app had requested permission to access not just the camera and location data, but to access the app user’s Google accounts, emails, photos, calendars, stored docs, and login data.

Legal concerns abound as well, in part because of Pokémon Go’s broadly worded privacy policy and its terms of use. Its privacy policy permits a broad collection of data, and allows Niantic to de-identify user data, aggregate user data in any way it chooses, and sell this data to ANY third party it chooses for any purpose. Its terms of use significantly restrict the app user’s ability to assert legal rights and precludes any class action.

RM: What are the risks from pirated versions of the game?

AM: The market has been flooded with phony or knock-off Pokémon Go apps. At last count, there were over 250 knock-off apps that had flooded the market.  Some are simply software developers trying to make a quick buck, but others have far more sinister motives. For instance, one malicious knock-off app permanently freezes your phone, others install malware on your device, and others open porn ads or redirect the user to shady sites, generating third-party company ad revenue.

RM: Are there any warning signs to tip you off that you are about to download a pirated version?

AM: Look for key words that are out of place in the app’s title — for example, “Pokémon Go Ultimate.” If the app says anything other than Pokémon Go, it’s a good idea to avoid downloading it, especially if it isn’t offered from the Google play store or Apple store.

RM: Many children and teens are using the app. What should parents know?

AM: It’s not just children and teens using the app — it’s everyone. A whopping 40 percent of users who have downloaded Pokémon Go are adults over the age of 25.

The wild and multi-generational popularity of the app (launched only two weeks ago), has already prompted a warning from the National Safety Council pleading with drivers not to play the game while driving and cautioning pedestrians to be careful while playing it.

In a letter to Niantic, well-known privacy advocate and U.S. Senator Al Franken has raised legitimate concerns and demanded answers about Niantic’s astonishingly broad data collection. In his letter, the Senator noted: “Niantic has access to a significant amount of information, unless users — many of whom are children — opt-out of this collection.” Senator Franken wants to know if the vast data collection is necessary for the function of the game, and if not necessary, why is Niantic doing it? And what is Niantic doing with the data its collected? Plus, exactly what third parties are getting their hands on this data?

RM: Is there a possibility that criminals could use the geolocation information to stalk children? Are there other privacy or safety concerns about Pokémon Go? (Robberies, stalking, etc.?)

AM: In short, yes.

Reports have come in from around the globe that demonstrate the app’s potential for danger and misuse. Examples include:

RM: How can we avoid these things?

AM: Physical Safety: Don’t play Pokémon Go in places that are not familiar to you, play with friends you know, play in public places, and always be alert to your surroundings and the people around you.

Parents: Since so many people playing Pokémon are adults well over the age of 25, it’s a good idea to accompany your younger children when they play to keep them safe and help them steer clear of dangerous areas.

Data Privacy & Data Safety: Given that Niantic appears to have access to everything connected to your Google account, a good idea would be to opt-out of Niantic’s data collection practices. The downside — Niantic cautions (or threatens) that opting out will affect game function and opting out requires actually reading through Pokémon Go’s terms and conditions and privacy policy — ugh — before blindly agreeing to them (as so many of us do with apps all the time).

Anne McKenna is a visiting assistant professor at Penn State Law.

Members of the news media interested in talking to McKenna should contact her at atm19@psu.edu or Wyatt DuBois at 814-865-9030 or wed112@psu.edu

Featured image by Eduardo Woo, via Flickr CC BY-SA

Leave a Reply