Pokemon Stop

Posted by Phil on July 12, 2016

There's nothing like a good social media / app craze and 2016 seems to have been landed with Pokemon.

There will no doubt be plenty of well-researched articles discussing this new mobile app and for the technical readers looking at this post, take a look at this tweet from Den Delimarsky. Someone obviously hasn't taken Troy Hunt's Pluralsight course on "Hack Your API First".

The area I'm more interested in focussing on right now is the Niantic Labs privacy policy for Pokemon Go.

https://www.nianticlabs.com/privacy/pokemongo/en/

Like any normal person, you'll have agreed to whatever is in that statement without having even read it. Often these privacy statements aren't too bad, but this is an app that children use or are assumed to have been authorised to use by their parents. So it's probably worth checking what data is being collected.

What's in the fine print?

Right off the cuff, we start in Section 1 being told:

"During gameplay and when you (or your authorized child) register to create an account with us, we’ll collect certain information that can be used to identify or recognize you"

So they're gathering information about you all the time: when you register, and then while you're playing the game. What are they gathering? The policy lists the following:

  • Unique user name (tied to you or your child)
  • Your email address
  • Your date of birth
  • Your IP address, browser details, and operating system
  • The web page you were on BEFORE visiting the Pokemon Go site and where you clicked during and after
    • It's worth noting they may engage a 3rd party to analyse that data and despite all assurances that the information will be stored securely (ref: S 7), there's no definitive explanation of what that looks like. History has shown that companies tend to "take security very seriously" only after their data has been breached.
  • Location data (this one is really important) - Section 2e
  • Third parties are “obligated to secure” your “Personally-Identifiable Information” or “PII”, but this is not (and cannot be) enforced
  • Their services “do not have the capability” to respond to Do Not Track (which translates to 'We do, but we’ll ignore it because it doesn't really suit us')
  • Section 7: “Security” - “We cannot guarantee the absolute security of any information” - but wait, didn't you just say you were going to be really secure?

So to recap, here's what the game knows about you or your child: Their name, their email address, their date of birth, their ACTUAL address (location data, remember?), and their device's address and software details. We're just going to take it on faith that their security is effective (I have my misgivings).

So that's what information you expressly share, but what services on the phone are you asked to grant access to?

So it can read everything on your SD card, modify that content, read all of your contacts and retrieve information about them.

The Privacy Argument

The common argument is that the company will be aggregating this information and will likely never use anything at an individual level. Another is that they aren't interested in little ol' me and I'm not sharing any useful information anyway. Finally, a third argument is "well, what's the worst that could happen?"

Let's look at each of these. Sure, the company will be aggregating this data - it's likely one of the biggest social databases (certainly one of the most up-to-date) in use globally today. But that data never stays in the hands of the company for long. As it's such a big target, the temptation for hackers to exploit and sell that data becomes very strong. The dataset would likely be highly valuable, so a very compelling prize. I'll come back to this point in a moment.

To say they're not interested in you specifically, and that nothing much would happen in a breach anyway, is naive at best. Section 3(d) says:

Information that we collect from our users, including PII, is considered to be a business asset

So they can choose to sell (or may be forced to sell in the event of an acquisition or merger) the data to whomever they choose. What if they sell to marketing companies? At no point is Niantic specific about who they are providing any information to or how they are monetising that data.

And now the "what if" worst case part. The Pokemon Go API (the web services that are used to send and receive the data being collected) has already been shown to be inherently insecure. What if someone with enough technical knowledge and an unfavourable interest in children were to intercept the data that's being transmitted or stored from devices in a given area?

As with any mobile / social networking service, just make sure you're well-informed about what your child is doing, what information is being shared and with whom it's being shared. The NZ Privacy Commission has excellent, easy to understand resources on protecting children and it's worth your time to read them. You don't need to go full tinfoil hat on this game but a little paranoia in small doses is probably a healthy thing.

Good luck catching 'em all!


Update:

BuzzFeed is writing about the same thing and has some really valid perspectives on logging in with your Google account: https://www.buzzfeed.com/josephbernstein/heres-all-the-data-pokemon-go-is-collecting-from-your-phone and Adam Reeve has already questioned the extent to which the game can reach into your phone: http://adamreeve.tumblr.com/post/147120922009/pokemon-go-is-a-huge-security-risk, although Google have advised that “full account access” does not mean a third party can read or send email, access your files or anything else. It means Niantic can only read biographical information like email address and phone number.

There's a lot of discussion and alarm bells with the wording of this privacy policy. The bottom line in any case is always "make sure you've read and understood the terms for using a service and what data you'll be sharing with it".