Pokémon GO—Sacrificing Privacy to Catch 'Em All?

By Jimmy H. Koo

July 26 — Players of Pokémon GO, a wildly popular location-based augmented reality game, may be missing real life threats to their private information.

Pokémon GO creates several privacy and security concerns, particularly for children playing the game, including geolocation tracking, excessive collection of personal data and possible sale of such information to third parties, privacy and security professionals told Bloomberg BNA.

Additionally, cybercriminals are taking advantage of Pokémon GO's popularity by creating malware disguised as a copycat version of the game, they said.

Pokémon GO, developed by San Francisco-based software company Niantic Inc., works by using the global positioning system and the camera of compatible mobile devices. The game allows players to catch, train and battle creatures called Pokémon that appear through augmented reality on the devices' screens, as if they are present in the real world.

Geolocation Data—Collected and Sold

According to Christopher L. Dore, a Chicago-based partner at Edelson PC, a plaintiffs' class action litigation firm that focuses on technology and privacy cases, the geolocation-centric aspect of Pokémon GO creates significant privacy concerns “impacting both data privacy as well as physical security.”

Due to the fact that “the game takes place almost entirely outside and according to a known and accessible map, the physical location of where individuals, including kids, will want to be is well known,” Dore told Bloomberg BNA.

By collecting geolocation data, Niantic is able to “keep track of anyone, at any time, while they're playing the game or letting it run in the background,” Asaph Schulman, vice president of marketing at app security company Checkmarx Ltd. in Tel Aviv, told Bloomberg BNA. Additionally, Schulman said, the game's privacy policy allows Niantic to share aggregate information with third parties, “effectively giving them the right to sell users' geolocation data.”

The vast amount of location data “would be available through a data breach incident,” or through sales by Niantic, Dore said. “There are both criminal and commercial uses for this information, and the demand for both is very high,” he said.

Adding to the problem, according to Dore, is the in-game feature allowing users to buy and place “lures” at specific locations that will attract many Pokémon. “This rush of Pokémon will be visible to anyone in the area and will therefore attract them as well,” Dore said. “The potential then for kidnapping, assault or robbery becomes readily apparent,” he said.

Phyllis H. Marcus, counsel in the global competition group at Hunton & Williams LLP in Washington and a former Federal Trade Commission attorney, agreed.

“Children who play have the very real ability to interact with strangers in real life,” Marcus, who formerly served in the FTC's Division of Advertising Practices, was in charge of the children's online privacy program and helped revamp the Children's Online Privacy Protection Act Rule, told Bloomberg BNA. Children can “follow lures and meet up with people they don't know,” she said.

Michael T. Raggo, chief research scientist at Baltimore-based social media security and threat intelligence company ZeroFOX, recommended that parents “advise their children to avoid posting information about their location on social media and online chats to avoid child predators, or sharing it via an application like Pokémon GO.” ZeroFOX has seen social media posts “encouraging children to meet at abandoned houses and other dangerous locations to play Pokémon,” he said.

People have already been physically harmed as a result of playing Pokémon GO, Marcus said. These are “very real world problems for an augmented reality game,” she said.

Targeting Children?

Despite the fact that Pokémon GO has become popular among people of all ages, according to Marcus, Pokémon GO raises a number of privacy issues, specifically with respect to children.

The Children's Online Privacy Protection Act (COPPA) requires companies to get “verifiable parental consent” before collecting personal information from children under 13. According to Marcus, it's clear that Niantic anticipated younger children's participation and “set up what appears to be a decently designed notice and parental consent flow to capture that reality.”

Marcus said, however, that “what is not clear is how many parents have actually utilized the consent process or are thinking through the implications of their children's participation.”

In July 2013, the Federal Trade Commission released a revised COPPA Rule, which broadened the definition of personal information to include “persistent identifiers such as cookies that track a child's activity online, as well as geolocation information, photos, videos, and audio recordings” (128 PRA, 7/3/13). Marcus said that geolocation data is a big deal in protecting children's privacy.

COPPA also contains a data-minimization provision preventing operators from conditioning a child's participation on providing more information than necessary, Marcus said.

In a recent letter to Niantic Chief Executive Officer John Hanke, Sen. Al Franken (D-Minn.) identified what he called the over-collection of information as one of his concerns over the popular game. Franken inquired about “exactly which information collected by Pokémon GO is necessary for the provision or improvement of services.”

Dangerous Copycats

In addition to issues raised by data collection, data transfers and protection of children's privacy, hackers use trendy apps to “prey on the apps' millions of users,” Schulman said. Although hacking Pokémon GO itself is the “ultimate payload,” according to Schulman, there also are malicious copycats of the game with “incredibly realistic user interface” to lure potential victims.

Schulman said that his company has already seen more than 200 malicious Pokémon GO copycats on the Android platform, “packaged with malware and released on third party app stores, which, due to the country-by-country release of the game, were downloaded hundreds of thousands, if not millions, of times.”

Raggo said that his company has seen similar threats. There are “malicious links on social media to both fake Pokémon GO apps outside of the curated app stores, as well as social media phishing links that prompt the user to login to their account, harvesting their credentials,” he said.

“Simply, the popularity of Pokémon GO creates security concerns for its users on social media,” Raggo said.

“Avoid downloading Pokémon GO-related apps from links directly in social media,” Raggo said. “Go through the curated iTunes or Google Play stores,” he said.

Niantic didn't respond to Bloomberg BNA's request for comments.

To contact the reporter on this story: Jimmy H. Koo in Washington at jkoo@bna.com

To contact the editor responsible for this story: Donald G. Aplin at daplin@bna.com

Copyright © 2016 The Bureau of National Affairs, Inc. All Rights Reserved.