By Jimmy H. Koo
July 26 — Players of Pokémon GO, a wildly popular location-based augmented reality game, may be missing real life threats to their private information.
Pokémon GO creates several privacy and security concerns, particularly for children playing the game, including geolocation tracking, excessive collection of personal data and possible sale of such information to third parties, privacy and security professionals told Bloomberg BNA.
Additionally, cybercriminals are taking advantage of Pokémon GO's popularity by creating malware disguised as a copycat version of the game, they said.
Pokémon GO, developed by San Francisco-based software company Niantic Inc., works by using the global positioning system and the camera of compatible mobile devices. The game allows players to catch, train and battle creatures called Pokémon that appear through augmented reality on the devices' screens, as if they are present in the real world.
According to Christopher L. Dore, a Chicago-based partner at Edelson PC, a plaintiffs' class action litigation firm that focuses on technology and privacy cases, the geolocation-centric aspect of Pokémon GO creates significant privacy concerns “impacting both data privacy as well as physical security.”
Because “the game takes place almost entirely outside and according to a known and accessible map, the physical location of where individuals, including kids, will want to be is well known,” Dore told Bloomberg BNA.
The vast amount of location data “would be available through a data breach incident,” or through sales by Niantic, Dore said. “There are both criminal and commercial uses for this information, and the demand for both is very high,” he said.
Adding to the problem, according to Dore, is the in-game feature allowing users to buy and place “lures” at specific locations that will attract many Pokémon. “This rush of Pokémon will be visible to anyone in the area and will therefore attract them as well,” Dore said. “The potential then for kidnapping, assault or robbery becomes readily apparent,” he said.
Phyllis H. Marcus, counsel in the global competition group at Hunton & Williams LLP in Washington and a former Federal Trade Commission attorney, agreed.
“Children who play have the very real ability to interact with strangers in real life,” Marcus, who formerly served in the FTC's Division of Advertising Practices, was in charge of the children's online privacy program and helped revamp the Children's Online Privacy Protection Act Rule, told Bloomberg BNA. Children can “follow lures and meet up with people they don't know,” she said.
Michael T. Raggo, chief research scientist at Baltimore-based social media security and threat intelligence company ZeroFOX, recommended that parents “advise their children to avoid posting information about their location on social media and online chats to avoid child predators, or sharing it via an application like Pokémon GO.” ZeroFOX has seen social media posts “encouraging children to meet at abandoned houses and other dangerous locations to play Pokémon,” he said.
People have already been physically harmed as a result of playing Pokémon GO, Marcus said. These are “very real world problems for an augmented reality game,” she said.
Although Pokémon GO has become popular among people of all ages, it raises a number of privacy issues, specifically with respect to children, according to Marcus.
The Children's Online Privacy Protection Act (COPPA) requires companies to get “verifiable parental consent” before collecting personal information from children under 13. According to Marcus, it's clear that Niantic anticipated younger children's participation and “set up what appears to be a decently designed notice and parental consent flow to capture that reality.”
Marcus said, however, that “what is not clear is how many parents have actually utilized the consent process or are thinking through the implications of their children's participation.”
In July 2013, the Federal Trade Commission released a revised COPPA Rule, which broadened the definition of personal information to include “persistent identifiers such as cookies that track a child's activity online, as well as geolocation information, photos, videos, and audio recordings” (128 PRA, 7/3/13). Marcus said that geolocation data is a big deal in protecting children's privacy.
COPPA also contains a data-minimization provision preventing operators from conditioning a child's participation on providing more information than necessary, Marcus said.
In a recent letter to Niantic Chief Executive Officer John Hanke, Sen. Al Franken (D-Minn.) identified what he called the over-collection of information as one of his concerns over the popular game. Franken inquired about “exactly which information collected by Pokémon GO is necessary for the provision or improvement of services.”
In addition to issues raised by data collection, data transfers and protection of children's privacy, hackers use trendy apps to “prey on the apps' millions of users,” Schulman said. Although hacking Pokémon GO itself is the “ultimate payload,” according to Schulman, there also are malicious copycats of the game with “incredibly realistic user interface” to lure potential victims.
Schulman said that his company has already seen more than 200 malicious Pokémon GO copycats on the Android platform, “packaged with malware and released on third party app stores, which, due to the country-by-country release of the game, were downloaded hundreds of thousands, if not millions, of times.”
Raggo said that his company has seen similar threats. There are “malicious links on social media to both fake Pokémon GO apps outside of the curated app stores, as well as social media phishing links that prompt the user to login to their account, harvesting their credentials,” he said.
“Simply, the popularity of Pokémon GO creates security concerns for its users on social media,” Raggo said.
“Avoid downloading Pokémon GO-related apps from links directly in social media,” Raggo said. “Go through the curated iTunes or Google Play stores,” he said.
Niantic didn't respond to Bloomberg BNA's request for comments.
To contact the reporter on this story: Jimmy H. Koo in Washington at firstname.lastname@example.org
To contact the editor responsible for this story: Donald G. Aplin at email@example.com
Copyright © 2016 The Bureau of National Affairs, Inc. All Rights Reserved.