The Risks and Perils of Pokemon GO

Posted By Anna on Aug 19, 2016 | 3 comments

This summer it seems the world has gone crazy over Pokemon. The characters who first gained fame in the animated series from the early 2000s have returned triumphantly and are again earning millions – now in the form of the game Pokemon GO. Its popularity is such that even serious IT-themed internet publications are writing articles about the rules of the game and advice about how to download and install it in countries where the app is not officially released yet.

However, the game has drawn more than just praise. Even though it is a very recent phenomenon, the app has already caused several incidents. In some, it has played the role of victim, and in others, that of villain.

For example, on Google Play there have been three viruses masquerading as Pokemon GO. Of particular concern was one called “Pokemon GO Ultimate”. This “app” from hackers promised access to the game in countries where it had yet to be officially released, but then completely paralyzed smartphones, frequently without the possibility to reboot them. Even after hard reboots, the virus would continue to work in the background. It would also redirect browser traffic to pornographic websites.

Two more pieces of malware displayed ads on the screens of the affected devices or threatened the owners of the smartphones into signing up for paid services.

The offending apps were detected and removed from the store, but a large number (more than 50 thousand) of users managed to download the app before that and infect their gadgets. And this happened in the official Google play store! Imagine what is taking place in less regulated app repositories, where there are practically no checks on the available programs.

It turns out that these are not the only problems one can encounter after downloading Pokemon GO. Widely circulated posts worry about the game’s capability to spy on gamers and pass their personal data on to third parties. Few apps have drawn so much criticism for violating the confidentiality of their users. Some talk of the dirty PR tactics of the company (to attract interest in its product), others hint about a conspiracy of the “hidden world” or about the direct participation of the surveillance state in making the game. Whether or not to believe these extreme versions is a private choice. However, there is a perfectly official source that makes it possible to find out exactly which information is being collected. On the website of the company Niantic in the section dedicated to Pokemon GO, one can find the publicly-available confidentiality policy. It’s a shame that people rarely read the EULA – such agreements are not always as boring and useless as they seem.

Let’s Refer to the Source

Writing this article, we used the most recently published Pokemon GO confidentiality policy. We provide here a short summary of the contents of this document:

• To register for the game, in addition to going directly through the service, you can use a Facebook or Google account. All users will need to provide an email address. You also need to provide your age and a name (not necessarily your real one). For children 13 years and younger, the permission of a parent or guardian is required in order to register for the game. If a child is discovered to have made an account without parental consent then the account is to be deleted.
• The provider’s services may record not only the IP address, browser type, and operating system of the user, but also any websites visited prior to opening the app. It also records the time you’ve spent on these websites and links you may have followed from them. Even in the event of closing or deleting your account, some information stays with the company. All private messages exchanged with other players also belong to the company. They claim that your data is all the same secured, and the private identity of the user will not be made public. The collected data is planned for use only in targeted advertising, demographic profiling, and for the betterment of the service.
• Another term is cookies, which allow tracking the entire history of the interface between the game and the app. Some of them are not deleted after the end of the session. Third parties (for example, advertisers) can also install cookies on the user’s hard disk.
• The game’s design, based as it is on virtual reality, makes it necessary to track the exact location of the user – after all, Pokemon appear near the user. The game does not allow the user to stop geolocation. However, in addition to the game developer, geographic information becomes available to other gamers. If the user tries to stop geolocation services, then almost all functions of the game cease to work (and the game loses its point).
• The company Niantic, which created Pokemon GO, shall upon request immediately transfer any information to the authorities. This could be caused by subpoena, the protection of the company’s rights and properties, the rights or security of third parties or society in general, or by any evidence of illegal behavior. The company assumes the right to determine the boundaries of these concepts.

With “confidentiality” like this, one could immediately give up on any means of securing privacy online: secure messengers, two-factor authentication, and the like. This seems a little strange against the background of a tendency towards securing private data. On top of which, many other leading companies in the IT sphere throughout the world support the right of users to secure private data.

Last winter’s conflict between the FBI and Apple, when security services were refused access to the smartphone data of a suspected terrorist, was highly revealing. Apple wasn’t trying to protect criminals, but instead trying to consistently enforce their company policy, in which is enshrined the notion of securing user data without any exceptions. If they were to deviate from this policy even once, then there would be no guarantee that the data of law-abiding citizens would also be protected from the government. Apple was able to defend its position in court, and the FBI was forced to turn to hackers to crack the iPhone. The principled position of the Cupertino company inspired many others: one direct result was WhatsApp’s decision to implement end-to-end encryption (one of this idea’s creators called Tim Cook his hero).

Is it worthwhile to prohibit Pokemon GO, as is demanded in some countries? Any limitations would only give it the allure of being forbidden. It would almost certainly be more productive for every user to individually weigh the pros and cons of such loose data protection and then decide for themselves whether or not to play. This is what is called “free choice”, and that is something that we all want to have.