Privacy and Pokémon Go App

Pikachu has the ability to take a peek at you. Just days after its release, the app had more users than Facebook, Snapchat, and Tinder, and boosted Nintendo’s market value by $7.5 billion with shares up 120%. The game isn’t without controversies: the game contributed to an armed robbery, reckless driving, and pedestrian carelessness. But privacy concerns are grabbing the headlines. It turns out, the game has an incredibly broad access to user data which far exceeds what’s needed to play the game. Are Pokémon players getting played?

A Pokémon Primer

The wildly popular game which launched in July 2016, puts users in a real-time, real-life hunt for Pokémon characters all around them. The app was developed by Niantic, a Google spinoff invested in by Nintendo. Aerial maps superimpose a player’s avatar along their actual route and highlight stops, gyms, and how close characters are. To “catch” a character, a player activates their camera which augments reality by displaying the animation into the scene. With a swift swipe of a Pokeball, the character is collected. Players can battle their characters at designated areas on the map.

It’s a big technical leap to the Pokémon trading card game, cartoon, and video games from the late 1990s. Millennials who grew up in that Poke-age are revisiting the game in droves, and today’s kids are discovering it for the first time. Many parents are playing with their children, and local parks are reporting huge leaps in attendance as people are coming out in search of characters.

Malice or Mistake

Location information is obviously crucial to gameplay. But Niantic also has dibs on much more of users’ data. For the first few weeks of its release, the app could access:

  • Word Documents
  • Google Drive
  • Google Email Account
  • Photos
  • Search History
  • Map Use

Niantic maintains it only had erroneous access and could only really see user IDs and email addresses.

Corrective Measures

Just over a week into the craze, Niantic put out an update patch to scale back the data collected and tighten the “Google account scope:”

“We recently discovered that the Pokémon GO account creation process on iOS erroneously requests full access permission for the user’s Google account. However, Pokémon GO only accesses basic Google profile information (specifically, your User ID and email address) and no other Google account information is or has been accessed or collected. Once we became aware of this error, we began working on a client-side fix to request permission for only basic Google profile information, in line with the data that we actually access. Google has verified that no other information has been received or accessed by Pokémon GO or Niantic. Google will soon reduce Pokémon GO’s permission to only the basic profile data that Pokémon GO needs, and users do not need to take any actions themselves.”


Pokémon Go is an app released in July 2016 by a Google company backed by Nintendo. It pioneers the virtual gaming experience by placing game characters into real-life by way of a player’s phone camera. In order to accomplish this, user’s location data is used. Several days after the game came out, the app’s broad scope of data collection came to light. Players’ email, Google documents, photos, and other “unnecessary” data were being collected. App maker Niantic issued an update narrowing the account scope to user ID and email one week later. Meanwhile, millions of users have supplied the game maker with access to their data.

CIPP Exam Preparation

In preparation for the Certified Information Privacy Professional (CIPP/US) Exam, a privacy professional should be comfortable with topics related to this post, including:

  • Limits on Private Sector Collection and Use of Data (II)

Leave a Reply




You can use these HTML tags

<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>