Pokémon GO™ Security, Privacy and Legal Monsters

Teresa Loccisano

Jul 21 2016

Snatching images of Pokémon® monsters on mobile phones with the Pokémon GO™ App has spread like a fever across the globe. Since Niantic, a Google-owned Silicon Valley company, launched the augmented reality (AR) game in early July, Nintendo’s market value doubled.

Pokémon GO already has more daily users than Twitter®, and surpassed Candy Crush as the biggest mobile game ever with a peak of 21 million active daily users. The AR game sends typically home-bound gamers out into the world to find Pokémon characters that appear in locations using the camera and sensor technology in their mobile phones. It’s all about capturing Pokémon monsters and battling for “gym” control at locations arrived at via instructions from the App.

With BYOD sweeping through corporations, Pokémon GO is already in the workplace, big time. What are some of the implications of the Pokémon GO corporate invasion? It’s also on the streets, steering players to landmarks and potentially unsafe locations across cities. What legal, security and privacy issues loom over this monster-snatching game?

Privacy Potluck
Shortly after the release, a major privacy concern surfaced when it was discovered that Pokémon GO gave itself full access rights to users’ Gmail™, Google Docs™, location history, search history, and more without iOS users’ knowledge. Niantic and Google said this was an inadvertent bug, assuring users they collected no PII beyond IDs and emails before the bug was fixed. To set up an account, users still must give the App IDs, emails and other information, as well as access to their camera, phone sensors and location to play the AR game.

Even without the extra access to PII, Pokémon GO no doubt stores a treasure trove of private information. In their privacy policy, the company indicates it will collect and store account information such as your or your “authorized child’s” date of birth and email address. Pokémon GO log data may include your device’s IP address, user agent, browser type, operating system or the last website you visited before accessing the game—all to help them improve your experience and the services. During play they also collect your mobile device identifier, settings, operating system and of course, your location.

Pokémon GO says they do not share your PII, except for (1) company use, (2) service providers for their administrative and game services who are bound by security and non-disclosure obligations, (3) aggregate PII information to third parties for research and analysis, (4) required disclosure during business transactions like mergers or acquisitions and (5) to protect their rights or cooperate with law enforcement.

Given the vast amount of PII Pokémon GO will store—remember they already have 21 million users—their security systems and incident response protocols are extremely important, given rampant hacking activity in today’s cyber environment. Yet, Niantic servers have already been hacked, raising ongoing privacy worries.

Malware & Security Monsters
BYOD and network security concerns will follow the rise of Pokémon GO. A security firm found a remote access tool (RAT) inside a rogue Android™ Pokémon GO version, which can give an attacker full control over a phone. Users in markets where Pokémon GO has not been officially released have fallen prey to this malware attack, which takes advantage of the app side-loading capability in the Android system. Invasions of phones like this can result in bad actors swiping user credentials to get into bank and credit card accounts, or gaining access to sensitive company information on BYOD devices. With 48% of BYOD users disabling company-required security settings, CISOs will worry that a hacker will devise a way to use Pokémon GO to enter the company network.

Pokémon GO Problems at Work
A healthcare organization recently instructed all employees and the public to stop using the app on its campuses. “Unfortunately, we have had a number of coworkers and members of the public who have been using this application while on our many campuses, causing our campuses to be ‘marked’ as popular ‘PokéStop’ locations on the game,” according to the email from HR. This has caused disruption to patient services and concerns over staff safety as gamers arrive at all hours of the night.

A major aerospace company banned Pokémon GO from work phones after a distracted employee nearly suffered an injury. And a young worker at a banking/IT firm had his phone confiscated and a serious chat with HR and security after he used his camera to throw Pokéballs at a wild Zubat he encountered while at work. His employer bans cameras due to the presence of sensitive, private customer data. Oops.

Crime & Punishment
Pokémon GO has led gamers to unsavory places where drug use is rampant, and even to Rikers Island, New York City’s main jail complex. In Missouri, unsuspecting gamers were lured to a place by other Pokémon GO users who robbed them. One man finds gamers constantly on his doorstep looking for a Pokémon GO gym. His house is a converted church, apparently still marked on maps as a church, a common Pokémon GO stop. Overly zealous gamers are getting injured running into walls chasing Pokémon monsters, twisting ankles in ditches and stepping in front of traffic—all in hot pursuit of Pokémon GO success.

It’s not hard to imagine law enforcement needing to collect information off the mobile phones of Pokémon GO users to investigate assaults, robberies or other crimes that may happen at gyms or Pokémon stops. Workplace injuries that occur when employees using industrial machinery are distracted by Pokémon activity could also mean App data, camera activity and location data may need to be preserved for legal discovery. Personal injury, property damage and trespassing claims are surely just around the corner. Niantic itself will likely receive subpoenas to provide evidence from the data they store on gaming activity and gamers, as they anticipate in their privacy policy.

Where do we GO with Pokémon GO?

  • Organizations may want to assess the impact of Pokémon GO, and make any needed adjustments to their BYOD policies and workplace rules.
  • Google™ users should make sure wide permissions were not given to Niantic on their mobile device, and implement the fix if necessary.
  • E-discovery and forensic investigators might prepare for yet one more new data type and source that may require preservation, collection and analysis.

Law enforcement, plaintiffs and defendants might consider how to leverage evidence on their whereabouts, actions and images of crime scenes from Pokémon GO data—it’s piling up fast.
