Snatching images of Pokémon® monsters on mobile phones with the Pokémon GO™ App has spread like a fever across the globe. Since Niantic, a Google-owned Silicon Valley company, launched the augmented reality (AR) game in early July, Nintendo’s market value has doubled.
Pokémon GO already has more daily users than Twitter®, and surpassed Candy Crush as the biggest mobile game ever with a peak of 21 million active daily users. The AR game sends typically home-bound gamers out into the world to find Pokémon characters that appear in locations using the camera and sensor technology in their mobile phones. It’s all about capturing Pokémon monsters and battling for “gym” control at locations arrived at via instructions from the App.
With BYOD sweeping through corporations, Pokémon GO is already in the workplace, big time. What are some of the implications of the Pokémon GO corporate invasion? It’s also on the streets, steering players to landmarks and potentially unsafe locations across cities. What legal, security and privacy issues loom over this monster-snatching game?
Shortly after the release, a major privacy concern surfaced when it was discovered that Pokémon GO gave itself full access rights to users’ Gmail™, Google Docs™, location history, search history, and more without iOS users’ knowledge. Niantic and Google said this was an inadvertent bug, assuring users they collected no PII beyond IDs and emails before the
Pokémon GO says they do not share your PII, except (1) for company use, (2) with their administrative and game service providers, who are bound by security and non-disclosure obligations, (3) as aggregate PII provided to third parties for research and analysis, (4) where disclosure is required during a business transaction such as a merger or acquisition, and (5) to protect their rights or cooperate with law enforcement.
Given the vast amount of PII Pokémon GO will store (remember, they already have 21 million users), their security systems and incident response protocols are extremely important in today’s cyber environment of rampant hacking activity. Yet Niantic servers have already been hacked, raising ongoing privacy worries.
Malware & Security Monsters
BYOD and network security concerns will follow the rise of Pokémon GO. A security firm found a remote access tool (RAT) inside a rogue Android™ Pokémon GO version, which can give an attacker full control over a phone. Users in markets where Pokémon GO has not been officially released have fallen prey to this malware attack that takes advantage of the side-loading app capability in the Android system. Invasions of phones like this can result in bad actors swiping user credentials to get into bank and credit card accounts, or gain access to sensitive company information on BYOD devices. With 48% of BYOD users disabling company-required security settings, CISOs will worry that a hacker will devise a way to use Pokémon GO to enter the company network.
Pokémon GO Problems at Work
A healthcare organization recently instructed all employees and the public to stop using the app on its campuses. “Unfortunately, we have had a number of coworkers and members of the public who have been using this application while on our many campuses, causing our campuses to be ‘marked’ as popular ‘PokéStop’ locations on the game,” according to the email from HR. This has caused disruption to patient services and concerns over staff safety as gamers arrive at all hours of the night.
A major aerospace company banned Pokémon GO from work phones after a distracted employee nearly suffered an injury. And a young worker at a banking/IT firm had his phone confiscated and a serious chat with HR and security after he used his camera to throw Pokéballs at a wild Zubat he encountered while at work. His employer bans cameras due to the presence of sensitive, private customer data. Oops.
Crime & Punishment
Pokémon GO has led gamers to unsavory places where drug use is rampant, and even to Rikers Island, New York City’s main jail complex. In Missouri, unsuspecting gamers were lured to a place by other Pokémon GO users who robbed them. One man finds gamers constantly on his doorstep looking for a Pokémon GO gym. His house is a converted church, apparently still marked on maps as a church, a common Pokémon GO stop. Overly zealous gamers are getting injured running into walls chasing Pokémon monsters, twisting ankles in ditches and stepping in front of traffic—all in hot pursuit of Pokémon GO success.
Where do we GO with Pokémon GO?
- Organizations may want to assess the impact of Pokémon GO, and make any needed adjustments to their BYOD policies and workplace rules.
- Google™ users should make sure wide permissions were not given to Niantic on their mobile device, and implement the fix if necessary.
- E-discovery and forensic investigators might prepare for yet one more new data type and source that may require preservation, collection and analysis.
Law enforcement, plaintiffs and defendants might consider how to leverage evidence on their whereabouts, actions and images of crime scenes from Pokémon GO data—it’s piling up fast.