Pokemon GO – The Scary Stuff Of Augmented Reality Games

1543

I remember back in the 1990s the small characters from Pokemon inundating our world. It was a whole world of cuteness, in fact, the Pikachu being my favorite. Fast forward 20 years and the Pokemon phenomenon has become digitized to within an inch of their little lives in the form of the augmented reality mobile app, Pokemon GO.

Augmented reality is software that overlays the real world, with the digital one. In the case of Pokemon GO, it uses the phone’s GPS to show local maps which guide players around their locale to find hidden Pokemon characters. Pokemon GO is a massive success, with over 100 million downloads in the first month after release. Pokemon GO’s success has been attributed to the fact it gets people out of the house, to hunt down sweet little cartoon characters and even meet new people – so, what’s not to like?

Is a Mewtwo Stealing Our Data?

Augmented reality technology that superimposes a computer-generated image on a user’s view of the real world, thus providing a composite view. In the case of Pokemon GO, the actual data is the location of the player at any given time. This could be the street, local gym, park, or in fact anywhere in the world. The overlaid, computer-generated data comes in the form of the Pokemon creatures, the trainer (player) has to hunt. They hide in the locale you are “hunting” within. To work, the game has to know where the user is during play. This process occurs while tracking the player, using geo-location data from the GPS service of the mobile device on which the app is installed. In addition to the geo-location data, the app had already collected user information when the player created an account. What the game knows, the host knows too, aka Niantic, Inc. who developed the game.

In regards the data shared for the Pokemon GO account. This can either be using the app account itself directly or by using a Google Sign-in account. The current version of Pokemon GO is 1.3.0. There have been some privacy improvements since the first release. In the first version of the game, V1.0., there was an outcry when it was discovered that Niantic was able to effectively have full access to your Google account if you used your Google Sign-in to sign up with (which most users did as it sped up the account creation process). Now admittedly the user has to consent to share these data points during Google Sign-in usage. However, having full access in the first place raises legitimate privacy concerns – the technology behind Google Sign-in (OAuth 2.0 / OpenID Connect) allows developers to set limits on what data access is allowed and shared. It can also set consents that allow the user to set the share level they feel comfortable with if so coded. To Niantic’s credit, they closed off that hole within a week by updating to version 1.0.1 – which asks for permissions to function. However, it appears that Niantic didn’t regard user privacy as a chief concern. It takes an outcry by privacy and security professionals and players to implement privacy details and after the fact.

This isn’t just the fact that Niantic has the potential to read our Google mail. One of the potential outcomes of compiling details of our every movement is that criminals hacking into a Pokemon GO account could cause certain personal privacy and safety issues, similar to issues with other apps like Waze and WhatsApp. In an extension of this, terrorists could also use this same information to identify Pokemon GO hotspots and target those places to cause mass chaos. In a twist to this last scenario, a Ukrainian website which is known to identify ‘Russian military criminals’ is allegedly developing a technology based on the Pokemon GO concept (nicknames Pokemon Ru) to help in the hunt for their Russian targets.

Will The Pokemon Respect Our Privacy?

A month or so since launch, Niantic have taken steps to show an improvement towards protecting user privacy. They have a section in the Pokemon GO Trainer Guidelines called ‘Respect Privacy’ which encourages the players to respect other users privacy stating that:

“In addition to making smart choices about how you choose to reveal your identity…don’t post, repost, or reveal other information about another user’s identity, including their name, phone number, email address, or physical address,…Violations can result in the loss of your account.”

This is all well and good, and in fairness, we all have to take responsibility for privacy and security. However, privacy and security should begin at the design and development stage of the app itself. Putting the onus of privacy respect into the hands of the user is unfair when the game itself lacks privacy as a fundamental feature. Game designers and architects need to, themselves, respect privacy, to the extent that it is part of their design goals and as important an aspect of the app as the gamification itself. Only then can we have some reasonable level of assurance that the data we share within our augmented reality will be as safe as that Dragonite you just can’t quite catch.

About Avani Desai
avani-desaiCompany: Schellman & Company, LLC

Position: Executive Vice President

Twitter: @AvaniDe

Avani Desai is a Principal and the Executive Vice President at Schellman. Avani has more than 15 years of experience in IT attestation (SOC, HIPAA, HITRUST), risk management, compliance and privacy. Avani’s primary focus is on emerging technology issues and privacy concerns for organizations. Avani is an active writer, speaker, and enjoys spending her time educating people on security and privacy.
In this article