Pokemon GO has only been available for a few days in some territories, but the game has already become one of the fastest-growing mobile sensations ever and easily the biggest video-game-related news story of the year so far. The first-of-its-kind collaboration between old-school gaming company Nintendo and mobile giant Niantic became an instant phenomenon at launch, but was also soon hit with accusations of privacy violation based on its access to users' Google accounts.
Following the reports that made the concerns known, Niantic issued a statement calling the potential for privacy-infringement an “error” to be fixed and denying that user data has been compromised.
Pokemon GO had been the subject of intense buzz from longtime fans of the now 20-year-old Pokemon franchise following its surprise announcement in a cinematic trailer in 2015, but no one was prepared for just how massive a hit it would be and how quickly it would happen. A fusion of traditional Pokemon mechanics and GPS “geocaching” gameplay, the game allows players to seek, collect, trade, and battle Pokemon in “Augmented Reality” fashion by traveling to actual real-world locations in their own neighborhoods and (theoretically) all over the world.
At issue in the privacy question is that, like many similar mobile apps, Pokemon GO functions in part by accessing user data on individual mobile devices. Many apps act on multiple levels of permission in order to view and/or interact with certain types of user accounts (Google Gmail accounts, for example). However, tech-security writer Adam Reeve discovered that Pokemon GO users who had signed on to the service through iOS effectively allowed the app (and, implicitly, its corporate owners) access to their entire Google profile without being explicitly asked for permission. The service does not offer the option of creating a separate proprietary account.
The discovery has led to a day-long outcry on social media and in the tech-security world, which has in recent years been focused on repeat instances of games and gaming companies being lax in the area of user data privacy. According to a summary posted to BuzzFeed by reporter Joseph Bernstein, the wide (and, importantly, not originally advertised) degree of access not only means that Niantic could have read/write abilities for users’ Gmail, Google Docs, and Google Drive accounts, but also that those same accounts would be potentially vulnerable to hackers who found their way into the developer’s systems. That is an area of special concern considering the game’s huge base of younger users.
With the discontent reaching mainstream news outlets and threatening to undermine the overwhelmingly (but by no means exclusively) positive reception of the game (which has raised the value of Nintendo’s stock by $9 billion and, incredibly, recently surpassed the dating/hookup app Tinder in user popularity), Niantic has now issued an official statement claiming that the extent of access granted was a design error, that no user info outside of standard Google ID and email address was accessed, and that Google has been tasked with correcting the design issue on its side to reflect this:
“We recently discovered that the Pokémon GO account creation process on iOS erroneously requests full access permission for the user’s Google account. However, Pokémon GO only accesses basic Google profile information (specifically, your User ID and email address) and no other Google account information is or has been accessed or collected. Once we became aware of this error, we began working on a client-side fix to request permission for only basic Google profile information, in line with the data that we actually access. Google has verified that no other information has been received or accessed by Pokémon GO or Niantic. Google will soon reduce Pokémon GO’s permission to only the basic profile data that Pokémon GO needs, and users do not need to take any actions themselves.”