Pokémon Go is an augmented reality game developed by Niantic (a Google affiliate) and Nintendo. Players navigate real world locations capturing and training virtual “Pokémon” creatures with their iOS and Android smartphones. It is also a cultural and financial phenomenon. In its first few weeks of existence, Pokémon Go has approached or overtaken the market share of many widely known and well-established apps, including Tinder and Twitter. As a result, Nintendo’s share price has skyrocketed as the company that brought us Donkey Kong, Super Mario Bros., and the Wii appears to have generated yet another pop culture sensation.
Like the Wii’s use of gyroscopic technology to transform video game interaction from a sedentary, thumbs-only experience into a marginally more kinetic activity, Pokémon Go’s use of augmented reality technology brings the video game (and the gamer) out into the wider world. While many would welcome a video game that gets gamers off the sofa and burning calories in the great outdoors, Pokémon Go has generated its share of negative press. In notable examples, enthralled players have collided with Baltimore police cars, discovered dead bodies, walked into traffic, and even been asked to refrain from playing the game in Arlington National Cemetery. Given the obvious physical risks that Pokémon Go can engender, data privacy issues have largely been reported as tangential concerns. However, the game presents significant potential privacy concerns.
Early commentators flagged Pokémon Go’s required registration process as a potential privacy problem. The registration process could be completed either at Niantic’s website or by logging in through an existing Google user account. Due to heavy web traffic on Niantic’s site, many early adopters found it more convenient to register via their Google accounts. Notably, the Google registration route enabled Niantic to request and obtain full access to the user’s Google account, at least for iOS users. This reportedly included access to the contents of the user’s Gmail, Google Docs, Google Drive and Google Calendar services. (According to subsequent reports, Niantic’s access was actually limited to reading users’ biographical information, such as email addresses and phone numbers.) In the wake of public criticism, both Google and Niantic assured users that the full access setting was an unintended glitch. They subsequently issued an update that limited access to basic profile data. But even with the Google account access problem fixed, several concerns remain.
For example, Pokémon Go’s software relies heavily on location data and keeps a record of the user’s location. Likewise, the game utilizes the user’s smartphone camera to capture images from wherever the user happens to be playing the game, including inside private homes and other locations that normally would not be visible to third parties. If and when combined with location data, those images could paint a colorfully detailed picture of the user’s personal spaces, routines and habits.
As with other Internet-based applications, the privacy risks of Pokémon Go aren’t limited to the technological realm. The social aspects of Pokémon Go can also present significant risks. Early reports indicate that criminals are exploiting users’ enthusiasm to lure them into unfamiliar locations where they can be robbed or assaulted. Similarly, taking and publicly sharing screenshots from the Pokémon Go app (particularly if they include a map or a recognizable landmark) could reveal the user’s location and potentially put him or her at risk of an unwanted physical encounter.
While some regulators-and Senator Al Franken-have sought details regarding these issues and others, most users appear to be wholly unconcerned. However, as the first augmented reality game to capture the public’s imagination, Pokémon Go is likely to also be a trailblazer for a number of data privacy issues and practices as the sector matures. As the real and virtual worlds become increasingly interconnected and indistinguishable, we expect that the resulting data privacy challenges will continue to evolve and combine in new and surprising ways. Stay tuned, and happy hunting.
Physical Address: 301 Fayetteville Street, Suite 1900, Raleigh, NC 27601 | © Poyner Spruill LLP. All rights reserved.