Warning: Pokemon Go can read your email
UPDATE: Niantic says a fix is on the way.
Meanwhile, the wait continues for Google and/or Niantic to confirm or deny.
Unless you've been in a coma, you'll be aware that Pokemon Go has swept the US, Australia, and New Zealand over the past three days.
Up until now, the main concerns have been about staff goofing off to play the hit smartphone game, or players injuring themselves as they roam around city streets and parks, eyes glued to the screen, in search of Pokemon.
Now a serious privacy and security issue has emerged.
If you sign up for Pokemon Go on your iPhone using your Google account, the game gets full access to your Google apps.
It's not unusual for an app to request partial access to your smartphone's other apps and features. Without access to Google Maps and your phone's camera, for example, Pokemon Go's location-based "augmented reality" interface couldn't function.
But with Pokemon Go, we're talking the full enchilada. The game can:
- read all your email;
- send email as you (including password reset requests for services outside Google apps);
- access all your Google Drive documents (including deleting them);
- look at your search history and your Maps navigation history; and
- access any private photos you may store in Google Photos.
Citing a post by Adam Reeve, a former senior engineer at Tumblr, Ars Technica calls it a "possible privacy trainwreck." It's a security nightmare, too, if your company uses the Business version of Google Apps and you've got Pokemon Go-crazed staff.
For reasons that are still not clear, the privacy breach doesn't happen with every iOS installation.
Who's behind it?
Nintendo owns the Pokemon franchise. Pokemon Go was developed for Nintendo by a company called Niantic, formed in 2010.
The paranoid should note that until October 2015, Niantic was part of Google. After being spun off, it's co-owned by Google, Nintendo and various venture capital players.
However, most pundits are giving Niantic the benefit of the doubt, calling its full Google account access an example of carelessness rather than intended privacy invasion (the company has yet to comment).
What can you do?
The problem only occurs if you sign up for the iOS (iPhone) version of the game. It doesn't afflict those who download the Android version, or who sign up from the Pokemon website (although that site has temporarily stopped issuing new accounts, apparently due to overloading).
If you're an iOS user with Google Apps, you can head to this page to revoke Pokemon Go's permissions. I'm assuming that will have the side effect of disabling the game. I'm not about to load Pokemon Go in the first place to find out, given I'm not that keen on Niantic having full access to my Google Apps for Business account – but if you're a Pokemon Go player, let me know.
I know hardcore addicts who don't want to lose their experience points might ignore it, but my advice to iPhone owners who signed up for Pokemon Go via a Google account is: nuke the game, then sign up for a new account via the Pokemon website.
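The list of capabilities above (read mail, send mail, access Drive) is what "full access" means in OAuth terms: the app holds scopes far wider than the identity-only scopes a sign-in needs. As an added example, not code from NBR, Niantic or Google, the following audit script shows what a Google Apps administrator could run over the scopes an app has been granted to decide whether it should be revoked, which is the advice given above. The scope URIs are real Google OAuth scope identifiers; the tokeninfo-style records and the client ids in them are constructed sample data, and the capability labels are this example's own summaries.

```python
"""Audit the OAuth scopes a third-party app holds on a Google account.

Added example for this article; not code from NBR, Niantic or Google.
The tokeninfo-style records below are constructed sample data. The scope
URIs are real Google OAuth scope identifiers; the capability labels are
this example's own summaries.
"""
from typing import Dict, List

# Identity-only scopes: all a "Sign in with Google" game needs to know who you are.
IDENTITY_SCOPES = frozenset({
    "openid", "email", "profile",
    "https://www.googleapis.com/auth/userinfo.email",
    "https://www.googleapis.com/auth/userinfo.profile",
})

# Scopes that hand over the kind of access the article describes.
BROAD_SCOPES: Dict[str, str] = {
    "https://mail.google.com/": "full Gmail access: read, send and delete mail",
    "https://www.googleapis.com/auth/gmail.readonly": "read all Gmail",
    "https://www.googleapis.com/auth/gmail.send": "send mail as the account owner",
    "https://www.googleapis.com/auth/drive": "read, modify and delete all Drive files",
    "https://www.googleapis.com/auth/drive.readonly": "read all Drive files",
}


def parse_scopes(tokeninfo: Dict[str, str]) -> List[str]:
    """Google's tokeninfo endpoint reports granted scopes as one space-separated
    string in the 'scope' field; split it into a sorted, de-duplicated list."""
    raw = tokeninfo.get("scope", "")
    return sorted(set(raw.split()))


def audit_app(tokeninfo: Dict[str, str]) -> Dict[str, object]:
    """Classify each granted scope and return an audit verdict for one app."""
    scopes = parse_scopes(tokeninfo)
    identity = [s for s in scopes if s in IDENTITY_SCOPES]
    broad = {s: BROAD_SCOPES[s] for s in scopes if s in BROAD_SCOPES}
    unknown = [s for s in scopes if s not in IDENTITY_SCOPES and s not in BROAD_SCOPES]
    if broad:
        verdict = "REVOKE: broader than sign-in requires"
    elif unknown:
        verdict = "REVIEW: unrecognised scopes"
    else:
        verdict = "OK: identity only"
    # 'azp' is the authorised party (client id) field tokeninfo returns.
    return {"app": tokeninfo.get("azp", "<unknown client>"),
            "identity": identity, "broad": broad, "unknown": unknown,
            "verdict": verdict}


# Constructed sample records in the shape tokeninfo returns (client id, scopes).
SAMPLE_TOKENS = [
    {"azp": "game-ok.example.apps.googleusercontent.com",
     "scope": "openid email profile"},
    {"azp": "game-greedy.example.apps.googleusercontent.com",
     "scope": "openid email https://mail.google.com/ "
              "https://www.googleapis.com/auth/drive"},
]


def run_audit(records) -> List[Dict[str, object]]:
    """Audit every record and return the per-app results in input order."""
    return [audit_app(r) for r in records]


if __name__ == "__main__":
    for result in run_audit(SAMPLE_TOKENS):
        print(result["app"], "->", result["verdict"])
        for scope, meaning in result["broad"].items():
            print("   ", scope, ":", meaning)
```

In practice the `scope` string would come from Google's tokeninfo response for a live token; here it is embedded so the audit runs offline. The point of the split into identity, broad and unknown scopes is that a game which only needs to know who you are should never appear in the "broad" column at all.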
Privacy commissioner's view
Privacy Commissioner John Edwards says, "it underscores the importance of understanding what you are signing up for. I actually thought the Pokemon Go terms and conditions were pretty clearly expressed and easy to understand. They are more limiting than your correspondent suggests the 'full access' authority is, so they would be held to the higher standard."
He adds, "I’m not sure what jurisdiction Niantic or Pokémon are based in but in the US the Federal Trade Commission would be able to ensure Google and the game maker adhere to fair information practices. Exploiting the access to Gmail and Google Drive in the way suggested in the story would almost certainly fall foul of those requirements.
"In New Zealand, I’d need to examine the jurisdiction issue. But if I found an agency – Google or Nintendo or Niantic – was subject to the NZ Privacy Act, I could look at whether any personal information collection was 'fair' or if any use of information went beyond the stated purposes."
POSTSCRIPT: He'll be here all week. Try the fish
NBR has asked Privacy Commissioner John Edwards for comment on this story (an out-of-hours request; I'll update when his response comes in).
When NBR placed a separate Pokemon Go privacy question to the commissioner yesterday, he replied with his usual speed, but in the meantime did take to Twitter to josh:
I've got to answer a press query from @TheNBR about the privacy implications of PokemonGo- (1/2)— John Edwards (@JCE_PC) July 11, 2016
(2/2) which I'll do just as I've cleared the Supreme Court of this bad boy pic.twitter.com/pxKSlyYbBI— John Edwards (@JCE_PC) July 11, 2016