Nintendo's Pokémon Go mobile game's wildly successful launch was marred by a fast-evolving controversy over potentially serious privacy risks involved with the application. While the situation seems to have been mostly resolved, it carries a lasting lesson about personal privacy.
The flap started Monday when former Tumblr senior engineer Adam Reeve wrote of his concerns over how the application required "full access" to his Google account:
Let me be clear - Pokemon Go and Niantic can now:
Read all your email
Send email as you
Access all your Google drive documents (including deleting them)
Look at your search history and your Maps navigation history
Access any private photos you may store in Google Photos
And a whole lot more
What’s more, given the use of email as an authentication mechanism (think “Forgot password” links) they now have a pretty good chance of gaining access to your accounts on other sites too.
Needless to say, Reeve's post gained widespread attention. Game developer Niantic issued a statement saying the application "erroneously" requests full account access:
However, Pokémon GO only accesses basic Google profile information (specifically, your User ID and email address) and no other Google account information is or has been accessed or collected. Once we became aware of this error, we began working on a client-side fix to request permission for only basic Google profile information, in line with the data that we actually access. Google has verified that no other information has been received or accessed by Pokémon GO or Niantic. Google will soon reduce Pokémon GO’s permission to only the basic profile data that Pokémon GO needs, and users do not need to take any actions themselves.
Taking Niantic at its word, there was never anything for Pokémon Go players to worry about with respect to their privacy. A report in Gizmodo also questions the accuracy of Reeve's characterization of what full Google account access really means, albeit with the help of second-hand sourcing. (Google hasn't officially commented on the matter).
Still, the fact remains that some app developers deeply lack awareness of privacy matters as they go about their work, says Constellation Research VP and principal analyst Steve Wilson. Take, for example, "the error made by a Google programmer back in 2010, when they thought it would be OK to hoover up all wifi traffic when StreetView cars drive past your house."
"Privacy is about restraint," Wilson says. "There is an abject lack of restraint in the minds of some programmers. For some digital companies, I believe the hunger for data is legitimized and even rewarded by the company culture. There are business models founded on exploiting data found online, and mining raw data to uncover personal information. A finders-keepers attitude is fostered, or a kind of prospectors' mindset, which sees data as a free-for-all."
"You can train and train technologists on privacy but some of them still feel it's ok to help themselves to data," Wilson adds. "Helping yourself to other peoples' personal data needs to become taboo. You just don't do it."
24/7 Access to Constellation Insights
If you’d like unrestricted access to Constellation Insights, consider joining the Constellation Executive Network for analyst advice and analyses that you can use.