Privacy Paradox

Pokémon and a Better Conversation on Data Privacy

By Toby Levy
Thursday, August 11, 2016, 1:36 PM

Amid an onslaught of privacy and cybersecurity threats, it can be difficult to predict which potential concerns will capture the public imagination. A particularly unlikely candidate for public debate over privacy and cybersecurity is Pokémon Go—a location-based, augmented reality mobile game developed by Niantic for iOS and Android devices. And yet, in the month since its release, media outlets, members of Congress, and even celebrities have lambasted Pokémon Go over a supposed lack of privacy measures.

Film director Oliver Stone has voiced concerns over the game, citing the astonishingly successful app as “surveillance capitalism,” and suggesting that Pokémon’s “new level of invasion” of privacy could lead to “totalitarianism.” In Congress, Minnesota Senator Al Franken expressed concern over Pokémon, broadly noting that, “we must ensure that Americans'—especially children's—very sensitive information is protected.” A blog post by Adam Reeve, Principal Architect at Red Owl Analytics, suggests that Pokémon Go was granted “full account access” to user’s Google accounts when they log on with Google on iOS, granting Niantic unprecedented access to people’s accounts. And yesterday, The Intercept published an article linking Niantic’s CEO to Google’s controversial collection of Wi-Fi data in connection with the company’s Street View mapping program.

And that’s just the outrage in the United States. In Russia, where Pokémon Go was released three weeks ago, the app has been blamed for all manner of privacy evils—from a state TV channel suggesting that the CIA had placed a Pokémon gym in the Ministry of Defense building for covert purposes, to conspiracy theories about the game’s collection of Russian citizens’ data.

Generally, it is a positive thing when issues as important as data privacy break through in media headlines and lend attention to important debates. Unfortunately, when privacy questions do penetrate the public consciousness, as the controversy over Pokémon Go has, they are often overblown or disconnected from reality. Pokémon Go will not lead to totalitarianism. Odds are that it isn’t a secret CIA plot to vacuum up Russian data via Squirtles. And actually, the app might not even present real privacy concerns at all.

Yes, it is true that the app accessed users’ Google accounts without owners’ consent. But before stoking the public’s fear, those calling for Niantic’s head might note that changes were underway even before the public outcry emerged. With the now-completed update, Niantic’s new permission request asks for only “basic Google profile information, in line with the data that we actually access.” And in fact, both Ari Rubinstein, a security engineer at Slack Technologies Inc. and Dan Guido, of the independent information security company Trail of Bits, determined that Niantic doesn’t actually collect any data beyond a Google username and email address.

Furthermore, it turns out that even when Pokémon Go had access to users’ emails, it never elected to read them, as Reeve and some trigger-happy media outlets claimed. Niantic confirmed that the access overreach was a mistake, and that the company never accessed below-the-surface information. But lots of apps do gather personal information, and yet have avoided public scrutiny.

The attention around Pokémon Go and privacy does present an opportunity to have a public discussion regarding the amount of information that technology giants collect on consumers and then sell to advertisers. But the public will not be better informed by fearmongering. Debates on how to address legitimate concerns about data privacy should also acknowledge that some data collection improves our lives without us realizing it.

Consider that this isn’t the first time Niantic has produced a successful app with similar gaming and security features. Before developing Pokémon Go, Niantic created another map-based augmented-reality game, called Ingress. Google then used the Ingress data to dramatically enhance mapping services by building a database of publicly accessible locations available to pedestrians and routes taken by pedestrians between these locations. And thousands of other popular applications require similar data.

The Pokémon Go commotion is a reminder that privacy “threats” and concerns over access may not always be what they seem. Unwarranted privacy hysteria actually obfuscates more significant issues by confusing the public understanding about whether their smartphones apps are collecting particular types of data and why. This confusion results in public fatigue over privacy issues and, like the boy who cried wolf, runs the risk that genuinely problematic privacy invasions will evade scrutiny.

The data privacy focus actually might distract from other real concerns about augmented-reality games like Pokémon Go. Already lawyers are gearing up for cases in which players are injured while staring at tiny monsters on their phones. Who bears the liability when a game algorithm places virtual monsters near the edge of a cliff? And does locating a Pokémon character on private property, without permission, affect the owner’s interest in exclusive possession of the property?

Questions that first present in trivial areas might eventually inform much more significant questions of technology law and policy. Augmented reality—and its associated perils—may appear mostly in games for now, but these technologies will eventually permeate other industries, like healthcare, where extremely sensitive information is stored and shared.

It is important we take these questions seriously and get the answers right. But we’d also be wise to not take them too seriously. The odds that Google is going to help North Korea invade the US with an armada of Magikarp are still relatively low.