
Pokemon Go: Gotta catch all your personal data

If you signed into Pokemon Go with your Google account, you might have just handed your digital life over to the game's developers.

Laura Hautala Former Senior Writer


Maybe you gotta catch 'em all, but you're not the only one with collection fever.

The developer of the wildly popular Pokemon Go, Niantic Labs, has full access to your Google account if you used it to log into the game from an iOS device. In response to reports of this all-you-can-eat data buffet, Niantic said in a statement that it's drastically limiting the access it requests going forward and that it didn't access anything beyond user IDs and email addresses.

"We recently discovered that the Pokémon GO account creation process on iOS erroneously requests full access permission for the user's Google account," the company said in a statement. "Once we became aware of this error, we began working on a client-side fix to request permission for only basic Google profile information, in line with the data that we actually access."

But for the time being, the full account permission could give Niantic access to all of your information, as well as the ability to post, delete and send things from your account. In other words, logging in with your Google account is a super effective way to hand over your email, contacts, photos, documents -- everything!

You'd have no way of knowing you granted all this access to begin with if you just downloaded the game and logged in with your Google account. To see whether you've entered a ghastly Pokemon panopticon, you'd have to go into your Google account settings and see which apps have full access. (And you may be able to revoke access and keep playing.)

Google did not respond to a request for comment on this story and did not confirm exactly how much data Niantic would have been privy to with full account access if the problem hadn't been spotted.

"Google has verified that no other information has been received or accessed by Pokémon GO or Niantic," Niantic said in its statement. "Google will soon reduce Pokémon GO's permission to only the basic profile data that Pokémon GO needs, and users do not need to take any actions themselves."

Niantic Labs began as a group within Google and first made a splash with its game Ingress. Like Pokemon Go, the game encourages players to get outside and visit specific locations to progress. Niantic announced in August it would spin off into its own company. "We'll be taking our unique blend of exploration and fun to even bigger audiences with some amazing new partners joining Google as collaborators and backers," Niantic said in a statement.

Cybersecurity expert Adam Reeve detailed his experience of discovering that he'd granted full permission to his Google account to Pokemon Go in a blog post Friday. CNET writer Jason Cipriani independently experienced the same thing when he checked his own Google account settings. Reeve noted in his blog post that the Android version of the app doesn't gain full access to your Google account.


This is what your settings will say if you've granted Pokemon Go full access to your Google account.

Jason Cipriani/CNET

Reeve said it's not just creepy to give a random company access to your Google account -- it's also dangerous. If Niantic got hacked, for example, cyberattackers could access your Google account. Since we often use our Gmail accounts to reset passwords to all our other accounts, this is essentially giving hackers access to every online account we have. That's why Reeve says you should go nuclear if you signed into Pokemon Go with your Google account.

"Revoke permissions through Google and uninstall the app," he said.

If you don't, you've said, "Pikachu, I choose you over my personal privacy."

That advice could apply to a lot of people, since the app has been downloaded 7.5 million times, according to app analytics firm SensorTower. More than 2 million of those were downloaded from the Apple App Store. It's not clear how many users on the iOS platform are logging in with a Google account.

To be sure, Google doesn't spell out exactly what full account access means. That's part of why the blogosphere has cried foul. And some even say it's not as bad as Reeve claims.

As you've traded vast access to your life for the thrill of the Poke-hunt, privacy advocates are calling for app developers and phone manufacturers to do a better job of explaining how much of your data is being collected and when.

For example, Carnegie Mellon University researcher Ashwini Rao presented an idea for making those tiny, legalistic terms and conditions easier to read and digest at the Federal Trade Commission's Privacy Con in January. His suggestion? Make it look like a beautiful nutrition label. Apps like Snapchat, which came under fire in October for its new terms that granted it permission to reproduce user photos and other snaps, are also closely watched by privacy advocates for signs of overreach.

Finally, phones are getting better at telling you when apps are accessing your personal information. iPhones can send you a notification if, say, Google Maps accesses your location even when you're not using the app. The Qualcomm microprocessor Snapdragon 820 is designed to help phones do a better job of tracking what data your applications are accessing and when.

It's hard to know how apps for Android phones compare to those that are developed for iPhones and iPads. The Google Play store is easier to mine for this data than the Apple App Store is, a 2015 Pew study of app permissions found. But this appears to be one circumstance in which the iOS version of an app gives far broader permissions than its Android counterpart.

Updated at 6:10 p.m. PT with comment from Niantic that it will limit its access to Google account data and that the Pokemon Go app had only accessed user IDs and email addresses.
