Pokemon Go is catching personal data from your smartphone
While millions of Pokemon Go fans out there are busy trying to "catch 'em all," the popular smartphone app is quietly snatching up a lot of personal data from their smartphones.
As CNET reports, blogger Adam Reeve discovered a gaping security issue after starting to play on his iPhone: if you sign up for Pokemon Go using your Google account on an iOS device, the app is granted full access to your Google account -- emails, photos, calendar, contacts Google Drive, browsing history and more (though not your Google Wallet payment system). The developer, Niantic, acknowledged "Pokemon Go gains unnecessary 'full access' to users' Google accounts on iOS and is actively issuing a fix."
An updated version of the app was released on the App Store on Tuesday, with the notation: "Fixed Google account scope."
Even aside from that iOS issue, Pokemon Go taps into a phone's GPS information to track players' locations -- that's how it superimposes digital Pokemon characters into their real-world environments.
As a result -- like other location-centric smartphone apps -- Pokemon Go gathers quite a lot of information about a user. From where you were before, to your current location, to the amount of time you spent in a given place, the geolocation data gleaned form the app is ultimately stored by developer Nianti.
And it's not just location. The small print in the game's privacy policy reveals that it also gathers personal email addresses, birth dates, and privacy settings.
"During gameplay and when you (or your authorized child) register to create an account with us ... we'll collect certain information that can be used to identify or recognize you (or your authorized child) (PII)," reads Niantic's privacy policy. "Specifically, because you must have an account with Google, Pokémon Trainer Club ("PTC"), or Facebook before registering to create an Account, we will collect PII (such as your Google email address, your PTC registered email address, and/or your Facebook registered email address) that your privacy settings with Google, PTC, or Facebook permit us to access."
The company says it may also log the Internet Protocol (IP) address of the user's computer, the web page they visited before clicking on Pokemon Go, and what pages and search terms they used on the site, among other data.
This, of course, is nothing new, but many users don't stop to think about what personal information they're sharing when they sign up for a new app, game or digital service.
People who use many different social media apps authorize them to store this kind of data, which could eventually be shared with a third party. According to the privacy policy, Niantic said that it "may share aggregated information and non-identifying information with third parties for research and analysis, demographic profiling, and other similar purposes."
The Pokemon Go app has been a sensation since its July 6 debut, bringing in $9 million in its first week for video game giant Nintendo. The app has surpassed Tinder in Android downloads and currently No. 1 in Apple's App Store. It is free to download and play, but in-app purchases of "PokeCoins" can add up to a lot of real-world cash.
As with any app, users concerned about privacy and the data they might be sharing with third parties should always read the fine print.