By Jimmy H. Koo, Bloomberg BNA
Players of Pokémon GO, a wildly popular location-based augmented reality game, may be missing real life threats to their private information.
Pokémon GO creates several privacy and security concerns, particularly for children playing the game, including geolocation tracking, excessive collection of personal data and possible sale of such information to third parties, privacy and security professionals told Bloomberg BNA.
Additionally, cybercriminals are taking advantage of Pokémon GO’s popularity by creating malware disguised as a copycat version of the game, they said.
Pokémon GO, developed by San Francisco-based software company Niantic Inc., works by using the global positioning system and the camera of compatible mobile devices. The game allows players to catch, train and battle creatures called Pokémon that appear through an augmented reality on the devices’ screen, as if they are present in the real world.
Geolocation Data—Collected and Sold
According to Christopher L. Dore, a Chicago-based partner at Edelson PC, a plaintiffs’ class action litigation firm that focuses on technology and privacy cases, the geolocation-centric aspect of Pokémon GO creates significant privacy concerns “impacting both data privacy as well as physical security.”
Due to the fact that “the game takes place almost entirely outside and according to a known and accessible map, the physical location of where individuals, including kids, will want to be is well known,” Dore told Bloomberg BNA.
[caption id="attachment_24059" align="aligncenter” width="403"][Image “People play Nintendo Co.'s Pokemon Go augmented-reality game, developed by Niantic Inc., on their smartphones on a street in the Akihabara district of Tokyo, Japan, on Sunday, July 24, 2016. Nintendo shares plunged by the most since 1990 after the company said late Friday that the financial impact from the worldwide hit Pokemon Go will be limited. Photographer: Noriko Hayashi/Bloomberg” (src=https://bol.bna.com/wp-content/uploads/2016/08/300638695_1-3-e1470162477870.jpg)]People play Nintendo Co.'s Pokemon Go augmented-reality game, developed by Niantic Inc., on their smartphones on a street in the Akihabara district of Tokyo, Japan, on Sunday, July 24, 2016. Photographer: Noriko Hayashi/Bloomberg[/caption]
The vast amount of location data “would be available through a data breach incident,” or through sales by Niantic, Dore said. “There are both criminal and commercial uses for this information, and the demand for both is very high,” he said.
Adding to the problem, according to Dore, is the in-game feature allowing users to buy and place “lures” at specific locations that will attract many Pokémon. “This rush of Pokémon will be visible to anyone in the area and will therefore attract them as well,” Dore said. “The potential then for kidnapping, assault or robbery becomes readily apparent,” he said.
Phyllis H. Marcus, counsel in the global competition group at Hunton & Williams LLP in Washington and a former Federal Trade Commission attorney, agreed.
“Children who play have the very real ability to interact with strangers in real life,” Marcus, who formerly served in the FTC’s Division of Advertising Practices, was in charge of the children’s online privacy program and helped revamp the Children’s Online Privacy Protection Act Rule, told Bloomberg BNA. Children can “follow lures and meet up with people they don’t know,” she said.
Michael T. Raggo, chief research scientist at Baltimore-based social media security and threat intelligence company ZeroFOX, recommended that parents “advise their children to avoid posting information about their location on social media and online chats to avoid child predators, or sharing it via an application like Pokémon GO.” ZeroFOX has seen social media posts “encouraging children to meet at abandoned houses and other dangerous locations to play Pokémon,” he said.
People have already been physically harmed as a result of playing Pokémon GO, Marcus said. These are “very real world problems for an augmented reality game,” she said.
Despite the fact that Pokémon GO has become popular among people of all ages, according to Marcus, Pokémon GO raises a number of privacy issues, specifically with respect to children.
The Children’s Online Privacy Protection Act (COPPA) requires companies to get “verifiable parental consent” before collecting personal information from children under 13. According to Marcus, it’s clear that Niantic anticipated younger children’s participation and “set up what appears to be a decently designed notice and parental consent flow to capture that reality.”
[caption id="attachment_24064" align="aligncenter” width="423"][Image “The Dratini character of Nintendo Co.'s Pokemon Go augmented-reality game, developed by Niantic Inc., is seen in front of the Victoria Harbor on a smartphone in an arranged photograph in Hong Kong, China, on Monday, July 25, 2016. After debuting in the U.S. earlier this month, Pokemon Go launched in Japan on Friday and became available in Hong Kong on Monday. Photographer: Anthony Kwan/Bloomberg” (src=https://bol.bna.com/wp-content/uploads/2016/08/300692037_1-4-e1470162551426.jpg)]The Dratini character of Nintendo Co.'s Pokemon Go augmented-reality game, developed by Niantic Inc., is seen in front of the Victoria Harbor on a smartphone in an arranged photograph in Hong Kong, China, on Monday, July 25, 2016. Photographer: Anthony Kwan/Bloomberg[/caption]
Marcus said, however, that “what is not clear is how many parents have actually utilized the consent process or are thinking through the implications of their children’s participation.”
The Federal Trade Commission released July 2013 a revised COPPA Rule, which broadened the definition of personal information to include “persistent identifiers such as cookies that track a child’s activity online, as well as geolocation information, photos, videos, and audio recordings.” Marcus said that geolocation data is a big deal in protecting children’s privacy.
COPPA also contains a data-minimization provision preventing operators from conditioning a child’s participation on providing more information than necessary, Marcus said.
In a recent letter to Niantic Chief Executive Officer John Hanke, Sen. Al Franken (D-Minn.) identified what he called the over-collection of information as one of his concerns over the popular game. Franken inquired about “exactly which information collected by Pokémon GO is necessary for the provision or improvement of services.”
In addition to issues raised by data collection, data transfers and protection of children’s privacy, hackers use trendy apps to “prey on the apps’ millions of users,” Schulman said. Although hacking Pokémon GO itself is the “ultimate payload,” according to Schulman, there also are malicious copycats of the game with “incredibly realistic user interface” to lure potential victims.
Schulman said that his company has already seen more than 200 malicious Pokémon GO copycats on the Android platform, “packaged with malware and released on third party app stores, which, due to the country-by-country release of the game, were downloaded hundreds of thousands, if not millions, of times.”
Raggo said that his company has seen similar threats. There are “malicious links on social media to both fake Pokémon GO apps outside of the curated app stores, as well as social media phishing links that prompt the user to login to their account, harvesting their credentials,” he said.
“Simply, the popularity of Pokémon GO creates security concerns for its users on social media,” Raggo said.
“Avoid downloading Pokémon GO-related apps from links directly in social media,” Raggo said. “Go through the curated iTunes or Google Play stores,” he said.
To contact the reporter on this story: Jimmy H. Koo in Washington at email@example.com
To contact the editor responsible for this story: Donald G. Aplin at firstname.lastname@example.org