Pokémon GO - Catching 'Em or Giving Away Your Personal Data?

09 August, 2016
By G-Team in Technology
If you have not heard, the latest downloaded game is not Candy Crush or Tsum Tsum, but Pokémon GO. Yes, Pokémon has finally made a comeback with the help of software development company Niantic. In this free-to-play, location-based, augmented reality game, users are able to "travel" between the real world and the virtual world of Pokémon. Running on either an iPhone or an Android device, Pokémon GO uses real locations to encourage players to search for and catch more than a hundred species of Pokémon as they explore their surroundings.
To re-create the real-world setting, the game uses the player's smartphone camera, GPS and position sensors to determine what to display and where to place the Pokémon. Furthermore, businesses can purchase these Pokémon as part of their advertising strategy to lure these imaginary monsters and real fans to the actual locations.

Given how heavily this game app relies on users' data, billions of pieces of it, some have started to wonder if there is a potential data breach at work here. What type of data is being collected, and what is the company doing with it?

Like any other game, Pokémon GO requires the user to have an account. There are two options to authenticate here: either a Pokemon.com account or a Google account. Most users would typically log in using a Google account, given that most of us already have one. With most applications, the user is shown the level of permissions the application will require. However, in the case of Pokémon GO, there is almost no permissions notice and the user is immediately directed to the login screen.

Since the launch of Pokémon GO, several users have been concerned about its security and privacy. When players went back to confirm the application's permissions online, several found that Pokémon GO had full access to their Google account. This means that Niantic can now read all their emails, send emails, access all documents on Google Drive (including any private photos stored there), look at their search history and much more.

While it is unlikely that Niantic is planning a global personal information heist, this does not shed any light on Niantic's security policies. For all we know, they could be abusing this new power that they have granted themselves. Nobody knows exactly what they might do with the huge amount of data they have unknowingly collected.

With this uncertainty and these security issues surrounding Niantic, organisations can learn some lessons from this matter as well. There are many instances where an organisation may unknowingly be gathering personal data from clients or customers. In such situations, organisations should be transparent about how this data is being handled. When it comes to applications, software developers should ensure that the first level of authentication allows the user to select the levels of privacy that they grant to the application. This can prevent any risk of the organisation breaching the user's security.