Playing Pokémon GO might be a privacy and security risk. Pic: Niantic.

Prepare for trouble, make it double: Pokémon GO might be a security and privacy risk

POKEMON GO might just become the killer AR app of 2016, and is also starting to beat already-popular apps like Tinder. However, the game’s ability to collect personally-identifiable information means players’ security and privacy might be at risk.

Launched on July 6, Pokémon GO leverages on smartphone cameras and location-sensing capabilities to deliver an immersive experience that lets players “catch” on-screen Pokémon in real-world locations across the globe.

The immersive gameplay has led to millions downloading it in the first few days of launch, boosting it to the top of the Apple and Google’s app stores on day one, even with limited release.

Even as the app is not yet available in all countries, it has already surpassed Tinder in terms of daily active usage, and it is set to overtake Twitter soon. User engagement has been unprecedented, with Internet analysts at Similarweb estimating that 60 percent those who downloaded the app actively play everyday. Also, each player averages at 43 minutes and 23 seconds of daily use – higher than Instagram, Facebook Messenger, Snapchat and WhatsApp.

Where did my privacy go?

With all this popularity though, security analysts warn of potential risks users might be subject to. Gary Miliefsky, CEO of cybersecurity firm SnoopWall, tells The Daily Beast that users might be at risk of data breaches, should malicious hackers successfully break into the game’s player database.

This is because the Pokémon GO app takes a lot of liberties with smartphone permissions. On Android devices, the app asks to access the device’s camera, contacts, GPS location, and SD card contents. It also requires active data or WiFi connection for gameplay.

In addition, game developer Niantic’s privacy policy also authorizes the company to share information with third-party service providers, law enforcement or any party who may obtain the data through acquisition or sale. Plus, the company explicitly states that data may be stored and processed in servers outside of one’s home jurisdiction.

Although the use of data sharing among social apps is common, the cited security experts expressed concerns about the lack of disclosure during registration.

“It is becoming abundantly clear that the permissions screen, which evolved to provide users a screenshot of information that apps can access, no longer provides adequate notice on how that information is collected and used,” said Drew Mitnick, policy counsel for the digital rights organization Access Now.

Another thing players might want to consider is the connection that Niantic has with Google. The game developer started out as an internal startup, but spun off as an independent entity when Google reorganized under its new umbrella holdings company, Alphabet.

However, the Pokémon GO app itself was developed with millions of dollars in funding from Google, Nintendo and the Pokémon Company. Such institutional interest might mean that Google will also have access to user data – a possibility that doesn’t stand well with privacy advocates, given the perception that Google takes a lukewarm stance on the issue of user privacy.

A parent’s nightmare

Niantic’s stand on privacy notwithstanding, the more palpable concern is how unscrupulous individuals are taking advantage of location features in Pokémon GO to perpetrate crimes. For instance, armed robbers have used the game’s information to anticipate where potential victims might go.

The app encourages players to visit Pokéstops – virtual sites designated in public (or sometimes private) locations – and robbers have victimized at least eight people at such a location in Missouri in the past couple of days.

Players might also be at risk of abduction, especially when people get sucked into the game and forget about their surroundings. A 19-year old Massachusetts woman was reportedly nearly abducted while playing it. The game’s Lure Module – which attracts nearby monsters to a Pokéstop or other location – might be used by potential abductors to likewise lure children or other gamers.

A personal responsibility

Of course, it can be argued that your safety is your personal responsibility, especially when it comes to playing online games – something that is often considered a non-essential smartphone activity. As for data, Niantic’s privacy policy says parents can request the company to delete their children’s information, along with opting out of the game itself.

When in doubt, you can always opt out. But for many gamers, a game as immersive and interactive  as Pokémon GO might just be too enjoyable to pass up.