Josh Hafner

USA TODAY

Pokémon Go has taken over the world since launching last week, sending millions of users into the streets to collect and battle virtual monsters on their smartphones.

With so many players sharing their locations and other personal data with the app, what could happen to all that information?

As users hand over access to their phones’ precise locations, storage and cameras to play the game, the company behind the game reserves the rights to share the data it collects with third parties including potential buyers and law enforcement.

That’s the price to “catch ‘em all” on the free-to-play game. And while companies regularly collect and profit from user data, Pokémon Go’s massive popularity and reliance on users’ locations and camera access have raised eyebrows in tech circles.

Who reads the fine print?

Most of us don’t read the privacy policies of apps we use. Indeed, reading all of them would take about 30 days per year, one study found. So it’s safe to assume that many players of Pokémon Go – which threatens to surpass Twitter in daily active users -- aren’t reading the fine print before logging on to chuck Poké balls, either.

To understand how the app can use data, it helps to know what data the app can collect.

For Android users, the game can access both the precise and general locations of the device as well as its camera – permissions inherently necessary to play the game. The game can also access users’ USB storage, contacts, network connections and more.

For iPhone users, the game can access users’ location, camera and photos. Many iOS users log in through their Google account, which grants the app full access. This means, per Google, the app “can see and modify nearly all information in your Google Account” including Gmail, Google Drive, Google Maps and more.

Data can be 'used for good and bad'

Jason Hong, an associate professor at Carnegie Mellon University’s CyLab Security and Privacy Institute, analyzes apps’ privacy for PrivacyGrade.org. He said just how Niantic uses that data will be dictated by its business model, which doesn’t seem clear at the moment.

If Niantic, Pokémon Go’s developer, decided to monetize data for advertising (as Facebook and Google do), it would be incentivized to collect as much user data as possible, Hong said, providing a larger privacy threat.



If Pokemon Go instead builds its business through in-app purchases, however, Hong said the app could prove safer for user privacy.

“That’s the challenge with this data,” Hong said. “It can potentially be used for good and bad as well."

What the privacy policy says

The Pokémon Go privacy agreement describes how Niantic might share both users’ general and personally identifiable information with other parties.

The agreement says Pokémon Go collects data about its users as a “business asset.” This includes data used to personally identify players such as email addresses and other information pulled from Google and Facebook accounts players use to sign up for the game.

If Niantic is ever sold, the agreement states, all that data can go to another company.

Aside from being sold, Niantic has the right to share non-identifying information with third parties “for research and analysis, demographic profiling and other similar purposes.”

The app’s location permission enables it to track exactly where users are, their mobility patterns, where a particular user visits most often and more, Hong notes. That could come in handy for law enforcement officers should they request it via a subpoena – which the privacy agreement makes clear.



“We may disclose any information about you (or your authorized child) that is in our possession or control to government or law enforcement officials or private parties as we, in our sole discretion, believe necessary or appropriate,” the agreement states.

For players, a matter of value

Many companies, including Facebook and Google, sell user data and hand it over to authorities when asked. But Pokémon Go’s constant location tracking and camera access required for gameplay, paired with its skyrocketing popularity, could provide data like no app before it.

“Their privacy policy is vague,” Hong said. “I’d say deliberately vague, because of the lack of clarity on the business model.”

Until that business model becomes more clear, Hong said he worries more about the physical threats and privacy quandaries posed by the app.

Since the game’s launch last week, armed thieves used the game to rob unsuspecting players. One man’s home was marked as an in-game destination, causing strangers to flock there. Another player wandered across a dead body.

Whether Pokemon Go can sustain its popularity in the long term comes down to how aware users are of its privacy invasions and whether they deem it a worthwile trade-off for the game’s experience.

“It’s basically an issue of time as people become aware how these technologies work and their tangible clear value,” Hong said. “If people feel it’s out of proportion, people will delete the app.”

Update: After this article originally published July 11, Niantic issued a statement describing Pokémon Go's request for full access to players' Google accounts as an error. The company has since contacted Google to "reduce Pokémon Go's permission to only the basic profile data that Pokémon Go needs."

Follow Josh Hafner on Twitter: @joshhafner

'Pokémon Go' maker says full Google access an 'error'