Don’t believe the ‘Pokémon Go’ privacy hype
When the Pokémon Go obsession reached full saturation this week, privacy-concern whispers became full-blown hysterical shrieks when a researcher’s blog post accused the game’s maker of taking over its users’ Google accounts. As it turned out, the app’s iPhone permissions were just poorly implemented, and fixed immediately.
Unfortunately that didn’t stop the privacy and security hysteria machine. All week long, headlines made a mountain out of a molehill, scaring some people into uninstalling the app altogether.
Pokémon Go, a phone game released by Niantic Labs and Nintendo, has been an astonishing success. The game is basically a GPS-guided treasure hunt using a smartphone camera. It sends people out into the world around them, gets them interacting with others, and has brought the U.S. some much-needed distraction and smiles.
The stories emerging through social media might be more entertaining than playing the game itself. Pokémon have been “caught” at gay bars and churches, people have been shooed out of police stations and courthouses trying to catch the little beasts. Someone found a dead body, people have been robbed, and some police departments have even been forced to issue safety guidelines. On the plus side, there are some mental health benefits. Meanwhile, Pokémon Go has added nearly $11 billion to the value of Nintendo since its release.
Naturally, a few hackers became interested in what was going on under the app’s hood. But before anyone had a chance to publish detailed findings, researcher Adam Reeve rushed to make a post that set off a chain reaction of hysteria.
Reeve wrote that if you signed into Pokémon Go with Google, the app was given full permission to access your Google account. He claimed that the company could read your Gmail, see your Google search and Maps history, access your private photos, delete things in Google Drive, and more.
He also indicated that it wasn’t possible to sign in alternately, by creating a Pokémon account, and sort of made it sound like something suspicious was going on. News outlets rushed to write hyperbolic headlines without bothering to note that this was only happening on iPhones.
That’s how we ended up with hysterical, misleading headlines like, “Pokémon Go is a major security risk for your entire Google account.” And it’s why we had people screaming white frothy rage on social media that Niantic was backdooring user accounts. It’s also how we ended up with Sen. Al Franken sending a letter to Niantic demanding answers about Pokémon Go‘s privacy practices.
To their credit, Gizmodo contacted Adam Reeve, who then backtracked on his claims, saying he wasn’t “100 percent sure” his blog post was actually true. He also admitted that he didn’t test any of the claims in his post.
In fact, it turned out that Pokémon Go was never able to read people’s Gmail or any of the really scary things that Reeve and some trigger-happy media outlets claimed. Dan Guido, CEO of security company Trail of Bits, did the deep-dive analysis that was needed before any digital ink was spilled in histrionic headlines.
Guido not only cast serious doubt on Reeve’s claims, he talked to Google tech support. Imagine that! They told him the “full account access” everyone was freaking out about doesn’t mean a third party (in this case, Niantic, Nintendo, or Pokémon) can read or send email, access your files or anything else being claimed.
It did mean that Niantic could read so-called biographical information, like an email address and phone number. What Trail of Bits also discovered was that Pokémon Go‘s Google authorization process was using the wrong permission “token.” Their post linked to another researcher who said, “I believe this is a mistake on Google and Niantic’s part and isn’t being used maliciously in the way that was originally suggested.”
Before the Trail of Bits post was even published, Niantic had reacted. The company put out a press release explaining that there had been a permissions snafu with the social login process, and they fixed the internal mistake in record time. Their statement said:
“We recently discovered that the Pokémon Go account creation process on iOS erroneously requests full access permission for the user’s Google account. … Google has verified that no other information has been received or accessed by Pokémon Go or Niantic. Google will soon reduce Pokémon Go‘s permission to only the basic profile data that Pokémon Go needs, and users do not need to take any actions themselves.”
Further, it turned out the mystery about Pokémon’s account signup process being suspiciously unavailable at the time of Reeve’s post wasn’t a conspiracy after all. To the surprise of no one, Pokémon’s servers were getting hammered by all the new traffic.
It’s quite interesting to see so many people wig out about an app’s overreach of permissions. Which is, incidentally, a big deal. And it’s about time.
But it’s really frustrating to watch the outrage flames get fanned and senators spring into action over something that feels more like crying wolf when there are flashlight apps that dubiously “need” to know where you are or must have access to write arbitrary code to your phone. Or, how about a little outrage and action over our recent discovery that popular running app Runkeeper records your location after you’ve turned the app off? (Runkeeper is in trouble for this in Europe but not here.) Better yet, how about a senator demand answers from Facebook over tracking user locations without consent and matching it with strangers’ locations? Because we sure as hell don’t know when Facebook did that, or to whom (or for how long) the company did that. Nor can we can trust that they’ve actually stopped doing this or won’t do it again in the future.
So this week, everyone we know basically joined a geocaching cult. We already knew that no one reads or understands the terms they agree to for apps and websites, even if they demand giving up your first-born child as payment. We learned that setting up social login permissions is actually really fussy and difficult to do right. And everyone learned that signing in with your Google or Facebook account means putting some kind of access to your personal stuff in someone else’s hands. Which, by the way, is why I recommend never, ever in a million years signing in to any app or website in this manner. Seriously, if you do that, just stop locking your front door and get it over with.
If only the entire internet, security’s brighter minds and our elected representatives would level this amount of scrutiny at all apps.
But as one forum commenter wisely explained, “iOS users using Google Account sign-up affected by Pokémon Go permissions bug, Android unaffected” just doesn’t make a sexy headline.
(15)