When Privacy Gets in the Way of Becoming a Pokémon Master

I’m the first to admit: I love Pokémon Go. With my trusted Charmander at my side, I’ve been able to do some incredible things—I’ve caught a Pidgey in front of San Francisco’s Ferry Building and even saved a fellow intern from a divebombing Zubat.

Another thing I love? Privacy. That’s why I was really shocked to find out that in signing up to explore the Pokémon world, I had potentially – and inadvertently – given Pokémon Go the permission to explore my inbox.

To play Pokémon Go, users create an account on the application’s website or use their Google account credentials. Users using the latter option were met with a big surprise. Turns out, using Google credentials granted Pokémon Go full access to a user’s Google account.

I was sad to put my adventures on hold until the app developer fixed things. But Pokémon Go’s privacy misstep isn’t just an issue for users, it’s a lesson for all app developers on the importance of protecting their users’ privacy through data minimization.

Users store a lot of information about themselves online and unintentionally giving third parties access to this information could reveal sensitive information. That’s why developers should only stick to collecting the information needed to provide a great user experience—nothing more.

Pokémon Go’s creator made an all-too-familiar mistake. A few years ago, a simple music app Jay Z released with Samsung to promote an album required the ability to access and alter internal phone data, including permission to know who you were talking to on the phone. In another case, a simple flashlight app was sued by the Federal Trade Commission for sharing location information with advertisers. Such preventable oversights have consequences, including lawsuits.

Instead of placing an emphasis on the bells and whistles of a mobile application, mobile developers should place just as much energy—if not more—on respecting user data by only collecting what’s needed to provide a positive user experience. Strong security practices and encryption help ensure that any collected data stays safe, and private.

But fear not fellow Pokémon trainers! The problem with Pokémon Go’s data access policy appears to be fixed (though the app still collects a lot of data). After receiving overwhelming criticism that was almost as viral as the app itself, Niantic, the parent company of Pokémon Go, responded. It acknowledged user concerns and released an update to the app that “[f]ixed [the] Google account scope.”

However, while the prompt response is welcome, we still don’t know what happened to all of that data. A serious congressional probe is trying to find out. Niantic could have saved itself a lot of trouble if it had been more careful about the user data it requested in the first place.

So calling all mobile app developers: make sure to read our ACLU primer for tech businesses. It’s chock full of useful advice on privacy practices so you can avoid problems like this in the future.

Alex Andresian is a Technology & Civil Liberties Intern with the ACLU of Northern California.