Pokemon Go Data Collection Matter Privacy Concern for Some, Not All
The company behind the popular augmented reality game Pokemon Go said it essentially goofed when it asked for full permission for iOS users who registered through their Google accounts -- and has since fixed it. Some concerns have been raised, including a letter from Sen. Al Franken, D-Minn., to Niantic CEO John Hanke over the company's data collection and use practices (see 1607120072). Unclear is whether there will be a government investigation, as one privacy activist sought, or if this issue was hyped, as another observer mentioned. One expert said it's possible similar privacy concerns may emerge as this technology with geolocation is increasingly used.
Jeff Chester, executive director of the Center for Digital Democracy, emailed us that he expected the FTC to investigate Pokemon Go's data collection practices. He said his group also is concerned about potential violations of the Children's Online Privacy Protection Act rule and collecting data from teens for marketing purposes. Use of geolocation data raises significant privacy and consumer protection concerns, he said.
"This is emblematic of the unchecked explosion of highly personal geo-location data that is, basically, being stolen from consumers by apps, mobile devices and other digital marketing applications," wrote Chester. "The FTC does not have the tools to protect the cross-device, data-driven, geo-targeting aware privacy devouring apparatus that digital marketers have unleashed. Notice isn’t sufficient for geo-location, especially as marketing clouds and other data brokers integrate where we are with our online and offline consumer profile. But we do have to thank Niantic, because they have helped lead Pokemon right to the FTC’s Consumer Protection Bureau." The FTC didn't comment.
The issue surfaced when security expert Adam Reeve posted on his Tumblr page July 8 that Pokemon Go was a "huge security risk" because the game wanted "full access" to a user's Google account. After Niantic said it "became aware of this error," it posted that it began working on a fix to "request permission for only basic Google profile information, in line with the data that we actually access." Niantic said Google, which spun out the game developer as an independent company in October, confirmed no other information "has been received or accessed by" the game or itself.
Alan McQuinn, Information Technology and Innovation Foundation research analyst, told us the concern raised over the game is a "really good example of the privacy panic cycle." That's (see 1509100053) a phenomenon in which people make outsized claims about the privacy risks associated with new technologies or their new applications.
Niantic "accidentally" asked for full access to account information from users who logged in from their Google account but not from those who logged in through their Pokemon accounts, said McQuinn. But he said the company didn't actually collect data from the Google account. "So if you actually logged on to your Google account and revoked, which is what I did … that permission, the app still worked perfectly, still did everything," signaling it was probably a mistake, he said.
"So basically there was an uproar. It went away really quickly. The market functioned," said McQuinn. "If [the] company didn’t intend to do it, then there was no harm there should be no penalty taken against the company and ... [the Pokemon Go situation] is basically a textbook case of that." He said he wasn't saying regulators and others shouldn't investigate but said it would be a waste of resources. He called Franken's letter typical of policymakers who react to such matters, adding the senator wasn't actually seeking to curb the technology. Generally, policymakers should take a step back to get a better understanding of the situation before weighing in, he said. Franken's office didn't comment.
In the long run, Chester said the FCC, if its privacy proposal is approved, would probably be better positioned to help consumers gain control over their location information because the FTC is "largely helpless" without rulemaking authority. "Which is why it is so disingenuous -- if not a flat out lie -- when industry opposes the FCC’s plan and urges the FTC regime instead," he wrote. "They do so because right now, under the non-existent FTC rules -- they get away with practically everything when it comes to our consumer data."
"Protecting privacy is really hard and there’s lot of things to think about when you’re building products and services," said Jedidiah Bracy, an editor for two International Association of Privacy Professionals publications who wrote a piece about the Pokemon Go issue. In an interview, he said generally, "companies are realizing that personal data is valuable and ... the ones that are smart about it are going to build as many privacy protections as they can because they want to keep the trust of their consumers."
Use of location-based data in this manner is new, but Bracy, who complimented some parts of Niantic's privacy policy, said it's not necessarily bad as long as users know what they're doing and protections are built in to, for example, prevent stalking. It's something companies should think about, he said. But he said Pokemon Go may be the "tip of the iceberg" on future uses and emerging privacy issues.
"We're going to see a lot more innovative games. We're going to see a lot more virtual reality," said Bracy. "We're going to see a lot more ... bleeding over of the digital world into the physical world and companies and privacy pros ... are going to have to think about how they can continue to protect people's privacy as these new innovations are pushing the envelope."