US Senator has privacy concerns about Pokémon Go’s data collection

Al Franken wants to know how the data collected is used

The popularity of augmented reality smartphone game Pokémon Go has raised a variety of concerns, including a warning by the National Safety Council, urging drivers not to play the game behind the wheel and asking pedestrians to be careful while playing it.

U.S. Senator Al Franken, a strong privacy advocate, has raised the inevitable question about the privacy of the extensive data the game collects from its users, including children, and whether the data is used for other purposes.

“I am concerned about the extent to which Niantic may be unnecessarily collecting, using, and sharing a wide range of users' personal information without their appropriate consent,” Franken, a Democrat from Minnesota, wrote in a letter Tuesday to John Hanke, the CEO of Niantic, the developer of the game.

Citing recent reports and the privacy policy of Pokémon Go, Niantic appears to collect a broad swath of personal information from its players, according to the senator. Ranging from the user’s general profile information to their precise location data and device identifiers,  “Niantic has access to a significant amount of information, unless users - many of whom are children - opt-out of this collection,” Franken wrote.

Senator Franken wants to know whether all the information collected is necessary for the provision or improvement of services, or if there are any other purposes for which the data is collected. If some of the data is not not necessary for the provision of services, would the company offer an opt-in option to users for sharing that data, rather than the current opt-out choice.

The senator also wants to have the list of third-party service providers that Niantic says it shares data with in its privacy policy, and would like to know whether Pokémon Go also shares the data with its investors. “Pokemon GO has further indicated that it shares de-identified and aggregate data with other third parties for a multitude of purposes. Can you more exhaustively describe the purposes for which Pokemon GO would share or sell such data?,” he wrote.

Niantic ran into its first privacy issue earlier this week when it was disclosed that the game gave Niantic full access to a user’s Google account when setting up a game account on iOS devices. The company later said it had discovered that the Pokémon Go account creation process on iOS erroneously requests full access permission for the user’s Google account, but assured users that only basic Google profile information like user ID and email address were accessed. It said it was working with Google on a fix to ensure permission for providing only the basic account information.

In its privacy policy, Niantic has said that it complies with "verifiable parental consent requirements mandated by the Children’s Online Privacy Protection Act (COPPA) and European data protection laws (including, without limitation, the Data Protection Directive)" through a verification and consent process handled by the Pokémon Trainer Club. “Apart from publicly available privacy policies, how does Niantic inform parents about how their child's information is collected and used?,” Franken asked in his letter.

Niantic could not be immediately reached for comment on Franken’s letter. A spinout from Google in August, Niantic has the Pokémon Company, Google and Nintendo as investors.

Niantic outlines in its privacy policy that it collects location information, which may be shared with other players, besides being used to personalize or improve services. The service also collects a device identifier, user settings, and the operating system of the users’ device, as well as information about the use of its services from the mobile device, which it may use to improve and personalize services.

Niantic also collects log data, which it says “may include information such as a User’s Internet Protocol (IP) address, user agent, browser type, operating system, the web page that a User was visiting before accessing our Services, the pages or features of our Services to which a User browsed and the time spent on those pages or features, search terms, the links on our Services that a User clicked on, and other statistics.” The log data is used for administering services as well as analysis, including by third parties, to improve and customize the services, according to the privacy policy.

Join the CSO newsletter!

Error: Please check your email address.

More about Google

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by John Ribeiro

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts

Market Place