
Don't believe the 'Pokémon Go' privacy hype

Engadget 15/07/2016 Violet Blue
© Provided by Engadget

When the Pokémon Go obsession reached full saturation this week, privacy concern whispers became full-blown hysterical shrieks when a researcher's blog post accused the game's maker of taking over its users' Google accounts. As it turned out, the app's iPhone permissions were just poorly implemented, and fixed immediately.

Unfortunately that didn't stop the privacy and security hysteria machine. All week long, headlines made a mountain out of the molehill, scaring some people into uninstalling the app altogether.

Pokémon Go, a phone game released by Niantic Labs and Nintendo, has been an astonishing success. The game is basically a GPS-guided treasure hunt using a smartphone camera. It sends people out into the world around them, gets them interacting with others, and has brought the US some much-needed distraction and smiles.

The stories emerging through social media might be more entertaining than playing the game itself. Pokémon have been "caught" at gay bars and churches, people have been shooed out of police stations and courthouses trying to catch the little beasts. Someone found a dead body, people have been robbed, and some police departments have even been forced to issue safety guidelines. On the plus side, there are some mental health benefits. Meanwhile, Pokémon Go has added nearly $11 billion to the value of Nintendo since its release.

Naturally, a few hackers became interested in what was going on under the app's hood. But before anyone had a chance to publish detailed findings, researcher Adam Reeve rushed to make a post that set off the chain reaction of hysteria.

Reeve wrote that if you signed into Pokémon Go with Google, the app was given full permission to access your Google accounts. He claimed that the company could read your Gmail, see your Google search and Maps history, access your private photos, delete things in Google Drive, and more.

He also indicated that it wasn't possible to sign in alternately, by creating a Pokémon account, and sort of made it sound like something suspicious was going on. News outlets rushed to write hyperbolic headlines without bothering to note that this was only happening on iPhones.

That's how we ended up with hysterical, misleading headlines like, "Pokémon Go is a major security risk for your entire Google account." And it's why we had people screaming white frothy rage on social media that Niantic was backdooring user accounts. It's also how we ended up with Senator Al Franken sending a letter to Niantic demanding answers about Pokémon Go's privacy practices.

To their credit, Gizmodo contacted Adam Reeve, who then backtracked on his claims, saying he wasn't "100 percent sure" his blog post was actually true. He also admitted that he didn't test any of the claims in his post.

In fact, it turned out that Pokémon Go was never able to read people's Gmail, or any of the really scary things that Reeve and some trigger-happy media outlets claimed. Dan Guido, CEO of security company Trail of Bits, did the deep-dive analysis that was needed before any digital ink was spilled in histrionic headlines.

Guido and his team not only cast serious doubt on Reeve's claims; Guido also talked to Google tech support. Imagine that! They told him the "full account access" everyone was freaking out about doesn't mean a third party (in this case, Niantic, Nintendo, or Pokémon) can read or send email, access your files or anything else being claimed.

It did mean that Niantic could read so-called biographical information, like an email address and phone number. What Trail of Bits also discovered was that Pokémon Go's Google authorization process was using the wrong permission "token." Their post linked to another researcher who said, "I believe this is a mistake on Google and Niantic's part, and isn't being used maliciously in the way that was originally suggested."

Before the Trail of Bits post was even published, Niantic had reacted. The company put out a press release explaining that there had been a permissions snafu with the social login process, and they fixed the internal mistake in record time. Their statement said:

"We recently discovered that the Pokémon GO account creation process on iOS erroneously requests full access permission for the user's Google account. ... Google has verified that no other information has been received or accessed by Pokémon GO or Niantic. Google will soon reduce Pokémon GO's permission to only the basic profile data that Pokémon GO needs, and users do not need to take any actions themselves."

Further, it turned out the mystery about Pokémon's account signup process being suspiciously unavailable at the time of Reeve's post wasn't a conspiracy after all. To the surprise of no one, Pokémon's servers were getting hammered by all the new traffic.

It's quite interesting to see so many people wig out about an app's over-reach of permissions. Which is, incidentally, a big deal. And it's about time.

But it's really frustrating to watch the outrage flames get fanned and Senators spring into action over something that feels more like crying wolf -- when there are flashlight apps that dubiously "need" to know where you are, or must have access to write arbitrary code to your phone. Or, how about a little outrage and action over our recent discovery that popular running app Runkeeper records your location after you've turned the app off? (Runkeeper is in trouble for this in Europe, but not here.) Better yet, how about a senator demanding answers from Facebook over tracking user locations without consent and matching them with strangers' locations? Because we sure as hell don't know when Facebook did that, or to whom (or for how long) the company did that. Nor can we trust that they've actually stopped doing this, or won't do it again in the future.

So this week, everyone we know basically joined a geocaching cult. We already knew that no one reads or understands the terms they agree to for apps and websites, even if they demand giving up your first-born child as payment. We learned that setting up social login permissions is actually really fussy, and difficult to do right. And everyone learned that signing in with your Google or Facebook account means putting some kind of access to your personal stuff in someone else's hands. Which, by the way, is why I recommend never, ever in a million years signing in to any app or website in this manner. Seriously, if you do that, just stop locking your front door and get it over with.

If only the entire internet, security's brighter minds, and our elected representatives would level this amount of scrutiny at all apps.

But as one forum commenter wisely explained, "iOS users using Google Account sign-up affected by Pokémon Go permissions bug, Android unaffected" just doesn't make a sexy headline.
