The myriad risks of Pokemon Go

Is that a Snorlax over there?

If you can see it, you’re playing the new smartphone game Pokemon Go, along with millions of other people around the world. And beyond the now-resolved Google account snafu that plagued Pokemon trainers on iPhones in the game’s first days, you should be aware of the serious personal safety and privacy implications that security and privacy experts want gamers to consider before going ga-ga for Gengar.

Because the game presents its main activity—capturing cartoon Pokemon characters—as an overlay on the real world, as viewed through your smartphone camera, it gathers a lot of location data on you. The collection of your data, says Michelle De Mooy, the deputy director of the Privacy and Data Project at the Center for Democracy and Technology, is what you trade for being able to play the game.

“Pokemon Go is an exciting game, but takes this data collection to another level by getting finely grained location information about users,” she says, which “is used to profile, target, and make inferences about people that can have harmful effects, including access to information about jobs, and determination of creditworthiness and insurance. Also, the popularity of the game has made it a huge target for hackers.”

Pokemon Go publisher Niantic Labs is run by John Hanke, founder of the company that became Google Earth. Niantic specializes in making smartphone apps that use your physical location and smartphone camera to provide an overlay of information. Its best-known apps are Ingress, a game that began as an April Fool’s joke and requires its players to physically travel to certain spots, and Field Trip, a real-time tour guide.

Niantic did not respond to multiple requests for comment on security, safety, and privacy concerns about Pokemon Go.

Malicious hackers are notorious for glomming on to whichever popular trends are ricocheting around the Web. They use social-engineering techniques to get unsuspecting people to turn over credit card or bank account information, or even just email log-in information. But Pokemon Go’s reliance on the physical world for gameplay, along with its skyrocketing popularity, is making players put their physical safety at risk alongside their online personas.

A police officer who works in a California city with a large population of college students, who requested anonymity because he didn’t have permission from his superiors to speak to the press, says that on the first Saturday night after the game was released, he saw hundreds of college students walking around, “totally focused on the game and on their phone, and maybe not so much on their surroundings.”

“They were walking around areas where people often get robbed for their cell phones,” which he says are “the easiest thing to get robbed of because you can see the bright screen a mile away.”

Pokemon Go’s safety problems affect nonplayers, too. A Parallax reader reported that her mother’s apartment building issued a safety warning to residents because of Pokemon Go players “trying to gain access to get to the back of the property” to reach one of the game characters.

These stories follow accounts of other real or potential Pokemon-influenced situations, from inappropriate to dangerous, including fears of wandering African-American players getting attacked, crowds of players flocking to a man’s home and a Hell’s Angels clubhouse, uses of the game to discover a lover’s infidelity or market a house, gameplay at a funeral or Auschwitz, and even the discovery of a dead body. Others have complained that Niantic is not making reasonable accommodations for disabled gamers.

Many computer security experts, perhaps surprisingly, seem sanguine about the game. Security researcher Don Bailey wrote a lengthy analysis of the game as he pushed his newborn son around a park, concluding that as long as players create Pokemon-specific accounts, avoid using a jailbroken or rooted phone, and (to avoid stalkers) always play in public with a partner, the game should be fairly safe to use.

The challenge in making people aware of potential problems, says Scotland Symons, a security researcher with more than two decades in the field, is that people love playing the game.

“I’ve never seen so many people playing a game and being so happy,” she says. “[Pokemon Go] is more of a social-engineering question: ‘Can I get people to do this thing?’ And when the thing is playing Pokemon, the answer is yes.”

As smartphone apps and services develop, our resistance to passively sharing data such as our location drops, says Larry Rosen, a psychologist and researcher at California State University, Dominguez Hills, who studies consumer reactions to modern technology.

Pokemon Go “has really tapped into the quality and impact of the smartphone as a connection and entertainment device. We’re not fighting; we’re exploring, we’re getting entertained,” Rosen says. “Other than crossing the freeway and getting hit by cars, this could be an entertaining, social, and health-saving activity. Most activity on your phone requires you to be sedentary, not active.”

And as for Pokemon Go’s creators getting grabby with players’ Google permissions, as they did in the first few days after the game’s release, De Mooy of the CDT says it was indicative of how little Niantic cares for players’ rights.

“People should amend their privacy settings in Google, if applicable, and consider how comfortable they are with a large network of companies having such detailed information about them or their kids,” she says. “It’s a testament to the lack of care that the developers put into considering user privacy.”