News

Pokemon Go Security Fixes Are Coming

by Noor Al-Sibai

Just last week, the sight of gaggles of people wandering aimlessly while staring at their phones would have caused confusion. Now, however, it's safe to assume they're playing Pokémon GO, the latest (and most popular) installment in the Nintendo franchise. On Monday, reports that the uber-popular game had been given "full access" to some users' Google accounts began circulating, causing some people to wonder: What can Pokémon GO access on your Google account?

You may recall that when you first logged into the app, you had the option to either sign up with Google or create a Pokémon G-specific account. Many users opted to go with the Google sign up (myself included). Cybersecurity analyst Adam Reeve pointed out that Pokémon GO seemed to have been granted "full access" on Google, and later, many other users on iPhones found the same thing.

Before Niantic (the creators of Pokémon GO) announced that they'd "erroneously" granted the app full account access on Google, the only fix was to revoke the app's access and lose all your Pokémon. Now, Niantic says they're working with Google to fix the access issue, and that soon the app will only be able to access "only the basic profile data that Pokémon GO needs".

Now that the fix is on its way, techies are working to figure out exactly what Pokémon GO/Niantic will be able to access. According to their statement, "Google has verified that no other information has been received or accessed by Pokémon GO or Niantic."

While Niantic's statement said Pokémon GO only accesses your Google user ID and email address, parts of the Pokémon GO privacy policy are definitely troublesome:

We take appropriate administrative, physical, and electronic measures designed to protect the information that we collect from or about you or your authorized child from accidental or unlawful destruction, accidental loss or unauthorized access, use, modification, interference, or disclosure. Please be aware, however, that no method of transmitting information over the Internet or storing information is completely secure. Accordingly, we cannot guarantee the absolute security of any information.

It gets worse:

Your (or your authorized child's) PII may be transferred to, and maintained on, computers located outside of your state, province, country, or other governmental jurisdiction where the privacy laws may not be as protective as those in your jurisdiction.

This kind of legally-obligated information sharing is, unfortunately, nothing new. On Facebook's expansive Privacy Policy landing page, they outline the places your information may go: to legal entities like the FBI if they have "a good faith belief" that the law requires it (based on subpoenas for cases investigating fraud or other illegal activity), but also to "Advertising, Measurement and Analytics Services" (though they specify that it's "non-personally identifiable information" only). Additionally, your info can go to, "Vendors, service providers and other partners," and "Apps, websites and third-party integrations on or using our Services."

While Niantic and Google work to fix this embarrassing Pokémon GO security risk, users are uncomfortably reminded that nothing they share online is secure. The only real way to ensure information security is to stay off the internet entirely, but when Pokémon are so cute and fun, it makes it very difficult.