Pokémon Go Privacy Settings: What you need to know about the app permissions hype

You’ve heard of Pokémon GO, but how much do you really know about the latest mobile gaming craze? We dive into how everything Pikachu affects your online privacy. Should you tweak your settings or alter your permissions before you try to catch ’em all? It’s time to find out.

Pokémon GO is a sensation of a scale we’ve not seen for quite some time. The craze element is familiar, but this game’s mechanics put a whole new spin on the phenomenon.

It’s location-based, so data about you is crucial to the whole operation. But what happens to that data, and how much does Niantic really know about us?

I’ve trawled through Niantic’s privacy policy and terms of service documents to find out whether Pokémon GO really is about to steal your credit card details and starting posting as you on Facebook.

Related: How to play Pokémon GO – tips and tricks

The Pokémon Go Privacy Problem — Is it safe?

Should we be worried? The answer is not simple, and has already caused a US Senator, Al Franken, to raise concerns about exactly what Pokémon GO is doing with our data.

First off, we need to examine the sort of data the app harvests. As with virtually any game like this, basic personal details are snagged before you’ve even started. It knows your name and your email address, because you either have to make a Pokémon Club account or sign in using your Google address.

Indeed, the iPhone version of the app may still have access to your entire Google account if you choose to register by that method, rather than manually creating a Pokémon Club account.

Niantic claims this is a mistake. I really, really hope it’s telling the truth there, because otherwise it can read your emails and monitor your entire digital life, which really isn’t cool.

It may be fixed by the time you read this, but if you’re concerned, make sure you’ve updated to the latest version of the app. That’s not all you need to worry about though…

Examining Permissions

The first genuine complexity pops-up when you start running the Android version, which thanks to Android Marshmallow’s new disclaimer, tells us exactly what permissions are requested, one-by-one.

Some of these are obvious. It needs the camera because this is fundamentally an augmented reality game. It needs your location because, again, it’s what Pokémon GO is about.

It needs storage access to store additional data – another no-brainer. The eyebrow-raiser is that the game also asks for access to your Contacts.

Related: How to find and catch rare Pokémon in Pokémon GO

There are plans to make Pokémon GO a multiplayer experience, but right now, that’s not the case. I’ve found no need for Contacts access as yet and chances are it won’t help you find Pikachu either.

Niantic appears to have built pre-emptive permissions into this app, ready for the next update. That is if we are to assume the Pokémon series hasn’t simply gone evil and become a Trojan horse for corporate info-gathering.

The way it asks for permissions suggests it’s simply a case of Pokémon GO, despite its insane popularity, still being a fairly rough-edged beta. All permissions are requested as the app is run, rather than as they’re needed. It’s clunky. You can also withdraw Contacts permissions in your Android phone’s settings menu and the app will still be a-go.

At least Pokémon GO doesn’t also want microphone access too, which would make it a potential one-stop surveillance app.

Location, Location, Location

To find out what Pokémon GO feels it is entitled to do with its data, we have to look into the game’s terms of service and privacy policy.

Related: The secret history of Pokémon GO

“The App is a location based game. We collect and store information about your (or your authorised child’s) location when you (or your authorised child) use our App and take game actions that use the location services made available for you (or your authorised child’s) device’s mobile operating system.”

This is as close as we get to a summation of what Pokémon GO does with our data at present. There’s no mention of any camera data being stored or uploaded, no horror-show style clauses you might find in Facebook’s ToS.

However…

Terms of Service documents are there to cover Niantic’s backside should something go wrong, with language that veers wildly between the vague and the pin-point specific when it suits the company. Still, the fact that Pokémon GO downloads more than three times as much data as it uploaded suggests image steals are unlikely.

Related: How to battle in Pokémon GO

The vagaries of vagueness

The game knows who we are, and where we are, almost to the centimetre, but this info isn’t necessarily as scary as it sounds. At this point the use of the data splits into two camps.

The first is what Niantic calls ‘PII’, or information that can specifically identify you: personal identifier information. Then there’s non-identifying “aggregate” information that turns you from a person into a nameless statistic. You can expect the latter to be sold off regularly as marketing demographic info. It’s pocket money Niantic doesn’t strictly need given it is already making a rather large fortune off us through in-app payments.

Identifying data has to be used far more carefully, and it’s here we have to cut through some legalese.

Niantic says stored location data plus “a device identifier, user settings and the operating system” of your device can be used to run, “improve and personalise our Services”. This term, “Services”, is a recurring theme of the Pokémon GO privacy policy, left rather amorphous to let it encompass planned elements that aren’t yet present in the game.

If you aren’t already picturing Pokémon you can only capture in Starbucks, or pop-up ads for nearby Bubble Tea chains that offer refreshment after a long Poké-slog, you’re not cynical enough. This data can be shared with “third party service providers” for this brand of antics, and is where the privacy question gets a little sticky.

The scope for Pokémon GO to become either a product placement paradise (from a marketing perspective) or at least awash with ads is vast. And as a free-to-play game, the market has already thoroughly legitimised these practices. They’re the norm, they are simply even juicier this time around.

Related: A beginner’s guide to Pokémon GO

The next question is: where is The Pokémon Company’s place in this? And what about Nintendo? To break down ‘ownership’ of Pokémon GO, it is made by Niantic, which was granted the license by IP-owner The Pokémon Company. Contrary to what you might hear, it is not a Nintendo game as such, although TPC is joint-owned by Nintendo, Game Freak and Creatures. They own a third each.

Niantic can share information with The Pokémon Company “only for the purpose of performing services on our behalf” for the game, and “may not disclose or use your PII for any other purpose”. As ever, that’s vague.

Niantic’s terms also absolve it of any responsibility for data protection once any data is shared, so we also need to dig into The Pokémon Company’s papers too.

The good news is that Nintendo’s rather sensible obsession with keeping the identities of younger gamers secret has bled into The Pokémon Company’s terms. “We don’t share, sell, or rent your personal information to third parties without your prior consent,” its Privacy Policy reads. Scroll a little further and you’ll see that, much like Niantic, it reserves the right to use location data to personalise ads, offers and so on, though.

Your data is a commodity. Even Niantic calls it a “business asset”. It’s going to be exploited, but likely in ways you’ll both see and, grudgingly, accept.

Niantic’s seemingly shady “third-party” partners will become clear soon enough, and your data seems less likely to be soundly abused here than it might with a start-up whose fortunes are on the downturn.

The one caveat is that Niantic says all bets are off if it goes out of business, is taken over or is part of a merger. And the near-inevitable hack of Niantic’s servers would/will be a big issue.

Niantic was once part of Google, before becoming a separate entity in 2015. Nintendo has, no surprise, invested heavily in the company and is believed to be part-owner of it as this point.

As Nintendo’s fortunes are currently on the up, on the share market at least, is it not the most likely buyer? Nintendo is probably kicking itself for not securing more of the game’s revenues already, if anything. Niantic will be worth an awful lot more now that it was a year ago.

Keeping the kids safe

Business nonsense out of the way, there are a few sensible precautions to take when playing Pokémon GO too, particularly if your kids want to get involved.

For example, Niantic has already detailed that when multiplayer features are introduced, it will be your nickname that’s shared, something you pick during character generation. You may want to avoid giving away personal data like your age (by using your birth year) or any obvious tells of your gender in this. It requires a bit more thought than the name you might use on a normal online game or a chat room.

Parents can also request that Niantic does not share any of their child’s PII data (that’s the player-identifying data) by emailing pokemongo-privacy@nianticlabs.com. It’s not entirely clear whether they’ll be able to play Pokémon GO at all after this — so prepare for a tantrum or two — but shows there are provisions in place at least.

If your dreams of a Poképaradise haven’t been ruined by the realities, we can only wish you happy hunting.

Watch The Refresh: The best tech gossip and reviews every week

What do you think of Pokémon GO? Let us know in the comments below.