privacy provision

You Should Probably Check Your Pokémon Go Privacy Settings

In the five frenzied days since its American release, Pokémon Go has become an economic and cultural sensation. Downloaded by millions, the game has boosted Nintendo’s market value by $9 billion (and counting), made a major case for augmented reality as the gaming format of the future, and led to a plethora ofstrange, scary, and serendipitous real-life encounters.

And as millions of users wander the country collecting Pikachus and Jigglypuffs, the Alphabet spin-off Niantic, Inc. that developed the game is collecting information about the collectors. And it’s most definitely catching them all.

Like most apps that work with the GPS in your smartphone, Pokémon Go can tell a lot of things about you based on your movement as you play: where you go, when you went there, how you got there, how long you stayed, and who else was there. And, like many developers who build those apps, Niantic keeps that information.

According to the Pokémon Go privacy policy, Niantic may collect — among other things — your email address, IP address, the web page you were using before logging into Pokémon Go, your username, and your location. And if you use your Google account for sign-in and use an iOS device, unless you specifically revoke it, Niantic has access to your entire Google account. That means Niantic has read and write access to your email, Google Drive docs, and more. (It also means that if the Niantic servers are hacked, whoever hacked the servers would potentially have access to your entire Google account. And you can bet the game’s extreme popularity has made it a target for hackers. Given the number of children playing the game, that’s a scary thought.) You can check what kind of access Niantic has to your Google account here.

It also may share this information with other parties, including the Pokémon Company that co-developed the game, “third-party service providers,” and “third parties” to conduct “research and analysis, demographic profiling, and other similar purposes.” It also, per the policy, may share any information it collects with law enforcement in response to a legal claim, to protect its own interests, or stop “illegal, unethical, or legally actionable activity.”

Now, none of these privacy provisions are of themselves unique. Location-based apps from Foursquare to Tinder can and do similar things. But Pokémon Go’s incredibly granular, block-by-block map data, combined with its surging popularity, may soon make it one of, if not the most, detailed location-based social graphs ever compiled.

And it’s all, or mostly, in the hands of Niantic, a small augmented reality development company with serious Silicon Valley roots. The company’s origins trace back to the geospatial data visualization startup Keyhole, Inc., which Google acquired in 2004; it played a crucial role in the development of Google Earth and Google Maps. And though Niantic spun off from Alphabet late last year, Google’s parent company is still one of its a major investors, as is Nintendo, which owns a majority stake in The Pokémon Company. Indeed, Google still owned Niantic when the developer released its first game, Ingress, which is what Niantic used to pick the locations for Pokémon Go’s ubiquitous Pokéstops and gyms.

Citing CEO John Hanke’s travel plans, a representative from Niantic was not able to clarify to BuzzFeed News if the company will share location data with Alphabet or Nintendo. A Google representative forwarded BuzzFeed News’ request for comment to Niantic.

However, in a statement to Gizmodo Monday night, Niantic said they started working on a fix and verified with Google that nothing beyond basic profile information had been accessed.

Once we became aware of this error, we began working on a client-side fix to request permission for only basic Google profile information, in line with the data that we actually access. Google has verified that no other information has been received or accessed by Pokémon GO or Niantic.

Google will soon reduce Pokémon GO’s permission to only the basic profile data that Pokémon GO needs, and users do not need to take any actions themselves.

Given the fact that Pokémon Go already has millions of users and that it has already attracted the attention of law enforcement, it seems likely that at some point police will try to get Niantic to hand over user information. And if Google’s track record is any indication — a report earlier this year showed that the company complied with 78% of law enforcement requests for user data — they are probably prepared to cooperate.


You Should Probably Check Your Pokémon Go Privacy Settings

Germany orders Facebook to stop collecting WhatsApp user data

27 September 2016. National data protection authority blocks recent privacy changes made by social network and commands existing shared data and phone numbers be deleted for 35 million users

Facebook, Facebook Messenger, WhatsApp, and Instagram app on Android
Facebook has been ordered to stop collecting data from WhatsApp by the German data regulator. The German data protection agency has ordered Facebook to stop collecting user data from its WhatsApp messenger app and delete any data it has already received.

The social network announced in August that it would begin sharing data from its 1 billion-plus user base, including phone numbers, from WhatsApp users with Facebook for the purpose of targeted ads. It gave users the option of opting out of the data being used for advertising purposes, but did not allow them to opt out of the data sharing between WhatsApp and Facebook. 

Hamburg’s Commissioner for Data Protection and Freedom of Information Johannes Caspar ruled on Tuesday that Facebook “neither has obtained an effective approval from the WhatsApp users, nor does a legal basis for the data reception exist”. “It has to be [the users’] decision whether they want to connect their account with Facebook. Facebook has to ask for their permission in advance.” Caspar also recalled that in the wake of Facebook’s 2014 acquisition of WhatsApp it had promised that they would not share user data.

Facebook’s German activities are headquartered in Hamburg, placing the social network under the jurisdiction of the regulator in the northern city. Caspar ordered Facebook to delete any data already received from WhatsApp in Germany, saying that he was acting to protect the privacy of Germany’s 35 million WhatsApp users and that of people saved in each user’s address books, whose details might also be forwarded under the data-sharing arrangement. 

A Facebook spokesperson said: “Facebook complies with EU data protection law. We will work with the Hamburg DPA in an effort to address their questions and resolve any concerns.” 

The California-based company has faced several privacy challenges across Europe, including those from the Belgian data protection authority, in Germany and France. Facebook has maintained that it operates in Europe from its headquarters in Ireland and that its actions are therefore governed by Irish law. The European Commission recently recommended tighter privacy and security requirements for services including WhatsApp and Microsoft-owned video calling service Skype, saying they should be regulated more like traditional telecoms. Greater regulation could result in stricter data privacy provisions as well as requirements for emergency calling services and other facilities currently the preserve of mobile and fixed line telephony services. As seen on www.theguardian.com.