Sen. Franken Presses Makers of "Pokemon GO" Smartphone App Over Privacy Concerns
Launched Last Week, Pokemon GO Has Already Been Downloaded an Estimated 7.5 Million Times by Smartphone Users; The App Collects, Uses, and Shares a Wide Range of Users' Digital Data in Potentially Concerning Ways
Today, U.S. Sen. Al Franken (D-Minn.) raised the alarm over potentially serious privacy concerns with "Pokémon GO," a new smartphone game that millions of users around the country have downloaded over the past week.
Launched on July 6, Pokémon GO is a so-called "augmented reality app," meaning that it blends the real world and virtual world by using technology like your phone and GPS tracking. And that also means the app wants access to a whole trove of your personal data and information—things like your precise location, your email address, IP address, the last website you looked at, and according to initial reports, even access to the contents of your Gmail account.
Sen. Franken finds that kind of access to user information troubling, which is why today he's called on Niantic, the company that developed the game, to explain how it collects user data and what it does with that data. You can read a copy of his letter by clicking here.
"Pokémon GO—in less than a week's time—has been downloaded approximately 7.5 million times in the United States alone," wrote Sen. Franken, who is the top Democrat on the Senate Privacy and Technology Subcommittee. "While this release is undoubtedly impressive, I am concerned about the extent to which Niantic may be unnecessarily collecting, using, and sharing a wide range of users' personal information without their appropriate consent. I believe Americans have a fundamental right to privacy, and that right includes an individual's access to information, as well as the ability to make meaningful choices, about what data are being collected about them and how the data are being used. As the augmented reality market evolves, I ask that you provide greater clarity on how Niantic is addressing issues of user privacy and security, particularly that of its younger players."
Sen. Franken has long been an advocate of protecting Americans' privacy, especially in light of new technologies. In 2015, he reintroduced his Location Privacy Protection Act, which would give consumers more control over their private location information.
You can read the full text of today's letter by clicking here or reading below.
Mr. John Hanke, CEO
Dear Mr. Hanke:
I am writing to request information about Niantic's recently released augmented reality app, Pokémon GO, which - in less than a week's time - has been downloaded approximately 7.5 million times in the United States alone. While this release is undoubtedly impressive, I am concerned about the extent to which Niantic may be unnecessarily collecting, using, and sharing a wide range of users' personal information without their appropriate consent. I believe Americans have a fundamental right to privacy, and that right includes an individual's access to information, as well as the ability to make meaningful choices, about what data are being collected about them and how the data are being used. As the augmented reality market evolves, I ask that you provide greater clarity on how Niantic is addressing issues of user privacy and security, particularly that of its younger players.
Media reports have also highlighted that Pokémon GO has full access to some users' Google accounts, which includes their Gmail services. We recognize and commend Niantic for quickly responding to these specific concerns, and ask for continued assurance that a fix will be implemented swiftly. When done appropriately, the collection and use of personal information may enhance consumers' augmented reality experience, but we must ensure that Americans' - especially children's - very sensitive information is protected.
In light of these uncertainties, I respectfully request that you respond to the following questions by :
1. Pokémon GO has stated that it collects a broad array of users' personal information, including but not limited to a user's profile and account information, their precise location data, and information obtained through Cookies and Web Beacons. Can you explain exactly which information collected by Pokémon GO is necessary for the provision or improvement of services? Are there any other purposes for which Pokémon GO collects all of this information?
2. According to reports, Pokémon GO also requests permission to access a number of mobile capabilities, including but not limited to the ability to control vibration on a phone, prevent the phone from sleeping, and find contact accounts on the device. Can you explain exactly which features and capabilities are necessary for Pokémon GO to access for the provision or improvement of services? Are there any other purposes for which Pokémon GO has access to all of these features and capabilities?
3. If, in fact, some of the information collected and/or permissions requested by Pokémon GO are unnecessary for the provision of services, would Niantic consider making this collection/access opt-in, as opposed to requiring a user to opt-out of the collection/access?
4. Pokémon GO has stated that users' information can be shared with The Pokémon Company and "third party service providers". Can you provide a list of current service providers? Does Pokémon GO also share users' information with investors in Pokémon GO?
5. Pokémon GO has further indicated that it shares de-identified and aggregate data with other third parties for a multitude of purposes. Can you more exhaustively describe the purposes for which Pokémon GO would share or sell such data?
6. Can you describe how Niantic ensures parents provide meaningful consent for their child's use of Pokémon GO and thus the collection of their child's personal information? Apart from publicly available privacy policies, how does Niantic inform parents about how their child's information is collected and used?
7. According to reports, signing into Pokémon GO on iOS through a user's Google account gives Niantic full access to an individual's Google account without the user's knowledge. Niantic has since recognized that it erroneously asked for more permissions than it intended. Can you provide an update on any fix Niantic is seeking to correct this mistake? Also, please confirm that Niantic never collected or stored any information it gained access to as a result of this mistake.Thank you for your prompt attention to this important matter, and please do not hesitate to contact me.