Sen. Franken Hits Pause on Pokémon GO
After the Pokémon GO app was downloaded approximately 7.5 million times in the United States alone in its first week of release, Sen. Al Franken (D-Minn.), the chairman of the Judiciary Subcommittee on Privacy, Technology and the Law, wrote to the company about its privacy policy.
In a letter to John Hanke, CEO of Niantic, the California-based company behind the explosively popular game, the senator requested information about the app's data privacy, collection and sharing practices.
"I am concerned about the extent to which Niantic may be unnecessarily collecting, using, and sharing a wide range of users' personal information without their appropriate consent," Sen. Franken wrote. "When done appropriately, the collection and use of personal information may enhance consumers' augmented reality experience, but we must ensure that Americans'—especially children's—very sensitive information is protected."
Pokémon GO's own privacy policy suggests that Niantic can collect "a broad swath" of personal information from its players, the legislator said, that ranges from a user's general profile information to his or her precise location data and device identifiers. Users must affirmatively opt out of this collection, Sen. Franken noted, and the policy further provides that the data can be shared with "third-party service providers" for a non-exhaustive list of purposes.
Adding to the problem, media reports highlighted that Pokémon GO had full access to some users' Google accounts. Niantic responded quickly to this issue, the lawmaker acknowledged, but he asked for "continued assurance" that a fix will be implemented swiftly.
In light of these uncertainties, Sen. Franken sought "greater clarity" in how the company is addressing issues of privacy and security, particularly that of its younger players. For example, "exactly which information collected by Pokémon GO is necessary for the provision or implementation of services? Are there any other purposes for which Pokémon GO collects all of this information?" he asked.
Pokémon GO also requests permission to access a number of mobile capabilities, including the ability to control vibrations on a phone, the ability to prevent a phone from sleeping, and the capability to find contact accounts on the device. Again, Sen. Franken queried the purpose behind such requests, and wondered if they were necessary for the provision of services and if Niantic would consider making them opt in as opposed to opt out.
Looking for more details on "third-party service providers," the letter requested a list of the third parties as well as an "exhaustive[]" description of the purposes for which Pokémon GO shares or sells user data to third parties.
As for child users, Sen. Franken wondered how Niantic ensures that parents provide meaningful consent for their child's use of the app and the collection of their personal information.
Finally, he requested an update on the fix to the Google access issue and confirmation that Niantic never collected or stored any information it acquired as a result of the mistake.
Why it matters: While Niantic previously said that Google access was an error and that the company fixed the bug, this and other issues surrounding the hugely popular virtual game generated enough headlines to trigger a closer look by Sen. Franken. The notorious privacy advocate (who has pushed for data security legislation and sent similar letters to other companies regarding privacy issues, including Uber) pushed for a clarification of the app's privacy policy, including what information is being shared and with whom, as well as the logic behind an opt-out system in lieu of opt-in. As with similar developments in the popular app space, developers are on notice that with mass adoption of their games come scrutiny and skepticism about how and what user information is collected and used.