A privacy organization is asking the federal government to investigate the spying on consumers that goes on when they play the surging Pokemon GO app on their cell phones, especially since a key player behind the software is a man whose data-collection practices raised alarms when they were used for Google’s Street View.
The letter was dispatched recently by the Electronic Privacy Information Center to Edith Ramirez of the Federal Trade Commission.
The game has caught the attention of the American public – indeed, the world – and hundreds of thousands of people if not millions are staring at their cell phones these days looking for the Pokemon characters that are tied to GPS coordinates so they can be captured.
But the letter from Marc Rotenberg, EPCI’s president, and Claire Gartland, its consumer-protection counsel, calls for close scrutiny of the operations of Niantic, Inc., the app developer.
“As you are likely aware, Niantic granted itself full access to users’ Google accounts when it first released the Pokemon GO app. This was almost certainly in violation of the Federal Trace Commission’s … earlier consumer privacy decisions and posed an enormous security risk to millions of Internet users who downloaded the app,” the letter said.
“The company concedes that it made a serious mistake, but questions remain about the scope of Niantic’s ongoing data collection practices, a similar episode involving Google Street View and the Niantic CEO, as well as Niantic’s ongoing relationship with Google.”
That “full access,” the letter explained, “allowed the company to view users’ contacts; view and send email; view and delete Google Drive documents; access search and map navigation history; and view private photos stored in Google Photos,” the letter warned.
“At no time did Niantic request user permission for full access to Google accounts; users simply logged in to the app via their Google account without receiving any additional information about what data will be accessed.”
The letter explained that similar practices, in the past, have been found by the FTC to be unfair or deceptive.
Further, even though those permissions now have been cut back, still “Niantic can view users’ email addresses and associate users with their public Google profiles.”
And, too, “This is not the first time that Niantic’s founder and CEO, John Hanke, has been at the center of a privacy controversy. Hanke was a cofounder of Keyhole, the company purchased by Google to develop Google Earth. While at Google, Hanke oversaw the development of Google Maps, Earth, and Street view. Google Street View raised serious privacy concerns when it launched in 2007, sparked by the collection and display of images obtained by the Google Street View cameras,” the letter warned.
And as part of that data collection operation, Google admitted it collected “a vast amount” of WiFi data.
“Google revealed that it gathered MAC addresses (the unique device ID for WiFi hotspots) and network SSIDs (the user-assigned network ID name) tied to location information for private wireless networks. Google also admitted that it intercepted and stored WiFi transmission data, stating that ‘in some instances entire emails and URLs were captured, as well as passwords.'”
The privacy group’s alarm was evident.
“History suggests Niantic will continue to disregard consumer privacy and security, which increases the need for close FTC scrutiny as Niantic’s popularity – and trove of sensitive user data – continues to grow. … There is little reason to trust the assurance regarding the current state of Niantic’s data collection practices.”
The data collected includes device identifiers, user settings, device operating systems, IP addresses; and “the web page last visited before accessing the app.'”
“Niantic does not explain the scope of information gathered from Google profiles or why this is necessary to the function of the Pokemon GO app,” the letter warns. That information, described by one industry expert as “one of, if not the most, detailed [location-datae] social graphs every compiled,” eventually could be shared, then, with others such as “third-party service providers,” “third parties” and “government or law enforcement.”
Even “private parties.”
The letter suggests “it’s prudent to expect some of your location data to end up in Google’s hands.”
“Collecting and compiling detailed maps of consumers location history causes substantial injury to consumers by posing serious safety and privacy risks of abusive data practices and identity theft,” EPCI warns.