PRIVACY

Pokémon Is “Stealing” Data You’ve Already Given Away

The coolest new mobile game might access your phone, but so do all your other apps

Jul 11, 2016 at 6:42 PM ET

It’s true: Pokémon Go, the new, jaw-droppingly popular mobile game that invites users to imagine there are cartoon animals in the real world just waiting to be stuffed into tiny balls, demands a lot of access to your phone’s data.

But so do Facebook, and Twitter, and Reddit, and practically every major app on your phone.

The game is simple. Essentially, users walk around their neighborhood, running into Pokémon to capture. Once you’ve played enough, you can meet with other users and have your Pokémon battle theirs. Since it was released on Tuesday, it’s already acquired more users than Tinder, making it by far the most popular geocaching game—in which you use your phone to interact with the real world—ever created. That popularity, combined with the app’s request for a lot of permissions, has some users spooked.

Installing Pokémon Go onto your phone does give the app, and by extension Niantic, the company that created it, a host of permissions, unless you revoke or prevent them. For Android users, that means access to your phone’s camera, contacts, location, and storage. The app makes you sign in with either your Google account or a Pokemon.com account; that site has been consistently overwhelmed with traffic in recent days and might take a few refreshes before it works.

“It does ask pretty much for the same things that other apps ask for, and it actually needs them to operate,” Jessy Irwin, a popular information security advocate, told Vocativ. “You have to use the camera to catch the thing, you need location so your phone can do the whole geolocating business, you need storage so the thing works.”

But in this regard, Pokémon Go is far from unique. “Every few months, Facebook has an update and the people go wild with complaints about the permissions,” Irwin said. The latest iteration of the Facebook app for Android, for example, allows the app to access your identity, monitor your calendar’s personal information and add events without your knowledge, read and modify your contacts, determine your location via both GPS and network, read your texts, read and modify your USB storage, record audio—the company has had to repeatedly insist that one isn’t used maliciously—adjust your wallpaper, download files without telling you, prioritize which apps are running, and keep your phone from falling asleep.

“The permissions seem pretty scary on the surface, but only because we’ve been trained to think in engineering terms of access entitlements. Most of the functionality it asks for is pretty necessary to the functionality you expect from the game,” security researcher Jonathan Zdziarski told Vocativ.

“The permissions are probably more of a threat to your battery than to privacy,” he added.

Besides, your location in particular is far from secret for literally anyone who uses a cellphone in a normal manner. By definition, your carrier logs where you are by triangulating which cell phone towers you connect to, and will share such information with law enforcement if served a warrant. The NSA in particular tracks a host of cell phone users by location.

Notably, for iPhone users, if you sign in with Google, the app also asks for access to your Google account. That part doesn’t seem necessary for the game—Niantic didn’t respond to Vocativ’s request for comment. But you can both play the game and play it relatively safely, or at least no more unsafely than using other apps. Just avoid using Google to sign in, and keep reloading Pokemon.com until you can log in there.