Australian Privacy Commissioner pokes Niantic for making Pokémon Go catch it all

The Office of the Australian Information Commissioner has asked Niantic to ensure all data it collects complies with the Australian Privacy Act.


The popularity of Pokémon Go has raised security concerns after the app accessed users' personal information, prompting the Australian privacy commissioner to intervene.

The augmented reality game uses GPS on mobile devices to detect fictional Pokémon characters, which users then find by travelling to their location. The game, which debuted earlier this month and is said to have more users than Twitter, has become wildly successful.

But the app also previously gained permission to access Apple device owners' Google data, despite not needing it, prompting the office of Australian Privacy Commissioner Timothy Pilgrim to contact its developer.

Pilgrim said his office had contacted Pokémon Go's developers to ensure they were managing personal data in accordance with the Privacy Act.

"This is a timely reminder that people need to read the privacy policies of all smartphone apps before signing up," Pilgrim said.

Rather than explicitly asking permission for full account access, the app would skip to terms of service, resulting in full access to the user's inboxes, profile information, Google Drive, and search and location history, with the ability to read and modify the data.

Under the terms of Pokémon Go's privacy policy, the company states it could potentially sell the personal data it acquires, and considers players' personal information to be a business asset.

Developer Niantic Labs said the access was requested in error and that they corrected the permissions in an update on Tuesday, but researchers say smartphone apps are increasingly rifling through sensitive personal information they do not need.

Ari Rubinstein of Product Security at Slack noted in a blog post that full access was most likely an honest mistake: "There is an undocumented flow of being able to exchange a token with the https://www.google.com/accounts/OAuthLogin scope for a session token for google properties," he said. "I believe this is a mistake on Google and Niantic's part, and isn't being used maliciously in the way that was originally suggested."

CSIRO's Data61 Networks Group research leader Dr Daali Kaafar said that "the issue is not confined to this particular app ... it is very, very common. It is estimated that more than half of the (Android) apps are accessing things they don't need."

He said even though Pokémon Go was an example of accidentally accessing more data than necessary, it was endemic in a market that had become hungrier and hungrier for data.

The permissions apps request go beyond simple collection of personal details and, in extreme examples, can let apps monitor text messages and track all browser traffic sent from a device.

Several simple torch apps on the Android market also request your location on download, Kaafar said.

Canberra University's Centre for Internet Security director Nigel Phair said users don't realise the value of the information they hand over.

"That's the problem: people don't value their personally identifying information ... we still haven't got this correlation between real world and online," Phair said.

He said it was pretty obvious that companies like Google carve most of their profits out of other people's information by using it for lucrative targeted advertising, and urged the ACCC to be more active in policing the market.

"We need carrot and stick. The ACCC do a great job in so many other areas, this is just another consumer area they need to devote resources to," he said.

The ACCC said it could get involved if Australian Consumer Law was breached by businesses misleading consumers about the information they collect.

Both Phair and Kaafar said it was unrealistic to expect users to read often opaque privacy policies; Pokémon Go's is nearly 3,000 words long.

Phair said the onus shouldn't fall solely on consumers, and that a simple explanation of app permissions could properly inform users.

Ever since the Australian Federal Budget of 2014 was handed down, the Office of the Australian Information Commissioner has been in a state of limbo with regard to its future.

Initially set to be disbanded, the office struggled on without any funding set aside for it thanks to an obstinate Senate refusing to pass the legislation that would abolish it.

After its near-death experience, the office was eventually handed AU$9.3 million annually for the next four years in the 2016 budget, although that funding will mostly be syphoned off the Australian Human Rights Commission.

As well as being the Australian Privacy Commissioner, Pilgrim has been in the role of Acting Australian Information Commissioner since July 2015 on a series of three-month appointments.

Pilgrim's current appointments are to expire next Tuesday.

With AAP