Sen. Franken Takes Aim at Pokémon Go

Sen. Al Franken (D-Minn.) has fired off a letter to Pokémon Go game developer Niantic raising alarm bells over the smartphone game app's collection, use and sharing of user data in what Franken calls potentially concerning ways.

Since the augmented reality app launched July 6, it has been downloaded over seven million times and has kids and adults wandering highways, byways, parks and strip malls in search of Pokémon characters. It was even the subject of some pre-hearing chatter at an FCC oversight hearing Tuesday and was then mentioned in passing by FCC Chairman Tom Wheeler.

"Recent reports, as well as Pokémon GO’s own privacy policy, suggest that Niantic can collect a broad swath of personal information from its players," said Franken in his letter to Niantic CEO John Hanke. "From a user’s general profile information to their precise location data and device identifiers, Niantic has access to a significant amount of information, unless users – many of whom are children – opt-out of this collection," Franken said.

"Pokémon GO’s privacy policy states that all of this information can then be shared with The Pokémon Company and 'third party service providers,' details for which are not provided, and further indicates that Pokémon GO may share de-identified or aggregated data with other third parties for a non-exhaustive list of purposes. Finally, Pokémon GO’s privacy policy specifically states that any information collected – including a child’s – 'is considered to be a business asset' and will thus be disclosed or transferred to a third party in the event that Niantic is party to a merger, acquisition, or other business transaction.

"I am concerned about the extent to which Niantic may be unnecessarily collecting, using, and sharing a wide range of users’ personal information without their appropriate consent," said Franken in his letter. "I believe Americans have a fundamental right to privacy, and that right includes an individual’s access to information, as well as the ability to make meaningful choices, about what data are being collected about them and how the data are being used. As the augmented reality market evolves, I ask that you provide greater clarity on how Niantic is addressing issues of user privacy and security, particularly that of its younger players."

The full text of the letter is reprinted below:

Mr. John Hanke, CEO

Niantic, Inc.

Dear Mr. Hanke:

I am writing to request information about Niantic’s recently released augmented reality app, Pokémon GO, which – in less than a week’s time – has been downloaded approximately 7.5 million times in the United States alone. While this release is undoubtedly impressive, I am concerned about the extent to which Niantic may be unnecessarily collecting, using, and sharing a wide range of users’ personal information without their appropriate consent. I believe Americans have a fundamental right to privacy, and that right includes an individual’s access to information, as well as the ability to make meaningful choices, about what data are being collected about them and how the data are being used. As the augmented reality market evolves, I ask that you provide greater clarity on how Niantic is addressing issues of user privacy and security, particularly that of its younger players.

Recent reports, as well as Pokémon GO’s own privacy policy, suggest that Niantic can collect a broad swath of personal information from its players. From a user’s general profile information to their precise location data and device identifiers, Niantic has access to a significant amount of information, unless users – many of whom are children – opt-out of this collection. Pokémon GO’s privacy policy states that all of this information can then be shared with The Pokémon Company and “third party service providers”, details for which are not provided, and further indicates that Pokémon GO may share de-identified or aggregated data with other third parties for a non-exhaustive list of purposes. Finally, Pokémon GO’s privacy policy specifically states that any information collected – including a child’s – “is considered to be a business asset” and will thus be disclosed or transferred to a third party in the event that Niantic is party to a merger, acquisition, or other business transaction.

Media reports have also highlighted that Pokémon GO has full access to some users’ Google accounts, which includes their Gmail services. We recognize and commend Niantic for quickly responding to these specific concerns, and ask for continued assurance that a fix will be implemented swiftly. When done appropriately, the collection and use of personal information may enhance consumers’ augmented reality experience, but we must ensure that Americans’ – especially children’s – very sensitive information is protected.

In light of these uncertainties, I respectfully request that you respond to the following questions by August 12, 2016:

1. Pokémon GO has stated that it collects a broad array of users’ personal information, including but not limited to a user’s profile and account information, their precise location data, and information obtained through Cookies and Web Beacons. Can you explain exactly which information collected by Pokémon GO is necessary for the provision or improvement of services? Are there any other purposes for which Pokémon GO collects all of this information?

2. According to reports, Pokémon GO also requests permission to access a number of mobile capabilities, including but not limited to the ability to control vibration on a phone, prevent the phone from sleeping, and find contact accounts on the device. Can you explain exactly which features and capabilities are necessary for Pokémon GO to access for the provision or improvement of services? Are there any other purposes for which Pokémon GO has access to all of these features and capabilities?

3. If, in fact, some of the information collected and/or permissions requested by Pokémon GO are unnecessary for the provision of services, would Niantic consider making this collection/access opt-in, as opposed to requiring a user to opt-out of the collection/access?

4. Pokémon GO has stated that users’ information can be shared with The Pokémon Company and “third party service providers”. Can you provide a list of current service providers? Does Pokémon GO also share users’ information with investors in Pokémon GO?

5. Pokémon GO has further indicated that it shares de-identified and aggregate data with other third parties for a multitude of purposes. Can you more exhaustively describe the purposes for which Pokémon GO would share or sell such data? 

6. Can you describe how Niantic ensures parents provide meaningful consent for their child’s use of Pokémon GO and thus the collection of their child’s personal information? Apart from publicly available privacy policies, how does Niantic inform parents about how their child’s information is collected and used? 

7. According to reports, signing into Pokémon GO on iOS through a user’s Google account gives Niantic full access to an individual’s Google account without the user’s knowledge. Niantic has since recognized that it erroneously asked for more permissions than it intended. Can you provide an update on any fix Niantic is seeking to correct this mistake? Also, please confirm that Niantic never collected or stored any information it gained access to as a result of this mistake.

Thank you for your prompt attention to this important matter, and please do not hesitate to contact me.

John Eggerton

Contributing editor John Eggerton has been an editor and/or writer on media regulation, legislation and policy for over four decades, including covering the FCC, FTC, Congress, the major media trade associations, and the federal courts. In addition to Multichannel News and Broadcasting + Cable, his work has appeared in Radio World, TV Technology, TV Fax, This Week in Consumer Electronics, Variety and the Encyclopedia Britannica.