Wednesday, July 13, 2016

US Senator Al Franken concerned about Pokemon privacy

from http://boingboing.net/2016/07/13/us-senator-al-franken-concerne.html

US Senator Al Franken doesn't think Niantic, the creators of Pokemon GO, need all your personal information. He sent Niantic CEO John Hanke the following letter:

Dear Mr. Hanke:

I am writing to request information about Niantic's recently released augmented reality app, Pokemon GO, which - in less than a week's time - has been downloaded approximately 7.5 million times in the United States alone. While this release is undoubtedly impressive, I am concerned about the extent to which Niantic may be unnecessarily collecting, using, and sharing a wide range of users' personal information without their appropriate consent. I believe Americans have a fundamental right to privacy, and that right includes an individual's access to information, as well as the ability to make meaningful choices, about what data are being collected about them and how the data are being used. As the augmented reality market evolves, I ask that you provide greater clarity on how Niantic is addressing issues of user privacy and security, particularly that of its younger players.

Recent reports, as well as Pokemon GO's own privacy policy, suggest that Niantic can collect a broad swath of personal information from its players. From a user's general profile information to their precise location data and device identifiers, Niantic has access to a significant amount of information, unless users - many of whom are children - opt-out of this collection. Pokemon GO's privacy policy states that all of this information can then be shared with The Pokemon Company and "third party service providers", details for which are not provided, and further indicates that Pokemon GO may share de-identified or aggregated data with other third parties for a non-exhaustive list of purposes. Finally, Pokemon GO's privacy policy specifically states that any information collected - including a child's - "is considered to be a business asset" and will thus be disclosed or transferred to a third party in the event that Niantic is party to a merger, acquisition, or other business transaction.

Media reports have also highlighted that Pokemon GO has full access to some users' Google accounts, which includes their Gmail services. We recognize and commend Niantic for quickly responding to these specific concerns, and ask for continued assurance that a fix will be implemented swiftly. When done appropriately, the collection and use of personal information may enhance consumers' augmented reality experience, but we must ensure that Americans' - especially children's - very sensitive information is protected.

In light of these uncertainties, I respectfully request that you respond to the following questions by August 12, 2016:

1. Pokemon GO has stated that it collects a broad array of users' personal information, including but not limited to a user's profile and account information, their precise location data, and information obtained through Cookies and Web Beacons. Can you explain exactly which information collected by Pokemon GO is necessary for the provision or improvement of services? Are there any other purposes for which Pokemon GO collects all of this information?

2. According to reports, Pokemon GO also requests permission to access a number of mobile capabilities, including but not limited to the ability to control vibration on a phone, prevent the phone from sleeping, and find contact accounts on the device. Can you explain exactly which features and capabilities are necessary for Pokemon GO to access for the provision or improvement of services? Are there any other purposes for which Pokemon GO has access to all of these features and capabilities?

3. If, in fact, some of the information collected and/or permissions requested by Pokemon GO are unnecessary for the provision of services, would Niantic consider making this collection/access opt-in, as opposed to requiring a user to opt-out of the collection/access?

4. Pokemon GO has stated that users' information can be shared with The Pokemon Company and "third party service providers". Can you provide a list of current service providers? Does Pokemon GO also share users' information with investors in Pokemon GO?

5. Pokemon GO has further indicated that it shares de-identified and aggregate data with other third parties for a multitude of purposes. Can you more exhaustively describe the purposes for which Pokemon GO would share or sell such data?

6. Can you describe how Niantic ensures parents provide meaningful consent for their child's use of Pokemon GO and thus the collection of their child's personal information? Apart from publicly available privacy policies, how does Niantic inform parents about how their child's information is collected and used?

7. According to reports, signing into Pokemon GO on iOS through a user's Google account gives Niantic full access to an individual's Google account without the user's knowledge. Niantic has since recognized that it erroneously asked for more permissions than it intended. Can you provide an update on any fix Niantic is seeking to correct this mistake? Also, please confirm that Niantic never collected or stored any information it gained access to as a result of this mistake.

Thank you for your prompt attention to this important matter, and please do not hesitate to contact me, or Leslie Hylton on my staff, at (202) 224-5641.

Sincerely,

Al Franken

U.S. Senator

