WASHINGTON – Rob Knauff has lost 43 pounds playing Pokemon Go. The Inver Grove Heights man walks constantly in search of characters to capture in the popular real-time smartphone app. So do his sons, ages 15 and 18.
Knauff, 39, loves the game. He knows that the creator of Pokemon Go is gathering his and his children’s movements as a condition of playing. He did not realize that it is also gathering a vast amount of other information from their mobile devices. Still, he is not worried.
“I don’t have anything anyone needs,” he said.
Privacy experts are not so sure. What the makers of Pokemon Go know about players begins with location. But it also includes access to “photo, media and files on the device, camera and contacts,” Pokemon Go creator Niantic recently told U.S. Sen. Al Franken of Minnesota.
“Network provider information is also collected,” Niantic said in a letter addressing privacy concerns Franken raised. “Country is collected and stored … language may be stored … items collected or purchased … mobile operating system, mobile device identifier, and hardware build information.”
The trove of personal data that Pokemon Go and other popular smartphone apps obtain and keep on users has led privacy advocates to warn that players risk having personal details exploited commercially and possibly criminally.
In 2013, the Federal Trade Commission found that Goldenshores Technologies deceived tens of millions of users of its Brightest Flashlight app by collecting location data and transferring it to third parties — including advertising networks — without permission.
The issue of surreptitious or overly broad personal data collection led Carnegie Mellon University to create privacygrade.org, a website that “measures the gap between people’s expectations of an app’s behavior and the app’s actual behavior.”
Smartphone apps that track people’s movements yield a revealing personal profile over time, said Claire Gartland, consumer protection counsel for the Electronic Privacy Information Center, known as EPIC.
“It provides a detailed map of day-to-day lives: where you live, where you work, where your kids go to day care,” Gartland explained. Global positioning system “functionality is very precise. It can tell whether a woman visits a health clinic or if someone goes to an AA meeting.”
Police in the St. Louis area believe three men used the Pokemon Go app to lure players in a string of robberies. Police at the University of Maryland said they think the same thing happened there.
Niantic did not respond to a Star Tribune request to comment on Pokemon Go data collection.
The company told Franken it accessed players’ information only to enhance the game’s performance. The real-time app can only work with access to device location data, the company wrote.
Franken, who helped create the privacy, technology and law subcommittee of the Senate Judiciary Committee, said he is “largely satisfied” with Niantic’s explanation, but wants to better understand whether the company keeps user information anonymous and whether it can be sold, even though Niantic has no plans to do so at this time.
Smartphone app users “are more the product than the customer” for companies like Niantic, Franken said. “That’s the business model, and you have to understand that.”
Players seem less worried about their camera rolls and contact lists being compromised than about finding and capturing Pokemon.
“It doesn’t feel threatening that they have that information,” said 60-year-old Bev Mello of Plymouth. She encouraged her daughter and son-in-law to join in an activity that keeps her moving.
Niantic has a program for parental control of players younger than 13. But children younger than 13 can sign up merely by fudging their birthdays and the company has no way of knowing, EPIC’s Gartland said.
Protecting those youngsters, however small their number, is a big issue for privacy advocates like Franken.
“There are things you can’t anticipate,” Franken said. “You always have concern for children. You want to reassure parents that their kids are safe. Location [data] can tell people where you go. There is a concern that someone else can get that data.”
The ability of Pokemon Go players to lure others to locations recently caused New York Gov. Andrew Cuomo to order corrections officials to restrict paroled sex offenders’ access to the app.
A Google search for the term “Pokemon Go robbery” yielded news reports of app players being robbed in areas around St. Louis; Dallas; College Park, Md.; London, and Fresno and Berkeley, Calif.
Most of those cases appear to be crimes of opportunity and not exploitation of the app’s “lure” functions, said Mike Johnson of the University of Minnesota’s Technology Leadership Institute. But multiple thefts in and around St. Louis show the way in which bad guys can abuse the app to target victims.
Johnson and other cyber security experts worry more about massive personal data collection and retention. It speaks to a more general challenge with technology.
“People will download apps with a complete lack of awareness,” Johnson said.
Franken has proposed a location privacy bill that requires app users to give specific permission for location data to be collected, a process called opt-in.
The security of information storage for popular apps like Pokemon Go is another issue. Identity theft by hackers is a possible risk, Johnson said.
“The National Security Agency got hacked,” he noted. “If the NSA can’t protect its information, how can we expect Niantic to? If the information is valuable enough, there’s a chance someone will try to steal it.”
Johnson, who directed cybersecurity in the financial services industry for 15 years, describes himself as “pro-business.” But he also knows that the business model of smartphone app developers and distributors is to “monetize data.”
“If they weren’t regulated [by government],” Johnson said, “they would collect everything.”