Yesterday there was a lot of kerfuffle over the discovery that the instant hit game Pokemon Go was collecting an excessive amount of information from people’s Google accounts. In a statement to Polygon, Niantic directly responded to the situation.
“We recently discovered that the Pokémon GO account creation process on iOS erroneously requests full access permission for the user’s Google account. However, Pokémon GO only accesses basic Google profile information (specifically, your User ID and email address) and no other Google account information is or has been accessed or collected. Once we became aware of this error, we began working on a client-side fix to request permission for only basic Google profile information, in line with the data that we actually access. Google has verified that no other information has been received or accessed by Pokémon GO or Niantic. Google will soon reduce Pokémon GO’s permission to only the basic profile data that Pokémon GO needs, and users do not need to take any actions themselves.”
So everything is going to be fine.
Just in case you weren’t aware of what happened yesterday, here’s the story.
In a Tumblr post titled “Pokemon Go is a huge security risk”, Adam Reeve detailed his findings. To play Pokemon Go you need to sign up with either a pokemon.com account or a Google account, and given the overwhelming demand for the game, the pokemon.com sign-up option has been taken down for now.
Adam chose the Google option, expecting a notification from Google telling him specifically what the app was going to use from his account. When that didn’t come up, he decided to look it up manually in the account settings page. He was surprised to see “Pokemon Go has full access to your Google account” as the answer. What does it mean though? According to Adam, Pokemon Go and Niantic were able to read all your email, send email as you, access Google Drive documents, look through your photos and search history, and a “whole lot more”.
But he was willing to give Niantic the benefit of the doubt.
“Now, I obviously don’t think Niantic are planning some global personal information heist. This is probably just the result of epic carelessness. But I don’t know anything about Niantic’s security policies. I don’t know how well they will guard this awesome new power they’ve granted themselves, and frankly I don’t trust them at all. I’ve revoked their access to my account, and deleted the app. I really wish I could play, it looks like great fun, but there’s no way it’s worth the risk.”
It’s good to see that this issue was addressed quickly by everyone involved, for sure.