The Risks of Pokémon Go!
The Pokémon Go game has hit civilization with a tsunami of success. Children and adults, pasty and weak from lack of exposure to the sun, are now out and about, chasing pocket monsters on their smartphones. Humans, skittish as they are, are raising flags that the platform might be used for nefarious purposes. I have looked into this, and wanted to pass along some thoughts as an IT Security professional with 20+ years of real-world experience.
I will state up front: I am 100% certain that there is nobody, anywhere in the world, thinking “Wow, I saw that person playing pokémon, therefore I will hack her.” Nobody. Anywhere. That is such an utterly unrealistic fear that I will not justify it further.
But maybe you don’t like what you see? Perhaps you should take some time to compare that with other commonly used applications that don’t really generate any paranoia in the media, such as Facebook, Google, and iTunes.
Here are some additional facts you should know:
- Through Pokémon, other players cannot ascertain your location (or if they can, I can’t figure out how, and have seen no evidence that such knowledge can be had). In fact, the only plausible risk to person and property that I can see would be scumbags hanging around pokégyms or popular pokéstops to rob/molest visitors. This latter could be a risk to unaccompanied small children, or people obliviously staring into their screen and not paying attention to their surroundings. Nevertheless, this is a real risk that people need to manage.
- The Niantic game “Ingress” used the same map, same locations, and same general format, and the world didn’t end. There is nothing magical or special about the Pokémon map.
- The game does not use the camera to feed information anywhere. Players don’t even have to give it access to the camera, and using the camera is completely optional for every single fight. In fact, using the camera makes the game a bit harder, so many people don’t bother.
- The game neither forces, nor requires, nor exerts any coercion upon anyone to trespass at all, let alone in sensitive areas. People who are trespassing are doing so because they’re stupid and rude. People wandering onto subway tracks and into traffic are just stupid. I have been unable to accurately measure the radius from which you can engage a Pokémon, but it is no less than 20 metres.
- The game doesn’t gather any more position data than does Tom Tom, Google Maps (on which Pokémon Go! is based), Waze, Apple Maps, FourSquare, or any number of applications that have existed for many years. Have you ever wondered how Tom Tom or Google puzzle out the shortest route or where traffic is heavy? That’s created from reported position info. The Facebook app reports about as much info to its masters as well. In short, if you have a smart phone, you crossed this privacy bridge pretty much the moment you used it for anything that wasn’t actually a phone call, which leads to…
- This isn’t the first game to do this on smartphones. It’s just the most popular in recent times.
And then there is this ridiculous meme circulating around the internet:
The “foreign company” is Japanese. Ask yourself: is it plausible that Japan is thinking of embarking on a campaign of world domination through Pokémon? If you think that is plausible, then have you considered what the “foreign company” that makes iPhones, or any Android phone, might be up to? That’s right… everyone’s smart phone is made by a foreign company, and so is the computer you’re reading this on if you’re not on a phone. A major percentage of the people who wrote all the software you’re using are foreigners too. Damn foreigners!
That meme is one of those things that does a lot of damage to goodwill toward security people. It is manifestly untrue, and intended to incite fear, uncertainty, and doubt into people who can’t be bothered to look things up.