Level 3 Communications

Alex Giusto

Let’s Pokéstop: A Moment of Reflection on PoGo’s Recent Privacy Revelations

Anyone with a smartphone, TV or internet access has heard about the current cultural phenomenon that is Pokémon Go. For me, this app has been delightfully addicting, but I’ve also felt the frustrations of trying to play through the game’s technical glitches. In the week or so I’ve been playing, I’ve experienced app failures, battery loss and waited anxiously for my data usage to reset. I’d been warned all of these things would happen, but I hadn’t given the seemingly simple act of signing-in a second thought…until now.

I assumed using my Google account to login would allow Niantic, Pokémon Go’s developer, access to the “basic” information necessary to create an in-app profile. Little did I know, I had actually given them  full access to my Google account, all apps therein, and the personal information each app contained. Once made aware of the problem, Niantic worked quickly to correct the issue for both iOS and Android users.

Niantic is COPPA (Children’s Online Privacy Protection Act) compliant, given a large percentage of their target audience is under 13, and they agree to provide privacy policy changes by “posting them on the services or by sending you an email or other notification.” Unfortunately, I received no such notice when the accidental collection of my personal information occurred (did you?). Luckily, both iOS and Android patch updates have been released and should be immediately downloaded (if you haven’t done so already).

But that doesn’t make me feel a whole lot better about the experience. As much as I’d like to trust game developers, or any company for that matter, I’d want to ensure my personal information isn’t so easily accessed next time.

Although we can all complain that companies shouldn’t access this information without more clear and conspicuous consent, it’s equally important to take the necessary steps to protect yourself against future mistakes. As our Senior Vice President of Global Security Services, Chris Richter, often comments: security is an individual responsibility. So, what should you do immediately?

  1. Update your password – although Niantic may have already accessed your account, it should prevent them from accessing it again in the near future. Best practices say to update your email and social media passwords every 6-8 weeks, and use a variation of capital and lowercase letters and symbols.
  2. Be aware of what the applications you are installing access. Always read the “terms and conditions” thoroughly when giving permission to any application and reach out to the company if any of their disclosures give you pause.
  3. Limit personal information within all email and social media accounts.

In addition, Level 3’s Chief Security Officer, Dale Drew, has the below recommendations and advice for game developers like Niantic:

  1. Be better aware of the data you have access to and of which you are requesting access.
  2. Provide “data access disclosures” as part of the application install process.
  3. All companies with a web facing presence will be subject to DDoS attacks. Make sure you have a DDoS mitigation service in place to help maintain the customer experience. And always have a Plan B.

For the smartphone providers hosting the applications, he says:

  1. Provide more granular controls of access to data. This will help prevent legitimate and rogue applications from gaining access to data the application doesn’t need to perform.

In addition to the PII woes, Niantic’s servers suffered DDoS attacks, with both PoodleCorp and OurMine claiming responsibility for crippling the servers. OurMine, which describes itself as a “white hat” hacker group, warned Niantic “no one will be able to play this game til Pokemon Go contact us on our website to teach them how to protect it.” Just as intended, OurMine showed everyone that no company, no matter how large or small, is safe from attempted attacks.

Whether you’re concerned about your personal information or your company’s critical data, it’s imperative to proactively and thoroughly protect it. Because once it’s out there, you can never get it back.

Concerned you may come under attack? Check out Level 3’s DDoS Mitigation and other security solutions.


Alex Giusto is the media and entertainment vertical strategist for marketing in North America at Level 3. When she’s not working, you can find her playing volleyball or hanging with her hedgehog pal, Henry.