The runaway success of the interactive augmented reality game Pokémon GO was overshadowed this week by privacy complaints, prompting the app to issue an update to its policies—but critics, including Sen. Al Franken (D-Minn.), remained concerned that its parent company is still trying to "catch them all."
Franken wrote a letter (pdf) to Niantic Inc CEO John Hanke on Tuesday asking for information about the app and expressing concern "about the extent to which Niantic may be unnecessarily collecting, using, and sharing a wide range of users' personal information without their appropriate consent."
"As the augmented reality market evolves, I ask that you provide greater clarity on how Niantic is addressing issues of user privacy and security, particularly that of its younger players," wrote Franken, who chairs the Senate Subcommittee on Privacy, Technology, and the Law.
Using players' GPS coordinates and Google map of their city, Pokémon GO superimposes characters from the games for users to catch and train for virtual battle against other players.
It was revealed earlier this week that Pokémon GO users were, in signing up, automatically granting Niantic access to their email address, IP address, browsing history, and location, among other data, unless they opted out of certain authorizations listed in a lengthy terms of service agreement.
And iPhone users who signed in with their Google accounts and did not opt out were allowing Niantic full access to their accounts, including read and write privileges to their email.
Niantic claimed that particular policy was a mistake, issuing an update that removed that access and instead only collected users' names and Gmail addresses. But Franken wrote that other privacy issues remained.
"We recognize and commend Niantic for quickly responding to these specific concerns, and ask for continued assurance that a fix will be implemented swiftly," his letter continued.
Marc Rotenberg, president of the digital rights group Electronic Privacy and Information Center (EPIC), told the Wall Street Journal on Wednesday that there were no practical reasons for the app to request personal information.
"You can build a game that superimposes graphics over the real world, that relies on maps and locations, without having to know a person's name," he said. "Niantic made the choice not to do that."
Franken issued several questions for Hanke to answer, including:
- Can you explain exactly which information collected by Pokémon GO is necessary for the provision or improvement of services? Are there any other purposes for which Pokémon GO collects all of this information?
- If, in fact, some of the information collected and/or permissions requested by Pokémon GO are unnecessary for the provision of services, would Niantic consider making this collection/access opt-in, as opposed to requiring a user to opt-out of the collection/access?
- Can you provide a list of current service providers? Does Pokémon GO also share users' information with investors in Pokémon GO?
He also asked for an update on Niantic's updated policy revoking its full access to Google accounts and for Hanke to "confirm that Niantic never collected or stored any information it gained access to as a result of this mistake."
Franken gave Hanke until August 12 to reply.
Rotenberg noted to the WSJ, "I think people care about their privacy but the reality is that there is very little they can do about it and they know that."