Concrete Steps to Take to Minimize Risk While Playing Pokemon GO

5 min read

The launch of Pokemon GO highlights various privacy, security, safety, and privilege concerns with how we use and access tech. While these concerns existed prior to Pokemon GO, and will continue to exist long afterwards, this provides an opportunity to highlight some concrete steps about how we can use technology more safely, and take control over data collected about us. While none of the steps outlined in this post are a panacea, they all allow for incrementally more control over data collected about us. Also, this post focuses on the privacy and security concerns. The safety and privilege concerns are equally real and worthy of attention - as with all tech, we need to take a hard look at who can access the tech, who is pushing adoption of the tech, who benefits most from its use, and who profits most from its use. Time permitting, I will did into these concerns in a different post.

Art LaFlamme also put out a post that covers additional details - it's definitely worth a read.

Without further ado, here are some concrete steps you can take to reduce data collected about you.

1. Turn off services that can be used to collect location information.

Apps with location based services all collect precise location information. A short list of apps that collect location information includes Uber, Disney Experience, Snapchat, Facebook, Pokemon GO, insurance devices, FitBit, Google, Twitter, virtually all of the apps marketed to parents that track their kids in the name of "safety," Voxer, Reward progam apps (like Marriott and Starbucks), and banking apps - so Pokemon GO is not unique in it's aggressive collection of location information. The primary concern with aggressive collection of location data is that it will be used for targeted marketing. A secondary concern is that it will be used and stored and used indefinitely by data brokers, and incorporated into data profiles about us that we will never be able to access.

The concerns listed above are very valid, but it's also worth noting that this steady flow of location data can also be accessed by law enforcement. The privacy policies for most applications contain a clause that explicitly permits personal information - including location - to be turned over to law enforcement. 

For example, Fitbit can release data "If we believe that disclosure is reasonably necessary to comply with a law, regulation, valid legal process(.)" 

Progressive Insurance will release data "when we're legally required to provide the data(.)" 

We are not used to thinking about generating a data stream while playing a video game, but we really need to adjust. But now, with apps like Pokemon GO, our location can become a target for law enforcement. If one kid accuses another of an assault, or of taking part in a robbery, location data collected by the app is now evidence.

To minimize the risk of location based data being collected, toggle location based services off until you absolutely need them. When you leave your house, turn off location services, bluetooth, and wireless. This means that the only company tracking your location on an ongoing basis is your mobile phone carrier.

2. Create a separate email for games

Create a gaming email (via GMail, Yahoo, Outlook, etc), and use this exclusively for games. Ideally, tie this gaming email to usernames and even demographic information that does not identify you personally (and note - doing this can potentially violate the terms of service of some apps that insist upon "accurate information"). However, for games that broadcast your username and location, this additional layer of separation between your username, you "regular" email, and your actual name can provide a small layer of insulation from other players.

Note that this does not prevent companies from identifying you. Companies will still have (at minimum) your device ID, and the IP addresses from which you connect. Additionally, many apps will access your phone number, your call log, your text log, your contact list, and the other apps you have installed on your phone, among other things. The Google Play store lists out the permissions required, so it's easier to spot these types of intrusions into our privacy on Android based phones than on iOS devices. On apps that support both platforms, you can do a rough cross reference from Android to iOS. As an aside, I do not understand why Apple doesn't list app permissions in the same way as the Play store. 

3. Login with your gaming email whenever possible

Avoid social login with your Google, Twitter, Facebook, etc, account. This is arguably less convenient, but it creates an incremental barrier to inappropriate access of your personal information, and to these companies getting more detailed information about your online behavior.

4. Review your authorized apps

Every month, review what apps are authorized to access your accounts.

By aggressively removing apps that no longer need access, you minimize the risk that one of these apps could be used to compromise a different account.

5. Reset your advertising ID.

This should be done monthly. However, it should be noted that vendors are not required to use the advertising, and that many companies collect device specific IDs that are more difficult to alter.

These changes won't prevent more aggressive companies from collecting your device ID, but it provides some incremental improvements.

Summary

As noted in the introduction, none of these steps are panaceas, and none of these steps will eliminate data collection. However, these steps will minimize exposure, and will bring back a degree of control to those of us looking to both use tech and maintain a modicum of privacy.