The Scary Way Pokémon Go Is Making Money Off You

The Scary Way Pokémon Go Is Making Money Off You

© Sam Mircovich / Reuters

If you’re reading this, you must be taking a break from catching Pokémon, so for that I thank you.

In just one week, Nintendo’s augmented reality game Pokémon Go has become the most successful mobile app in history. The game uses geolocation to place Pokémon characters in the physical world for you to collect. It has been downloaded a reported 15 million times in the U.S, with the user base already overtaking longtime social media stalwarts like Twitter. The average Apple iPhone user is spending more time on the game than Facebook or Snapchat.

Shares of Nintendo, which holds a one-third stake in the Pokémon Company (controller of all Pokémon merchandising) and an undisclosed stake in game developer Niantic, rose 53 percent in three days, generating an added $12 billion in market value. The future of augmented reality, fusing the digital and temporal worlds for game-playing and other experiences, looks bright. Vox’s Ezra Klein gushed that Pokémon Go will “change how we live once again.”

Related: 6 Ways Pokémon Go Is Already Changing the Real World

But the economics of the enterprise can initially seem puzzling. Pokémon Go is a free download. Inside the game, you can buy virtual storage devices for the Pokémon for $1, or lures to ferret out the monsters. But while that generates $1.6 million a day, compared to a movie or a consumer product, it’s a fairly low number. And Nintendo only captures a small percentage of that revenue. So where are these unbelievable valuations coming from?

“We’re living in a society where we are the product,” said cybersecurity expert Adam Levin, author of Swiped: How to Protect Yourself in a World Full of Scammers, Phishers, and Identity Thieves. The business model of Pokémon Go appears to be tied to the incredible amount of data it collects on game players, who hand over access to practically all of their digital information.

This has reached the attention of Sen. Al Franken of Minnesota, who this week detailed his concerns in a letter to John Hanke, the CEO of Niantic. “I am concerned to about the extent to which Niantic may be unnecessarily collecting, using, and sharing a wide range of users’ personal information without their appropriate consent,” Franken said. Niantic has yet to respond.

We should be just as concerned about how personal information has become a core asset in an era of Big Data, weakening privacy and security while collecting rents from what you let the world know about you.

Related: Pokemon GO Could Be Next Big Marketing Tool for Retailers

In order to function, Pokémon Go needs access to a player’s smartphone camera and precise location, to generate maps and place Pokémon within them (even that data release may allow strangers to access your physical location). But upon downloading, the app asks for a user’s Google profile and device identifiers. It seeks to access user contacts and read any USB storage devices in the machine. It can control Bluetooth settings and vibration on the user’s smartphone, while blocking it from sleeping. Initially, the game even secured access to users’ individual Google accounts, like their Gmail inbox, contacts, photos and calendar. Niantic called this a mistake, saying they only wanted the profile information.

It’s likely that the mistake lay only in having the data collection revealed. Niantic clearly knows what a goldmine it has in their user base. “When people are valuing organizations,” said Adam Levin, “they’re interested in the subscriber base, the database, and the lifetime value of the customer or what they can do with you.” The data is the product, effectively.

In the habitually un-read terms and conditions, Niantic acknowledges that aggregated and anonymized data can be shared with the Pokémon Company and unnamed third party providers, for “research and analysis, demographic profiling, and other similar purposes.” They even say outright that any information collected “is considered to be a business asset” in the event of a merger or acquisition.

Related: Pokemon GO Fans Told Not to Play in US Holocaust Museum

You can imagine how data about user movements and locations can be sold to third-party marketers. But the profile records represent even bigger revenue potential. “The game maker wants to know your information, because they want to come up with other games that might appeal to you,” said Levin. “They’re always looking to get intel for what’s next.” And that includes access to contacts, assuming that the people you interact with are interested in similar pursuits.

This is not a new business plan. In 2013, the Federal Trade Commission fined the makers of a flashlight app for sucking contact information out of users’ phones without disclosing that they shared the information with third-party advertisers. Two years ago, California Attorney General Kamala Harris released best practices for limiting sharing on smartphones, to combat a seeming epidemic of data collection.

This has raised awareness over what information app makers try to pull from their users. But regulators have mostly asked for disclosure, and possibly the ability for users to opt out. Sadly, most users don’t read those disclosures and wouldn’t know what to make of the incomprehensible legal-ese if they did. “Everyone has FOMO (fear of missing out), they want to be part of it,” Levin said. “Maybe we need a new acronym, FOGRO, fear of getting ripped off.”

Related: Google Reminds Us What It’s Really Selling: Us

Having all that data collected raises the threat of third parties breaching it. “When you give permissions, you’re inviting someone into your virtual home to have run of the place,” Levin said. “If it’s breached, someone could take souvenirs and the souvenir could be you.” Downloading the game from a spoofing site arranged by scam artists also opens the door to malware showing up on devices and mining for passwords that are routinely used across a host of Web services, including email and banking.

It may be time to consider going from a disclosure-based regime to actively limiting the kind of data companies can collect. When users went into permissions and removed the ability for Niantic to capture data in Pokémon Go, the game still worked, Levin told me. This data collection is not fundamental to the experience; it’s just a profit center. And it may compromise users’ online security too much to be allowed.

With more augmented reality games sure to follow, and with our data up for grabs in so much of what we do online, we should decide whether we want to continue being products for large companies to trade. Should our innermost thoughts and predilections be so lucrative? As Levin put it, “There are business models available without grabbing every piece of information people have.”