Last week, my thirteen-year-old son uttered words I’ve never heard from him before. “Mom, do you want to go for a walk?” he said. I knew it wasn’t a dream, yet my brain struggled to process the words my ears heard. As it turned out, the desire to walk was neither a new interest in exercise nor a desire to spend quality time with his mother; it was to catch Pokemon using the new "Pokemon Go" augmented reality application.
Off we went strolling through our neighborhood, catching Pokemon and little by little adding the strange creatures to our Pokedexes. In case you haven’t heard the news this last week, Pokemon Go is the addictive augmented reality game that has found success nearly instantaneously over the last week. The servers crashed for days and it started off glitchy. Naturally, I downloaded the app before we left for our walk, and found myself compelled to find and catch the Pokemon as my son and I walked together through the suburban streets.
Although I may be a middle-aged mother of two, since I began as an 80’s gamer back in the ancient days of local arcades, Atari and Intellivision, I often try out my kids’ games thinking, “I got this” - which I rarely do.
"Pokemon Go" was different.
A simple, easy interface with good graphics and the unique novelty of using augmented reality. The game accesses your forward-facing camera and the Pokemon appears in front of you, wherever you are. This weekend, we went to Southern Ontario with a few friends to a beautiful old country estate. Despite the weekend away, fly fishing, swimming, eating wonderful food and other grown-up activities, while my husband was watching Wimbledon or the Tour de France, I found myself playing "Pokeman Go" throughout the estate. Walking to the spa? Find and capture a Pokemon. Sitting by the pool? Better check for any Pokemon. Perhaps it’s some embedded brain washing code, but the game is addicting even if the purpose remains unclear.
People are now catching Pokemons all over the real world. The news cycles are filled with stories like the woman in Wyoming who found a dead body, a man in New York who fell into a pond while playing, and the guy who lives in a converted church with dozens of people literally camped out in front of his house. People are wandering through parks and cities on their phones, and law enforcement agencies throughout the country have had to issue warnings to citizens to not drive and catch Pokemon, not to trespass, not to go to deserted areas and to otherwise use caution while playing the game.
So, instead of using the little free time I have catching Pokemon, why am I now writing about it?
The other evening I learned that Niantic, the game developer, configured "Pokemon Go" to access my entire Google account when I signed up through Google. Initially I had tried to sign up through the Pokemon Trainer Club using my email, figuring there was no reason in the world I needed to connect my Google account. However, the servers weren’t working, so I signed in through my Google account, followed the links to my Google settings to confirm what the articles were saying, and sure enough, along with my operating system, "Pokemon Go" had full access to my entire Google account.
Now my worlds converge.
I spend many of my days advising about data collection and use. I preach on a regular basis that information management is critical for companies and ensuring customer trust is paramount. I’m in the privacy and security business, and I’ve worked for companies that develop and create products and services that collect, use, and disclose data. So, I removed access to "Pokemon Go" from my Google account, and then next time I try and use Pokemon Go, I can’t sign in. Game over.
Pokemon Go’s configuration problem is an issue. Why did they configure the access permissions to access your entire Google account? We can speculate. Will they fix it? Niantic Labs recently issued this statement:
We recently discovered that the Pokémon GO account creation process on iOS erroneously requests full access permission for the user’s Google account. However, Pokémon GO only accesses basic Google profile information (specifically, your User ID and email address) and no other Google account information is or has been accessed or collected. Once we became aware of this error, we began working on a client-side fix to request permission for only basic Google profile information, in line with the data that we actually access. Google has verified that no other information has been received or accessed by Pokémon GO or Niantic. Google will soon reduce Pokémon GO’s permission to only the basic profile data that Pokémon GO needs, and users do not need to take any actions themselves.
Assuming for a moment that this was an inadvertent security gap, what interests me professionally is how would Niantic avoid this issue in the first place? How did a Google Alphabet company miss a basic security principle and configure the set up to have full Google access?
Chances are, someone wasn’t paying attention.
Or it was easy or quicker? There could be a number of reasons, and logs are likely being analyzed to determine the root cause. Beyond the root cause analysis, what else could have been done, in the real world, to avoid these types of misses? Did other people know? Was there a checkpoint or gate in place to catch or test these things at the product development phase? Was it truly a miss or did someone think having full Google access would be beneficial?
While some may speculate it was a data play, and in many corporations there is a constant tension between those who want to collect more data and those that support data minimization, my opinion leans toward this being inadvertent based both on its quick response (less than 24 hours) and the scope of the security issue. Nintendo owns the Pokemon franchise and its stock value is up since last week.
Google and Nintendo both have a financial interest in Niantic Labs. Niantic Labs - an internal spin off from Google Alphabet - reportedly closed on a $20 million financing round in 2016. Is it a small spin off? Is there a very high pressure to perform quickly? Did Niantic Labs management or board set up metrics driving them to cut corners or ignore processes? Did they even have internal resources focused on these kinds of issues, or was it simply a start-up engineering company focused on going to market in the most expeditious manner?
Whatever the reasons for Niantic Labs, the takeaways for those in the corporate world who face myriad competing pressures, constant measurement, stretched budgets, and tension-filled product launches include remembering the fundamentals:
- Done is not better than secure
- Customer data matters: Ultimately how you use data is a reflection of how you value customer trust
- Culture is important
- Do what you say and say what you do
As the professionals in companies, government, education, and other institutions continue to focus on ways to improve and how to develop privacy and security check points into our product lifecycles, we learn as we go. We train, we educate, we develop policies and processes, we architect, we test, we do all the things to prevent issues and try and ensure products and services are safe and secure, laws and regulations followed and reasonable expectations of privacy are met. We are constantly thinking about ways to improve and streamline processes. Process is critical, especially at scale.
However, as Elon Musk said in Wired in 2012: “The problem is that at a lot of big companies, process becomes a substitute for thinking.”
What cannot be underestimated is regardless of how many processes are in place, the importance of critical thinking in making sure these issues are taken care of before launch. The importance of culture as it relates to data is crucial: How does the company think about and prioritize the collection, use, and protection of consumer data? Does the leadership support and focus on these issues – with resources and words?
With emerging technologies, sophisticated bad guys, and ubiquitous connectivity, it’s hard enough for companies where leadership completely supports a focus on data protection and data privacy. Without that support, it’s even harder. There are many lessons to be learned here, and thankfully they are being learned on a game platform and not a vehicle platform.