Pokemon Go and the Privacy Problem Nobody's Talking About
Unless you've been underground for the past week, you've noticed people wandering around staring at their phones more than usual. Pokemon Go launched on July 6th and immediately became the biggest mobile game in history. Within days, it had more daily active users than Twitter.
It's fun. People are getting outside, walking around, having a good time. But from a privacy and security perspective, there are some things worth talking about, especially if your employees are playing it on work devices or near your practice.
The Permissions Problem
When Pokemon Go first launched on iOS, it requested "full access" to your Google account. That means it could read your email, see your Google Drive files, access your calendar, and view your search history. Niantic (the developer) said it was a mistake and pushed an update to fix it. But the fact that millions of people clicked "Allow" without hesitation tells you everything about how we handle app permissions.
How many apps on your phone have access to your camera, microphone, contacts, and location right now? When was the last time you reviewed those permissions? If you're using the same phone for work and personal use (and most people are), those apps have access to your professional contacts, your work email, and potentially your practice management system.
Location Data Is Sensitive Data
Pokemon Go tracks your location continuously while the app is open. That's how the game works. But that location data creates a detailed map of where you go, when, and for how long. For a healthcare professional, that might include: patient home visits, meetings with specialists, trips to the pharmacy, visits to specific medical facilities.
Location data seems harmless until you think about what it reveals in aggregate. And this isn't just about Pokemon Go. Dozens of apps on your phone are collecting the same data, often without you realizing it.
The Work Device Question
If your practice provides phones or tablets to staff, you need a mobile device management (MDM) policy. Not because Pokemon Go is dangerous, but because the same casual attitude toward app permissions that lets people install a game also lets them install apps that are genuinely malicious.
Things to consider:
- Separate work and personal. Ideally, work devices are for work. If that's not realistic, at least use separate profiles or containers that keep work data isolated from personal apps.
- Review app permissions regularly. Both on personal and work devices. Revoke access that apps don't actually need.
- Be cautious with knockoff apps. Fake Pokemon Go apps loaded with malware appeared on app stores within days of launch. This happens with every popular app. Only install from official sources.
- Consider a BYOD policy. If employees use personal devices for work, define what's acceptable and what security measures are required (passcode, encryption, remote wipe capability).
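One way to make the permission review above repeatable on Android work devices, as an added example that is not part of the original post: the script flags apps holding camera, microphone, contacts or location grants that nobody has approved. The package names, the approved list and the sample text (shaped like the `granted=` lines of `adb shell dumpsys package`) are constructed for illustration.

```python
import re

# Permission groups the article names: camera, microphone, contacts, location.
SENSITIVE = {
    "android.permission.CAMERA": "camera",
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.ACCESS_COARSE_LOCATION": "location",
}
PKG_RE = re.compile(r"^\s*Package \[([^\]]+)\]")
PERM_RE = re.compile(r"^\s*(android\.permission\.[A-Z_]+): granted=(true|false)")

def audit(dump_text, allowlist=None):
    """Return {package: sorted sensitive groups granted} minus approved grants."""
    allowlist = allowlist or {}
    findings, current = {}, None
    for line in dump_text.splitlines():
        m = PKG_RE.match(line)
        if m:  # a new package section starts; later grants belong to it
            current = m.group(1)
            continue
        m = PERM_RE.match(line)
        if m and current and m.group(2) == "true":
            group = SENSITIVE.get(m.group(1))
            if group and group not in allowlist.get(current, set()):
                findings.setdefault(current, set()).add(group)
    return {pkg: sorted(groups) for pkg, groups in findings.items()}

# Constructed sample, shaped like `adb shell dumpsys package` output.
SAMPLE = """\
  Package [com.example.game] (1a2b3c):
    runtime permissions:
      android.permission.CAMERA: granted=true
      android.permission.ACCESS_FINE_LOCATION: granted=true
      android.permission.READ_CONTACTS: granted=true
  Package [com.example.scheduler] (4d5e6f):
    runtime permissions:
      android.permission.READ_CONTACTS: granted=true
      android.permission.RECORD_AUDIO: granted=false
  Package [com.example.flashlight] (7a8b9c):
    runtime permissions:
      android.permission.ACCESS_COARSE_LOCATION: granted=true
      android.permission.RECORD_AUDIO: granted=true
"""
# Hypothetical policy: grants the practice has reviewed and approved.
APPROVED = {"com.example.game": {"camera", "location"},
            "com.example.scheduler": {"contacts"}}

if __name__ == "__main__":
    for pkg, groups in audit(SAMPLE, APPROVED).items():
        print(f"{pkg}: review {', '.join(groups)}")
```

Anything the script reports is a grant to revoke or to add to the approved list after someone has decided the app needs it.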
What This Teaches Us
Pokemon Go isn't a security threat. It's a game. But it's a useful lens for looking at how casually we treat data privacy on mobile devices. The average person installs dozens of apps, grants them broad permissions without reading, and uses the same device for everything from banking to patient scheduling.
If the Pokemon Go permissions issue taught us anything, it's that we need to pay more attention to what our apps can access. Not just the fun ones. All of them.
Now if you'll excuse me, there's apparently a Pikachu in the break room.