The newest, hottest game, Pokémon Go, was downloaded more than 7.5 million times on iOS and Android phones in less than a week after its release. The free-to-download game is bringing in $1.6 million in daily revenue in Apple’s iOS store alone, based on in-app purchases. This augmented reality game is currently on the fast track to overtake social media apps in terms of number of active users.
In the early days of the game’s release, the game’s original standard terms and conditions gave the developer (Niantic) unfettered access to Google Drive. The access made device owners’ confidential information vulnerable. The original standard terms granted Niantic read and write permissions for documents stored on the user’s Google Drive, as well as access to Gmail and contact lists. The permissions also authorized Niantic to sell the information obtained through the accounts. Niantic has since rewritten the terms and conditions to grant only limited access to users’ Google account information, and Google is working on implementing the limitations.
Even if this specific issue is resolved, the potential to broadly reach confidential information through an exciting game offering should remind businesses of the importance of reviewing internal confidentiality protocols and protecting confidential information.
Businesses must be vigilant to protect confidential information, especially those businesses that allow employees to “BYO” electronic devices for work purposes or that allow employees to use work-issued devices for personal reasons. Broad permissions, such as those in the original standard terms for the Pokémon Go game, raise questions for:
- Businesses that use Google Drive to store, or any Google account to access, their confidential, proprietary or trade secret information.
- Businesses that use Gmail or Google Drive to communicate with their attorneys, and attorneys using Gmail, Google Drive or any other Google account for client-related reasons. Permitting a third-party program or game to have broad access to an account may create the argument that any applicable attorney-client privilege or work product protection has been waived.
- Businesses in the healthcare field using Google Apps as their HIPAA-compliant records platform. It remains unclear how the broad-access terms would interact with the protections of Google Apps accounts, and whether such permissions “open a door” to a HIPAA violation.
- Any other business that handles information made confidential or protected by law, that stores confidential information in a Google account or uses any Google account for business purposes.
To protect against potential compromise of confidentiality, business best practices include:
- Having a comprehensive policy in place for employees’ use of technology, designed to minimize the risk of compromising confidentiality.
- Limiting employee use of business-related Google accounts to business purposes only. One easy approach for the Pokémon Go game is for players to create a dedicated Google account solely for playing the game.
- At a minimum, players should revoke Niantic’s access to all Google accounts through the game. To do so, first open the Google security page within the player’s Google account, then select Pokémon Go and click “Remove” to revoke full access.
Elizabeth F. Collura is an Attorney with Clark Hill’s Litigation Practice Group.