Personal Security Concerns with Pokémon Go's "Friends" Feature

Originally posted on Twitter yesterday, where I said I didn't have a blog. And then I created a blog because I kind of hate long Twitter threads.

I have some serious privacy concerns about Pokémon Go's new Friend system and in particular about how it encourages you to give away your location.

In order to catch special "mythic" Pokémon, players have to complete a series of "Special" research tasks: upgrading Pokémon, catching certain types, raids & gyms, things like that. These are tasks that might be difficult or time-consuming, requiring effort for the mythic reward.

Pokémon Go has a friend system. You can add people in the game and send "gifts" back & forth. Gifts contain items that are helpful in-game. Gifts also show the location where you picked them up: not exact geographic coordinates, but city/state. Most can be figured out with a Google search.

Gifts show you where they were picked up.

One of the tasks in the latest challenge for the mythic Pokémon Celebi is to "Make 3 new friends." To do this, many people are posting their friend codes (which let other people add them) on Facebook & Twitter. This opens up serious personal security risks if you send gifts.

Your list of friends in Pokémon Go.

Accounts don't publicly show the person's name, so it's easy to anonymize, hide or alter your ID. If a malicious actor gets your Friend Code (tied to you by your Twitter/Facebook post), and you accept their request and send them gifts, they can possibly identify your location down to the neighborhood.

By matching patterns of where you commonly send gifts from, they can at least figure out the locations you frequent, which can be concerning for stalking victims, victims of domestic violence (DV) and others who need to be private. Pokémon Go is a fun game, but don't get caught off guard.