Friday, July 15, 2016

Pokemon Go Tips For Intelligence Professionals

Damn things are all over the office now!
There is no way any reader of this blog has not heard of Pokemon Go at this point.  This smart phone based augmented reality game gained more users than Twitter in less than a week. 

There has been a lot of concern in the press and elsewhere about both privacy and security. Obviously, the best way to stay secure is to simply not to play.  This may be a mistake.  As the first mainstream augmented reality application, Pokemon Go provides a real insight into what the technology does and doesn't do.  

Just as the auction house in World of Warcraft influenced online currencies such as bitcoin, the world of Pokemon Go will inevitably shape augmented reality applications in the future.  Not playing is similar to refusing to travel to another country simply out of security concerns - it might be warranted but don't expect your analysis of a country to be very good if you have never been there.

Even if you have no interest in playing, others you know will want to.  Under these circumstances, it seems logical to think about what are the best practices for maintaining both personal safety and cyber security.

One of my contacts (Thanks!) within the intel community put together a tip sheet for friends and family and, having read it, it sounds like good advice for anyone who wants to play Pokemon Go with a reasonable level of safety and privacy.  Remember, it is a tip sheet and is designed to be helpful, not comprehensive.  If it is not covered here, just remember D2S2 – Don’t Do Stupid Stuff. 

  • Only download the official version of the Pokemon GO application from the developer (Niantic), from the Google Play Store or Apple App Store. 
  • GPS and a data connection (either WiFI or cellular (30/4G) data) arc required in order to play. Avoid playing in any areas where you don't want to be geo-tagged. 
  • Don't use your personal Gmail account to log in, as this not only links your personal information with your Pokemon GO activity (which includes GPS data), it could also expose your Google credentials to the app owner. Although security holes have been patched, previous versions of the app required extensive permissions to your Google account: make sure your app is up to date. Either create a Pokemon Trainers Club account or create a "throw-away" Gmail account to use specifically for this purpose. 
  • Use a trainer name (screen name) that is not already associated with you through other sources (other online games, online communities, etc.) and does not contain any personal information (part of your real name, birthday, etc.). Currently you cannot view other players or information about other players through the interface, except the trainer name and Pokemon name at gyms or the trainer name who places lures at Pokestops. However, this feature may be added in the future. 
  • Be mindful of your surroundings when using this augmented reality (AR) mobile game, especially when taking pictures of Pokemon during the capture process. Note what's in the foreground and background, including reflective surfaces and information revealing identity and or location (street signs, vehicle license plates, Government buildings, etc.). Disabling AR makes Pokemon easier to catch! The location where you take a picture of a Pokemon is also likely embedded in the picture's metadata. 
  • When physically visiting Pokestops and gyms, maintain awareness of your surroundings. Travel with a buddy or remain in your vehicle with the doors locked.  It is not necessary to physically enter the real-world establishment where a Pokestop or gym is located, you may be able to interact with the Pokestop/gym from the curb or even across the street. 
  • For the safety of yourself and others, do not attempt to catch Pokemon or interact with Pokestops or gyms while driving. Pull off the road if it is safe to do so, or revisit the area while someone else is driving.

5 comments:

Unknown said...
This comment has been removed by a blog administrator.
Unknown said...
This comment has been removed by a blog administrator.
Anonymous said...

"create a "throw-away" Gmail account to use specifically for this purpose."

-- One would need a "throwaway" mobile phone to do this - one cannot create a Gmail account without providing a valid mobile phone number as part of the signup + verification process.

Unknown said...
This comment has been removed by a blog administrator.
Mark Jay V. Aquillo said...

I've heard about the dangers of using you personal gmail account, as well. While the issue has been resolved (or so they say), I can't keep myself from doubting the safety of using a personal gmail account or any account containing personal information.