Pokémon GO is this summer’s craze, with the latest figures showing that 7.5 million people have downloaded it. And along with Rattata and Pidgey, people have also been discovering a number of personal risks while playing – notably, falling off cliffs or even wandering in front of traffic. But what about business risks? If an employee uses their personal phone (even if they don’t play Pokémon GO) for work e-mail (e.g. BYOD) are they unknowingly introducing risk to their employer? Even worse, are they risks that the business isn’t aware of or prepared to handle?
There is a clear risk involved with BYOD, but beyond malicious apps, there are subtler risks at play here. In order to play Pokémon GO, you agree to allow Niantic to track your location, access your camera and “certain personal information (such as your email address) that your privacy settings on the applicable account permit us to access.”1 Even more concerning are other parts of the Pokémon GO ‘Terms of Service’ that you must agree to in order to play the game.
In particular, the statement “By making any User Content available through the Services, you grant to Niantic a nonexclusive, perpetual, irrevocable, transferable, sub licensable, worldwide, royalty-free license to use, copy, modify, create derivative works based upon, publicly display, publicly perform, and distribute your User Content…”2 I’m no lawyer, but those are terms that seem out of place on a device with proprietary business information and sensitive customer content. But we can segment the corporate data from game data, right? Well, on an IOS device I’d be inclined to agree as Apple’s sandboxing is solid. But what if your employee, intentionally or otherwise, uses their Gmail account for work e-mail? What if the employee uses the same password for their Gmail or Facebook account as Active Directory? The easiest way to sign up for Pokémon GO is to use your Gmail account or Facebook account, and even if password re-use isn’t relevant, you’ve just provided your Facebook or Gmail account password to a gaming company. Last I heard, gaming companies aren’t immune to compromise, which could put all kinds of personal and professional information at risk, particularly when Facebook accounts are threatened.
So let’s recap a bit. In order to play Pokémon GO, people need to:
- Give up their Gmail or Facebook account password
- Allow a gaming company to track their physical location at all times
- Give access to their camera (as needed)
I can’t speak to the percentage of people who gave up their Facebook account password, but given the number of people playing the game, it has to be a pretty wide net. In addition to not being a lawyer, I’m also not a conspiracy theorist, but that sounds like pretty juicy information for someone to use (be it for good or evil). Being paranoid, I’m going to assume the latter.
Given all that, what are the clear risks to businesses? I’d say the primary risk is password re-use. While we can assume that Niantic doesn’t plan to exploit Gmail and Facebook account credentials, we *can* assume that they will be targeted by malicious actors who do plan to exploit said credentials. If someone were to compromise customer Personally Identifiable Information (PII) from Niantic, the amount of business-specific information harvested could be significant – particularly if there is a lag between the compromise, detecting the breach and public disclosure. So, if your employees are using the same password for Gmail and/or Facebook as they are for Office 365, and Niantic gets hacked … well, you know the drill.
So what can businesses do? A lot of it has to do with solid policies and user education but technology is important too:
- Invest in a solid security awareness program. Employees need to understand the risks inherent with mixing church (personal) and state (corporate) on the same device.
- Write a security policy that resonates with your employees. Well written policies tend to be well read and adhered to, and poorly written policies tend to be poorly read.
- Make sure every device that interacts with your network is secured. While educating employees is essential, millennials are coming and they expect to be secure, everywhere, on any device and without impacting the user experience.
- Ensure BYOD is a privilege, not a right. There is skin in the game on both sides of the table and while the benefits are clear (e.g. companies save money, employees pick their own smartdevice) there are also responsibilities for both parties.
We need to make peace with the fact that we’re owned by every device we depend on and every app we can’t live without and that these devices are already a utility for work, health, and play. Trying to force a single application to suit solely business interest will likely be counterproductive. Security professionals and business leaders should be looking for technology solutions which will support the user’s interests, as well as the business requirements.