Within two weeks of its release last month, Pokemon Go, the augmented reality gaming sensation, surpassed, by one estimate, Twitter, Facebook, and Netflix in its day-to-day popularity on Android phones. Over on Apple devices, the game was downloaded more times in its first week than any app that came before it.
The suddenly vast scale of Pokemon Go adoption is matched by the game’s aggressive use of personal information. Unlike, say, Twitter, Facebook, or Netflix, the app requires uninterrupted use of your location and camera — a “trove of sensitive user data,” as one privacy watchdog put it in a concerned letter to federal regulators.
All the more alarming, then, that Pokemon Go is run by a man whose team literally drove one of the greatest privacy debacles of the internet era, in which Google vehicles, in the course of photographing neighborhoods for the Street View feature of the company’s online maps, secretly copied digital traffic from home networks, scooping up passwords, email messages, medical records, financial information, and audio and video files.
Before Niantic Labs CEO John Hanke was the man behind an unfathomably popular smartphone goldmine, he ran Google’s Geo division, responsible for nearly everything locational at a time when the search company was turning into much more, expanding away from cataloging the web and towards cataloging every city block on the planet. Hanke landed at Google after his wildly popular (and admittedly very neat) CIA-funded company Keyhole, which collected geographic imagery, was acquired in 2004 and relaunched as Google Earth in 2005. By 2007, Hanke was running basically everything at Google that involved a map. In a 2007 Wired profile, (“Google Maps Is Changing the Way We See the World”) Hanke was lauded as a pioneer (“Led by John Hanke, Google Earth and Google Maps are delivering cartography tools to the masses”) and deified, appearing in photo with an enormous globe across his shoulders.
It was an exciting time for Google. Google Maps had become indispensable, dumping the likes of MapQuest into obsolescence, and Google had great ambitions for turning surroundings into revenue. But before Google could sell the world back to its inhabitants, it needed to digitize it; around the world, fleets of sensor-laden Google cars roamed cities, back roads, and highways, snapping photos of buildings, posts, trees, and other features. Each vehicle was labeled a Street View Car by Google, a reference to the Street View feature their pictures enabled on Google Maps. Google shared Street View imagery widely via an application programming interface, or API, and among the apps that owe a debt of gratitude to Street View Cars is Pokemon Go.
Then, in April 2010, Germany’s data protection commissioner announced that Google vehicles had been illegally collecting Wi-Fi data. Further regulatory scrutiny and corroborating news reports eked out the truth: As they drove, Street View Cars were swallowing up traffic from unencrypted wireless networks. Germany’s federal privacy czar, Peter Schaar, said he was “horrified” and “appalled.”
It eventually emerged that, in the U.S. alone, this collection went on for more than two years. The scandal, referred to as the “Wi-Spy” case as it was unfolding, resulted in:
- Findings that Wi-Fi traffic collection was illegal by authorities in the United Kingdom, France, Canada, South Korea, and New Zealand.
- A bruising Federal Communications Commission investigation, which followed a director’s comment that Google’s activity “clearly infringes on consumer privacy” and which resulted in a $25,000 fine.
- A Department of Justice wiretapping investigation.
- A federal class-action case against Google, ongoing to this day, in which a district and appeals court have both ruled, against the company’s arguments, that the sort of data Google accessed is protected from interception under the U.S. Wiretap Act. (The Supreme Court has declined to hear Google’s appeal.)
- Lawsuits brought by authorities in Spain.
- Regulator intervention in Italy and Hungary.
- And a government investigation in Germany.
(The Electronic Privacy Information Center, an advocacy group and vocal critic of Google’s during the Street View scandal, has a good overview of these actions.)
Hanke, through a spokesperson, denied any knowledge of the Wi-Fi collection at the time it was happening, pinning blame on Google’s mobile division. But a unit within his division, not mobile, was the focus of the largest investigation into the matter by U.S. regulators, and it was his division whose vehicles did the actual collection. The way Wi-Fi traffic was intercepted under Hanke’s nose should alarm people who use, or whose children use, Pokemon Go.
Google itself tried to escape responsibility as the scandal unfolded, dismissing concerns, rebuffing investigators, and evincing the sort of hubris and arrogance for which the engineer-dominated company has been repeatedly criticized.
In a blog post published at the very beginning of the scandal, Google denied any wrongdoing, saying it had copied no traffic from inside Wi-Fi networks, but rather gleaned “information that identifies the network and how that network operates,” like the name of your router, which you assume to be public anyway.
This narrative was short lived: Two weeks later, as international scrutiny increased, Google shifted from outright denial to scapegoat tactics, admitting it had copied traffic, but only “mistakenly” and mostly in “fragments.” Google attempted, amazingly, to divert blame from the cars operating on behalf of Hanke’s operation onto one single unnamed rogue “engineer working on an experimental WiFi project.”
A vice president from Hanke’s Geo division two months later acknowledged in a blog post that “serious mistakes were made in the collection of WiFi payload data, and we have worked to quickly rectify them … the WiFi data collection equipment has been removed from our cars.” But Google continued to call the traffic collection a mistake.
Then, three months after that, yet another official post repeated that the collection was “mistaken” but only specifically acknowledged collecting emails, URLs, and passwords.
Only after repeated and increasingly vociferous inquiries from the FCC, which was frustrated that Google had “deliberately impeded and delayed” its investigation, did the company reveal the truth, which was summarized in blunt 2012 commission report. Far from acting on his own, the supposedly rogue “Engineer Doe” (as the report referred to him) had collaborated on and discussed openly his “piece of code” with several other Google engineers, including superiors.
In fact, he’d tried to warn his colleagues, sending his software code and a design document to the leaders of the Street View project, who in turn forwarded it to the entire Street View team. “The design document,” the FCC wrote, “identified ‘Privacy Considerations’ and recommended review by counsel, but that never occurred.”
This design overview stated quite plainly that “a typical concern [with the project] might be that we are logging user traffic with sufficient data to precisely triangulate their position at a given time, along with information about what they were doing.”
Warnings don’t come clearer than that.
The FCC report went on to show that while planning the Wi-Fi collection project, on “at least two” occasions, “Engineer Doe specifically informed colleagues that Street View cars were collecting payload data,” and even shared portions of the collected personal traffic. In a 2008 email, one of these colleagues, “a senior manager of the Street View project,” called Engineer Doe’s analysis of 300 million Wi-Fi traffic packets containing 32,000 web addresses “interesting” and asked, “Are you saying that these are URLs that you sniffed out of Wifi packets that we recorded while driving?” The engineer’s reply confirmed this to be the case: “The data was collected during daytime when most traffic is at work (and likely encrypted). … I don’t think the numbers are high enpugh [sic] for a good sample.”
Data turned over to European regulators and reviewed by the FCC further showed that essentially all types of computer data were collected, including information related to online dating and sexual preferences.
In the end, the unencrypted internet habits of possibly hundreds of thousands of people were secretly scraped up and stored while the cars were carrying out their publicly stated mission of collecting the locations of wireless networks. Google’s cars weren’t just sniffing out the names of wireless routers, but also sucking down all of the unprotected information being sent to and from those routers as the vehicles drove by, including visited websites, search queries, and emails. Of course, even a brief sample of a person’s internet traffic can reveal a great deal that they would prefer remain between them and the computer.
All of this happened while John Hanke led the Geo division, including Street View and Maps, as vice president for product management. Google eventually imposed a set of privacy reforms, but it’s unclear, even before those changes, why no one intervened when engineers spoke openly about collecting the internet traffic of strangers. It may have had to do with the culture inside Google; in a 2009 interview with The Times of London, a year before the scandal began, Hanke said:
“As a company we may not make 100% of everybody happy in all situations but I don’t think you can live your life as an individual or as a company not wanting to step on anybody’s toes. We have to chart a course between the benefit that can come from something and adhering to social mores and the law.”
Soon after the FCC published its findings, the New York Times identified “Engineer Doe” as Marius Milner, a security researcher and well-known figure in the hacker community. Milner at the time declined to elaborate on his role in the data fiasco, saying only that Google’s claim that he acted alone “requires putting a lot of dots together.” Milner confirmed to The Intercept that he still works at Google, meaning the rogue engineer outlasted John Hanke by four years, but said he “never met him.”
Milner, as it happens, does have his own link to Pokemon Go: He and Hanke co-authored with three others a patent held by Niantic on a “System and Method for Transporting Virtual Objects in a Parallel Reality Game.” Milner told me that the patent stemmed from “hatching some ideas with a personal friend that was one of the other co-authors” and that he never discussed the patent with Hanke. It’s worth noting that Google filed the patent in 2012, two years after the company scapegoated Milner as a supposedly lone, rogue engineer. It was granted by the U.S. Patent and Trademark Office in 2015, when it was assigned to Niantic, then a little-known augmented reality startup.
Hanke had begun Niantic inside Google in 2010 as an autonomous business unit, according to news reports, before the unit was spun off late last year to free Niantic up to work with a wider variety of partners. Google and Nintendo joined to put $20 million into the company, though the exact size of Google’s stake remains unclear.
As Niantic left Google, it took the Milner-Hanke patent with it. The patent discusses, at length, how a game such as Pokemon Go could be used to collect real-world data from a player without them knowing it:
The game objective can be directly linked with a data collection activity. An exemplary game objective directly linked with data collection activity can include a task that involves acquiring information about the real world and providing this information as a condition for completion of the game objective.”
The patent also cites, for illustrative purposes, an academic paper from The International Journal of Virtual Reality, “Playful Geospatial Data Acquisition by Location-Based Gaming Communities” by Sebastian Matyas, which includes as its introduction the following paragraph:
“To our opinion, the real challenge lies in motivating the user to provide the data constantly, even after the exciting appeal of technological innovation at the beginning wears off. The data acquisition process should be entertaining for a possible contributor to engage him in the long run. We convince that entertainment and fun are an important design aspect of such data collecting services.”
When asked if he had worked with Hanke’s Street View team, as stated throughout the FCC report, Milner said he was unable to comment. Google did not respond to a request for comment.
Hanke, through a spokesperson, more explicitly distanced himself from the controversy. A Niantic representative communicating on his behalf said “he was not the boss of what happened” and that he had no prior knowledge of the wireless eavesdropping, which, the spokesperson said, was ultimately the fault of Google’s mobile division, even though it was conducted via Street View Cars operating on behalf of Hanke’s division.
The FCC’s report on the Wi-Spy scandal is squarely focused on Hanke’s Street View team and never mentions the mobile team. It also offers one possible explanation for how Hanke can claim he had no knowledge of the eavesdropping: Despite Milner’s (or “Engineer Doe’s”) written and verbal attempts to keep Street View leadership in the loop about the wireless data collection he was doing, he was often simply ignored. The FCC said, “in interviews and declarations, managers of the Street View project and other Google employees who worked on the project told the Bureau they did not read Engineer Doe’s design document” even though it was sent to the entire Street View team.
The confusion about responsibility for Milner’s actions may stem from the fact that he was actually working for Google’s YouTube at the time — which is not part of either Hanke’s Geo division or the mobile team — and created his Wi-Fi collector as a side project under Google’s “20% time” policy. While Google has said wireless collection was initiated by “our mobile team,” it made clear in the same blog post that said team was not in control of Milner’s actions, since “project leaders did not want, and had no intention of using, payload data.”
Meanwhile, the data collected by Milner’s software, about the names and location of wireless access points, was deployed on Street View Cars (working on behalf of Hanke’s divsion) and was used for helping pedestrians and drivers locate themselves on the mobile version of Google Maps (part of Hanke’s division) and on Google’s mobile operating system Android (a different division). In a post on the company’s “Official Blog” about the matter, Google mentioned both Google Maps (again, part of Hanke’s division) and the mobile team (not part of Hanke’s division) as recipients of data from Milner (who worked for neither).
Clearly, no one at Google is eager to claim Wi-Spy as their own, Hanke included.
Today, given the spread of Pokemon Go and sensitivity of the data it accesses, it’s less important that Hanke now blames the mobile team for the Wi-Spy scandal than that his division, unwittingly or not, became the vehicle — or vehicles, to be precise — through which one engineer was able to collect massive amounts of hugely sensitive data, while managers and engineers from Hanke’s division repeatedly ignored explicit warnings, written and verbal, about what was going on from that engineer, according to the most thorough published investigation of the matter by a U.S. government entity.
Electronic Privacy Information Center, the privacy watchdog, is already putting pressure on Niantic and its CEO.
In a letter to the FTC sent this month, EPIC argued that “history suggests Niantic will continue to disregard consumer privacy and security, which increases the need for close FTC scrutiny as Niantic’s popularity – and trove of sensitive user data – continues to grow,” and added that “given the prior history of Google Street View, there is little reason to trust the assurance regarding the current state of Niantic’s data collection practices.”
Reached via phone, EPIC Consumer Protection Counsel Claire Gartland stressed to me that the Street View scandal should make any Pokemon Go player “think twice about whether you can take them at their word” and that the FTC should “pay closer attention to this and make sure that [Niantic’s] data collection practices are on the up and up.”
We collect and store information about your (or your authorized child’s) location when you (or your authorized child) use our App and take game actions that use the location services made available through your (or your authorized child’s) device’s mobile operating system, which makes use of cell/mobile tower triangulation, wifi triangulation, and/or GPS. You understand and agree that by using our App you (or your authorized child) will be transmitting your (or your authorized child’s) device location to us and some of that location information, along with your (or your authorized child’s) user name, may be shared through the App…
We collect certain information that your (or your authorized child’s) mobile device sends when you (or your authorized child) use our Services, like a device identifier, user settings, and the operating system of your (or your authorized child’s) device, as well as information about your use of our Services while using the mobile device.
Niantic reserves the right to share some of the information it collects, in what it claims is a “non-identifying” form, with third parties “for research and analysis, demographic profiling, and other similar purposes.” This would be a lot of sensitive information to entrust even to a CEO with a good record of respecting the privacy of strangers. And in fact, in the very first week of Pokemon Go’s release, Niantic caused a brief privacy scare when it was discovered that the app asked for far broader access to users’ Google accounts than was necessary. The company responded almost immediately:
“We recently discovered that the Pokémon Go account creation process on iOS erroneously requests full access permission for the user’s Google account. … Google has verified that no other information has been received or accessed by Pokémon Go or Niantic.”
All that was missing was a rogue engineer.