Ed. Note.: This post, by Ashwin Murthy, is a part of the NALSAR Tech Law Forum Editorial Test 2016.
For centuries rights have slowly come into existence and prominence, from the right to property to the right to vote and the right against exploitation. In the increasingly digital world of interconnection, the latest right to gain immense popularity is the right to privacy. This right entails the right to be let alone and more importantly the right to protect one’s own information – informational privacy. Thus armed with the right to privacy, one can limit what information others have access to and may use, and thus what information corporations might have or what is up on the Internet. This right to privacy comes in direct contact with applications downloaded on phones, which often ask for permissions to various information on the phone – a device which already possesses a great deal of information of the owner, including the location of the user, their phone number, their emails, their chat conversations and their photos. Applications often ask, either explicitly or in their terms and conditions, for permissions to access varying degrees of the information on the phone, sometimes in a rather unexpected fashion (such as a flashlight app asking for permissions to location), and more recently these apps have been singled out for their questionable privacy settings.
The latest app to come under fire for its privacy settings is Pokémon GO, an Android and iOS game that took the world by storm, being downloaded over 100 million times by August. The game is an augmented reality game that allows people to catch Pokémon in the real world through synchronous use of the phone camera and location detection. With such popularity, the app was inevitably scrutinised for its privacy settings, especially since it appeared that Pokémon GO was given full permission of the owner’s account. Adam Reeve, a former software engineer at Tumblr, was the first to cause a commotion when he wrote a post detailing all the information the app supposedly had access to. Niantic, the creators of Pokémon GO, later stated that this was an error and the app only accessed basic account information for logging in and in fact could not access information in applications like Gmail or Calendar, later confirmed by security developers. While this was clarified and fixed by Niantic, there were many who were still sceptical, losing trust in not just Pokémon GO, but also in apps in general.
While of course many consumers may not have a problem with these applications having access to such information, they must first have an awareness that these applications actually do have access to all of this information when they are downloaded. Consumers are often content to merely accept the terms and conditions of an app without reading them. The scope for abuse of privacy is almost unparalleled. For there to be a change, the sceptic atmosphere that Pokémon GO accidentally created is needed, and not just for the short period of time that it existed in the wake of Adam Reeve’s post. Currently there is almost zero awareness of the degree to which applications can access and store private information, especially when the privacy policies and terms and conditions are not read or are incomprehensible. The publishers and creators of apps and other such software must be made to disclose explicitly what access they have and what information they can see/store/use. A high level of scrutiny from the consumers would ensure this, especially in the dearth of laws that exist on this specific issue. India has implemented the Information Technology (Amendment) Act, 2008, adding S.43A and S.72A which deal with implementation of reasonable security practices for sensitive information and punishment for wrongful loss or gain by disclosing personal information respectively. These however are both inadequate and too broad to effectively deal with such issues as apps invading a person’s right to privacy. Further such laws would apply only to the app’s usage in India. Thus creation and effective implementation would still only be on a very localised level, further causing a need for the people to be more conscious themselves.
The privacy settings in Pokémon GO might have been a harmless error from a seemingly benevolent company however most companies are not quite as harmless. Consumers must be vigilant to prevent their private lives and affairs slipping away from them, a task which hopefully Pokémon GO has somewhat equipped them to do.
For Further Reading:
- Data Protection in India: Overview – Stephen Mathias and Naqeeb Ahmed Kazia, Kochhar & Co
- Don’t believe the Pokémon GO Privacy Hype – Engadget
- Pokemon GO raises security concerns among Google users – Polygon