Although not as big as Pokemon GO, Niantic Labs third AR game is still raking in millions of downloads, not to mention concurrent users. The game has had its rough patches while trying to distance itself from its more popular sibling. It may be facing its most difficult challenge yet, and not from the usual culprits like cheating or lackluster. The problem comes from within Niantic itself, from the vaults containing players’ location data collected even when they weren’t playing the game at all.
Given the nature of the game, it’s not really surprising that Harry Potter: Wizards Unite collects location data from users’ phones. The problem, based on Kotaku’s exhaustive exposé, is the frequency and amount of location data it collects. Making it worse is the fact that the game collects and sends the data to Niantic servers even when it has been backgrounded, that is, no longer running in the foreground.
This isn’t Niantic Labs’ first dance with such a privacy scandal. Pokemon GO was at one point discovered to be requiring more device and account permissions than needed. This Harry Potter: Wizards Unite issue, however, might eclipse that. According to records voluntarily submitted by players, the game collects an average of three location data per minute, a lot more than Pokemon GO. One player’s data even showed that the game kept checking his location data every hour, which proved it still works even while not playing the game.
These pieces of data were acquired by players when they requested them from the company under Europe’s GDPR law but Niantic insists no third-party can gain access to that data. It is also anonymized, which is the usual defense of companies. Unfortunately, security experts have proven how easy it could be to crack those security measures. And given the volume of location data Niantic has on players, it’s even easier to build a profile for that user.
Niantic Labs says that this background collection of location data was a bug in the Android app that has already been patched. A bug that no one realized existed until the exposé. Who know what would have happened if hackers were able to get hold of that data or if the bug had never been discovered.