Pokémon Go, a beta tested espionage project?

To begin to understand where I’m coming from, we have to look at a little of the history behind a game that came out of nowhere and took the world by storm before going quiet. However, given the hype it created and the market and momentum it built all of its own, it seems to be coming back. It is always worth starting with a little history.

In 2001, a company called Keyhole Inc. was founded by John Hanke, whose first job out of college was in a foreign affairs position within the U.S. government before he moved into the technology industry. Keyhole was an interesting choice of name, as “Keyhole” is a homage to the KH reconnaissance satellites, the original eye-in-the-sky military reconnaissance system, now some 50 years old.

Keyhole Inc. was a pioneering software development company specialising in geospatial data visualisation applications; it was acquired by Google in 2004 for $35 million. It was initially launched as a spin-off from a company called Intrinsic Graphics, with initial funding coming from a Sony venture capital fund and others, and with additional capital coming from a bundling deal with the US graphics giant NVIDIA and from a company called In-Q-Tel.

The name Keyhole, combined with In-Q-Tel’s involvement, starts to make the history of Pokémon Go very interesting indeed. In-Q-Tel was widely billed as the venture capital arm of the CIA, and the majority of the funds it used for its venture with Keyhole came from the National Geospatial-Intelligence Agency (NGIC). Other funding came from the angel investor Brian McClendon, who later became a VP with Google when they acquired Keyhole, before moving to Uber.

The link between Keyhole and In-Q-Tel wasn’t as sinister as it could first seem once you understand the project that Keyhole was working on. It was called Earth Viewer, which later became the widely used open-source mapping and imagery tool Google Earth when Google acquired Keyhole in 2004.

In 2010, the company behind Pokémon Go was founded, initially inside Google, by Keyhole’s founder, John Hanke. At launch the game allowed a lot of activity for players for free, which meant it quickly went viral across the globe; there were news stories of people chasing high-priced ‘monsters’ all over the place and a rush to see who could get them all first. There was no obvious revenue stream that would pay for this ground-breaking, complex interactive game.

Working on the principle that you get nothing for free, the only answer to the lack of obvious revenue is that you paid in some other way, and that way had to be data. So, on launch, if we look at the data the game could access on any facility (spook speak for a phone, tablet, laptop or computer associated with an individual), we get a list of what, when you click install and accept the terms, you have just allowed the app to access on an Android device:

Identity

  • Find accounts on the facility

Contacts

  • Find accounts on the facility

Location

  • Precise location (GPS and network-based)
  • Approximate location (network-based)

Photos/Media/Files

  • Modify or delete the contents of your USB storage
  • Read the contents of your USB storage

Storage

  • Modify or delete the contents of your USB storage
  • Read the contents of your USB storage

Camera

  • Take pictures and videos

Other

  • Receive data from the internet
  • Control vibration
  • Pair with Bluetooth devices
  • Access Bluetooth settings
  • Full network access
  • Use accounts on the device
  • View network connections
  • Prevent the device from sleeping

So, what the game app can do with no difficulty is identify:

  • Where you are
  • Where you were
  • What route you took between those locations
  • When you were at each location
  • How long it took you to get between them
  • What you are looking at right now
  • What you were looking at in the past
  • What you look like
  • What files you have on your device and the entire contents of those files
  • What other facilities you are connected to
  • Access the data via Bluetooth and network connections on those other facilities
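To check this for yourself on a device rather than trusting the store listing, the Python script below (an added example, not from the original post) parses the permission sections of `adb shell dumpsys package <package>` output and reports which of the sensitive permissions named above are actually granted, and which the user has revoked. The dump embedded in it is constructed to mirror the post’s list, the package name com.example.game is a placeholder, and the dumpsys layout is approximated from memory, so compare it against your own device’s output before relying on the parser.

```python
"""Audit the permissions an installed Android app holds, from the output of
`adb shell dumpsys package <pkg>`. Added example, not from the original post."""
import re

# Constructed sample, shaped like the relevant sections of
# `adb shell dumpsys package com.example.game` (package name is a
# placeholder; spacing and field order vary across Android versions).
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.game] (7c1d2a9):
    requested permissions:
      android.permission.GET_ACCOUNTS
      android.permission.USE_CREDENTIALS
      android.permission.ACCESS_FINE_LOCATION
      android.permission.ACCESS_COARSE_LOCATION
      android.permission.READ_EXTERNAL_STORAGE
      android.permission.WRITE_EXTERNAL_STORAGE
      android.permission.CAMERA
      android.permission.INTERNET
      android.permission.VIBRATE
      android.permission.BLUETOOTH
      android.permission.BLUETOOTH_ADMIN
      android.permission.ACCESS_NETWORK_STATE
      android.permission.WAKE_LOCK
    install permissions:
      android.permission.INTERNET: granted=true
      android.permission.VIBRATE: granted=true
      android.permission.BLUETOOTH: granted=true
      android.permission.BLUETOOTH_ADMIN: granted=true
      android.permission.ACCESS_NETWORK_STATE: granted=true
      android.permission.WAKE_LOCK: granted=true
    User 0: ceDataInode=1234 installed=true hidden=false
      runtime permissions:
        android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET ]
        android.permission.ACCESS_COARSE_LOCATION: granted=true, flags=[ USER_SET ]
        android.permission.READ_EXTERNAL_STORAGE: granted=true, flags=[ USER_SET ]
        android.permission.WRITE_EXTERNAL_STORAGE: granted=true, flags=[ USER_SET ]
        android.permission.CAMERA: granted=false, flags=[ USER_SET ]
        android.permission.GET_ACCOUNTS: granted=true, flags=[ USER_SET ]
"""

# The permissions behind the store-listing groups quoted in the post, mapped
# to what each lets the app learn about the device owner.
SENSITIVE = {
    "android.permission.ACCESS_FINE_LOCATION": "precise location (where you are / were)",
    "android.permission.ACCESS_COARSE_LOCATION": "approximate location",
    "android.permission.CAMERA": "pictures and video (what you are looking at)",
    "android.permission.READ_EXTERNAL_STORAGE": "read files on shared storage",
    "android.permission.WRITE_EXTERNAL_STORAGE": "modify or delete files on shared storage",
    "android.permission.GET_ACCOUNTS": "accounts present on the device",
    "android.permission.BLUETOOTH_ADMIN": "pair with and configure Bluetooth devices",
}

PERM_LINE = re.compile(r"^([\w.]+)(?::\s*granted=(true|false))?")


def parse_permissions(dump: str) -> dict:
    """Return {permission: grant_state} for every permission the dump lists.

    grant_state is True/False where a section reports granted=..., and None
    when the permission only appears under 'requested permissions:'."""
    result = {}
    in_section = False
    for raw in dump.splitlines():
        line = raw.strip()
        if line.endswith("permissions:"):      # e.g. "runtime permissions:"
            in_section = True
            continue
        if not line.startswith("android.permission."):
            in_section = False                 # any other line ends the block
            continue
        if not in_section:
            continue
        name, granted = PERM_LINE.match(line).groups()
        if granted is None:
            result.setdefault(name, None)      # never downgrade a known state
        else:
            result[name] = granted == "true"
    return result


def audit(dump: str) -> dict:
    """Split the sensitive permissions into granted and user-revoked sets."""
    perms = parse_permissions(dump)
    granted = sorted(p for p, g in perms.items() if g is True and p in SENSITIVE)
    denied = sorted(p for p, g in perms.items() if g is False and p in SENSITIVE)
    return {"total_requested": len(perms),
            "granted_sensitive": granted,
            "denied_sensitive": denied}


if __name__ == "__main__":
    report = audit(SAMPLE_DUMPSYS)
    print(f"{report['total_requested']} permissions requested")
    for p in report["granted_sensitive"]:
        print(f"  GRANTED  {p}: {SENSITIVE[p]}")
    for p in report["denied_sensitive"]:
        print(f"  REVOKED  {p}: {SENSITIVE[p]}")
```

Run it against a real dump with `adb shell dumpsys package <package> > dump.txt` and feed the file’s contents to `audit()`. Only the runtime (“dangerous”) permissions can be revoked per app in the Settings app; the install permissions, including full network access, are granted for as long as the app is installed, which is the point the post is making about location and file data leaving the device.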

My next step was to look at the terms and conditions to see what was being done with all of this data. I have used extracts to illustrate certain points, and those extracts have been italicised for clarity. They are the boring T’s & C’s, but worth a scan!

Information Collected Using Cookies and other Web Technologies:  Like many website owners and operators, we use automated data collection tools such as Cookies and Web Beacons to collect certain information on our Site.

We may use both session Cookies and persistent Cookies to identify that you (or your authorized child) have logged in to the Services and to tell us how and when you (or your authorized child) interact with our Services.

Some third-party services providers that we engage (including third party advertisers) may also place their own Cookies on your hard drive.

“Web Beacons” (also known as web bugs, pixel tags, or clear GIFs) are tiny graphics with a unique identifier that may be included on our Services.

In essence, you agree to data collection capabilities being put on the facility along with the app, and you give them access to almost everything.

Information Related to Use of the Services:  Our servers automatically record certain information about how a person uses our Services. This may include information such as a User’s Internet Protocol (IP) address, user agent, browser type, operating system, the web page that a User was visiting before accessing our Services, the pages or features of our Services to which a User browsed and the time spent on those pages or features, search terms, the links on our Services that a User clicked on, and other statistics.

Information Sent by Your Mobile Device:  We collect certain information that your (or your authorized child’s) mobile device sends when you (or your authorized child) use our Services, like a device identifier, user settings, and the operating system of your (or your authorized child’s) device, as well as information about your use of our Services while using the mobile device. We may use this information to provide the Services and to improve and personalize our Services for you (or your authorized child).

And the team are great: they tell you they are going to assess everything.

Location Information:  The App is a location-based game. We collect and store information about your (or your authorized child’s) location when you (or your authorized child) use our App and take game actions that use the location services made available through your (or your authorized child’s) device’s mobile operating system, which makes use of cell/mobile tower triangulation, wifi triangulation, and/or GPS. You understand and agree that by using our App you (or your authorized child) will be transmitting your (or your authorized child’s) device location to us and some of that location information, along with your (or your authorized child’s) username, may be shared through the App. For example, when you take certain actions during gameplay, your (or your authorized child’s) username and location may be shared through the App with other users who are playing the game. We may also use location information to improve and personalize our Services for you (or your authorized child).

They also tell you they will track you through your facility and the cell towers and wifi you use, gathering all of that data. Think of the threat to your home router or your work routers.

International Transfer: Your (or your authorized child’s) PII may be transferred to, and maintained on, computers located outside of your state, province, country, or other governmental jurisdiction where the privacy laws may not be as protective as those in your jurisdiction. If you’re located outside the United States and choose to provide your (or your authorized child’s) PII to us, we may transfer your (or your authorized child’s) PII to the United States and process it there.

And the ‘coup de grâce’ is that the data will be transferred to the US for processing (there is an opt-out clause, but it is buried and goes on to say that if you use it, the game won’t work; I have paraphrased it).

So what?

The US Foreign Intelligence Surveillance Act describes procedures for physical searches and electronic surveillance of activities of foreign entities and individuals where a significant purpose of the search or surveillance and the collection of information is to obtain “foreign intelligence information.” The term “foreign intelligence information” is defined to include information that relates to actual or potential attacks or grave hostile acts of a foreign power or an agent of a foreign power, sabotage, international terrorism, weapons of mass destruction, clandestine intelligence activity by or on behalf of a foreign power, or similar issues.

The Patriot Act enlarged the scope of the existing law to apply when “a significant purpose” of the search or surveillance is the collection of foreign intelligence thereby bringing the sort of capability provided through Pokémon Go into the legal statute for intelligence collection.

FISA was amended in 2008 through the FISA Amendments Act (FAA) to permit the U.S. Attorney General and the Director of National Intelligence to jointly authorize the targeting of non-U.S. persons reasonably believed to be located outside the United States, in order to acquire foreign intelligence information.

In essence, by signing up to Pokémon Go, a game developed through a link to US intelligence agency money, designed to encourage taking pictures where high-priced ‘monsters’ appear whilst giving access to your location data and all of the data on your facility, with lots of free play before the revenue streams appear and it starts asking for money, you are asked to believe it is just a game?

Hell, if as a spook I had thought of it, getting a 9-year-old to take a picture of a top-secret entrance to an intelligence facility without putting a special ops team on the ground, would I do it? Yup, I would.

Does this mean Pokémon Go is an intelligence gathering tool for the US Government? Nope, but the T’s & C’s at release mean it could be, and it is a great example of what apps on facilities can do. If you don’t know who has developed them, what are you losing to the world?

We worry about Huawei hardware, but given the proliferation of app technology we don’t need to worry about the hardware at all, as it is not the issue. This blog is merely an illustration of what could be happening; or is it… A Happy New Year to all.