Since the beginning of July, our world has been under siege from an augmented-reality, mobile-based game that portrays our world as full of previously-unseen characters. You’ve likely seen the odd headlines, the physical dangers, the health benefits, and the large crowds on the streets all participating in the hunt for Pokémon.
The immense popularity of the game recently forced an examination of its security, revealing that the app itself had some security issues with how it used the Google accounts of players. (These have since been addressed by the game's creator, Niantic.)
The origin of the mapping data within Pokémon Go raises other questions, however. Niantic appears to be reusing mapping data collected from users in a previous game, "Ingress." Ingress is also an augmented-reality game; the real-world locations of its players were tracked, and that data was then reused, at least in part, to form the basis of the Pokémon Go game map. Robinson Meyer of The Atlantic is right to ask questions about this reuse of data collected from users: was this reuse of location data approved by the end users? What personally identifiable information is resident in the data set? What potential side effects are there?
Questions such as these are important because location data is regarded as personally sensitive data. 82% of the respondents to a Pew Research Center survey cited location data as "very or somewhat sensitive," second only to Social Security numbers.
This sensitivity underscores the fact that in playing a game such as Pokémon Go, users are making a trade-off. They are providing sensitive personal data in exchange for a benefit (in this case, entertainment). And that entertainment value must be rather high, given that there is very little expectation that personally sensitive data, once handed over to a third party, will remain private and secure. In fact, the best-case scenario (in a subsequent survey) is one in which only 38% of users expect their personal information will be secure.
Pokémon Go, with large numbers of players rapidly signing up in exchange for personal data, is a rare occurrence. Skepticism about user privacy is prevalent, and most companies will not be able to draw users in with the promise of a Pikachu; they will instead need to alter the balance between perceived risk and benefit in a different way. A helpful recent study on this trade-off, also by the Pew Research Center, looked at six different scenarios in which personal data was given to a third party in exchange for some benefit. One of the more acceptable exchanges for respondents was the electronic storage of health records by their personal physicians. Only 26% of those surveyed rejected this idea out of hand, and 52% were willing to have their sensitive data stored electronically for the benefit of easier appointment scheduling and online access to their own records.
Presumably the joy of conveniently scheduling the next colonoscopy is less than finding a rare Jigglypuff, so what was the cause of this willingness to hand over sensitive data? Trust. Those who deemed the scenario acceptable had higher trust in their doctor’s ability to secure sensitive data. By contrast, a lack of established safeguards drove respondents to reject the trade-off: “If I found out that a company had been negligent in putting in reasonable controls to protect my information and then refused to help me, that would be the tipping point for me to reject the sharing of sensitive information.”
Outside of Pokémon Go's augmented reality, trust is essential. Companies that set up proper controls, meaning proper governance, on the sensitive data in their possession prove themselves trustworthy. The foundation for this governance is a robust identity governance program, one that spans all applications, identities, and data.
Sensitive data is discovered and preventative controls are put in place to ensure that it is protected. After all, the slew of identities that make an organization tick are truly the keys to the kingdom: identity is everything in this day and age.
By governing users' data appropriately, organizations will prove themselves to be reliable, growing their business and expanding their client base. This is the power of a robust identity governance program: it communicates to customers that their sensitive data is valuable, that it is protected, and that the business is trustworthy.
Anyone who claims otherwise is living in an alternate reality.