Pokémon Go and the law of augmented reality


Some of my favourite science fiction novels of recent years have featured augmented reality in one form or another: Pattern Recognition by Willam Gibson, Halting State by Charlie Stross, and Rainbows End by Vernor Vinge. I liked the ideas so much that I’ve been thinking about the legal implications of augmented reality for many years now (here’s my Gikii presentation back in 2010). However, I don’t think that any of those interested in the subject could have guessed that the first mainstream adoption of the technology would be a game where the objective is to catch virtual monsters. As William Gibson commented on Twitter, quoting Bruce Sterling:

In case you have been living in a cave for the past week, Pokémon Go is a smartphone game that allows users to catch virtual pokémon in the real world (hence the augmented reality element). The game displays an avatar that interacts with a realistic map of your surroundings, and whenever you are near a pokémon, you receive a notice and can catch it. The game encourages players to move around the world in various ways. First, the more you move, the better chance there is to catch different pokémon. Second, there are stops in real-life landmarks (which contain goodies), and there are also “gyms” where you can combat other pokémon for control of a location, usually a church, park, or business. Third, walking allows you to hatch eggs containing more pokémon.

Help! There's a Psyduck in my car!
Help! There’s a Psyduck in my car!

Clearly there are a few positives to the game. It is strangely addictive and lots of fun, it encourages players to leave their couches and exercise, and it has already allowed me to get to know my neighbourhood a lot more than I already did. But there are undoubtedly lots of privacy and security concerns. Because this is a game based on geolocation and GPS, it is building an incredibly valuable database of people’s movement and daily routines. Who has access to that data? Is it secure? Who would be liable if something bad happens to a player? I’ll explore a few legal issues.

Privacy and data protection

Unsurprisingly, the first concern in everyone’s mind has been the potential privacy and data protection implications of the game. The possibilities for data gathering are astounding, it records your speed (and marks your state as walking, running, cycling or driving), it knows if you are with other players, it knows your schedule, and it can gather many other aspects that we are just starting to uncover. While this is already possible with smartphones, the fact that this pervasive gathering takes place during gaming has raised some eyebrows, particularly when you read the Privacy Policy and Terms of Service. The Privacy Policy very much accepts that the game is a data collection service, and that it will disclose some of that data to service providers, third parties, and that it is an asset that may be subject to commercial negotiations, although this date will not have personal identifiers.

The Privacy Policy is drafted with exceptions for European citizens, but these mostly consist of opting out from email campaigns. To me it is quite telling that the game has not been officially released in the EU, as it might fall foul of data protection rules. It will be interesting to see if the export of data outside of the EU is affected by the new Privacy Shield agreement. What is clear is that the game could immediately prompt regulatory scrutiny in Europe.

A very troubling privacy aspect is the report that iOS Pokémon Go accounts that are using Google as registration and authentication mechanisms may have inadvertently given full access to all Google services, including email, contacts, Google Drive, etc. This is because Niantic, the makers of Pokémon Go, are using an outdated Google authentication mechanism for iOS which could give the game developer access to all services. At the moment this seems to be a bug and not a feature, so we have to wait and look for further developments.


Related to the above, Pokémon Go may open a phone to security breaches. The obvious one comes from the fact that some users are installing the game from unofficial websites because it has only been officially launched in the US, Australia and New Zealand. Many such sites are reputable, such as APK Mirror, but there are already reports of malware versions available.

Another potential security risk is that the popularity of the game may be used by hackers to find exploits and gain access into user accounts, but this is a concern shared by other popular apps.


An interesting aspect of a mainstream augmented reality app is that it brings together the virtual and the real. Users may place themselves in danger by driving erratically, by walking without seeing where they’re going, or just by wandering into dangerous territory on their own. Anecdotally, there is a gym close to my home in the back of a church which is frequented by the local drug addicts and drunks, and it is perhaps the type of locale that you do not want children near to. We already have reports of criminals using the game to mug unsuspecting players.

Seems legit.

It seems almost inevitable that something really bad will eventually happen to someone when using the app. Who is responsible when that happens? Niantic has gone to great lengths to try to reduce their liability. The game’s logging screen contains a warning for players to remain vigilant of their environment, while the Terms of Service read:

“During game play, please be aware of your surroundings and play safely. You agree that your use of the App and play of the game is at your own risk, and it is your responsibility to maintain such health, liability, hazard, personal injury, medical, life, and other insurance policies as you deem reasonably necessary for any injuries that you may incur while using the Services. You also agree not to use the App to violate any applicable law, rule, or regulation (including but not limited to the laws of trespass) or the Trainer Guidelines, and you agree not to encourage or enable any other individual to violate any applicable law, rule, or regulation or the Trainer Guidelines.”

These may be enough to limit Niantic’s liability in most jurisdictions, but we will have to see on a case by case basis. For example, Niantic will really have to police the location of their stops and gyms, as failing to identify potential trouble spots could open them to negligence claims.

Virtual location rights

One of the most interesting aspects of the game is one that is currently not covered by any legislation, but that it may arise if the popularity of the game remains, or even expands. This arose from a fascinating Twitter thread from designer Boon Sheridan, who lives in an old church in Massachusetts. Because it was marked as a church in some database, his house was tagged in the game as a gym, and after the game’s release he started getting large numbers of visitors. It got to the point that he started wondering if there is anything the law can do in situations like this. He wrote:

The easiest recourse may be to ask Niantic to move the gym to some other location, but we start entering interesting legal territory. Should there be a virtual location right of some sort? Should people be able to legally object to a physical location being tagged in some form without their permission? I know that this way madness lies, but there could be situations in which having strangers show up in large numbers could become problematic.

On the other hand, this could be fantastic for businesses, it is not beyond the realm of possibility that businesses would want to become stops and gyms. One of the local pubs is a gym, I specifically dropped by last night to have a pint and take over the location (Go Team Blue!), and I asked the bartenders if they knew that they were a Pokémon Go gym. They looked at me as if I was mad.


The following months will certainly provide more legal issues we have not even thought of. I am sure that many can be answered with existing legislation, but one thing is for certain, augmented reality has finally arrived.

As an interesting parting note, one of the things that we will have to analyse in coming months are the commercial motives surrounding the game. Niantic started life as an internal Google startup company, so I would be surprised if there is no agreement in place to share data with the mothership. Pokémon Go may be nothing more than a large exercise to gather data from otherwise recalcitrant Millennials.

Comments 4

  1. One of the problems is going to be where Niantic gets their location data. You can imagine certain types of business being a preferred location for a gym, some public open space in front of a burger bar for instance, but how will they know what sort of business is there? How will they find public spaces, rather than some sort of pseudo-public space such as a shopping mall’s car-park? And how current is the information they have to work on?

    Yes, there are databases of businesses, and you can go looking for something via the internet. Search for a common type of business, and Google will give you several places that will list nearby locations. Sometimes they’re not all that nearby. And some of the businesses have gone. Some seem never to have existed. These databases have copyright traps, maybe. I once found a listing in a database for “Chattel’s Auctioneers”, even with a link to a very generic auctioneer-type website. And at one time there was a sign on the building, you could see it on Streetview. It was already ringing alarm bells for me. and it looked as though part of the sign had been removed. The point is, that is England at least, the phrase “Goods and Chattels Auctioneer” has a specific meaning, covering a particular sort of auction, distinct from antiques or livestock or houses. Find old photographs and you do see it as part of a sign. Was it a copyright trap, or just a complete mess-up by the database compilers? Either way, they get fees from advertisers for the pageviews generated.

    At the time I was doing the hunting, one local auctioneering business had just closed It had been run by one local company, been taken over by another, then closed, and the building had become a shop. All three businesses were listed, all at the same address.

    There’s even a local hospital, a site used for various specialised services that fit uneasily between the NHS and the local authority’s Social Services, which has closed, been demolished, and has become a housing estate, and it’s still showing on the databases and on Google Earth as the hospital site.

    This could get difficult.

    On the other hand, Niantic are going to be sending real people to places, and maybe they could start asking people, “Is this place still what we think it is?” Would that give them a reliable database of businesses which they could make money from?

Leave a Reply