While we've already established that Pokemon Go [Free] is on track to be bigger than sliced bread, not everything is as awesome as it seems in the land of Pokemon. As discovered by Adam Reeve, principal architect of the security firm RedOwl, if you log in to Pokemon Go with your Google account, you're potentially giving Niantic and Pokemon Go access to everything on that account. What can you do with full access to a Google account? Well, as Reeve points out:

Let me be clear - Pokemon Go and Niantic can now:

  • Read all your email
  • Send email as you
  • Access all your Google drive documents (including deleting them)
  • Look at your search history and your Maps navigation history
  • Access any private photos you may store in Google Photos
  • And a whole lot more

Sure enough, I double-checked my own Google account, and Pokemon Go has full access to everything. Oddly enough, Niantic's other game, Ingress [Free], which also uses your Google account, only requests permission to basic account info.

The other option for playing on iOS is by using a Club Pokemon account, but it seems the whole Club Pokemon system has been offline ever since Pokemon Go got slammed so hard. Also, there doesn't appear to be any way to transition from a Google account to a Club Pokemon account, as your progress is locked to your account. Right now, this is all feeling kind of gross as Google really ties you into their ecosystem and I really, really don't like the idea that Pokemon Go has access to send email as me.

If you want to check what access Pokemon Go and other apps connected to your Google account have, click here, log in, and then go to the connected apps & sites link. Also, while you're in there, it's a good idea to revoke access to stuff you're not using anymore. We're going to keep a close eye on this, so stay tuned for updates on how this all ends up unfolding.

Update: Unsurprisingly, it turns out this was just an error on Niantic's part. The Verge received the following statement from them:

"We recently discovered that the Pokémon GO account creation process on iOS erroneously requests full access permission for the user’s Google account. However, Pokémon Go only accesses basic Google profile information (specifically, your User ID and email address) and no other Google account information is or has been accessed or collected. Once we became aware of this error, we began working on a client-side fix to request permission for only basic Google profile information, in line with the data that we actually access. Google has verified that no other information has been received or accessed by Pokémon Go or Niantic. Google will soon reduce Pokémon Go’s permission to only the basic profile data that Pokémon Go needs, and users do not need to take any actions themselves."

    Ew I don't like that at all.

      It's the only thing connected besides iOS and chrome so I'm not too worried but I hope they change that.

      • Claudia5566655496

  • John Dickerson

    Thanks for info, removed it from my Google account. I was able to get a Club Pokemon account this morning. It did take a while though.

  • spsummer

    Wow, that's not creepy at all. Geez

  • gaberaph

    And so it begins 🙁

  • AshEnke

    Does it have all the same access on Android? It might be just a mistake on their part (something they didn't turn off on the iOS build of the game)

  • Terroantula

    That game is crap, why would you play it at all? Nintendo making mobile games... only they outsource it and don't give you the games you actually want.

    I could think of anything better, like a proper TCG like Hearthstone and not the crap they released however long ago that was broken.

    Or an online Pokemon Stadium

    Or a proper Pokemon game... maybe a Pokemon online MMO.

    Gamefreak suck anyways, recycling the same old shite without much change

  • iPhallex

    I've connected my personal web hosting email address with a Google account -- I doubt Niantic will get access to read my emails that aren't hosted on Google's servers.

  • RelientKSoCal

    I'm not seeing it in the list. I've deleted the app already, did that maybe remove the Google account link? Now I'm paranoid about making sure this is removed.

    • RelientKSoCal

      Nevermind, I was in the wrong place. Found it.

  • curtisrshideler

    So, that's disgusting of them. But why not just create a new Google email just for this game? I'm not using my actual Google account for this. I'm using a secondary one for sure.

    • Z3R05UM

      Principle. That's why.

  • http://aggromagnetgames.com/ Aggro Magnet Games

    Assuming this is not malicious on the part of Niantic, it's a pretty shocking mistake for them to make.

    I checked the "connected apps" page of my Google account and saw, just as Eli reported, that Pokemon Go (which I have on iPhone) had "full access".

    Since I'm not okay with Niantic -- or any hacker who manages to gain access to Niantic's systems -- being able to read/delete email or send email on my behalf from my Gmail account, I revoked Pokemon Go's access, and won't be playing any more until this gets corrected.

  • nini

    Eh, I'm just assuming Niantic goofed given Ingress doesn't need that level of access. Looks like super skeevy behaviour, might just be an unintentional accident.

    • http://toucharcade.com Eli Hodapp

      I'd put the chance of this being a goof at close to 100%.

      • maxpower42

        Considering John Hanke, the head of Niantic, and google have a history of CIA affiliation it seems like less than a 100% goof to me.

    • Alan Baldwin

      To be fair, it sounds like Ingress is doing this as well from what I've seen on twitter. Still most likely a goof, but man, what a big goof.

  • fabell

    Revoked. Thanks for the notice, Eli.

  • frobadams

    Oh man that is so damn shady! No other app in my main account has ever tried that. So gross. Shame on you Nintendo & Niantic! Glad I connected it to my gaming account that doesn't have any other info

  • ShinHadoukin

    Can you remove them from google then create a new account & have your original screen name? Like, delete the original?

  • FastShoes

    *Urp!* I think I just squirtled in my mouth a little bit.

  • skitch

    And that's why I have a dedicated Google account for gaming only

  • Cropod

    Would having a Facebook login for Pokemon Go fix anything, or would that just be a parallel to the current problem?

    Also, I've never had any issues with Google ever. I've had my account for probably 7 years.

  • scottsoapbox

    Bwahahahaha! Ultimate power!!

  • nonen

    Doesn't google notify you of what permissions you are granting when you sign in with your goog account?

    • http://toucharcade.com Eli Hodapp

      Not in Pokemon Go.

      • nonen

        "Either Google goofed, or Niantic is doing browser automation to programmatically agree to Google's security warning. Major issue either way." -- Swift on Security

  • Mr. Adams

    The photo part is the sick part.... for me at least.

    Google has been working hard lately to improve how the company is perceived when it comes to user privacy... This is a gigantic step backwards for Google.

  • Glenn Lea

    Does anyone know if removing the Google permission deletes your collection of Pokemon? I'm considering this until it gets fixed.

  • Slate

    Sweet. A good reason to not play. Just revoked access. Fortunately you posted this before I spent any money on this game. Now just waiting for Day of the Tentacle to download 🙂

  • Naraka

    One of the many reasons I keep a gaming email and Facebook account. Essentially fake accounts that have no data in them or tied to them other than the other games signed up with. Go ahead and post to my wall that has zero friends lol.

  • paintsplatterz

    Creepy. Please do update us!!

  • curtisrshideler

    I noticed that in Google's settings it mentions that even apps like Google Maps require full access. They are pretty much Big Brother.

    • Namnoot

      It's one reason I won't install Google Maps on my desktop Mac that I use for work. I stick to the website, which is bad enough but at least isn't running who-knows-what in the background.

  • Namnoot

    Good on them for patching this. Now let's see them fix the apparent issue where owners can't request that their private property be de-listed as "gyms" (there's an article in The Independent today about a guy whose home has been mistakenly designated a gym but he can't get it delisted because right now you can only report unsafe locations apparently). Doesn't matter if it's a home, business or a church, you should have the ability to opt-out if you want to.