Driving around the last few days, I’ve seen more than the usual numbers of people blundering unaware into traffic. Enough that I had to do a quick check for signs of the zombie apocalypse. Alas, it is not. It’s a new game. A particularly engrossing game. Pokemon Go is an augmented reality game that currently reports more active users than Twitter. That’s impressive for such a short period of time. More impressively, it appears to have gotten most people out of their homes and wandering around their communities. They say you should always start constructive criticism with something nice to say… Now on to the bits that worry me… This app produces a nearly constant stream of data that’s being sent back and forth to Nianic’s servers, much to the approval of cellular carriers everywhere. To the carriers, it’s a good thing. For everyone else, you’re giving up a huge amount of data about yourself, and where you are, but it doesn’t stop there. The app on multiple platforms demands permissions to use a truly impressive array of information on your device. Location, I can see. Camera, sure. Gyroscope, digging it. Full access to your Google account? What the heck? And by full access, we mean EVERYTHING. Access to your emails, access to your contacts, your location histories, your documents, your PHOTOS (even the hidden ones). Do I think that this is part of a sinister conspiracy? Perhaps a nation-state level information gathering exercise? Nope. This is lazy, sloppy coding, plain and simple. Programmers have a long and storied tradition of fixing things that don’t work because of restrictive permissions by demanding they operate at the highest levels of authority, bypassing all the carefully designed safeguards and restrictions. I remember the oft-vilified Windows Vista, when Microsoft first started gaining more awareness about the security impacts, they actually began implementing architectural changes that improved security significantly, by carefully controlling and segmenting the operating system and user data. For years, there were applications that simply would NOT run, unless you ran as an administrator. Including Quickbooks! It required end users, many of whom still can’t receive an email from a Bank Manager in Scammeristan without clicking on the link, to run as Administrator, adding to the risks of getting their systems compromised. This was a very poor error, and I suspect it will be corrected soon. But enough about video games. Look at this from a business perspective! This is why tools like identity and access management and provisioning tools exist, to help you avoid those “forget it, I’ll just give them permissions to everything so they’ll stop bugging me” scenarios. With Pokemon Go, Nianic has learned their lesson with some public rebuke. Your organization may not be so lucky.