Much has been written about the sensational new augmented reality game Pokémon Go that allows people to chase after characters “in the real world.” There has been significant discussion about the game around liability and risk, privacy, children’s safety, personal security, and even the nefarious and ever-present theory on government intrusion.
Although that final one about it being a secret CIA plot to collect information and enhance mapping may be for the tinfoil hat crowd, for the most part I agree with the conclusions arrived at by these authors. The game stretches so deeply into the gray areas of so many elements of appropriate consumer product delivery that, overall, I believe it presents a significant potential risk to Niantic, the company behind Pokémon Go.
And I have to wonder if any one person or group was at the top of the decision-making chain orchestrating all of these efforts, or whether things were so compartmentalized that many of the decisions were made in the vacuum of a single business unit and not cross-checked with others.
That is the topic I actually want to cover today: good governance and good oversight of operations to reduce the risk of liability of your products in market.
Taking this from the technology and information security side, where I am much more comfortable, governance, risk and compliance (GRC) frameworks are generally focused on ensuring that:
- The right people have the appropriate information to make strategic decisions related to the product’s and the company’s security and liability;
- The right processes are in place to collect, evaluate and monitor the risks associated with building, delivering, and managing the product; and
- The right level of expertise is available to communicate the controls needed to meet the requirements of all regulations that may impose themselves on the company and product in market.
Implementing such a framework requires continuous interoperability between business units, from the executive team to the management team, the legal and privacy team, the finance team, the security team, the product team and the operations team (and everyone in between). Efforts under this framework include proper documentation control and distribution, transparent group communication, qualified regulatory and market research, proper implementation of measures and triggers, solid issue tracking and remediation, and much more.
For many Fortune 500 and Global 2000 companies, GRC is a continually maturing process, but as we all move to the smaller, swifter, more agile consumer products industry, there appears to be less adherence to this model because of the near-zero cost of software deployment.
And I believe the result of this is what we see with games like Pokémon Go, where failures showed very early in the product’s release cycle, including far too loose permissions on data collection, onerous terms of service conditions, lack of clarity on regulations like COPPA to address the more stringent requirements of an audience primarily comprising underage users, unintended enterprise BYOD security risks, and potential misreadings of regulations like U.S. intellectual property rights on copyrights and trademarks. On top of this are the unknown risks of personal bodily harm due to misuse of the game or exploitation of game components by criminals intent on luring users to high-risk environments.
While some of this failure can be attributed to a first-to-market precedent, where such a revolutionary concept has caught the target market unaware of the potential dangers associated with its play, the developers of Pokémon Go, in their rush to “get the game to market,” must assume a piece of the responsibility with respect to the slew of legal and regulatory gaps that have been exposed here. The other responsible parties, of course, are the regulatory bodies themselves, which appear to be too slow with their changes, or too inflexible in their process, to be able to address such a fast-moving market.
The question is, with all of these potential risks to Niantic in the form of lawsuits from individuals, brands and regulatory bodies, who was in charge of making the decision to release, and did they have all of this information in front of them?
Additionally, was this effort a result of negligence, naiveté, or was this a calculated and purposeful effort to use the community as a test bed, a beta, to flush out these complex issues because the answers were not apparent? If so, there may be significant liability that the company will have to address in the near future as more light is shone upon these gray areas of concern.
In the end, until these issues are sorted out, from the perspective of corporate security, as well as from the perspective of a dad trying to protect the privacy of his young children, I just have to say "No" to this game.
This article is published as part of the IDG Contributor Network.