As Ms Tips’ colleagues explained yesterday, Pokemon Go is taking up the time, brain space and mobile data of people all over the world, addicted to catching Pokemon (small cartoon monsters) in their immediate surroundings. It’s now been revealed just how much data the app’s creators can gain from users, including full access to their Gmail accounts:

“As Google’s Accounts Help page says, ‘When you grant full account access, the application can see and modify nearly all information in your Google Account (but it can’t change your password, delete your account, or pay with Google Wallet on your behalf).’ This means Pokemon Go can read everything in your Gmail account and even send (or delete) emails as you, access (and edit and delete) all of your documents in Google drive, view all of your search history as well as all of your location history in Google Maps, and your browsing history in Chrome, access any photos you store in Google Photos (including private photos), access your Google Calendars and Contacts, and more!

“Moreover, this level of access is unusual. When a developer sets up the ‘Sign in with Google’ functionality they specify what level of access they want and best practice is to ask for the minimum amount of information required, usually just basic account information (name, email address, gender, and country).”

Niantic, the company behind the game has now released a statement saying the app accidentally asked for all that information, but would not use it:

“We recently discovered that the Pokemon GO account creation process on iOS erroneously requests full access permission for the user’s Google account. However, Pokemon GO only accesses basic Google profile information (specifically, your User ID and email address) and no other Google account information is or has been accessed or collected. Once we became aware of this error, we began working on a client-side fix to request permission for only basic Google profile information, in line with the data that we actually access.  Google has verified that no other information has been received or accessed by Pokemon GO or Niantic. Google will soon reduce Pokemon GO’s permission to only the basic profile data that Pokemon GO needs, and users do not need to take any actions themselves.”