The Great Pokémon Go Spy Panic


In 2016, as Hillary Clinton was imploring her supporters to “Pokémon Go to the polls,” America’s spy agencies had a different message for their employees: Your hunt for Pikachu, they warned, might be endangering national security—and Beijing’s prying eyes could be behind that Bulbasaur.

That summer, the Pokémon Go craze was in full bloom. Every day, tens of millions of Americans took to the streets, phones held aloft, impelled by the urge to “catch ’em all.” Hundreds of millions of users were playing the game worldwide.

The game’s rise dovetailed with a new era of digital spying. The information users were freely surrendering to private companies to play digital games, or to use cool new apps or other online platforms, was making intelligence services drool. Spy services dove headlong into stealing, hacking, or buying data from the private sector that they could not somehow procure elsewhere—even if they didn’t really yet understand the value of that information.

But in the summer of 2016, Pokémon Go’s creators had worries other than snooping spy services—like overseeing the rollout of the game, which was an unprecedented global phenomenon. 

Those responsible for the game were blindsided by its popularity. “We were all idiots,” recalled Don McGowan, the Pokémon Company’s former chief legal counsel. “You know those movies where someone is sitting on a beach when the tidal wave hits?” he asked. Before the launch, “That was me.”

The game was a huge hit for its parent company, Niantic, a San Francisco-based firm that launched as a start-up within Google before spinning off as an independent entity in 2015.  (Niantic was granted the rights to develop Pokémon Go from The Pokémon Company, which manages the lucrative franchise.) But there was a steep learning curve. Neither Niantic nor The Pokémon Company had any dedicated “trust and safety” personnel thinking through some of the potential geopolitical pitfalls of the game prior to its launch, recalled McGowan. He had previously worked on cybersecurity issues in Microsoft’s government affairs division and found himself thrust into the role. “Niantic was completely unprepared for how big the game was,” he said.

McGowan found himself dealing with problems nobody had anticipated, such as the day he saw a news report that players were hunting for pokémon in Bosnian minefields. McGowan hightailed it to Washington for meetings at the State Department. They “gave me a piece of paper that had the GPS coordinates of every non-classified location of landmines in the world,” he recalled. McGowan immediately passed the information to Niantic, which disabled the game in those areas.




A woman holds up her cellphone as she plays Pokémon Go near the White House in Washington on July 12, 2016. Jim Watson/AFP via Getty Images

The game itself was stumbling into more figurative minefields. National security concerns over it also began to proliferate worldwide. Indonesian and Egyptian security officials decried it as a spy front. Influential public figures in Russia called it a CIA tool—or agent of Satanism. Iran banned the game altogether. China justified its own ban by describing it as a “threat to geographical information security.”

“That summer I was a very pretty girl to every government around the world,” recalls McGowan. “I did what I called my world Pokémon Go tour, talking to every government that raised a concern around privacy.”

In the United States, however, there were no limits on playing the game.  Pokémon were being found everywhere—even, reportedly, within the White House and Pentagon. And the game’s ubiquity, it turned out, was a potentially big problem for the country’s intelligence and defense establishment.

To the dismay of U.S. counterspies, a veritable horde of pokémon were also loitering near other highly sensitive national security and intelligence facilities around the nation.

“People were doing dumb shit with Pokémon Go, like playing in the parking lot at Fort Meade,” the headquarters of the National Security Agency (NSA), recalled a former agency official. “Because there were apparently like some super-rare shiny pokémons or something, so people were wandering campus with their phones up.”

In the Venn diagram of nerdery, there was a considerable crossover between technically inclined intelligence personnel at the NSA, CIA, and other national security agencies, and Pokémon fans. And that worried their superiors.



A woman plays Pokémon Go in Yogyakarta, Indonesia, on July 24, 2016. Ulet Ifansasti/Getty Images

“There was major concern about Pokémon Go,” a former senior Energy Department official said.

Energy Department and NSA officials even worried—baselessly—that the game might be some sort of covert Chinese espionage tool, recalled former intelligence officials. (Foreign Policy spoke to seven former NSA, CIA, and Energy Department officials familiar with Pokémon Go-related security memoranda and discussions surrounding the game.) The Pentagon implored Defense Department personnel to refrain from downloading Pokémon Go on their government-issued phones, to use sound judgment about where and when they played the game, and to forgo chasing pokémon near sensitive installations.

But officials denied there were department-wide security restrictions on playing the game at military or Defense Department facilities. “There is no Poké-ban at the Pentagon,” spokesperson Lt. Cmdr. Patrick Evans told reporters in August 2016. Behind closed doors, however, there were bigger fears. As the game’s popularity exploded, pokémon materialized at NSA headquarters; near America’s top-secret nuclear weapons laboratories in New Mexico; and at covert CIA facilities in northern Virginia, thanks to ardent devotees of the game working there.

This set off alarm bells for U.S. counterintelligence officials. Why were pokémon appearing at such sensitive locations? Could this conspicuous placement be evidence of some sort of malicious intent? Could the app be functioning as a targeted spying tool, as part of a “Pokémon Go hack me” scheme? Security experts from the CIA, NSA, and Energy Department (which manages the country’s nuclear arsenal) subsequently sent memos instructing colleagues to stop playing Pokémon Go at their workplaces—and perhaps entirely.

Foreign Policy’s reporting on worries within the Energy Department, or DOE, about the potential national security-related threats of Pokémon Go is “slightly overstated,” a spokesperson said. “DOE’s major concerns were public safety and potential operational disruption.” The NSA declined to comment, while a CIA spokesperson noted the agency took “responsible measures” for “digital best practices.”




Niantic CEO John Hanke signs autographs for attendees during the Pokémon Go Fest in Chicago on July 22, 2017. Daniel Boczarski/Getty Images

Let’s be extra clear here. There’s zero evidence that Pokémon Go was ever connected to a foreign intelligence agency, or used for spying by any intelligence agency, foreign or domestic.

Niantic, the creator of Pokémon Go, is an American company, based in San Francisco. Early investors in the company, which has raised $770 million, include Nintendo and The Pokémon Company, both Japanese firms, and Google (again, Niantic’s former parent company). Chinese tech giant NetEase is also an investor, as is South Korean industrial powerhouse Samsung. Many of Niantic’s financial backers are U.S.-based venture capital firms.

If anything, Niantic springs from the high-tech establishment, where U.S. government connections are common. Niantic’s CEO, John Hanke, previously co-founded the geospatial mapping firm Keyhole, which was acquired by Google in 2004 and eventually became Google Earth and Google Maps. In 2003, Keyhole received funding from In-Q-Tel, the CIA-founded venture capital fund. The company’s technology was promptly used to assist U.S. troops in Iraq.

Gilman Louie, In-Q-Tel’s founding CEO, has sat on Niantic’s board. (Louie’s venture capital fund, Alsop Louie Partners, is also a Niantic investor.) And Hanke is himself no stranger to government work, having served as a State Department official in Myanmar.




Dozens of people dressed up as Pikachu dance with fans during the “Pikachu Outbreak” event in suburban Tokyo on Aug. 16, 2015. Toru Yamanaka/AFP via Getty Images

Somehow, these pristine bona fides didn’t allay the dyspepsia among U.S. counterintelligence officials. But some of their confusion may have just sprung from basic lack of understanding about the mechanics of the game.

A primer: Pokémon Go requires simultaneous access to a phone’s GPS and camera. Smartphone in hand, peering through the camera into an augmented version of reality, players must wander around seeking to locate—and catch—geocached Pokémon at real-life locations.

The game tracks players’ GPS coordinates and Wi-Fi and cell tower data—even, sometimes, when users are not actively playing Pokémon Go on their phones.

Most pokémon in Pokémon Go are “procedurally generated,” said McGowan—meaning that, when the game senses phones with the app on them, it materializes pokémon nearby for players to nab.

Pokémon Go players also search for “PokéStops” or “Gyms.” Unlike the largely ephemeral Pokémon, PokéStop and Gym locations are permanent.  PokéStop locations are selected in a variety of ways. Many are based on places of public interest, like museums and monuments, identified by online mapping services. (Clearly, some major national security-related facilities, like the Pentagon, would be prime candidates as sites of interest.)

Still others are generated from geotagged photos of popular sites. Finally, some potential PokéStops are crowdsourced—that is, players can nominate potential locations for them.



Fixated Pokémon Go players pass the Washington Monument on July 30, 2016. Michael S. Williamson/The Washington Post via Getty Images

And here’s where some U.S. counterintelligence officials got worried.

If some malignant actor, like a spy service, were able to successfully nominate sites of intelligence interest as PokéStops, or pay for pokémon to appear near them, or otherwise access user data from individuals playing the game at sensitive locations where pokémon materialized—or where PokéStops were placed, albeit even innocently—it could represent a new sort of espionage opportunity.

Then, in theory, a bad actor—like, say, a foreign spy service—could collect geolocated intelligence from these devices, like audio or video data, or even simply gather information on the phones themselves (thus identifying U.S. intelligence agency employees, or the specific digital signatures of their phones) to facilitate some later compromise.

This was precisely the fear at NSA: that enemy spy services might place Pokémon Go-related infrastructure “at targets of national interest, to lure Pokémon Go-playing intelligence officers to those places so they could collect on their devices,” said a former NSA official. However, the official added, this was “completely not grounded in reality.”

Could adversarial intelligence services “build a 3D model of the world using the camera photos you take when you catch a Pokémon on base? Technically feasible, yes,” said the former NSA official. “Are they going to spend all the computon [computing power] on it? Absolutely not.”

Still, most U.S. spy agency employees recognized that using your personal phone—let alone playing a game like Pokémon Go—at sensitive facilities was inadvisable at best, said the former officials.

Many NSA employees at the agency’s headquarters in Fort Meade, Maryland, greeted the NSA’s Pokémon counterintelligence directive with disbelief. “Who’s dumb enough to be doing this near NSA anywhere?” was the prevalent reaction, recalled a second former NSA official. “Most savvy people put their phone on airplane mode or turned it off when they got to campus.”

The problem wasn’t unique to the NSA. At the CIA, employees received a “very long ‘stop playing Pokémon Go’ email,” recalled a former agency official—though, in typically oblique CIA fashion, the message refrained from overtly naming the game.



A composite photo illustration showing Pikachu and spyware near a nuclear bomb.

Foreign Policy Illustration/Getty Images

But many U.S. officials viewed the dire warnings about Pokémon Go skeptically. At Los Alamos, one of America’s premier nuclear weapons laboratories, U.S. officials thought the memo from the Department of Energy’s counterintelligence specialists was “hilarious,” a former Energy Department employee recalled. “We almost all played the game.”

At the NSA, too, many intelligence officials believed that the worries about Pokémon Go were seriously overblown. “The logical non-boomer thing to do would be to put out an email that says, ‘Do not use Pokémon Go on base because it’s just not good opsec [operational security],’” the first former NSA official said.

But that was far from the tone of the communique, recalled the same former NSA official.

The memo was this “boomer thing” that “they put out … in like Comic Sans, size 36 font, a two-page, poorly formatted” document from the NSA’s counterintelligence division “that said, ‘Hey everyone, Pokémon Go is a Chinese spy app that is from this company called Niantic, and we don’t know anything about them, and it uses your camera to build a 3D model of the world that you’re walking in and [collects intelligence on your] pattern of life, and it’s banned,’” the former official said.

But “none of that was true,” said the former NSA employee. Niantic is “a completely normal company” and “the ridiculousness of that email turned a lot of people off.” So, in response, many NSA employees “were like, ‘No, fuck off, I’ll play Pokémon Go all over base.’”

McGowan didn’t hear directly from the CIA or the NSA during this brouhaha. But he did receive a flurry of calls from the Department of Energy about Pokémon Go-related concerns, he recalled. And they were spooked.

They said, “‘Listen, there are PokéStops inside top-secret nuclear facilities,’” recalled McGowan. “And I was like, ‘Well, OK, I’ll talk to Niantic and get those removed, but you have a way bigger fucking problem. Because this means somebody took a photograph of a location inside your top-secret facility and uploaded it to a third-party server with GPS coordinates attached. So if you got a PokéStop in there, that’s how it got there.’”

It seems that the Energy Department counterintelligence chiefs had conflated PokéStops—the permanent locations—and the pokémon themselves, which could materialize anywhere phones with Pokémon Go on them were nearby.

And at some department facilities, pokémon started appearing in the darnedest places.

The Energy Department’s counterintelligence probe focused on a profusion of rare pokémon near Sensitive Compartmented Information Facilities, or SCIFs—secure rooms specially designed to prevent electronic eavesdropping that are used by U.S. officials to discuss classified information.

Before you enter a SCIF, you deposit your phone in a storage container outside to prevent potential digital snooping. Energy Department security personnel “found that the SCIF thing was simply because everybody’s phones [with Pokémon Go on them] clustering in a box caused the algorithm to think these were cafes, or similarly trafficked spots where Pokémon Go players hang out,” the former senior Energy Department official said.

In the end, the department’s investigation into Pokémon Go turned up nothing improper. But officials were sufficiently unnerved about the game to ask McGowan to disable it from being played at its facilities, the former top Pokémon lawyer recalled.

“And we’re like, ‘We need GPS coordinates because GPS coordinates will take care of it.’ And we gave those over to Niantic and Niantic did whatever magic Niantic did,” he recalled. An Energy Department spokesperson confirmed his account.



Children from Switzerland look at their phones during the Pokémon Go Festival in Dortmund, Germany, on July 4, 2019. Ina Fassbender/AFP via Getty Images

Though the buzz around the game has dwindled since 2016, Pokémon Go remains very popular worldwide, with an estimated 62 million players in 2022.

The national security worries around the game have faded, too, with U.S. officials focused on the alleged counterintelligence threats posed by other sorts of digital platforms, like the Chinese-owned social media app TikTok.

But as unsubstantiated as those fears over Pokémon Go now appear—and no matter how comedic the jaw-gnashing seems in hindsight—the alarm over the game was nonetheless evidence of a deep worry in the age of surveillance capitalism, a sort of Charizard in the coal mine.


As silly as it may sound, the brouhaha over Pokémon Go was also, in a way, historic. It “was the very first time you saw a broadly used augmented reality game” that relied on geolocation, video camera usage, and individual user data that “had mass appeal and had CI [counterintelligence] risk,” a former CIA official said.

If the game presented novel sorts of counterintelligence challenges for U.S. national security, that wasn’t on the game’s designers. For better or worse, our phones are our reality now. And, at least for a bit, for hundreds of millions of people across the globe, Pokémon Go enlivened and enchanted that reality.


