Skip to main content

Pokémon Go owners are threatening to sue developers over third-party hacks

Pokémon Go owners are threatening to sue developers over third-party hacks

Share this story

In the latest twist in the ongoing feud between the Pokémon Go community and the app's creators, The Pokémon Company has sent out at least one cease and desist letter to an independent developer threatening prosecution under the Computer Fraud and Abuse Act. The letter, sent to GitHub user Mila432 and reposted online, contains a detailed breakdown of how the developer violated Pokémon Go's terms of service with a reverse-engineered application programming interface (API). It also says the developer may be subject to legal action if he or she does not comply with the company's demands.

"Your actions ... potentially violate the Computer Fraud and Abuse Act, a statute that prohibits the unauthorized access of servers and access which exceeds authorization as well as similar state statues," the letter reads. "And your inducement of others to violate numerous terms of service provisions violates the CFAA." It's unclear if The Pokémon Company could actually bring a CFAA lawsuit against someone for breaking the terms of service in this case when there is no material harm done. But it's certainly not the most outlandish use of the law.

Mila432 reverse engineered and released a 'Pokémon Go' API that could be used to develop bots

Mila432's API, released online over at code repository GitHub was designed to automate Pokémon Go play. It allows any third-party developer to create bots that could play the game without user input by effectively simulating the software and communicating with the game's servers. The Pokémon Company says this API violates the Pokémon terms of use, which governs the use of the Pokémon Trainer Club account system for logging into the game. It also allegedly violates the Pokémon Go terms of service, which dictate how users interact with the game, its servers, and any data involved in the communication between the two.

The Pokémon Company has banned Mila432 from accessing any Pokémon-related service, and it's also asking the developer remove the API from GitHub within seven days. The letter was first received on July 28th and the API remains live over at GitHub, where it has been starred more than 2,250 times. Mila432 was not immediately available for comment.

This appears to be a significant escalation in how Pokémon Go's creators are handling any abuse of the service. Starting this week, developer Niantic begin restricting how third-party APIs access its servers, effectively breaking many of the popular pokémon-tracking apps used to locate different creatures on a virtual map. This was, according to Niantic CEO John Hanke, a decision the company felt it had to make to ensure the game was played fairly and to reduce the amount of strain being placed on its servers. "We have limited access by third-party services which were interfering with our ability to maintain quality of service for our users and to bring Pokémon GO to users around the world," Niantic wrote in a Facebook post on Monday.

The Pokémon Company hasn't gone after map makers

So it would seem that Niantic and The Pokémon Company have hard and fast rules on what they will and will not allow with regards to gameplay. They haven't, however, gone after any of the third-party map makers with legal threats. In fact, the creator of the most popular Pokémon Go mapping API has not received a cease and desist letter, the developer tells The Verge. That API is still available at GitHub as well. Enabling people to use bots to play the game would seem to be where Niantic and The Pokémon Company draw the line. It even now appears hacking and taking advantage of exploits is now a reason for a permanent game ban:

The Pokémon Company is co-owned by Nintendo, developer Game Freak, and merchandise company Creatures. The entity owns the rights to the Pokémon franchise and licenses them to developer Niantic, which made and now operates Pokémon Go. The joint company handles all matters related to intellectual property rights, so it makes sense it would handle sending out cease and desist letters. Still, it's unclear why The Pokémon Company is targeting certain developers, like Mila432, and not those responsible for more popular APIs. A representative for The Pokémon Company did not respond to our requests for comment.

Update August 4th, 5:23PM ET: Added information regarding new Pokémon Go bans for hacking and using exploits.

Update August 8th, 3:15PM ET: The creator of the most popular Pokémon Go mapping API, mentioned above, has also received a cease and desist letter and has decided to shut the project down. In a note posted to his GitHub account, creator Ahmed Almutawa said he wished not to proceed with Niantic's blessing. He also said the decision was less about legal concerns than it was about his interest in the project.

"I'd like to clarify that the main reason I chose to shut it down was because I’ve lost interest rather than legal concerns," Almutawa wrote. "Niantic’s actions towards third-party developers have been very off-putting and it has killed my personal motivation to work on this project. This was a fun weekend project for a game I enjoyed, and now I’ve lost interest in both."

Pokémon Go Advanced Tips