Gotta Track'em All: Data Privacy and Saudi Arabia’s Pokémon Go Acquisition

Samantha Bradshaw is an Assistant Professor in New technology and security at American University, where she also directs the Center for Security, Innovation and New Technology (CSINT). Dean Jackson is a Contributing Editor at Tech Policy Press.

In a given month, more than 100 million people open Pokémon Go—the app that allows users to superimpose the world’s most profitable media franchise onto reality using only their smartphone. Using their phone camera and a flick of the wrist, they captured tiny digital monsters at the park, at the office, sometimes in active minefields, and, yes, in the bathroom.

Who else was watching?

Pokémon Go, initially developed by Niantic in 2016, uses augmented reality (AR) to blend the virtual world of Pokémon with the physical world around players. By accessing a smartphone’s camera, GPS, and motion sensors, the game overlays digital Pokémon onto real-world environments, requiring players to physically move to specific locations to 'catch' them. The game’s seamless blending of the digital and physical world made it an immediate smash hit (its ties to Pokémon probably didn’t hurt, either). But underneath that immersive experience are important privacy concerns about how much personal information is being collected, who controls it, and how it’s being used.

On March 12, 2025, Niantic announced it had sold its video games unit to Scopely, a mobile game maker owned by the Saudi Royal Investment Fund, for $3.5 billion. As part of Crown Prince Mohammed bin Salman’s Vision 2030 Initiative, the Saudi government has made major investments in the gaming industry. Some have critiqued the Saudi government’s investments in this space for gamewashing—where popular entertainment is used to divert attention away from human rights abuses committed by the government. But what might be equally concerning are the privacy implications.

Like most online gaming companies, Niantic collects vast amounts of user data, and its terms of service agreements have been criticized for allowing broad access to this information. While the company has stated in its blog that data is collected to improve gameplay and mapping accuracy, the company has been less forthcoming about how it uses data internally. With Niantic’s recent acquisition by the Saudi government, it is also unclear how the sale will impact the data policies and practices for games like Pokémon Go and whether new ownership could lead to expanded data collection practices or applications of sensitive user information.

Location data is sensitive. The geospatial data collected by Pokemon Go is not just about mapping PokéStops: it provides insight into how people move through cities, which locations they frequent, and even patterns of congregation.

Similarly, the app uses smartphone cameras to capture images of potentially sensitive locations, including those that are not easily mapped, like the insides of houses and buildings. In recent years, Niantic has also been building a Visual Position System (VPS), which “uses a single image from a phone to determine its position and orientation using a 3D map built from people scanning interesting locations in our games and Scanverse.” In 2024, the company claimed to be collecting as many as a million new scans a week. Using these, it planned to build a “large geospatial model” to identify places in the real world and inside buildings, a far more powerful tool than satellite photography or even tools like GeoSpy, which can identify outdoor locations from a single image. If the company lacks sufficient images of a certain location, that’s easily remedied—send players there on a “scan mission” and watch the images roll in.

In the past, this has raised obvious concerns for sensitive sites like military bases; consider that the US Marine Corps has issued guidance to marines who moonlight as Pokémon trainers. Such concerns are not unique to Pokémon Go; in 2018, for instance, similar concerns emerged around a fitness app that used exercise routes to create detailed maps of military installations, among other locations. In 2019, the Russian parliament banned smartphone use for on-duty personnel—presumably tired of online sleuths using soldiers’ posts to reveal supposedly covert operations.

Enter Saudi Arabia, Pokémon Go’s new owner. It is not clear if Saudi Arabia’s purchase also gives it access to Niantic’s preexisting data and AI models, but at minimum, it owns the apparatus for collecting this data going forward.

Saudi Arabia’s control over powerful surveillance infrastructures—including those acquired through its investments in gaming—should be a major concern. The Saudi government has a well-documented history of human rights abuses, government surveillance, and cyber operations. In 2018, the Saudi government used spyware to surveil, then murder, Washington Post journalist Jamal Khashoggi. Surveillance is rampant in Saudi Arabia, with the government frequently monitoring every aspect of its citizens' digital lives. The Saudi government has continued to invest in mass surveillance infrastructure, which has been used to spy on activists, journalists, and political dissidents. Strict cybercrime laws criminalize even mild expressions of dissent, with several individuals facing prison sentences for peaceful social media posts. The government has also been known to use state-sponsored troll armies and bot networks to harass and intimidate online activists to further its digital repression and censorship regime.

In addition to serious concerns about how data could be used, Saudi Arabia’s purchase of this popular mobile game highlights the increasingly evident futility of building a firewall between US user data and foreign companies. This was part of the rationale behind the effort to ban TikTok, which has (as Casey Newton recently wrote) entered a kind of Schrodinger's Cat status in the US: simultaneously banned and not. While the world awaits the fate of that Chinese tech giant, how many other popular games are owned by companies overseas? To name one, Tencent, a sprawling Chinese corporation, owns stakes in more than a dozen studios, including all of Riot Games and forty percent of Epic Games, which makes the popular Fortnite. Unwinding foreign access to American data would not be opening a can of worms; it would be more like opening a worm cannery.

When users log into these games, they don’t expect their data to fuel a foreign surveillance machine. But ultimately, the way to protect them is not to crack down on foreign ownership. After all, concerns about how American law enforcement might seek and use personal data are on the rise around topics from abortion to immigration. A better way to protect user privacy is to set universal limits, applicable to foreign and domestic companies alike, about what data can be collected from users and how it can be used. That would be the very best solution.