But just me talking to the camera for a few minutes isn't particularly interesting,

so I asked my illustrator friend Simon to create some plausible,

but utterly fake, Pokémon for me to catch.

Yeah, that'll do.

This week, there was a bit of a privacy scare about Pokémon Go.

Someone said that the company behind it could read all your email;

someone else said no, they couldn't,

and that was after doing a lot of research into how the app worked;

and then the consensus became that,

while it was technically possible,

it would require a lot of hassle on their part and it was the result of a mistake,

not some devious attempt to steal your data.

The problem was permissions.

When you see one of those buttons that says sign in with Google,

or sign in with Facebook, or -- excuse me --

Mm. Or sign in with Twitter, you are using something called OAuth.

It works like this:

you tell the app “I'd like to sign in with Google”.

The app then sends you to Google.

Google checks who you are with your username and password,

or by doing some magic with your Android phone, and if they're happy,

they send you back to the app with a new thing called a token.

The app takes the token, and until you say otherwise,

it can use that token as a way to access your account

without ever knowing your password and without you needing to be there.

It is, of course, a little bit more complicated than that,

as anyone who's ever tried to write code for it knows,

but that's a reasonable summary of what's going on.

Here's the clever part: that token, yes,

it could have access to your full account,

but it can also be set up so it only allows access

to a very limited and specific set of permissions.

Maybe it can only read your calendar appointments.

Or maybe it can only add comments to YouTube videos that you watch.

For Pokémon Go, that token was meant to only grant access to see your email address,

not to read anything, just to prove who you were.

The problem was, it didn't.

Pokémon Go is made by a company called Niantic (Nyan-tic?)

They were originally a spin-off of Google,

and it looks like they've got some contacts on the inside.

They weren't using the permissions system that everyone else had to use:

they were using an old one.

Through some fancy, manual trickery,

it was possible to convert the token they'd been given

into an "uber-token" that would give an attacker full access

to everything in your Google account,

including your email.

They weren't doing this, but they could have. And for that reason,

when you checked what permissions Pokémon Go had,

Google correctly reported that it had full access to your account.

I want to credit Ari Rubinstien at this point:

he was the developer who did all the digging

and put a really good post together about what's going on.

If you want the in-depth, technical details,

I've put a link in the description.

The latest update to Pokémon Go,

which has none of these weird things,

fixes the problem, of course, and all is well. Or is it?

Because there's a deeper problem here that can't be fixed by patching some code.

Don't get me wrong, the current OAuth solution with its tokens is much better than the old days.

I remember when you had to give your actual Twitter password to third-party apps,

who would then send it in plain text over the internet.

The current solution is better, but it's not perfect.

And there are two big things wrong with it.

First of all, you have to trust the app.

You have to trust that the “sign in with Google” button is actually doing what it claims

and when the box pops up asking for your Google password,

it actually is a box from Google and not the app just faking it.

That's less of a problem for big apps,

or if you're downloading from the well moderated Apple App Store,

but because Pokémon Go was incredibly popular and not available everywhere in the world,

lots of people on Android were sideloading it:

downloading it from somewhere unofficial,

and copying it over manually to their phone.

There were plenty of alternate versions filled with malware

that would happily have stolen your password, or, well,

anything else that was on your phone.

Second, people's priorities for security often don't reflect reality.

We all emphasise easy to understand scare stories over complicated, subtle, boring attacks.

That's the reason I'm doing a video about Pokémon Go, for crying out loud.

A scare story about an innocent game,

one that millions of people are playing and have an emotional attachment to?

Oh, if that's actually being evil and reading your email? That'll get the clicks.

But that same game having live tracking on millions of people's locations and social networks,

being run by a small company that is now an enormous target for private hackers, and blackmailers,

and governments that would really like to know that information? That's boring.

That's abstract. We know that,

but it'll never happen to you, right?

I'm a great believer in the old saying cock-up before conspiracy:

never attribute to malice what can be explained by incompetence. No,

of course this wasn't a dastardly scheme to read all your email,

it was just a couple of developers making a mistake while rushed.

Let's just hope there aren't any more headlines caused by any other mistakes

while you're catching your… whatever the heck that is.

I'm going to be away for three weeks on an expedition to the Arctic.

But rather than abandon my channel for a while, I thought:

why not get some guests involved? So,

if you have a YouTube channel,

and you've got an idea for an Amazing Places or a Things You Might Not Know video

that you could make and get to me before 6th August,

follow the link on screen or in the description.

I am particularly looking for people, styles,

and videos a little different from what normally appears here.

So if you just heard that and thought

"oh, I'd like to do that, but I'm not sure I'd fit”:

I definitely want you to get in touch.

[Translating these subtitles? Add your name here!]