Pokemon Company Threatens Pokemon Go API Creator With CFAA Lawsuit

from the because-of-course dept

Is there no goodwill that the Pokemon Company’s lawyers won’t step in and kill off? With the popularity of Pokemon Go, some third parties had started trying to develop some services to go with it, and as part of that, a few have tried to create Pokemon Go APIs. A user going by the name Mila432 had created an unofficial Pokemon Go API in Python, and posted it to GitHub. If you go now, you may notice that the Readme now reads:

see you in court nianticlabs, with love from russia xoxo

That’s because the Pokemon Company (not the game developer Niantic, but rather the Nintendo subsidiary that owns a piece of Niantic along with all the Pokemon rights) sent Mila432 a legal nastygram claiming that the creation of the API could violate the Computer Fraud and Abuse Act (CFAA). Mila432 posted screenshots to Reddit. We have all the screenshots posted at the end of this post.

The letter first claims that creating this API is a violation of Pokemon’s Terms of Use as well as Pokemon Go’s Terms of Service. But, more importantly (and ridiculously) it claims a violation of the CFAA — a law we’ve discussed many times before, mainly for it being the one law “that sticks” when no law was actually broken, but you’ve done something people dislike “with a computer.” Here’s what Pokemon’s lawyers have to say:

Additionally, your actions with respect to the Mila 432/Pokemon_Go_API potentially violate the federal Computer Fraud and Abuse Act (“CFAA”), a statute that prohibits the unauthorized access of servers and access which exceeds authorization, as well as similar state statutes. And your inducement of others to violate numerous terms of service provisions violates the CFAA. While notice is not a prerequisite to liability, Pokemon hereby puts you on notice that you are barred from accessing Pokemon servers or infrastructure, and barred from facilitating access by others. Any continued access, whether directly or at your direction or on your behalf, will be unauthorized.

See that language right there, about putting Mila432 “on notice” and saying that s/he is barred? That’s straight out of the very recent Facebook v. Power.com decision in California, where the court ruled that once a company (in that case, Facebook) had sent a cease-and-desist notice, any further access was a CFAA violation. We were troubled by that ruling, and the use of it here further illustrates how problematic it was.

Now, yes, you can argue that unauthorized APIs can cause problems for games — and that’s true. Of course, it can also help make them more compelling by allowing others to build on the game and add more value. But, wherever you come down on that debate, going legal seems pretty silly. Niantic, for its part, had simply gone the technology route of limiting access to third-party servers, to deal with some quality of service problems created by such third parties accessing its system. That is, rather than totally freak out about such APIs, it noted the actual problem (overloaded machines) and sought to fix it through technology.

It’s just the Pokemon company that took it up a few unnecessary notches to pull out a big gun like the CFAA. But, I guess, how can I be surprised? This is the same company that legally fucked over a party by Pokemon fans at PAX last year, suing the people who organized it.

Filed Under: , , , , ,
Companies: niantic, nintendo, pokemon company

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Pokemon Company Threatens Pokemon Go API Creator With CFAA Lawsuit”

Subscribe: RSS Leave a comment
Anonymous Coward says:

Re: Re:

If you look at an older readme update i.e.


then my guess is that is was a bot.
Walk logic, catch pokemon automatically, drop if bag is full all reads like some program you run on whatever to play the game for you.

While I do agree that CFAA is a bit weird to fight an API, the Pokemon Go guys did ban people for GPS spoofing. I guess if Blizzard can sue bot makers so can these guys.

pegr (profile) says:

Re: Re:

The API, or Application Programming Interface, is a standardized interface for communication between the client application and the application server. By duplicating the API, the programmer facilitates communication with the application server with an unauthorized client.

Google and Oracle had a dust-up over APIs. Google argued that an API is purely functional and, as such, is not copyrightable. Oracle differed in that they could copyright the “Structure, sequence, and organization” of the API for Java. First judge said no. Appeals judge said you can. First judge replied, OK, you can copyright it, but others can use it under Fair Use.

Anonymous Coward says:

Re: Re:

I was under the impression that Pokemon GO was largely played “against yourself”. I don’t see how this bot would have affected interactions with other players at a pokestop, pokegym, or whatever. That’s not the sort of thing easily automated.

If someone else “actually does collect them all”, how are you harmed?

Anonymous Coward says:

Re: Re: Re:

If you play the game and have stood at a gym and taken it over with no one around and then instantly spoofing sniper bots take it back that affects everyone playing. Keeping gyms is how you get in game currency for free every 24 hours. So the bots keep all the gyms and get all the in game currency leaving normal players to have spend real money if they want shop items.

Ruby says:

Re: Re: Re:

Aside from the fact that a lot of the epic server problems were being caused by tracking API’s accessing the servers, shutting out players?

The app itself is free but uses micro transactions. You use real money to buy in-game coins then use coins to buy items to advance in the game.

But, you can earn some coins in the game for free. If you have GPS spoofing technology, you can manipulate the game to get a lot of coins. Obtaining for free what other players have to pay for.

You can also quickly obtain and hatch a large number of eggs, without buying incubators.

dakre (profile) says:

Re: Re:

Anyone who runs the risk of running bots, usually know the risks. That’s their decision, and if they get banned, that’s their fault. My problem with your comment, is that they are not all ruining the game for everyone. That statement is too broad, and generalizes everyone as a “bad guy” if they don’t play through the app.

I will admit, the number of botters may be ruining the game by creating server instability, but even that isn’t preventing people from playing. What I will defend, are the people providing a beneficial service for everyone, such as PokeVision.com. They have a much better tracking system, that does get abused (I.E. bots), but at least it provides a positive experience for anyone who uses it.

Rustic Prince says:

Re: Re: Re:

The problem of clients making large numbers of requests at once can be easily solved by:
1. Limiting the number of requests per client/account per second
2. Restricting account creation by phone number/email address
3. Limiting the number of events such as level up

It seems that the service is designed in a way that they need to keep the API secret to keep it secure. If so, too bad. Security by obscurity don’t work

Rustic Prince says:

Re: I fully support Niantic in their decision...

  1. What did they “hack”? They didn’t exploit any security vulnerability of the Pokémon Go servers. They wrote programs that communicate with the servers in a normal way.
    2. How does their actions “ruin” the games for others? It’s not like there is a finite supply of Pokémons in the world.
Anonymous Coward says:

Re: Re: I fully support Niantic in their decision...

A lot of it was figured out with MITM attacks and decompiling. This isn’t a public API given out by Niantic. It’s ruins the game because bot cheaters have characters that are impossibly strong and can keep all the gyms for themselves in a local area. This keeps other people from earning in game currency.

Mike Masnick (profile) says:

Re: Re:

I fully support Niantic in their decision to fight back against the hackers. They are ruining the game for everyone else who plays legit and in my opinion if you are cheating then you deserve to have your falsely acquired assets wiped.

You do realize most of this article is not about Niantic, but Pokemon Company which went way beyond what Niantic did?

Anonymous Coward says:

What the API did (Niantic has killed access to as of about 48 hours ago by encrypting parts of their API) is allow map generation of all pokestops, gyms, and pokemon. tUnfortunately this led to a bunch of bot creators and people creating thousands of fake accounts so they could map large regions at once. The bots were literally plug and play. Turn it on and let it catch all pokemon in the area and take over all the gyms with high level pokemon and characters. It was definitely a problem. All trackers on GitHub and websites were also issued C&D. You could still run python scripts and maps locally though until they forced a game update that starting encrypting and validating calls came from a valid game client.

DocGerbil100 (profile) says:

Goddamit, what a fucking annoying mess of issues. 😛

In FB vs Power, I felt (and still feel) that FB behaved more or less correctly – and that the CFAA was used in more or less the way such laws should be used: to protect both the service and its users from harm.

Now we have that exact judgment seemingly being used to try and protect a game from cheaters. My feelings are annoyingly ambivalent here.

On the one hand: the objectionable service is apparently a cheat-bot and I really, really want to just say “fuck ’em, they deserve what they get”. I have no shred of sympathy for those individuals and organisations who fuck up games for everyone else.

On the other hand, it’s the bloody CFAA being invoked, a ridiculously aggressive law that is profoundly not the right tool for the job. It’s just too heavy-handed, by far.

The only thing I’m certain of is that America needs better laws.

raffishtenant (profile) says:

It’s an implementation of a private API, not a bot, though a number of bots have made use of it. I agree with TPC that these bots are no good for the game, and that TPC (and Niantic) have an interest in blocking them — by technical means at the very least. The CFAA is considerably more problematic.

Either way, it would be possible for them to do this by blocking the “write” functionality of the API without shutting down the “read” functionality as well. As of this week, they’ve attempted to shut down both.

It’s here that I suspect they’re doomed to failure, as a practical matter if nothing else. With the official removal of the tracking feature that worked only briefly at launch, millions of players (including myself) have found the searching elements of the game to be roughly akin to stumbling around in the dark. Enough of these players have found their interest revitalized by the mapping features which the API makes possible that this is looking like the opening salvo of a long and tedious arms race.

In the meantime, yes: shutting down API will be a blow to the bots — though it will have no effect on GPS spoofing, which is a much bigger problem for competitive gameplay than tracking could ever be.

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...