In what feels like an inevitability, the owners of Pokémon Go have started threatening to sue outside developers for reverse engineering some of the game's code.
On the r/PokemonGoDEV subreddit, developer Mila432 posted screenshots of a cease and desist letter they'd received from lawyers representing the Pokémon Company (co-owned by Nintendo, GameFreak, and Japanese video-game maker Creatures), which co-produced the popular mobile game with Niantic Labs. Specifically, the letter took issue with an Application Program Interface (API) that Mila432 made, which would allow other developers to access game information and make tools for players.
The cease and desist letter posted on Reddit obliquely cites one of the broadest sections of the CFAA, which criminalizes anyone who "intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains…information from any protected computer."
This isn't the first salvo launched by Pokémon Go's creators at outsiders who are using their code in ways they don't like. Niantic has already cut off API access for various developers who created apps and websites like Pokevision, which allowed players to check where various pokémon were spawning near their location.
But threatening to use the CFAA, which has been called the "worst law in technology" by open internet advocate and law professor Tim Wu, takes things to a whole other level. Though it's ostensibly an anti-hacking law, it's been used to pursue aggressive prosecution of activists like Aaron Swartz. The ACLU is even representing a group of academic researchers in suing the government, arguing the CFAA potentially and wrongly criminalizes their work.
Anyone who doesn't comport exactly with a company's terms of service is potentially liable (certainly under civil law, if not always criminally). And while that may sound reasonable, it often means someone doing research—like the academics mentioned above—or simply sharing their Netflix password.
There's little recourse for Mila432, who's already removed the offending code from Github. Though other unofficial API's remain online, this is another reminder that tech companies can dangle the overly broad provisions of the CFAA as a legal threat with impunity.
Ethan Chiel is a reporter for Fusion, writing mostly about the internet and technology. You can (and should) email him at email@example.com