In May, Nicci Kay and her wife moved 25 miles south to the port city of Tacoma, Washington where, in time, they planned to overtake the Resistance’s hold on the area. Kay is an Ingress player, an agent in a great and invisible cyberwar over territory that spans the globe, involving two factions: the Resistance and the Enlightened, of which Kay is a member. Between leaving her new home and clocking in at work, Kay, who goes by SmugLioness in Ingress, would drive to enemy strongholds—parks, statues or other local structures—to claim them as her own. Kay had heard that local Resistance members were unusually aggressive in their tactics, but was not deterred from her hunt for territory until she came home one day to a mysterious note on her doorstep.
“You are a lion,” it read. “Don’t be a cheetah.” Then a smiley face.
The note appeared to be accusing Kay of cheating (a charge she denies), but more importantly, it was unsettling for her to find. Somebody who also plays Ingress apparently tracked her down and left a note at her home. And she says that what enabled her enemies to find her was an underground, player-made tool that collects Ingress agents’ location data. Kay describes herself as one of countless Ingress players who have fallen victim to third-party tracking tools that cheaters use to gain the upper-hand—tools that, apparently, were originally created to detect cheaters of a different kind.
Unlike most multiplayer games, Ingress is played in person, out on the streets. Although it’s not as popular as its spiritual successor, the blockbuster mobile game Pokémon Go, it has a substantial audience, having been downloaded over 8 million times since its 2012 release. Like Pokémon Go, Ingress is navigated through a smartphone app that depicts the player’s immediate proximity on a map. Across the globe, two teams vie for control of “portals,” or real-life locations marked as in-game objectives. Recently, some Enlightened teammates coordinated to seize portals that collectively spanned across the state of Alabama at 10 a.m. on a Saturday.
Ingress is a strategic game. Players have a lot to gain by getting to portals before their enemies do and by intercepting large, planned territory grabs. And they have a lot to gain by continually defending those portals for long periods of time, which earns them achievements. To get an edge, it’s kosher to scope out nearby people’s phones to see if they’re secret agents trying to take down a portal. It’s also kosher to memorize times a local competitor might get off work and swing by crucial portals when they’re not around—even though it sounds creepy as hell. What’s messed up, Ingress players say, is using third-party software to track opponents’ movements, right up to their doorstep.
On Tuesday, October 17th, a Resistance whistleblower exposed their team’s widespread use of a third-party tool called Riot, which was released in December 2015. Riot is a data-scraping tool that unearths and organizes players’ activity data stored in Ingress. Most actions in Ingress are attached to a geolocation, but what Riot does is sort those public actions into easily-queried trends. Over the chat application Slack, privileged Resistance members could type in commands like “!Riot JohnSmith123,” which would prompt a bot to list and locate all portals owned by JohnSmith123, information that would be difficult to obtain and organize on such a large scale through regular gameplay.
It’s got a lot of other functions, too. Riot can list locations where users have sent messages through Ingress’s app, which can easily lead enemies to a player’s home, where they can leave menacing notes (or worse). Riot can list locations where players visit most to capture portals. It can be set to notify users when enemies drive outside a defined home area—presumably, to conduct an out-of-town strategic action. The whistleblower shared screenshots of Riot in action as well as nearly 800 players with access to it.
Whispers of high-tech Ingress tracking tools had spread among Enlightened members who felt that their opponents had a little too much dirt on them a little too quickly. A Washington-based woman I’ll refer to as Carlie told me that the portals she’d been meticulously upkeeping would often get taken down moments before they’d level up, which meant that someone was likely keeping track of her progress. Three times throughout one year, she said, her car was blocked into a parking space by another car when she was attempting to leave a lot to re-up her portal, for example—a story two other Ingress players have echoed.
When Carlie and her husband took a trip to Puerto Rico, portals they captured there were quickly taken down by Resistance members, she says. Carlie says she saw local Washington players bragging over Ingress’s chat app that they knew she was traveling out of town and tracked her to Puerto Rico, where they commissioned someone to sabotage her.
Carlie doesn’t think that these portal captures and well-timed defensive maneuvers were coincidences. The Resistance teammates she accused of participating in this conspiracy later appeared on the whistleblower’s list of Riot users—as did the person whom Kay suspects left the note on her doorstep.
Here’s the thing: Nobody I talked to argued that the data available through Riot was “private.” Ingress gives players access to a startlingly large and detailed amount of location data about one another, but that data is abstract and unfocused. That’s how the game is played. Without Riot or analogous third-party tools, it would only be possible to determine where a player spends most of their time through a ton of time and effort. What alarmed Ingress players wasn’t necessarily the technology—they signed up for this—but the way players were using that technology to violate other players’ privacy and do creepy things.
Riot was apparently developed to detect “spoofers,” or cheaters who have multiple Ingress accounts. With some extra software, these spoofers can trick Ingress into thinking they’re in different locations so they can grab portals in New Mexico when they’re actually in Virginia. A lawyer and Resistance player named Chris Norris, who says he has spoken with Riot’s creator, said that its creator was frustrated after years of asking Niantic to address the cheating problem. (While reporting this story, we couldn’t get in touch with Riot’s creator.) So, Norris said, the creator decided to collect and decode location information contained in the game “to aid in the tracking of cheaters.” One Wisconsin-based Ingress player named Sarah Jean said she’s used Riot to report 30 alleged “spoofers,” and went on to allege that players on the Enlightened team have swiped in to sabotage her long-standing portals, too, with currently unnamed tools.
Perhaps the person who left a note on Nicci Kay’s doorstep, accusing her of being a “cheetah,” was also using Riot the way it was intended to be used, as terrifying as the effects may have been.
Ingress publisher Niantic declined to comment for this story, instead referring me to an October 28th Google Plus post. In that post, Niantic acknowledged that Ingress players had been scraping, extracting and indexing data from Ingress without their consent, a violation of the game’s Terms of Service. Niantic also acknowledged that some Ingress “Ambassadors,” sort of liasons between Niantic and Ingress players, had used the technology. They stepped down or were “excused.”
“This isn’t a faction issue,” a Seattle-based player named Cate Goodfriend told me. “Players on both sides have stalked and been stalked.” There’s always a level of risk involved in playing a location-based game, especially one that puts enemy players right in front of each other. Where someone works and lives can theoretically be determined by studious and long-term Ingress players without third-party tools, but those tools have made it too easy.
It’s unclear whether Riot is still available. However, for years, less-powerful tools like it have floated around the Ingress community, and it’s likely that they will continue to crop up. That’s led players from both factions to argue that the risks of playing are verging on too high. With a new type of location-based gaming on the rise, both with Ingress and the far-more-popular Pokémon Go, the rules of engagement are still being hammered out.
“It’s not okay to continue to follow a player after they have stopped playing the game,” said Goodfriend. “It’s not okay to identify where someone lives or works and then use that information to send them an intimidating message.”