Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
×
Privacy The Internet Apple

Wading Through AccuWeather's Response (daringfireball.net) 81

On Tuesday, ZDNet reported that popular weather app AccuWeather was sending location-identifying information to a monetization firm, even when a person had disabled location data from the app. In a response, AccuWeather said today "if a user opts out of location tracking on AccuWeather, no GPS coordinates are collected or passed without further opt-in permission from the user." But it is misleading people. John Gruber of DaringFireball writes: The accusation has nothing to do with "GPS coordinates." The accusation is that their iOS app is collecting Wi-Fi router names and MAC addresses and sending them to servers that belong to Reveal Mobile, which in turn can easily be used to locate the user. Claiming this is about GPS coordinates is like if they were caught stealing debit cards and they issued a denial that they never stole anyone's cash. The accusation comes from Will Strafech, a respected security researcher who discovered the "actual information" by observing network traffic. He saw the AccuWeather iOS app sending his router's name and MAC address to Reveal Mobile. This isn't speculation. They were caught red-handed. GPS information is more precise, and if you grant the AccuWeather app permission to access your location (under the guise of showing you local weather wherever you are, as well as localized weather alerts), that more precise data is passed along to Reveal Mobile as well. But Wi-Fi router information can be used to locate you within a few meters using publicly available databases. Seriously, go ahead and try it yourself: plug your Wi-Fi router's BSSID MAC address into this website, and there's good chance it'll pinpoint your location on the map. "Other data, such as Wi-Fi network information that is not user information, was for a short period available on the Reveal SDK, but was unused by AccuWeather," the company writes. In what way is the name and MAC address of your router not "user information"? And saying the information was "unused by AccuWeather" is again sleight of hand. The accusation is not that AccuWeather itself was using the location of the Wi-Fi router, but that Reveal Mobile was. Here are Reveal Mobile's own words about how they use location data.
This discussion has been archived. No new comments can be posted.

Wading Through AccuWeather's Response

Comments Filter:
  • NSTAAFL (Score:4, Insightful)

    by OffTheLip ( 636691 ) on Wednesday August 23, 2017 @03:08PM (#55071593)
    Accuweather confirms what everyone should already know, or assume.
  • by thechemic ( 1329333 ) on Wednesday August 23, 2017 @03:12PM (#55071619)
    They named it AccuWeather for weather reports. If they wanted to convey an accurate privacy policy, wouldn't they have called it AccuPrivacyPolicy?
    • I call it CrapuWeather. We used to have TWC, but Verizon decided to save a few $$ and replace it with this useless thing instead. So I refuse to have anything to do with them - not the app, not the channel. I use the Weather Underground app instead. It has useful data, not fluff.
    • Given the accuracy of their weather predictions, wouldn't that make more sense for a completely deceptive and false Privacy Policy which is likely to change at any time?

  • by Anonymous Coward on Wednesday August 23, 2017 @03:16PM (#55071651)

    The network connections are managed in the iphone settings. Why would a weather app get access to available SSID info? Seems like Apple left the door open.

    • Re: (Score:3, Funny)

      by Anonymous Coward

      Shhhhh. Your never supposed to blame apple. Its never their fault.

    • by AmiMoJo ( 196126 )

      This requires a separate "manage wifi connections" permission on Android. I'm rather surprised that iOS doesn't require something similar.

      Having said that, it probably isn't reading the SSIDs itself, just using the "coarse location" service which it likely wants to present you with local weather forecasts.

  • by Anonymous Coward

    I don't think Apple allows things like WiFi sniffers / analyzers, so what other legitimate purpose is there for an app to have access to any info about the WiFi network? I would have assumed this info was locked away from the public API on iOS, only available to the OS functions that manage WiFi connectivity.

    Of course, any app could still determine your public IP address and try to locate based on that, but at least it'll have even worse accuracy than the Reveal Mobile database.

    • by tepples ( 727027 )

      I don't think Apple allows things like WiFi sniffers / analyzers

      And many customers choose Android devices for precisely this reason. It's why, for example, Mozilla Stumbler is an Android exclusive.

  • by JohnFen ( 1641097 ) on Wednesday August 23, 2017 @03:22PM (#55071693)

    "Oops, this functionality was inadvertently included in the release version of our app. We have removed it and apologize for this error."

    How hard is that? Sure, it's still a lie, but at least it's not flipping the users the bird.

  • by Pollux ( 102520 ) <speter@[ ]ata.net.eg ['ted' in gap]> on Wednesday August 23, 2017 @03:28PM (#55071725) Journal

    Seriously, go ahead and try it yourself: plug your Wi-Fi router's BSSID MAC address into this website...

    Not sure which website the submitter was aiming for, but since the hyperlink is missing, here's one website option to try [mylnikov.org].

    I tried it with three of my school's AP BSSID's, and I'm surprised that all three were accurate to the actual building. I thought the closest anyone could get was by geotracking our IP address, which leads them to a nearby town. But I had no idea that BSSID's could be much, much more precise.

    • by arth1 ( 260657 )

      I tried it with three of my school's AP BSSID's, and I'm surprised that all three were accurate to the actual building.

      I can't get it to return anything at all. I enter a MAC or BSSID and either hit submit or return, and nothing happens. Tried four different ones.
      Is it slashdotted?

    • by EvilSS ( 557649 ) on Wednesday August 23, 2017 @03:44PM (#55071811)
      They can actually be more precise if you are indoors and can't get a great GPS fix. Turn off wifi, open google maps, look at the size of the location circle, then turn Wifi on and watch it collapse.

      Funny story but this is how I found out Amazon sold me a used router as new. For a while after I first got it, google maps in Android insisted that I was in a house in NW Washington outside Seattle, and not where I actually live in the mid-west. At some point that router (or one with an identical MAC, but that's not really supposed to happen) was on and was picked up by either a streetview car or an android phone and added to their database. And it was just google, Apple devices didn't have this issue.
      • Re: (Score:2, Interesting)

        by JohnFen ( 1641097 )

        Good catch! (Almost) all of my network interfaces get a new, randomized MAC on a daily basis. I would never have noticed that... I guess there is a downside to that practice!

    • by Nutria ( 679911 )

      Is BSSID MAC address the same as the MAC addr of your wifi's Internet port?

    • by jemmyw ( 624065 )
      I tried it with my home wifi and it worked... for an address I lived at 2 moves ago.
  • This is easy ... (Score:4, Informative)

    by CaptainDork ( 3678879 ) on Wednesday August 23, 2017 @03:29PM (#55071727)

    ... just uninstall the goddam thing.

    • This is NOT easy, I just spend 20 minutes trying to uninstall it from my non-rooted samsung. No luck. I can't even force stop it.

      • There are Android firewalls available that don't require root. I don't know if they're any good, because my own phone is rooted and I use AFWall+, but you may want to try one out - you just might be able to stop the app from phoning home.

      • by jezwel ( 2451108 )
        The article describes the iOS app as having this issue - is it replicated in Android? AccuWeather was installed by default on my Samsung Galaxy phone...
    • Re:This is easy ... (Score:4, Informative)

      by captaindomon ( 870655 ) on Wednesday August 23, 2017 @03:45PM (#55071813)
      Yeah that's not an easy option if you spent lots of money on weather station hardware they produce, and want to be able to remotely interact with it. Accuweather is also a leading weather hardware company.
      • remotely interact with it

        I can't wait to see half a billion people trying to remote the same equipment on the app!

  • This reminds me all the times companies say: "Don't worry, we will not sell your data".

    This is a similar smokescreen, because an equally important question is: are they selling the 'derived data' or 'modelled data' that their algorithms distill from your data? For example, when your Facebook likes reveal that you are probably pregnant/gay/smoker/etc, even though you have never literally given up that information. Because most people don't know about this distinction, they are lulled into a false sense o
    • AccuWeather probably doesn't, but if you read Reveal Media's privacy statement, they are very clear and forthright that they absolutely sell your "anonymized" data to other companies.

      AccuWeather is being mealy-mouthed about all of this. They are technically correct that they aren't doing this stuff, but they don't point out that their service provider, Reveal Media, is.

  • Accuweather has a long history of shady dealings. This comes as little surprise. One of their founders is an attorney. They are well known for suing their customers.
  • a denial that they never stole anyone's cash.

    So they do steal cash? Those rat bastards!

  • by geekmux ( 1040042 ) on Wednesday August 23, 2017 @03:47PM (#55071829)

    "Claiming this is about GPS coordinates is like if they were caught stealing debit cards and they issued a denial that they never stole anyone's cash."

    The EULA was written by a lawyer...and for some reason people were not expecting a response like this?

    Give me a fucking break. Corporations tell half-truths using legal doublespeak to fool the ignorant masses all the time. What else is new.

    • You seem to think that "everyone knows" about corporate legalese half-truths, and you seem upset that it is posted as news. Well, the reason that "everyone knows" is because of these kind of news stories. Slashdot has a long history of posting this type of article, so of course old-timers like you and me know about it. At some point in the past though, you didn't know; so let others learn instead of berating the teacher for repeating a lesson you've heard before.

      There's even a relevant XKCD [xkcd.com] about this
  • Unfortunately this is how 'free' apps are making money these days.

    I use Glasswire on Windows and android to check what apps are using my internet to upload/download.

    Their latest blog post is is a good read about how some apps are getting too much information about people.

    https://blog.glasswire.com/2017/08/17/is-your-data-usage-or-vpn-app-spying-on-you/

  • That reveal website looks like an independent criticism of their company's MO, but it's just THEM saying what they do plainface. It's like if the state lotto had a website titled "how to profit off the poor and stupid. "

  • I do not understand why some people in the U.S. are adverse to using the National Weather Service, which does not track your visits to its Web sites.

    • I too rely on Weather.gov, a service of the National Weather Service. But NWS operates only in the United States, and many people who often travel internationally don't want to have to find, install, and learn a different website for each country to which they travel. I'd bet some countries don't even have a counterpart to Weather.gov, either because they're poor or because they've enacted a counterpart to Rick Santorum's NWS Duties bill [wikipedia.org]. This failed bill would have banned NWS from issuing any information t

  • Weather.com has the worst web site ever - they even put tabloid companies to shame.

Technology is dominated by those who manage what they do not understand.

Working...