date 2017-08-23
Wading Through AccuWeather's Response (daringfireball.net)
On Tuesday, ZDNet reported that popular weather app AccuWeather was sending location-identifying information to a monetization firm, even when a person had disabled location data from the app. In a response, AccuWeather said today "if a user opts out of location tracking on AccuWeather, no GPS coordinates are collected or passed without further opt-in permission from the user." But it is misleading people. John Gruber of DaringFireball writes:

The accusation has nothing to do with "GPS coordinates." The accusation is that their iOS app is collecting Wi-Fi router names and MAC addresses and sending them to servers that belong to Reveal Mobile, which in turn can easily be used to locate the user. Claiming this is about GPS coordinates is like if they were caught stealing debit cards and they issued a denial that they never stole anyone's cash.

The accusation comes from Will Strafach, a respected security researcher who discovered the "actual information" by observing network traffic. He saw the AccuWeather iOS app sending his router's name and MAC address to Reveal Mobile. This isn't speculation. They were caught red-handed.

GPS information is more precise, and if you grant the AccuWeather app permission to access your location (under the guise of showing you local weather wherever you are, as well as localized weather alerts), that more precise data is passed along to Reveal Mobile as well. But Wi-Fi router information can be used to locate you within a few meters using publicly available databases. Seriously, go ahead and try it yourself: plug your Wi-Fi router's BSSID MAC address into this website, and there's a good chance it'll pinpoint your location on the map.

"Other data, such as Wi-Fi network information that is not user information, was for a short period available on the Reveal SDK, but was unused by AccuWeather," the company writes. In what way is the name and MAC address of your router not "user information"?
And saying the information was "unused by AccuWeather" is again sleight of hand. The accusation is not that AccuWeather itself was using the location of the Wi-Fi router, but that Reveal Mobile was. Here are Reveal Mobile's own words about how they use location data.
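An added example, not code from the article, the researcher or any company named in it: one way to check a captured request body for the kind of leak described above, where the tester's own router name and BSSID leave the device. The sample body, its field names and the addresses in it are constructed for illustration and do not reflect any real SDK's schema.

```python
import json
import re

# 12 hex digits with optional ':' or '-' between octets. Heuristic: it can
# also hit other hex-looking IDs, so "other-mac" findings need a manual look.
MAC_RE = re.compile(r"\b(?:[0-9A-Fa-f]{2}[:-]?){5}[0-9A-Fa-f]{2}\b")

def normalize_mac(value):
    """Lower-case a MAC/BSSID and strip separators so formats compare equal."""
    return re.sub(r"[^0-9a-f]", "", value.lower())

def walk(node, path=""):
    """Yield (json_path, string_value) for every string leaf in a JSON document."""
    if isinstance(node, dict):
        for key, child in node.items():
            yield from walk(child, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for i, child in enumerate(node):
            yield from walk(child, f"{path}[{i}]")
    elif isinstance(node, str):
        yield path, node

def find_wifi_leaks(body, known_bssid, known_ssid):
    """Return (json_path, kind) for fields carrying the tester's BSSID or SSID."""
    findings = []
    target = normalize_mac(known_bssid)
    for path, value in walk(json.loads(body)):
        macs = {normalize_mac(m) for m in MAC_RE.findall(value)}
        if target in macs:
            findings.append((path, "bssid"))
        elif macs:
            findings.append((path, "other-mac"))
        if known_ssid and known_ssid in value:
            findings.append((path, "ssid"))
    return findings

# Constructed sample request body (hypothetical field names, made-up addresses).
SAMPLE_BODY = json.dumps({
    "device": {"os": "iOS", "app_version": "1.0"},
    "net": {"wifi_name": "HomeNet-5G", "ap": "02-00-5E-10-20-30"},
    "peers": ["02005e102030", "no-mac-here"],
    "location_permission": False,
})

if __name__ == "__main__":
    for path, kind in find_wifi_leaks(SAMPLE_BODY, "02:00:5e:10:20:30", "HomeNet-5G"):
        print(f"{kind:10s} {path}")
```

Run it against bodies exported from an intercepting proxy on a test device, passing the BSSID and SSID of the access point the device is joined to.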
Increasingly, "free" doesn't enter into it. Applications you pay for are often doing the exact same thing.
I thought it was TINSTAAPP - There Is No Such Thing As A Pitching Prospect.
Oh wait... we aren't talking about baseball, are we?
Your IP, easily obtainable by anyone you are communicating with, already nails down your location to a relatively small area.
Where I live, that "relatively small area" has roughly a 50 mile radius.
Your IP, easily obtainable by anyone you are communicating with, already nails down your location to a relatively small area.
Disregarding VPNs, the "relatively small area" for IPs is often the service area for the IP range for the ISP, which can be city sized or bigger. My IP address is around 50 miles off.
That's a far cry from within a few feet.
mine comes up as either San Antonio or Plano, neither is close to where I am. IP locating works OK, but I would not want to attach anything serious to it.
You're kind of a n00b, huh?
You think the accuweather app gets access to cellular tower location info of the device it's running on? No.
You think an IP is tied to someone's physical location? No.
Go back to school, your book report is due.
What they're doing is merely annoying. What is actually far worse is trying to obfuscate the actual issue by issuing a mea culpa speaking to 'GPS signals' -- rather than an open admission of what they were doing and why.
And this is somehow okay?
The cover-up is almost always worse than the actual deed.
"Oops, this functionality was inadvertently included in the release version of our app. We have removed it and apologize for this error."
How hard is that? Sure, it's still a lie, but at least it's not flipping the users the bird.
It's like they accidentally left a joint in their mother's car.
On second reading, it's hard to tell what they were really saying. My take on it was they were saying that the problem is users are misunderstanding what they're doing. But their verbiage is so slippery that your interpretation may be what they wanted us to hear.
Seriously, go ahead and try it yourself: plug your Wi-Fi router's BSSID MAC address into this website...
Not sure which website the submitter was aiming for, but since the hyperlink is missing, here's one website option to try [mylnikov.org].
I tried it with three of my school's AP BSSIDs, and I'm surprised that all three were accurate to the actual building. I thought the closest anyone could get was by geotracking our IP address, which leads them to a nearby town. But I had no idea that BSSIDs could be much, much more
I tried it with three of my school's AP BSSIDs, and I'm surprised that all three were accurate to the actual building.
I can't get it to return anything at all. I enter a MAC or BSSID and either hit submit or return, and nothing happens. Tried four different ones.
Is it slashdotted?
It just worked for my home wifi... and I'm in a fairly rural area.
Funny story, but this is how I found out Amazon sold me a used router as new. For a while after I first got it, Google Maps in Android insisted that I was in a house in NW Washington outside Seattle, and not where I actually live in the Midwest. At some point that router (or one with an identical MAC, but that
Good catch! (Almost) all of my network interfaces get a new, randomized MAC on a daily basis. I would never have noticed that... I guess there is a downside to that practice!
Is BSSID MAC address the same as the MAC addr of your wifi's Internet port?
Maybe. BSSID (Broadcast Service Set Identifier) and SSID (Service Set Identifier) are functionally the same thing -- BSSID is an SSID attached to a radio, basically.
Every network interface has such an ID. If your machine has multiple interfaces, WiFi or wired, each one has its own.
Man, I messed that up. To clarify and correct my answer:
BSSID: the text string that you enter to "name" your WiFi set.
SSID: This is the same as a MAC, but attached to a radio. With wired connections, like Ethernet, it's just called MAC.
... just uninstall the goddam thing.
This is NOT easy, I just spent 20 minutes trying to uninstall it from my non-rooted Samsung. No luck. I can't even force stop it.
This is a similar smokescreen, because an equally important question is: are they selling the 'derived data' or 'modelled data' that their algorithms distill from your data? For example, when your Facebook likes reveal that you are probably pregnant/gay/smoker/etc, even though you have never literally given up that information. Because most people don't know about this distinction, they are lulled into a false sense o
AccuWeather probably doesn't, but if you read Reveal Media's privacy statement, they are very clear and forthright that they absolutely sell your "anonymized" data to other companies.
AccuWeather is being mealy-mouthed about all of this. They are technically correct that they aren't doing this stuff, but they don't point out that their service provider, Reveal Media, is.
a denial that they never stole anyone's cash.
So they do steal cash? Those rat bastards!
"Claiming this is about GPS coordinates is like if they were caught stealing debit cards and they issued a denial that they never stole anyone's cash."
The EULA was written by a lawyer...and for some reason people were not expecting a response like this?
Give me a fucking break. Corporations tell half-truths using legal doublespeak to fool the ignorant masses all the time. What else is new.