Follow

Wow, ok, this is freaky.

New computer. Fedora Silverblue 36. Not signed into anything. Location services is on (using Mozilla location services). I’ve been living in Ireland now for 3+ years.

I open GNOME Maps app. I grant it location access. I press the “Go to current location” button.

It goes to the exact location of the home we had in Malmö, Sweden.

What. The. Fuck?

OK, so I have no idea how that’s possible. Mozilla must have somehow cached that location but how do they know it’s me?

Fucking hell, as some of you have pointed out in the comments, also, it’s tied to my router. I have the same router I had in Malmö. If this is not a GDPR violation, I have no idea what is.

So Mozilla – Defender of Privacy™ – is storing my location history, tied to my router, without ever having gotten consent from me to do so.

This is a fucking scandal.

@aral Does your WLAN still have the same name? Geolocation based on WLAN/Router is quite common.

@jwildeboer Same router. Unbelievable violation of privacy. So Mozilla is keeping location history tied to your router. I never consented to that. If this doesn’t violate GDPR at its core, we might as well throw GDPR in the bin.

And to think Mozilla Location Services is presented during the installation process of nearly every Linux distribution.

This is a scandal.

@aral It just needs someone who picks up the WLAN beacon signal (not even having to connect) on an (android) phone with consent to share location and it'll add your router/WLAN with its GPS coordinates to the database. So it's not even possible to really opt-out.

@jwildeboer @aral

Why is it never an opt-in? 🤒

"How do I prevent my wireless access point from being collected?

Mozilla's client applications do not collect information about WiFi access points whose SSID is hidden or ends with the string "_nomap". If you would like to prevent your WiFi access point from being reported to this service, you can rename your SSID to append "_nomap" to the name (eg, SSID "MyWirelessNetwork" becomes "MyWirelessNetwork_nomap") or configure your SSID to be hidden"

@humanetech @jwildeboer @aral so we need to always set our home WLAN name to end with "_nomap" to avoid that?

@mihira @jwildeboer @aral

Yea, apparently. Reminds me of "Do not track" which was similarly ineffective.

@humanetech @jwildeboer @aral arrg! gonna change the names now. Too bad we didn't know that before

@mihira OTOH - as the database still thinks this WLAN is in Sweden, it actually is quite a good obfuscation ATM ;) We should swap WLAN names globally in a quasi random way to further poison the database ;) @humanetech @aral

@mihira No. Other services that coillect geolocation data will ignore the _nomap. There is no defined way to *really* opt-out. It's a huge market. Similar to how "they" subverted the do-not-track option in HTTP to do exact opposite. @humanetech @aral

@jwildeboer @mihira @aral

Changing the name can at least limit the spread of the contagion :)

And show you *want* to be opted out, which is feeble symbolic form of activism.

@humanetech @jwildeboer @aral yeah, I will do just for showing off that I don't want to be tracked.

@jwildeboer @humanetech @aral That is very frustrating, nobody respects our privacy by default.

@humanetech @jwildeboer @aral AFAIK adding _nomap is not enough. You also need _optout. The first one is for Google and Mozilla, the second one for Microsoft. All of my SSIDs are ending with _optout_nomap.

@aral @humanetech @tim And not even that saves you. There other projects/companies out there collecting geolocation data that don‘t even have an opt-out method.

@tim @aral @humanetech @jwildeboer

But, _optout is not the suffix of the ssid string anymore :ablobthinkingeyes:

@tim @humanetech @jwildeboer Fucking hell. I have no words. Who do these people thing they are? (Don’t answer that.) :)

@aral @tim @humanetech @jwildeboer If Google won't resepect robots.txt (I know it doesn't from personal experience) I very much doubt that they will respect some flags appended to an SSID.

@aral so from a legal perspective everything is "fine". Your WLAN was added to the database with the consent of whatever person who happened to be close to it at some point in time. It's a weird world out there :(

@aral good luck with trying to convince the useless Irish data protection agency to take swift action :(

@jwildeboer @aral @humanetech @mihira @tim

Don't forget that Google, Apple Microsoft and others are also collecting this data, so if your in the Mozilla database, you are probably in theirs too.

Things to do about it:
- File a complaint with the Irish DPC
- File a complaint with the Swedish DPC
- Request your data from Mozilla, Google, Apple and Microsoft.
- Demand to delete your data by those companies based upon your right to be forgotten by GDPR
- Quit your job and spend the coming few decades fighting this fight. Fulltime.

But above all, ask @noybeu to get involved.

@AstaMcCarthy @jwildeboer @aral @humanetech @tim @noybeu
> Quit your job and spend the coming few decades fighting this fight. Fulltime.
:pikachuSurpreso:

@aral @AstaMcCarthy @jwildeboer @humanetech @tim @noybeu I wish I could find a way to make some money for the cause... I recently quit my job to take a break and learn german, but I have one year to find another gig to not go bankrupt.

@mihira @aral @jwildeboer @humanetech @tim @noybeu
Sometime there are open positions in privacy organisations, check:
noyb.eu/en/jobs
Or in NL: bitsoffreedom.nl/kom-bij-ons-w

Sometime there are job openings in european-pirateparty.eu and keep an eye open for other privacy organisations.

@AstaMcCarthy @aral @jwildeboer @humanetech @tim @noybeu Thanks for the tip. I will definetively take a look by the time I am ready to get back to work

@aral @jwildeboer the GDPR obly applies to personal data. Is the location of a router or network (i assume they track mac-adresses) personal data? I’d doubt that.

@aral @jwildeboer But is it uniquely identifiable to YOU and to YOUR home? What is in the database? SSID and geolocation, of which neither should be personally identifiable information, unless you name your SSID after yourself, obviously.

I don't think even the MAC address of your router is personally identifiable either, as that information doesn't travel through different subnets, and it's neither globally unique.

Don't get me wrong, I'm no expert on GDPR, but I think there are worse offende

@aral @salle Yes. That was and is the argument from the companies collecting this. But as this example shows, it turns out that it very well now has the potential to become PII. Because of the massive scale of data collection and how it gets combined with other data.

@jwildeboer

There is no "potential".
It *is* personal data as defined in the GDPR. And this is beyond freaky.

@aral @salle

@jwildeboer @aral Oh yeah, this is how Skyhook etc. work. They drive through towns, and triangulate each Wifi signal a few times. The SSID gets correlated with that GPS coordinate. It's how "fast Wifi lookup" without GPS works. Most cell phones these days perform this triangulation as well, feeding Apple/Google's Skyhook-obsoleting databases.

@aral your wifi access point ... it's probably the same one that you had in sweden?

@aral @jcolson Yes, same access point would do it. Same mac address and/or a unique SSID.

@aral that's stuff like that that gets me mad at Firefox and thinking : where my Duck Duck Go browser at ?!

@paillp I’d say unfucking believable but it’s, sadly, too fucking believable.

@aral did you bring your wifi router and not change the ssid?
@paillp

@aral @mozilla is giving quite a few ~negative~ surprises lately.
What is happening?

@mihira @aral @mozilla

He he, even that mozilla fedi account you linked, is apparently listen-only. Maybe it scraped our info just now ;)

@mihira @aral @mozilla

* starting sentiment analysis

<grind, grind>

* BEEP. Not positive

* submit user profiles for auction

<kaching>

* buyer found, cash received

@aral when you broadcast your presence in public by connecting to the public internet ...

@aral
It's kind of impossible to not have a location related to your wifi router, it doesn't even need your consent. I frequently gather and share nearby WiFi networks and radio cells with my GPS on during my walking, to improve libre/free databases like the Mozilla one. So it's not necessary to have your explicit consent to know where your router is, but anyone can gather and share that information. It's not related to your identity in any way, tho, it's just a Mac address geolocated somewhere

@aral hmmm... would love to check that but I dont use Gnome ... but the app is installed.

But launching it I got :
(org.gnome.Maps:2917014): folks-WARNING **: 16:46:51.336: Failed to find primary PersonaStore with type ID 'eds' and ID 'system-address-book'.
Individuals will not be linked properly and creating new links between Personas will not work.
The configured primary PersonaStore's backend may not be installed. If you are unsure, check with your distribution.

I guess I'm alright 😅

@aral To better understand your position here: if you don't like the way Mozilla's geolocation works, what would you say about github.com/n76/DejaVu, that's basically the same approach, but the data about your WiFi AP collected by users are stored at their phones and serve to only those users?

@aral How is the router being identified then? The mac address is not exiting the LAN, is it?

@aral moz geocoding db includes entries with similar fingerprint (traceroute? os? Portscan?) as one of the many services (routers, Nat) you exposed in Sweden over the years.

Sign in to participate in the conversation
Aral’s Mastodon

This is my personal Mastodon.