Wow, ok, this is freaky.

New computer. Fedora Silverblue 36. Not signed into anything. Location services is on (using Mozilla location services). I’ve been living in Ireland now for 3+ years.

I open GNOME Maps app. I grant it location access. I press the “Go to current location” button.

It goes to the exact location of the home we had in Malmö, Sweden.

What. The. Fuck?

OK, so I have no idea how that’s possible. Mozilla must have somehow cached that location but how do they know it’s me?

@aral Does your WLAN still have the same name? Geolocation based on WLAN/Router is quite common.


@jwildeboer Same router. Unbelievable violation of privacy. So Mozilla is keeping location history tied to your router. I never consented to that. If this doesn’t violate GDPR at its core, we might as well throw GDPR in the bin.

And to think Mozilla Location Services is presented during the installation process of nearly every Linux distribution.

This is a scandal.

· · Web · 2 · 6 · 2

@aral It just needs someone who picks up the WLAN beacon signal (not even having to connect) on an (android) phone with consent to share location and it'll add your router/WLAN with its GPS coordinates to the database. So it's not even possible to really opt-out.

@jwildeboer @aral

Why is it never an opt-in? 🤒

"How do I prevent my wireless access point from being collected?

Mozilla's client applications do not collect information about WiFi access points whose SSID is hidden or ends with the string "_nomap". If you would like to prevent your WiFi access point from being reported to this service, you can rename your SSID to append "_nomap" to the name (eg, SSID "MyWirelessNetwork" becomes "MyWirelessNetwork_nomap") or configure your SSID to be hidden"

@humanetech @jwildeboer @aral so we need to always set our home WLAN name to end with "_nomap" to avoid that?

@mihira @jwildeboer @aral

Yea, apparently. Reminds me of "Do not track" which was similarly ineffective.

@humanetech @jwildeboer @aral arrg! gonna change the names now. Too bad we didn't know that before

@mihira OTOH - as the database still thinks this WLAN is in Sweden, it actually is quite a good obfuscation ATM ;) We should swap WLAN names globally in a quasi random way to further poison the database ;) @humanetech @aral

@mihira No. Other services that coillect geolocation data will ignore the _nomap. There is no defined way to *really* opt-out. It's a huge market. Similar to how "they" subverted the do-not-track option in HTTP to do exact opposite. @humanetech @aral

@jwildeboer @mihira @aral

Changing the name can at least limit the spread of the contagion :)

And show you *want* to be opted out, which is feeble symbolic form of activism.

@humanetech @jwildeboer @aral yeah, I will do just for showing off that I don't want to be tracked.

@jwildeboer @humanetech @aral That is very frustrating, nobody respects our privacy by default.

@humanetech @jwildeboer @aral AFAIK adding _nomap is not enough. You also need _optout. The first one is for Google and Mozilla, the second one for Microsoft. All of my SSIDs are ending with _optout_nomap.

@aral @humanetech @tim And not even that saves you. There other projects/companies out there collecting geolocation data that don‘t even have an opt-out method.

@tim @aral @humanetech @jwildeboer

But, _optout is not the suffix of the ssid string anymore :ablobthinkingeyes:

@tim @humanetech @jwildeboer Fucking hell. I have no words. Who do these people thing they are? (Don’t answer that.) :)

@aral @tim @humanetech @jwildeboer If Google won't resepect robots.txt (I know it doesn't from personal experience) I very much doubt that they will respect some flags appended to an SSID.

@aral so from a legal perspective everything is "fine". Your WLAN was added to the database with the consent of whatever person who happened to be close to it at some point in time. It's a weird world out there :(

@aral good luck with trying to convince the useless Irish data protection agency to take swift action :(

@jwildeboer @aral @humanetech @mihira @tim

Don't forget that Google, Apple Microsoft and others are also collecting this data, so if your in the Mozilla database, you are probably in theirs too.

Things to do about it:
- File a complaint with the Irish DPC
- File a complaint with the Swedish DPC
- Request your data from Mozilla, Google, Apple and Microsoft.
- Demand to delete your data by those companies based upon your right to be forgotten by GDPR
- Quit your job and spend the coming few decades fighting this fight. Fulltime.

But above all, ask @noybeu to get involved.

@AstaMcCarthy @jwildeboer @aral @humanetech @tim @noybeu
> Quit your job and spend the coming few decades fighting this fight. Fulltime.

@aral @AstaMcCarthy @jwildeboer @humanetech @tim @noybeu I wish I could find a way to make some money for the cause... I recently quit my job to take a break and learn german, but I have one year to find another gig to not go bankrupt.

@mihira @aral @jwildeboer @humanetech @tim @noybeu
Sometime there are open positions in privacy organisations, check:
Or in NL:

Sometime there are job openings in and keep an eye open for other privacy organisations.

@AstaMcCarthy @aral @jwildeboer @humanetech @tim @noybeu Thanks for the tip. I will definetively take a look by the time I am ready to get back to work

@aral @jwildeboer the GDPR obly applies to personal data. Is the location of a router or network (i assume they track mac-adresses) personal data? I’d doubt that.

@aral @jwildeboer But is it uniquely identifiable to YOU and to YOUR home? What is in the database? SSID and geolocation, of which neither should be personally identifiable information, unless you name your SSID after yourself, obviously.

I don't think even the MAC address of your router is personally identifiable either, as that information doesn't travel through different subnets, and it's neither globally unique.

Don't get me wrong, I'm no expert on GDPR, but I think there are worse offende

@aral @salle Yes. That was and is the argument from the companies collecting this. But as this example shows, it turns out that it very well now has the potential to become PII. Because of the massive scale of data collection and how it gets combined with other data.


There is no "potential".
It *is* personal data as defined in the GDPR. And this is beyond freaky.

@aral @salle

Sign in to participate in the conversation
Aral’s Mastodon

This is my personal Mastodon.