157 comments

[ 3.9 ms ] story [ 225 ms ] thread
It was possible for long. Many years back my low IQ Nokia phone had no GPS or wifi but maps were pretty accurate using just feel phone tower tringulation.
Yep I have memories of traveling abroad using the J2ME Google Maps on my Sony Ericsson dumbphone and walking down the street and waiting for it to switch to the next tower just to see if I went in the right direction...
cell tower triangulation.
This is not tower triangulation.

Android searches for access points even when wifi is turned off. If anyone (with GPS enabled) uses that wifi with any google services the bssid will end up in their database. Also if the google car has been nearby it has recorded the presence of the wifi access point at that location [1].

Before you freak out: Apple and Microsoft also use access point information for positioning, although not as successfully.

[1] https://googleblog.blogspot.se/2010/05/wifi-data-collection-...

This raises another imprtant question: Is it okay for a private company to have detailed positioning data from inside of your office or home?

Who would really need that sort of information? I understand how this can be useful at the mall but I think I can find my way around my own house thank you.

I thought you can disable it.
Is it okay for a private company to have detailed positioning data from inside of your office or home?

I don't know the answer to that question, but I have a guess at the answer to another question: "is it okay for a private company to create a geodatabase of SSID strings that were freely and willingly broadcast via radio?"

I think the answer is "yes". Ten, fifteen years ago, if there were an HN story about how I, owner of a small business you've never heard of, created a database of SSIDs that are broadcast and tagged them with lat/longs, I'd bet money it would make the top of the front page. Bonus points if I included an API and threw the thing up on github.

Fine, it's evil, append "_nomap" to your SSID string. That's fine for stopping Google, but it won't stop "owner of small business you've never heard of". Don't broad SSIDs, but then (IIRC) one can still obtain the MAC address.

But in the end, if a radio broadcasts something then one has little recourse when receivers use that broadcast in ways you didn't intend. The analogy crumbles under a little scrutiny, but it's similar to FM broadcasters complain about geodatabases of FM towers because the intent of the broadcaster was to allow you to listen to drive-time hyenas, not use it for location services.

I seriously doubt most people even know whst "broadcast" means, or that "their" wifi is not limited to their own four walls and personal use.
Not knowing how it works doesn't change the fact that broadcasting the SSID is a key part of how wifi works. The only real solution is not to use wifi if you don't want it to be mapped.
"Ignorance is no excuse"? I mean, I don't know what the solution is if that's an allowable excuse. Google has to run PSA's on how WiFi works before they're allowed to scoop up SSIDs?

Additionally, I don't buy that to begin with, at least not as it concerns the majority. Where do folks think those other SSIDs (even if they don't call them that) in their list of networks come from?

Come on. There have to be some minimum standards of knowledge required for the citizens of a technological society, and I'd argue that "how radio works" is one of those things one should be expected to know.

   minimum standards of knowledge required for the citizens
Do you know how the electricity in your wall works? What about the plumbing under your house? Would you be able to fix those things on your own?
His argument was that you can reasonably expect people to know how to handle such technologies safely, not that he expects people to know how to build a WiFi Router from electronic parts themselves.

Using your analogy it would be sufficient for a person to know how to handle electricity coming from your wall or the plumbing under your house safely. And generally people do know how to do that.

Everyone who is regularly using WiFi networks knows that he/she can see the names of other WiFi networks in their vicinity. Therefore people using WiFi generally do know that this information is publicly broadcasted and available to be collected by anyone interested in doing so.

No one believes that he is the only person being able to somehow magically see the name of his neighbours WiFi.

I think the advanced users of HN vastly over-estimate the common sense level of the general public.

http://qz.com/333313/milliions-of-facebook-users-have-no-ide...

In third world countries people historically got to use Internet services much later, with more limited hardware and in also in a very different way. (not on a PC, instead on a feature phone with a very small screen) So it's not surprising that they have a different perception than we do.

Frankly I don't care for the matter at hand about the perception and understanding of the Internet that people from a different culture might have just as I do not care about the Saudi perspective on women's and LGBT rights. We are discussing here what should be the standard in our societies.

I think the 'advanced' users of HN vastly over-estimate the amount of information that the general public requires in order to apply common sense. As a member of the public, I have no real need to know about the protocols the Internet uses, or how Facebook and the Web are related, but it is useful to make a distinction between using Facebook (social interaction, sharing information actively, communicating with friends) and using the Internet (browsing Wikipedia, looking up recipes on Google, accessing Web sites on my laptop or tablet by myself) when communicating with others.
Yes. Yes. No.

The level of IMO required knowledge I'm talking about here is to know e.g. that water in your faucet is distributed through the building via water pipes, and electricity comes through cables that are inside walls. Even this basic knowledge allows one to infer quite a lot.

(comment deleted)
> Fine, it's evil, append "_nomap" to your SSID string. That's fine for stopping Google,

This should be opt-in by default in sane universe, not opt-out.

I'd agree, if you mean broadcasting an SSID should be opt-in by default, but not if you mean having a publicly broadcast SSID be mapped should be opt-in by default separately from broadcasting the SSID.

OTOH, to the extent this is not true, its ISPs and router manufacturers who are at fault.

if broadcasting SSID was not on by default, mom and dad would be screaming at tech support that wifi isn't "working" on their phone because the network isn't in the list of discovered networks.
I've meant sharing the location of the SSID with $company should be opt-in. Who the fuck do they think they are?
> I've meant sharing the location of the SSID with $company should be opt-in.

Broadcasting is, inherently, sharing location with everyone with a receiver.

> Who the fuck do they think they are?

People with receivers (see above.)

Ok, but one thing is broadcasting something that has a limited reach then documenting and storing in various databases around the planet.
Cell towers, FM/AM radio towers, amateur radio repeaters are just a few things off the top of my head that have limited reach but are stored somewhere as key/value pairs with a lay/long with public access.

I don't know what to tell you other than "I don't like the way I feel about this" is not the basis of good policy.

When you use their service your forfeit your privacy.
You don't even need to use their services, interested crowdsourcers will map your router and help build a SSID:location database just for fun. https://www.wigle.net/
So, then it’d also be legal if I stand near all schools, and photograph every child with a telezoom lens, follow each of them home, and then publish a website with photos of every child and where they live?

If they don’t want to be seen, they can just stop broadcasting their face and wear a burqa, right?

There is a huge difference between "publicly available in every case seperately" and "publicly indexable".

EDIT: Instead of downvoting, please leave a comment instead – do you disagree because you believe there’s a fundamental difference between gigahertz and terahertz light waves? Or is there another reason you disagree?

It is different because this behaviour fits a well know pattern of a certain type of criminal. The child molester.

There is no such established pattern where we can reasonably assume that a company collecting SSIDs will usually do this to act in a criminal way.

By the way I didn't down vote you, but I think this is the "common sense" reason why people reject your position.

Well, but it applies to every other such case, too.

You can't publicly index newspaper articles that are already decades old and irrelevant, you can't publicly index photos of buildings, you can't publicly index the names of people even.

Every of these things requires written approval of everyone listed, be it StreetView, the application of the Right to be Forgotten, or collecting WiFi SSIDs.

So the question is: why does everything require approval, except for SSIDs?

Does it? I didn't give written approval for the Google StreetView car to photography the front of my house. If I was to create a database of photographs of buildings, taken from a public location and indexed by street address, I don't believe I have to get permission, and the product could be released publicly, or even sold to estate agents or similar. I used to have to give the phone company written (or st least explicit) notice to opt out of their public index of numbers and names. So, it seems most things operate the same way as SSIDs, public information requires an opt-out to be available, not an opt-in.
Well, here Google had to run a media campaign and had to wait for people explicitly say yes or no to streetview, and the phone books have been opt-in for decades, since the market was liberalized and the Postmonopol ended with it being split into Deutsche Post DHL, Postbank and T-Online.

At least for Germany Google could have stayed within of this single law. I don’t care if Google literally would enslave and rape US-Americans – they chose to vote for politics that allows that – but Google should at least stay within of German law in Germany.

It was never illegal. It has always been legal. Debates were around asking if people could change the law to make it retroactively illegal.

Also: down voted again for emotionally manipulative and outright vile rhetoric. If Hacker News is a place for free speech and open debate, you casually turning every conversation you can to molestation, rape and violence is a violation of the social contract we all have to keep the tone civil, and hurts the goal of honest debate.

But that's literally what I don't care about? Google cando whatever they want, no matter how crazy it would be, in the US, as long as they follow the laws Ivoted for where I live.

I use that hyperbole to make it specifically clear that I would literally not care. I literally wouldn't care if they used Blackwater's army to level entire cities if the people chose to allow this by voting. It's literally the worst case scenario, and hundred times more, and I wouldn't care.

But I do care about them following the laws I voted for where I live.

And yes, it was already illegal.

German law has a principle where an action being done once or twice is very different from the same being automatically done thousands of times.

That includes collecting SSIDs, likely.

> And yes, it was already illegal.

Oh really. Fascinating. That seems to line up with the history.

> I use that hyperbole to make it specifically clear that I would literally not care.

I would like to make it clear I specifically don't care what your justification is for invoking that specter. It's at best utterly irrelevant and unneeded. At worst, it's threatening.

Find a better way to express this and you won't get downvotes. It's on you to communicate yourself in a socially acceptable way. If you don't care about that, then accept the downvotes as salty fluid that waters the tree of your liberty.

Did you just see the word "rape" and downvote blindly?
I read the whole thing, understood it, dismissed it. Vague or explicit allusions to sexual violence are about as funny/helpful/fair/meaningful/good/logical/whatever as vague allusions to racial violence.

So yeah, free downvote for mentioning it outside of a discussion that actually includes it meaningfully.

That's a shame. Extreme/hyperbolic examples have an important place in discourse. They force you to consider your ideas to their logical ends. In this case it illustrated that a line needs to be drawn somewhere by giving an example of something we all agree is reprehensible.

As far as I can tell, though, you're opposed to mentioning racial and sexual violence at all in conversation. What is the point of that kind of self-censorship? Rape will continue to be rape even if you never read or say that word again.

You seem to think that maintaining a polite level in discourse amounts to be censorship.

Curiously, we never feel the need to make these hyperbolic examples in the highest levels of discourse (be they academic or political), and yet somehow feel incredibly strongly about allowing them on internet sites.

Attempting to evoke violence, sexual assault and child abuse in discourse about something as abstract as the proper rules for radio light interpretation is not a positive addition.

We have plenty of opportunities to actually discuss said topics and no dearth of extreme metaphors to reach for to extend arguments to the absurd. We need not pretend this speech is vital for this community. Eroding the bulwark that protects this low and lazy standard as discourse is a net good for the community.

Perhaps maybe the author should have compared the practice to how Germans correlate re-naturalozed jewish citizens with health care use and reporting them for it, a quiet but severe controversy for that country.

> Perhaps maybe the author should have compared the practice to how Germans correlate re-naturalozed jewish citizens with health care use and reporting them for it, a quiet but severe controversy for that country.

This is where we differ. If we were talking about healthcare and someone brought up that point, I'd stop and think about it for a minute. Just because it refers to something evil and terrifying doesn't make it any less of a good point.

I actually learned something in this back-and-forth about how people perceive offensiveness in public dialogue, and react to perceived that offensiveness. I hope you make an effort to learn something too, and don't just come away with a haughty sense of victory.

> If we were talking about healthcare and someone brought up that point, I'd stop and think about it for a minute.

Riiiiight, but it'd be germane to a discussion about health care (assuming it actually was and was not a cheap shot). "Stranger danger creeps outside schools with cameras because radio = light and therefore basically the same as having your phone notice SSIDs" is a complete non-sequitur.

> and don't just come away with a haughty sense of victory.

Do you think this website has ever given me any sense of value or return? I'm here because I feel obligated to be. Not because I enjoy it or relish these debates. Our conversation and your predictable downvoting were practically foretold 500 years ago during a seizure by someone who saw a comet... that's how lamentably predictable the whole thing has been.

the phone books have been opt-in for decades

Where I live, it used to cost extra to have an unlisted number (it might still, don't know).

"Enslave and rape"? You are quite the master of hyperbole, aren't you? Your point might be better made if you dialed back the emotional rhetoric a bit.

I used the hyperbole tomake specifically clear I don't want to appeal to any "protect X group" or similar rhetoric — I literally wouldn't care if the US was wiped out if it was democratically legitimated — but I do care about Google following those democratically legitimated laws wherever they operate, and that means not collecting SSIDs where I live.

BSSIDs might possibly be legal to collect, but SSIDs definitely not. Likely one could even argue for copyright protection on a specifically poetic SSID.

What is the standard for "democratically legitimated"?

Like what if there is some group that is a substantial portion of a population and they decide to force their will on a smaller portion of the population. Say it gets severe. Does their larger number legitimize their actions?

Or does it mean something else?

Democratically legitimated means there is a consensus within of the majority of society, yes.

Society can not cater to every minority, but has to hear them at least out, if they can present a logical argument for their position, and consider that. (See also: Petition laws, Election laws)

Yes, that probably is a legal activity. However, someone could sue for a restraining order. After that, and possibly further lawsuits, that activity would become illegal for you.

The possibilities of human behavior are infinite. We don't need to and can't enumerate all possible bad behaviors as illegal. Thus the civil court system.

On the second thought, I think there's some law against publishing images of people without their consent in some circumstances. I'm not clear on exactly what is allowed, but I know that TV broadcasters post notices in places that they are filming.

> Yes, that probably is a legal activity. However, someone could sue for a restraining order.

A restraining order is issued for either actually illegal activity, or for activity whose legal status is in dispute, and which would irreparably negatively impact a party in the case in which it that status was in dispute, or for activity which might straddle the line of legality but which is related to a broader pattern of activity which was found to be illegal.

Its not done for specifically legal activity.

> The possibilities of human behavior are infinite. We don't need and can't enumerate all possible bad behaviors as illegal. Thus the civil court system.

The civil court system is for addressing things which are illegal -- violations of the law -- but which are not violation of criminal law. The civil court system applies those things prohibited in civil law, it does not substitute for having laws to determine what is prohibited.

No, a restraining order is issued when someone is performing actions that, taken individually, are legal - recording a link between an SSID and a street address, knocking on an ex-girlfriends door to ask them to talk to you, photographing a child - but when carried out systematically, constitute a pattern of behaviour that is undesirable, and by virtue of the order becomes illegal. Sometimes the pattern itself is also illegal, if it falls under harassment or stalking laws. Generally restraining orders prevent you from doing things that are otherwise legal, such as being within 50m of some person, or within 300m of a particular place or type of place, or sending a message, e-mail or similar to someone.
> No, a restraining order is issued when someone is performing actions that, taken individually, are legal - recording a link between an SSID and a street address, knocking on an ex-girlfriends door to ask them to talk to you, photographing a child - but when carried out systematically, constitute a pattern of behaviour that is undesirable, and by virtue of the order becomes illegal.

The subset of restraining orders (sometimes called "protective" orders) you are thinking of are available when something illegal has been done, and relate to patterns of activity related to that illegal thing. For California, there are several kinds [0] of such orders:

(1) Domestic Violence Restraining Order: available if someone close to you in specific ways defined in law has abused you in specific ways defined in law as acts of domestic violence.

(2) Elder or Dependent Adult Abuse Restraining Order: available if you are elderly or disabled and have been a victim of certain kinds of abuse.

(3) Civil Harassment Restraining Order: available if you are being harassed or stalked, etc., by someone not close enough to be covered by a domestic violence restraining order.

(4) Workplace Violence Restraining Order: available to an employer to protect an employee that has been a victim of stalking, harassment, violence, or serious threats.

Now, yes, they sometimes cover acts which would not otherwise be illegal, but they actual require something illegal to have happened as their basis (a temporary restraining order can be issued on the claim that such a thing has occurred, and a permanent restraining order only after a hearing to determine that.)

[0] http://www.courts.ca.gov/1260.htm

Would obsessive public surveillance not qualify as "stalking"?
In the scenario that kuschku suggested, taking a photo of each child and following them home to record the location (once) would probably not count as stalking IMO but its difficult to say. In the UK it has to happen twice, according to Wikipedia

https://en.wikipedia.org/wiki/Stalking

Others have explained it, but I downvoted without comment because, to paraphrase Jules in Pulp Fiction: "that's not only not in the same ballpark, it's not even the same fuckin' sport." I wouldn't know how to comment beyond that. (That, and your "think of the children" didn't help.)
Then assume I'm talking about photographing every building and putting a list of that online. Also illegal.

Or putting video surveillance up in public spaces. Also illegal, even for the government.

Or whatever.

Collect the router mac and BSSID? Possibly justifiable. That's like making a map where phone numbers are, physically.

But collecting the SSID?

Looking at the wifi list, I see "Meier family WiFi" and "Meier WiFi upper floor: Finn & Jan" (that's their children, having both the room on the upper floor, and family protection filters enabled for that WiFi).

I see WiFi names that are identifiable, somes that have a little poetry in them, others named as the favourite football club of their owners.

That's creative work and PII.

> Then assume I'm talking about photographing every building and putting a list of that online. Also illegal.

How is that illegal? That's called a map.

I down voted and left a comment.

Appealing to child stalking as a way to emotionally charge your argument about radio reception is a disingenuous tactic for this conversation. What's more, people who actually work to promote and secure a safer environment for kids don't need people like you constantly exacerbating parental paranoia with a constant back chatter stranger danger.

Please refrain from emotionally manipulative rhetoric.

Then assume I'm talking about taking a picture of every living room through the window whenever no one is there.

Or anything else that's that personal.

The point isn't about what is collected, but that this type of broad data collection exists in the first place.

Let's recap: not eventhe government can do video surveillance of public places, streetview became opt in, the phone book is opt in.

But Google collects SSIDs?

Collecting only the router mac or BSSID might possibly be justifiable, because it's just a map of technical data, but collecting a string where people but creative works in, or names, or jokes?

I've seen families where the WiFi for the first floor had another name than that for the ground floor — specifically, the names of their two children, whose room was on first floor.

Collecting such PII can be problematic.

> Then assume I'm talking about taking a picture of every living room through the window whenever no one is there.

No. That's not my job to arbitrarily re-interpret what you said to give you a free pass for your disingenuous rhetoric.

> Let's recap: not eventhe government can do video surveillance of public places, streetview became opt in, the phone book is opt in.

The government CAN do video surveillance though. Both our governments do it. What varies is how its deployed and who has access.

> Collecting only the router mac or BSSID might possibly be justifiable, because it's just a map of technical data, but collecting a string where people but creative works in, or names, or jokes?

Look, responsibility has to be exercised in all forms of data collection. But it's also the case that the light that shines out of your house is subject to public interpretation. Standing nude in your window facing a crowded street CAN be illegal in both our countries, as could placing a sign that says threatening things to passerbys. The trigger conditions for this vary between our countries, but they exist in both cases.

> Collecting such PII can be problematic.

COLLECTING PII is seldom the problem. Storing it or promptly and thoroughly deleting it is the challenge. You might argue that you shouldn't have collected it in the first place, and maybe that's true. But given the modern world where we have a rapidly expanding frontier of data analytics, it's actually difficult for real (re: not rhetorical trashbag arguments on HackerNews) people. Often times it's not obvious what PII is until later.

For example, there are people who claim that transactional data can be "anonymized". Do not believe these people; it is nearly impossible to anonymize transactional data. Even mixing users and attempting to delocalize vendor strings will not fix the problems.

> The government CAN do video surveillance though. Both our governments do it. What varies is how its deployed and who has access.

But they literally can not at any point ever do it. Video surveillance of public space is a crime, even for the police, government, or security agencies, and it does not happen.

> COLLECTING PII is seldom the problem. Storing it or promptly and thoroughly deleting it is the challenge. You might argue that you shouldn't have collected it in the first place, and maybe that's true. But given the modern world where we have a rapidly expanding frontier of data analytics, it's actually difficult for real (re: not rhetorical trashbag arguments on HackerNews) people. Often times it's not obvious what PII is until later.

The law literally makes that a crime. You have to stop collection of PII, not just delete it at any later point.

> But they literally can not at any point ever do it. Video surveillance of public space is a crime, even for the police, government, or security agencies, and it does not happen.

Surveillance of public environments via the private security systems is how your government (and ours really) accomplishes this "legally."

> The law literally makes that a crime. You have to stop collection of PII, not just delete it at any later point.

The law's definition of PII in your country is woefully out of date. Same in mine.

What do you think of high-resolution satellite imagery? Do you imagine that a satellite operator needs to get opt-in consent from anyone who happened to be looking up at the sky at the moment of the photograph?
I don't understand the down votes here, this is a sound analogy to me.

I wouldn't be surprised if there were in fact laws against this kind of public surveillance behavior in some jurisdictions in the United States.

This existed 15 years ago, called WiGLE.
Are you sure they do that when wifi is off? I was under the impression that it only happens when wifi is on (and it seems to me that my location on the map is more stable with wifi on).

That would be very not ok if it would happen with wifi off. I turn my wifi off to save the battery, and it wouldn't do much if it was still looking for broadcasts.

There's another wifi setting, in advanced I think, for "scanning always available"
Its a question of terminology. When you are passively listening to (periodic) SSID beacons, you are not transmitting anything, nor consuming any energy on your radio. One could do that even in airplane mode.

It's very different from when you hit "scan" and are actively sending broadcast packets on every frequency and waiting for the wifi routers to (actively) answer. Which really only happens when you pull down the list of nearby hotspots.

> nor consuming any energy on your radio

This simply isn't true. You'll be using power to demodulate at a minimum. You'll also be using energy to ammplify the incoming signals and a variety of other things.

Yes, this is also the reason why GPS is so power hungry--it takes a lot of power to keep a GPS radio receiver operating.
Close enough for a quick reply, but it's not the "radio" using lots of power, it's the chip that's doing the signal processing. GPS signals are very weak (approximately -120dbm) and thus below the noise floor. It takes complex FFT operations that actually cause the power hungry nature to find the proverbial needle in the haystack.
Normally, "radio" includes the amplifiers and demodulators, even if they're digital.
> or consuming any energy on your radio

Listening is actually one of the more power-intensive things a radio does, because it tends to be active more of the time than transmitting does. For many radios power consumption is the same whether transmitting or receiving.

>For many radios power consumption is the same whether transmitting or receiving

This, is not right.

Please elaborate at least a bit.
WiFi is never completely off until you disable "Scanning always available" https://i.stack.imgur.com/wcQkc.png
I don't have that option under "Advanced Wi-Fi" but under Settings -> Location -> Scanning I have "Wi-Fi Scanning Improve location by allowing system apps and services to detect Wi-Fi networks at any time". Is that the same thing?

Nexus 5X, Android 7.0

Ditto, Nexus 5, Android 6.0.1. That's how I interpreted it: as a relocation and rewording of a setting.
> I turn my wifi off to save the battery

Sending/receiving data over wifi takes roughly ~8x less power than sending/receiving data over cell.

If you want to save battery you need to turn off data entirely not turn off wifi. Turning off wifi ultimately costs you battery.

Not if I'm out of range of my home wifi which is practically the only wifi I connect to. I think my phone last longer like that, but I never actually measured it, so maybe it's not worth it after all. I guess I also don't like the idea of broadcasting these few known networks I have saved.
(comment deleted)
>"Sending/receiving data over wifi takes roughly ~8x less power than sending/receiving data over cell"

How did you arrive at this 8x figure? I don't think this is correct at all. See:

http://people.cs.umass.edu/~arun/papers/TailEnder.pdf

Additionally power efficiency is related to distance from the cell tower which is generally much further away than a wifi access point.

Were you misled by the changing axis scale? From that paper:

> Our measurements (Section 3) confirm that the transmission energy consumed by WiFi is significantly smaller than both 3G and GSM, especially for large transfer sizes.

Also that's 3G, not LTE which is what most everyone is using nowadays.

This was true in the past. Now wifi off is not really off. There is an obscure setting in location where you can disable it.

Of course Google does its usual, making it inconvenient. When you enable that setting wifi location is completely disabled and many apps which use finer location will trigger a popup to enable it back in order to get a better location.

They do this with any setting that benefits them. For example if you don't allow Google to store your historical location Maps won't remember any locations searched. As if it was impossible to maps store that details locally sigh.

> There is an obscure setting in location where you can disable it.

For those wondering, I believe the setting is Settings => Location => => Scanning (in the the vertical dots menu in the upper right) => Wi-Fi scanning (on my Nexus 5 running Android 6.0.1, anyway.)

Apple uses wifi for positioning but only while wifi is turned on. It does not use it while wifi is turned off. It sounds like in android there is a separate setting that allows wifi scanning to happen in the background for positioning even while wifi is turned off. Not sure if that's better or worse.
This is also not triangulation but trilateration.
> Before you freak out: Apple and Microsoft also use access point information for positioning

Is that supposed to comfort one, or make one freak out even more? The usage to mean the former is very.. peculiar, and the usage of the phrase "freak out" rather than, say, "before you are concerned about this and move to change it", does make it seem like that was the intended usage.

GPS for a long time haven't been used as the only source of location, to some extent it can now be considered a "2nd fiddle" to INS since solid state INS sensors are very good these days. The phone receives location information from wifi and more importantly it gets location messages from cell towers, and it uses dead reckoning[0] using it's INS sensors. [0]https://en.wikipedia.org/wiki/Dead_reckoning

If you want "privacy" turn off the location services, or your phone, if you want privacy don't take your phone with you.

That said this isn't some "conspiracy" Google actually states when you enable background location services that this will be on all the time even when GPS and the wireless network are explicitly disabled, IIRC even in airplane mode the location background service can be operational without violating FCC regulations.

Do you have a citation on phones using inertial navigation?
I'd also be curious to see a reference for

Orientation/heading from a phone's gyroscope/compass can be pretty reasonable, but most mems accelerometers are pretty much crap for dead reckoning use when loosely attached to a person. I could definitely see some interesting ideas with cell tower position data + heading + pedometer estimation getting merged, but I have a hard time believing that works in practice.

This isn't using a "pedometer" this is fusing the input from multiple sensors like gyro, accelerometer, magnetometer, barometer etc. as well as other location data (wifi/gps/cellular/beacons etc.) and extrapolating the location using a path prediction algorithm.

Given a known starting point, or a known point in general this increases both the speed and accuracy of identifying your location considerably even outdoors.

I think we're starting from the same assumptions - my reference to pedometer meant the software-fused data from whatever on-board inertial/nav sensing was available, 6DOF IMU, compass, etc... In practice in consumer products I most often see this provided as "estimated distance" based on a learned or hard-coded model of what a single step looks like from the IMU (the pedometer part) + the output of GPS/cell/wifi localization.

I'm specifically curious about evidence for a commercial smartphone that can track you to room-level accuracy using only IMU + GPS. (Add in wifi or other RF triangulation and it's clearly a solved problem.) In practice with a cell-phone GPS receiver and IMU only, attached to a person it is a hard problem to track a path to within a few meters. Trying to use accelerometer data to get position information over more than fractions of a second in that situation is... tricky.

This is what Google does, the GPS updates are actually pretty infrequent, especially if you specify low power mode, or they detect a slow activity and or you are indoors. Google's location API fuses all the sensors, they rely heavily on sensor data for indoor tracking and it's been getting pretty darn good since they've introduced it 2-3 years ago. I've linked a few google talks in this thread already, and you can read about the Fused Location API.
The technical term is usually sensor fusion and route prediction, this is how your phone knows that if it gets a weird echo from the GPS signal that you haven't jumped 150 meters forward under 1 second or help you navigate in doors etc.

It is also used for indoor navigation, Google had quite a few talks about this this one is from Google I/O 2013 https://www.youtube.com/watch?v=oLOUXNEcAJk (click to https://youtu.be/oLOUXNEcAJk?t=1985 if you want to see the break down).

There were a few better/more technical talks from 2010 and a few more recent ones that I'm trying to find again.

On android this is exposed through the Fused Sensor Location provider https://developers.google.com/android/reference/com/google/a....

"Fused Location Provider: Get highly accurate location information (latitude and longitude) based on combined signals from the device GPS and sensors."

Research has been done before on using the gyro + accelerometer on a smartphone as an IMU (inertial measurement unit) to augment positioning; see for example: http://gpsworld.com/showing-smartphones-the-way-inside/

However the last I heard, powering the gyro + accelerometer constantly was a prohibitive drain on the battery and the relatively low grade sensors used in smartphones made the positional drift rate high enough to be problematic, so I'm pretty sure that the original poster above is misinformed. I'm not aware of any smartphones that use inertial dead reckoning to augment their positioning.

Google has been supporting this since API version 10, this is the default (and only) location provider if you are using the Google Play Services API. https://youtu.be/Bte_GHuxUGc?t=400

Then skip https://youtu.be/Bte_GHuxUGc?t=700 to for the deep dive :)

You can still do location "manually" by either using GPS or sensor data using the Android framework.

Thanks for those links - I think they frame the progress on localization really nicely. They also make clear the improvements are based on fusion of GPS + wifi + IMU/sensors. Adding IMu data to the existing mix is a clear win, but there's a major difference between that and using the IMU for dead reckoning alone. I think that's worth clarifying since the thread started out talking about localization with wifi disabled (although disabled clearly doesn't quite mean what you think it might in this context.)
Oh no they don't use that alone, the amount of data they receive from the sensors and how it factors into everything also varies, if you got that impression it's my bad, I thought I was clear that when you enable the "location services" in Android it works all the time in the background regardless of what you have explicitly enabled or not they even state that when you turn it on. Pretty much the IMU data is used to prevent jumps, enable them to use better path predicting algorithms and to provide coverage in doors, if you don't want them tracking you disable the background location services, or well sadly don't take the phone with you.

P.S.

I'm pretty sure that iOS has the same thing, I also know that there are a few startups that want to push their own location provider service including sensor based tracking, I've played around with pathsense their location API was faster and considerably* more accurate than Google's https://pathsense.com

*As far as jitter goes, if you are talking about accuracy only to the point of "is jim at the juicebar on the corner of Main St. and 8th.?" they both work pretty much the same.

(comment deleted)
From the comments section of the top-voted answer:

> Something you didn't mention: when a Google-car goes around taking pictures for StreetView it also maps the location and all wifi networks name. So taking a new router with a new network name from a different ISP might work, but only until they come near your house to update their pictures... > - Bakuriu

I am not sure how this makes me feel :-|

You can opt out by adding _nomap to the end of your ssid. There's another string you can add to opt out for Microsoft.

https://www.reddit.com/r/privacy/comments/3g3xyu/for_wifi_ms...

The string for Microsoft seems to have a different effect, one of the comments[0] says:

"_optout" only gets you out of Microsoft's WiFi sharing of open networks, which allows other computers to automatically connect to your network. To opt out of Microsoft's location tracking of your router's location, you need to go to https://www.windowsphone.com/en-us/support/location-block-li... and input your MAC address (BSSID). Microsoft uses the MAC address instead of WiFi name (SSID), because supposedly they don't collect WiFi names at all due to privacy concerns.

[0]https://www.reddit.com/r/privacy/comments/3g3xyu/for_wifi_ms...

Nice catch. I wish google did this. It it easier to put my MAC address on some list than having to change my SSID.
You could create a faraday cage around your home to prevent your Wi-Fi signals from broadcasting outside your home. Otherwise I don't really see the issue with Google picking up signals from the street that people blast outside the extents of their homes.
So I can go around with a telezoom lens attached to a drone and photograph into every backyard, into every window, photograph people naked in the shower, children changing clothes on 21st floor thinking no one will look, etc – and publish that?

Or maybe we as society do already have reasonable limits where "publicly available" is not equivalent to "publicly indexable".

Do you agree that there's a difference between collecting information from spherically-broadcast radio waves, to which most building walls are nearly transparent, and collecting other electromagnetic waves by putting a detector in a place where most people wouldn't assume it would exist? I'd argue that using opaque building materials to block emission of radiation in directions that one might an observer to be located shows a clear intent to establish a degree of privacy, and that someone flying a quadcopter into unusual places to take advantage of holes in peoples' reasonable expectations should be counted as a violation.

The types of radiation that you're comparing have two very important differences that influence people's expectations: First, they're blocked by very different sets of substances. Second, we've got a detector for one of those ranges built into our heads. I don't think it's reasonable to treat the two segments of the spectrum in the same way.

I expect vehicles to drive by my home. I expect people in those vehicles to have wifi devices that can see the broadcasts from my AP. I expect their devices to capture that data, possibly store it, and possibly transmit it to another device. I think it's unreasonable to assume that someone won't do that. I don't have a strong argument for how capturing and publicly indexing that information is harmful to me.

No, this is analogous to cameras on every street. Perfectly legal even if they are recording children ...
But they are not.

Video surveillance of public space is illegal, not even the government can do that.

At least here in Germany.

I think I'm just going to start using a hiden wifi network.
Does that actually do anything? I thought it was trivial to detect those.
It does do something yes. The complete opposite of what you want.

When a modern phone connects to a non-hidden wifi access point for the first time, it remembers it can connect to that and passively listens for it to announce it's self in future.

When a modern phone connects to a hidden wifi access point for the first time, it remembers that it can connect to that access point, and also that it wont receive any announcements about it's presence in future. So how does it auto-connect in future? By constantly shouting "ARE YOU THERE HIDDEN ACCESS POINT NAMED FOO?". Making you even easier to track.

Can the auto-connect be turned off? Perhaps scripted to try when your GPS coordinates get close enough to your house?
A device could be made to work that way. I'm not aware of any that have that feature built in. You could certainly use something like Llama to turn wifi on or off depending on where you are located, but that isn't quite what you asked for. I don't know if Android or iOS have APIs available for an app to automatically add/remove wifi networks, but if they do, then that would be useful for achieving what you suggest.
If you want to stop your network from being scanned by Google street view or stop Microsoft doing whatever they do, you can add strings to your ssid.

https://www.reddit.com/r/privacy/comments/3g3xyu/for_wifi_ms....

We should not have to do that.
Talk to your government, or organize a boycott threat.

Your house is also visible in Street View, for precisely the same reason: It transmits electromagnetic waves that are visible from public roads.

Not mine. I've painted the whole thing with Vantablack®
Just created an account to update this comment
I'm vaguely surprised that Android phones don't let you just look around with the camera from any sidewalk and tell you where you are based on comparisons of what it sees to known street view images. That sort of capability would be quintessentially googly.

And slightly less scary.

Yea, the government can stop it legally, that's why there is no Street View in Austria.

In other countries you can ask Google to blur your house.

Your house broadcasts a beacon ID that ties to a specific place. It's very helpful for your neighbors to be able to locate themselves quickly.

Why aren't you helping your neighbors?

You don't have to explain this to me. I was just providing a fix. Talk to your local representatives.
Does my phone have a portion of this BSSID db locally?
(comment deleted)
If I understood correctly, android downloads nearby BSSIDs with corresponding Geoposition when internet connectivity is available, to use them when no connectivity is available.

It should be possible to reconstruct google's BSSID database, right?

I had someone from Google (young guy, summer job stuff) come into my office park and map out wi-fi points asking us if this office is still where the company I work for works at. Google has the resources to utilize HUMINT. That's how Google knows where you are.

This guy said he does this in a bunch of cities, driving around the geographic area of the USA where I work in. Very interesting to learn about.

Edit: I am not located anywhere near where Google has an office, so for him to stop by was interesting by itself.

Edit 2: grammar.

Did he also give away promotional google pendrives by any chance? and ask for special access to the office buildings? This sounds dodgy as f. I think your office park was being pentested.
Wifi mapping is the method by which google has no idea where I am. My roommate moved across the country and moved in with me, and android thinks I'm at his old house whenever I connect to his wifi router, even with GPS enabled, and even having installed OpenWRT and changed the ssid of the router. It's pretty maddening.
You can switch your phone to "Device Only", to use only the actual GPS chip.
I have apps that ask to switch it back. They won't run without crap positioning.
It's because Google and other mapping companies use the BSSID (MAC) which doesn't change if you just change the SSID.
(comment deleted)
(comment deleted)
Of course. I just wanted to point out that I changed everything that could be changed apart from buying a new router. I am at Google's mercy, they created the problem and only they can fix it.
My parents moved across continents and had the same problem. It finally fixed itself after a couple weeks/a month. This was with Apple devices though (not Google), so a different database.
Facebook knows where you are too.. and your friends. Muhahahaha.
Mozilla built a crowd-sourced database of Wi-Fi, cell, and Bluetooth network locations, collected by volunteers running an Android "stumbler/war-driving" app. I helped start this project for Firefox OS, which is mostly defunct but the Mozilla Location Service (MLS) is still used for Firefox Nightly and DevEdition on the desktop. :-) Here is a zoomable map of the location data coverage:

https://location.services.mozilla.com/map

Mozilla exchanges the cell location data with the OpenCellID project. Mozilla's cell database is available for download here:

https://location.services.mozilla.com/downloads

For privacy reasons, the Wi-Fi and Bluetooth databases are not currently downloadable, but they can be queried through a web service API:

https://location.services.mozilla.com/api

just wait for project tango rollout, inb4 "How does Google know the layout of my flat and brands I use?".
This was not publicly known before.

To my knowledge this Google trick was first discovered by the researcher Samy Kamkar (https://samy.pl/mapxss), though the tool no longer works.

When the tool used to work, I tested it using my home router address and it accurately located me. Then, I moved to another house, and the location remained being my old home. Then, after a couple of weeks, it got updated.

I think in the final product the resulting location is not only based off one WiFi address. It might try to crossvalidate using the multiple addresses you can see.

Can you trace your cellphone-to-cellphone contacts, and conclude where a User is by comparing his environment? I always imagined for fun a "underground" internet consisting of multicellular social-organism, that traffics data by handing packets over to another organism that is most likely to meet the user. In Reverse this approach could be used to trace a users propable location by finding in which social-organism s/he/it resides, and if that organism is showing its usual behaviour. (e.g. The morning Bus-To-Work always consists of a base set of workers and a set of drivers, the driver remaining constantly in it, the user has for last 2 years entered this organism at the same time and left at the same station, thus the packet can be entrusted to this organism, who will deliver it to the most likely organism the user contacted next).
Most geolocation methods make sense to me, but I've yet to figure out how Google knows the location of my desktop PC, both home and work PCs, with greater accuracy than just city.

Neither has Wi-Fi.

I hate suggesting regulation, but devices should be required to have physical switches for cams, mics, and radios. The gap between what the consumer thinks their gear is doing and what it's actually doing has become far too broad.