Slashdot Mirror


Wading Through AccuWeather's Response (daringfireball.net)

On Tuesday, ZDNet reported that popular weather app AccuWeather was sending location-identifying information to a monetization firm, even when a person had disabled location data from the app. In a response, AccuWeather said today "if a user opts out of location tracking on AccuWeather, no GPS coordinates are collected or passed without further opt-in permission from the user." But it is misleading people. John Gruber of DaringFireball writes:

The accusation has nothing to do with "GPS coordinates." The accusation is that their iOS app is collecting Wi-Fi router names and MAC addresses and sending them to servers that belong to Reveal Mobile, which in turn can easily be used to locate the user. Claiming this is about GPS coordinates is like if they were caught stealing debit cards and they issued a denial that they never stole anyone's cash. The accusation comes from Will Strafach, a respected security researcher who discovered the "actual information" by observing network traffic. He saw the AccuWeather iOS app sending his router's name and MAC address to Reveal Mobile. This isn't speculation. They were caught red-handed.

GPS information is more precise, and if you grant the AccuWeather app permission to access your location (under the guise of showing you local weather wherever you are, as well as localized weather alerts), that more precise data is passed along to Reveal Mobile as well. But Wi-Fi router information can be used to locate you within a few meters using publicly available databases. Seriously, go ahead and try it yourself: plug your Wi-Fi router's BSSID MAC address into this website, and there's a good chance it'll pinpoint your location on the map.

"Other data, such as Wi-Fi network information that is not user information, was for a short period available on the Reveal SDK, but was unused by AccuWeather," the company writes. In what way is the name and MAC address of your router not "user information"?
And saying the information was "unused by AccuWeather" is again sleight of hand. The accusation is not that AccuWeather itself was using the location of the Wi-Fi router, but that Reveal Mobile was. Here are Reveal Mobile's own words about how they use location data.

6 of 81 comments

  1. This is easy ... by CaptainDork · · Score: 3, Informative

    ... just uninstall the goddam thing.

    --
    It little behooves the best of us to comment on the rest of us.
    1. Re:This is easy ... by captaindomon · · Score: 3, Informative

      Yeah that's not an easy option if you spent lots of money on weather station hardware they produce, and want to be able to remotely interact with it. Accuweather is also a leading weather hardware company.

      --
      Just because I can hook a shark from a boat, I do not offer to wrestle it in the water.
  2. Re:NSTAAFL by JohnFen · · Score: 4, Informative

    Increasingly, "free" doesn't enter into it. Applications you pay for are often doing the exact same thing.

  3. Re:They couldn't even give the standard response? by 93+Escort+Wagon · · Score: 4, Informative

    It's like they accidentally left a joint in their mother's car.

    --
    #DeleteChrome
  4. Re:They couldn't even give the standard response? by JohnFen · · Score: 3, Informative

    On second reading, it's hard to tell what they were really saying. My take on it was they were saying that the problem is users are misunderstanding what they're doing. But their verbiage is so slippery that your interpretation may be what they wanted us to hear.

  5. Re:Fake News by Bert64 · · Score: 3, Informative

    Not necessarily..

    In many countries, ISPs are national and their address allocations are allocated from a single national pool, you could be anywhere in a given country.
    You could be using a VPN.
    The externally facing ip addresses of mobile networks are also generally national, and shared with hundreds of users.
    When you're using roaming data in another country it usually tunnels back to your national network too - so it has the same ip as if you were in your home country, even if you're halfway across the world.

    IP is quite a poor way to locate someone.

    --
    http://spamdecoy.net - free throwaway anonymous email - avoid spam!