Slashdot Mirror

← Back to Stories (view on slashdot.org)

Wading Through AccuWeather's Response (daringfireball.net)

Posted by msmash on from the web-of-lies dept.

On Tuesday, ZDNet reported that popular weather app AccuWeather was sending location-identifying information to a monetization firm, even when a person had disabled location data from the app. In a response, AccuWeather said today "if a user opts out of location tracking on AccuWeather, no GPS coordinates are collected or passed without further opt-in permission from the user." But it is misleading people. John Gruber of DaringFireball writes: The accusation has nothing to do with "GPS coordinates." The accusation is that their iOS app is collecting Wi-Fi router names and MAC addresses and sending them to servers that belong to Reveal Mobile, which in turn can easily be used to locate the user. Claiming this is about GPS coordinates is like if they were caught stealing debit cards and they issued a denial that they never stole anyone's cash. The accusation comes from Will Strafech, a respected security researcher who discovered the "actual information" by observing network traffic. He saw the AccuWeather iOS app sending his router's name and MAC address to Reveal Mobile. This isn't speculation. They were caught red-handed. GPS information is more precise, and if you grant the AccuWeather app permission to access your location (under the guise of showing you local weather wherever you are, as well as localized weather alerts), that more precise data is passed along to Reveal Mobile as well. But Wi-Fi router information can be used to locate you within a few meters using publicly available databases. Seriously, go ahead and try it yourself: plug your Wi-Fi router's BSSID MAC address into this website, and there's good chance it'll pinpoint your location on the map. "Other data, such as Wi-Fi network information that is not user information, was for a short period available on the Reveal SDK, but was unused by AccuWeather," the company writes. In what way is the name and MAC address of your router not "user information"? And saying the information was "unused by AccuWeather" is again sleight of hand. The accusation is not that AccuWeather itself was using the location of the Wi-Fi router, but that Reveal Mobile was. Here are Reveal Mobile's own words about how they use location data.

81 comments

  1. NSTAAFL by OffTheLip · · Score: 3, Insightful

    Accuweather confirms what everyone should already know, or assume.

    1. Re:NSTAAFL by __aaclcg7560 · · Score: 0

      That weather prediction is an art and not a science?

    2. Re:NSTAAFL by Anonymous Coward · · Score: 0

      Well the OP abbreviated the acronym - it is supposed to be TANSTAAFL for "There aint no such thing as a free lunch" but "No such thing as a free lunch" works too.

    3. Re:NSTAAFL by JohnFen · · Score: 4, Informative

      Increasingly, "free" doesn't enter into it. Applications you pay for are often doing the exact same thing.

    4. Re:NSTAAFL by 93+Escort+Wagon · · Score: 1

      I thought it was TINSTAAPP - There Is No Such Thing As A Pitching Prospect.

      Oh wait... we aren't talking about baseball, are we?

      --
      #DeleteChrome
    5. Re:NSTAAFL by yuriklastalov · · Score: 1

      Increasingly, "free" doesn't enter into it. Applications you pay for are often doing the exact same thing.

      Does that mean we're down to "There Ain't No Such Thing As Lunch", then? So it's come to this...

  2. AccuPrivacyPolicy by thechemic · · Score: 5, Funny

    They named it AccuWeather for weather reports. If they wanted to convey an accurate privacy policy, wouldn't they have called it AccuPrivacyPolicy?

    --
    Let's make like a bird... and get the flock outta here.
    1. Re:AccuPrivacyPolicy by toonces33 · · Score: 2

      I call it CrapuWeather. We used to have TWC, but Verizon decided to save a few $$ and replace it with this useless thing instead. So I refuse to have anything to do with them - not the app, not the channel. I use the Weather Underground app instead. It has useful data, not fluff.

    2. Re:AccuPrivacyPolicy by Anonymous Coward · · Score: 1

      are you aware that The Weather Channel owns Weather underground

    3. Re:AccuPrivacyPolicy by toonces33 · · Score: 1

      Yes.

    4. Re:AccuPrivacyPolicy by tepples · · Score: 1

      Yes. When a pay TV provider dropped TWC, toonces33 installed Weather Underground to get TWC back.

    5. Re:AccuPrivacyPolicy by Anonymous Coward · · Score: 0

      are you aware that The Weather Channel owns Weather underground

      You are a bit daft, to put it kindly.

    6. Re:AccuPrivacyPolicy by thegarbz · · Score: 1

      Given the accuracy of their weather predictions, wouldn't that make more sense for a completely deceptive and false Privacy Policy which is likely to change at any time?

  3. Fake News by Anonymous Coward · · Score: -1

    Your IP, easily obtainable by anyone you are communicating with, already nails down your location to a relatively small area. Triangulation of mobile device signals and tower locations can as well. This is really not much different, and pretty much a non-story. I suspect some small-fry in the world of internet security attempting to make a name for himself.

    1. Re:Fake News by JohnFen · · Score: 3

      Your IP, easily obtainable by anyone you are communicating with, already nails down your location to a relatively small area.

      Where I live, that "relatively small area" has roughly a 50 mile radius.

    2. Re:Fake News by Anonymous Coward · · Score: 1

      Thanks for your input, Dr. Joel Myers.

    3. Re:Fake News by arth1 · · Score: 1

      our IP, easily obtainable by anyone you are communicating with, already nails down your location to a relatively small area.

      Disregarding VPNs, the "relatively small area" for IPs is often the service area for the IP range for the ISP, which can be city sized or bigger. My IP address is around 50 miles off.
      That's a far cry from within a few feet.

    4. Re:Fake News by stabiesoft · · Score: 1

      mine comes up as either San Antonio or Plano, neither is close to where I am. IP locating works OK, but I would not want to attach anything serious to it.

    5. Re:Fake News by EvilSS · · Score: 2

      Where I live it can be a city 4 hours drive from where I live. IP Geolocation is sketchy on the best of days.

      --
      I browse on +1 so AC's need not respond, I won't see it.
    6. Re: Fake News by TheDarkener · · Score: 0

      You're kind of a n00b, huh?

      You think the accuweather app gets access to cellular tower location info of the device its running on? No.

      You think an IP is tied to someone's physical location? No.

      Go back to school, your book report is due.

      --
      It is pitch black. You are likely to be eaten by a grue.
    7. Re: Fake News by Anonymous Coward · · Score: 1, Insightful

      Well you just revealed your own ignorance there. Your WAN IP can indeed be tied to a fixed point in a lot of cases. Of course the area around that fixed point may be anywhere from metres to planetary scale but IP geolocation indeed works to some degree.

    8. Re:Fake News by rogoshen1 · · Score: 4, Insightful

      What they're doing is merely annoying. What is actually far worse is trying to obfuscate the actual issue by issuing a mea culpa speaking to 'GPS signals' -- rather than an open admission of what they were doing and why.

      And this somehow okay?

      The cover-up is almost always worse than the actual deed.
         

    9. Re:Fake News by Bert64 · · Score: 3, Informative

      Not necessarily..

      In many countries, ISPs are national and their address allocations are allocated from a single national pool, you could be anywhere in a given country.
      You could be using a VPN.
      The externally facing ip addresses of mobile networks are also generally national, and shared with hundreds of users.
      When you're using roaming data in another country it usually tunnels back to your national network too - so it has the same ip as if you were in your home country, even if your half way across the world.

      IP is quite a poor way to locate someone.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    10. Re:Fake News by mrbester · · Score: 1

      The closest location "nailed down" for me is 12 miles away. That's because that's ostensibly where the node is, but then then there's even an argument about that as it is three different places according to various databases.

      --
      "Wait. Something's happening. It's opening up! My God, it's full of apricots!"
    11. Re:Fake News by gordguide · · Score: 1

      Although the Geolocation with my connection is often accurate (defining the city I live in) it occasionally puts me at another city 150 miles away.

      Perhaps more interestingly, when I was in a remote area and we connected via a dish satellite link, I often got geolocation that put me in New York City, some 2500 miles away an in a different country.

      The above is from ads, especially shady dating ads, that would suggest I could find many "available" dates in xx city. These days that doesn't happen because I use effective ad blocking, so the ads simply don't appear anymore, but I suspect similar things would happen if I turned ad blocking off.

    12. Re:Fake News by thegarbz · · Score: 1

      Your IP, easily obtainable by anyone you are communicating with

      My IP is assigned by carrier grade NAT and is narrowed down to "somewhere in the country".

    13. Re:Fake News by schleimkeim · · Score: 2

      What they're doing is merely annoying.

      Welcome to 2017, where spying on users and selling all the information is 'merely annoying.' It's a Brave New World.

    14. Re:Fake News by Anonymous Coward · · Score: 0

      Oh, it can be a bit further than that.

      https://arstechnica.com/tech-policy/2016/08/kansas-couple-sues-ip-mapping-firm-for-turning-their-life-into-a-digital-hell/

    15. Re:Fake News by LordWabbit2 · · Score: 1

      Maybe in your area, but when you use cells in my country it NAT's most of it through a couple IP addresses. It's not unusual to go to a site you have never been to before and it tells you your IP address has been banned for whatever.

      --
      There are three kinds of falsehood: the first is a 'fib,' the second is a downright lie, and the third is statistics.
    16. Re:Fake News by rogoshen1 · · Score: 1

      Fair enough, fair enough.

  4. Why does a weather app have that access? by Anonymous Coward · · Score: 5, Insightful

    The network connections are managed in the iphone settings. Why would a weather app get access to available SSID info? Seems like Apple left the door open.

    1. Re:Why does a weather app have that access? by Anonymous Coward · · Score: 3, Funny

      Shhhhh. Your never supposed to blame apple. Its never their fault.

    2. Re:Why does a weather app have that access? by AmiMoJo · · Score: 1

      This requires a separate "manage wifi connections" permission on Android. I'm rather surprised that iOS doesn't require something similar.

      Having said that, it probably isn't reading the SSIDs itself, just using the "coarse location" service which it likely wants to present you with local weather forecasts.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    3. Re:Why does a weather app have that access? by schleimkeim · · Score: 1

      I'm rather surprised that iOS doesn't require something similar.

      Are you? Really?

  5. Why do apps have access to the BSSID? by Anonymous Coward · · Score: 2

    I don't think Apple allows things like WiFi sniffers / analyzers, so what other legitimate purpose is there for an app to have access to any info about the WiFi network? I would have assumed this info was locked away from the public API on iOS, only available to the OS functions that manage WiFi connectivity.

    Of course, any app could still determine your public IP address and try to locate based on that, but at least it'll have even worse accuracy than the Reveal Mobile database.

    1. Re:Why do apps have access to the BSSID? by tepples · · Score: 1

      I don't think Apple allows things like WiFi sniffers / analyzers

      And many customers choose Android devices for precisely this reason. It's why, for example, Mozilla Stumbler is an Android exclusive.

  6. the reasons we check on stuff frequently??? by Anonymous Coward · · Score: 0

    hoping something relevant & truthful will appear... or warnings of what's to come... cease fire stand down... motive=results... some people still calling this 'weather'?

  7. They couldn't even give the standard response? by JohnFen · · Score: 3, Insightful

    "Oops, this functionality was inadvertently included in the release version of our app. We have removed it and apologize for this error."

    How hard is that? Sure, it's still a lie, but at least it's not flipping the users the bird.

    1. Re:They couldn't even give the standard response? by EvilSS · · Score: 1

      They did exactly that actually. They even blamed Reveal's SDK and claimed to not even know it was happening. Then they went and got all defensive about the whole situation.

      --
      I browse on +1 so AC's need not respond, I won't see it.
    2. Re:They couldn't even give the standard response? by 93+Escort+Wagon · · Score: 4, Informative

      It's like they accidentally left a joint in their mother's car.

      --
      #DeleteChrome
    3. Re:They couldn't even give the standard response? by JohnFen · · Score: 3, Informative

      On second reading, it's hard to tell what they were really saying. My take on it was they were saying that the problem is users are misunderstanding what they're doing. But their verbage is so slippery that your interpretation may be what they wanted us to hear.

  8. Geolocation hyperlink missing by Pollux · · Score: 3, Interesting

    Seriously, go ahead and try it yourself: plug your Wi-Fi router's BSSID MAC address into this website...

    Not sure which website the submitter was aiming for, but since the hyperlink is missing, here's one website option to try.

    I tried it with three of my school's AP BSSID's, and I'm surprised that all three were accurate to the actual building. I thought the closest anyone could get was by geotracking our IP address, which leads them to a nearby town. But I had no idea that BSSID's could be much, much more precise.

    1. Re:Geolocation hyperlink missing by arth1 · · Score: 1

      I tried it with three of my school's AP BSSID's, and I'm surprised that all three were accurate to the actual building.

      I can't get it to return anything at all. I enter a MAC or BSSID and either hit submit or return, and nothing happens. Tried four different ones.
      Is it slashdotted?

    2. Re:Geolocation hyperlink missing by EvilSS · · Score: 3, Insightful

      They can actually be more precise if you are indoors and can't get a great GPS fix. Turn off wifi, open google maps, look at the size of the location circle, then turn Wifi on and watch it collapse.

      Funny story but this is how I found out Amazon sold me a used router as new. For a while after I first got it, google maps in Android insisted that I was in a house in NW Washington outside Seattle, and not where I actually live in the mid-west. At some point that router (or one with an identical MAC, but that's not really supposed to happen) was on and was picked up by either a streetview car or an android phone and added to their database. And it was just google, Apple devices didn't have this issue.

      --
      I browse on +1 so AC's need not respond, I won't see it.
    3. Re:Geolocation hyperlink missing by Nutria · · Score: 1

      Is BSSID MAC address the same as the MAC addr of your wifi's Internet port?

      --
      "I don't know, therefore Aliens" Wafflebox1
    4. Re:Geolocation hyperlink missing by JohnFen · · Score: 1, Interesting

      Good catch! (Almost) all of my network interfaces get a new, randomized MAC on a daily basis. I would never have noticed that... I guess there is a downside to that practice!

    5. Re:Geolocation hyperlink missing by 93+Escort+Wagon · · Score: 1

      It just worked for my home wifi... and I'm in a fairly rural area.

      --
      #DeleteChrome
    6. Re:Geolocation hyperlink missing by JohnFen · · Score: 1

      Maybe. BSSID (Broadcast Service Set Identifier) and SSID (Service Set Identifier) are functionally the same thing -- BSSID is an SSID attached to a radio, basically.

      Every network interface has such an ID. If your machine has multiple interfaces, WiFi or wired, each one has its own.

    7. Re:Geolocation hyperlink missing by JohnFen · · Score: 1

      Man, I messed that up. To clarify and correct my answer:

      BSSID: the text string that you enter to "name" your WiFi set.

      SSID: This is the same as a MAC, but attached to a radio. WIth wired connections, like ethernet, it's just called MAC.

    8. Re:Geolocation hyperlink missing by Nutria · · Score: 1

      I put the LAN Port MAC addr into http://find-wifi.mylnikov.org/ and according to Google Maps, it was 500m from my house.

      Still in the neighborhood...

      --
      "I don't know, therefore Aliens" Wafflebox1
    9. Re:Geolocation hyperlink missing by Bert64 · · Score: 3, Insightful

      You have that mixed up still...

      ESSID = name
      BSSID = mac address (usually of the ap's wireless interface)

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    10. Re:Geolocation hyperlink missing by jemmyw · · Score: 1

      I tried it with my home wifi and it worked... for an address I lived at 2 moves ago.

    11. Re:Geolocation hyperlink missing by JohnFen · · Score: 1

      Bah, you're right. When my brain misfires, it can be spectacular!

    12. Re:Geolocation hyperlink missing by Anonymous Coward · · Score: 0

      A while ago a friend started being geolocated to a place in Japan that I had visited. It only happened when he was using my phone as a WiFi hotspot. Some geolocation service must have stored my phone's SSID as a stationary router in Japan.

  9. This is easy ... by CaptainDork · · Score: 3, Informative

    ... just uninstall the goddam thing.

    --
    It little behooves the best of us to comment on the rest of us.
    1. Re:This is easy ... by Hankenstein · · Score: 1

      This is NOT easy, I just spend 20 minutes trying to uninstall it from my non-rooted samsung. No luck. I can't even force stop it.

    2. Re:This is easy ... by captaindomon · · Score: 3, Informative

      Yeah that's not an easy option if you spent lots of money on weather station hardware they produce, and want to be able to remotely interact with it. Accuweather is also a leading weather hardware company.

      --
      Just because I can hook a shark from a boat, I do no offer to wrestle it in the water.
    3. Re:This is easy ... by Anonymous Coward · · Score: 0

      I think you are confusing Acurite with Accuweather.

    4. Re:This is easy ... by n329619 · · Score: 1

      remotely interact with it

      I can't wait to see half a billion people trying to remote the same equipment on the app!

    5. Re:This is easy ... by jenningsthecat · · Score: 1

      There are Android firewalls available that don't require root. I don't know if they're any good, because my own phone is rooted and I use AFWall+, but you may want to try one out - you just might be able to stop the app from phoning home.

      --
      'The Economy' is a giant Ponzi scheme whose most pitiable suckers are the youngest among us and the yet-unborn.
    6. Re:This is easy ... by jezwel · · Score: 1

      The article describes the iOS app as having this issue - is it replicated in Android? AccuWeather was installed by default on my Samsung Galaxy phone...

  10. "We will not sell your data" by mrwireless · · Score: 2

    This reminds me all the times companies say: "Don't worry, we will not sell your data".

    This is a similar smokescreen, because an equally important question is: are they selling the 'derived data' or 'modelled data' that their algorithms distill from your data? For example, when your Facebook likes reveal that you are probably pregnant/gay/smoker/etc, even though you have never literally given up that information. Because most people don't know about this distinction, they are lulled into a false sense of trust when they hear their data isn't being sold.

    1. Re: "We will not sell your data" by JohnFen · · Score: 1

      AccuWeather probably doesn't, but if you read Reveal Media's privacy statement, they are very clear and forthright that they absolutely sell your "anonymized" data to other companies.

      AccuWeather is being mealy-mouthed about all of this. They are technically correct that they aren't doing this stuff, but they don't point out that their service provider, Reveal Media, is.

  11. Accuweather Has A long history of shady dealings by supercell · · Score: 1

    Accuweather has a long history of shady dealings. This comes as little surprise. One of their founders is an attorney. They are well known for suing their customers.

  12. Double negative by wonkey_monkey · · Score: 1

    a denial that they never stole anyone's cash.

    So they do steal cash? Those rat bastards!

    --
    systemd is Roko's Basilisk.
  13. The fuck did you expect... by geekmux · · Score: 2

    "Claiming this is about GPS coordinates is like if they were caught stealing debit cards and they issued a denial that they never stole anyone's cash."

    The EULA was written by a lawyer...and for some reason people were not expecting a response like this?

    Give me a fucking break. Corporations tell half-truths using legal doublespeak to fool the ignorant masses all the time. What else is new.

    1. Re:The fuck did you expect... by RPI+Geek · · Score: 1

      You seem to think that "everyone knows" about corporate legalese half-truths, and you seem upset that it is posted as news. Well, the reason that "everyone knows" is because of these kind of news stories. Slashdot has a long history of posting this type of article, so of course old-timers like you and me know about it. At some point in the past though, you didn't know; so let others learn instead of berating the teacher for repeating a lesson you've heard before.

      There's even a relevant XKCD about this phenomenon, but I'm willing to bet you already knew about it.

      --

      - "Nobody came out that night, not one was ever seen. But Old Man Stauf is waiting there, crazy sick and mean!"
  14. Re:Accuweather Has A long history of shady dealing by Drishmung · · Score: 1

    Citation? A quick search shows them being sued, but not them suing their customers.

    --
    Protoplasm. Quiet Protoplasm. I like quiet protoplasm.
  15. Install good Privacy app for seeing any spying app by Anonymous Coward · · Score: 1

    Unfortunately this is how 'free' apps are making money these days.

    I use Glasswire on Windows and android to check what apps are using my internet to upload/download.

    Their latest blog post is is a good read about how some apps are getting too much information about people.

    https://blog.glasswire.com/2017/08/17/is-your-data-usage-or-vpn-app-spying-on-you/

  16. Not exactly by Anonymous Coward · · Score: 0

    BSSID MACs are specific to each SSID being broadcast. Most of the octets are the same, but there will be one or two that are different in order to make it unique for that SSID.

  17. reveal = creepy by binarybum · · Score: 1

    That reveal website looks like an independent criticism of their company's MO, but it's just THEM saying what they do plainface. It's like if the state lotto had a website titled "how to profit off the poor and stupid. "

    --
    ôó
  18. Sweet! by Anonymous Coward · · Score: 0

    This is great! Now I can install Accuweather on my Android Stereo. If someone ever steals my car, disables GPS, and logs me out of Google or disables location history, I will have law enforcement contact them.

  19. Re: Accuweather Has A long history of shady dealin by Anonymous Coward · · Score: 0

    But he did sleep at a Holiday Inn Express last night so fuck you!

  20. Geolocation by DERoss · · Score: 4, Funny

    I just now visited a few Web sites that do geolocation.

    One site has me at the opposite end of the county in which I live, about 40 miles away. On repeating that request, that same Web site placed me in Moscow, Russia.

    Another Web site has me in a city in an adjacent county. Two other sites have me in different states. Accuweather has me in Chantilly, Virginia, near Washington, DC; but I am actually about 20 miles from the Pacific Ocean.

    All this is because I use a browser extension that sends fake headers when I request a Web page.

    1. Re:Geolocation by shortscruffydave · · Score: 1

      Web site placed me in Moscow, Russia.

      In post-Soviet Russia website places you

  21. Privacy Implications? by Anonymous Coward · · Score: 0

    I thought I bought some privacy with VPN hiding my IP. Now I learn that my router's MAC is tied to my home address (I checked - it is) and there is nothing but a software manufacturer's good faith keeping my MAC/home address separate from my browsing habits. How much should I worry about this and can I do anything about it?

    1. Re: Privacy Implications? by Anonymous Coward · · Score: 0

      The only company that sees your MAC is your ISP, and they already know everything about you anyway.

  22. Why Use Accuweather? by DERoss · · Score: 1

    I do not understand why some people in the U.S. are adverse to using the National Weather Service, which does not track your visits to its Web sites.

  23. What's wrong with all these weather companies? by ayesnymous · · Score: 1

    Weather.com has the worst web site ever - they even put tabloid companies to shame.

  24. I have a rule: I don't install proprietary apps by Anonymous Coward · · Score: 0

    Problem solved. Anybody demanding or trying to sell me a proprietary app I tell to fuck off. It's not worth the price. It's bad enough I carry a tracking device in the first place and my only real reason for doing so is so I can spend my crypto. Yes... I'm living in NH so there are lots of places to spend it. Over a dozen in my little old town of Keene alone. Thank you free staters! ie referencing the Free State Project.

  25. International coverage; apparent Flash dependency by tepples · · Score: 1

    I too rely on Weather.gov, a service of the National Weather Service. But NWS operates only in the United States, and many people who often travel internationally don't want to have to find, install, and learn a different website for each country to which they travel. I'd bet some countries don't even have a counterpart to Weather.gov, either because they're poor or because they've enacted a counterpart to Rick Santorum's NWS Duties bill. This failed bill would have banned NWS from issuing any information to the public other than severe weather alerts, precisely to boost the business of AccuWeather in Santorum's district.

    In addition, NWS's radar loop is still using Adobe Flash Player unless you click the out-of-the-way "standard version". First I load the 7-day forecast for San Diego, home of Slashdot Media. Then I scroll down to "Radar & Satellite Image", click the radar picture, and then click "Reflectivity: Base Loop" at the left. It doesn't load because it's SWF, and this PC has no Flash Player installed. But if I click Standard Version at the top left, it loads as a GIF. I'd bet a lot of others couldn't find this.