Slashdot Mirror


Wading Through AccuWeather's Response (daringfireball.net)

On Tuesday, ZDNet reported that popular weather app AccuWeather was sending location-identifying information to a monetization firm, even when a person had disabled location data from the app. In a response, AccuWeather said today "if a user opts out of location tracking on AccuWeather, no GPS coordinates are collected or passed without further opt-in permission from the user." But it is misleading people. John Gruber of DaringFireball writes: The accusation has nothing to do with "GPS coordinates." The accusation is that their iOS app is collecting Wi-Fi router names and MAC addresses and sending them to servers that belong to Reveal Mobile, which in turn can easily be used to locate the user. Claiming this is about GPS coordinates is like if they were caught stealing debit cards and they issued a denial that they never stole anyone's cash. The accusation comes from Will Strafach, a respected security researcher who discovered the "actual information" by observing network traffic. He saw the AccuWeather iOS app sending his router's name and MAC address to Reveal Mobile. This isn't speculation. They were caught red-handed. GPS information is more precise, and if you grant the AccuWeather app permission to access your location (under the guise of showing you local weather wherever you are, as well as localized weather alerts), that more precise data is passed along to Reveal Mobile as well. But Wi-Fi router information can be used to locate you within a few meters using publicly available databases. Seriously, go ahead and try it yourself: plug your Wi-Fi router's BSSID MAC address into this website, and there's a good chance it'll pinpoint your location on the map. "Other data, such as Wi-Fi network information that is not user information, was for a short period available on the Reveal SDK, but was unused by AccuWeather," the company writes. In what way is the name and MAC address of your router not "user information"?
And saying the information was "unused by AccuWeather" is again sleight of hand. The accusation is not that AccuWeather itself was using the location of the Wi-Fi router, but that Reveal Mobile was. Here are Reveal Mobile's own words about how they use location data.
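
One way to check a traffic capture for the behaviour described above, as an added example (not code from the article, the researcher, or any vendor): it scans request bodies exported from an intercepting proxy for your own router's BSSID or network name going to hosts other than the app's own. The request format, host names, field names and identifiers below are constructed for illustration.

```python
import json
import re
from urllib.parse import urlsplit

# MAC-shaped token: six hex octets joined by ':' or '-'. Octets may be one digit,
# since some platforms report a BSSID without leading zeros ("2:0:5e:...").
MAC_RE = re.compile(r"(?<![0-9A-Fa-f:-])(?:[0-9A-Fa-f]{1,2}[:-]){5}[0-9A-Fa-f]{1,2}(?![0-9A-Fa-f:-])")

def normalize_mac(value):
    """Lower-case and zero-pad every octet so differently formatted MACs compare equal."""
    return ":".join(octet.zfill(2) for octet in re.split(r"[:-]", value.lower()))

def walk(node, path=""):
    """Yield (json_path, value) for every string leaf of a decoded JSON document."""
    if isinstance(node, dict):
        for key, child in node.items():
            yield from walk(child, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for index, child in enumerate(node):
            yield from walk(child, f"{path}[{index}]")
    elif isinstance(node, str):
        yield path, node

def find_wifi_leaks(requests, first_party, own_bssid, own_ssid):
    """Return (host, json_path, kind) for each third-party request carrying our Wi-Fi identifiers."""
    wanted = normalize_mac(own_bssid)
    findings = []
    for req in requests:
        host = urlsplit(req["url"]).hostname or ""
        if host == first_party or host.endswith("." + first_party):
            continue  # only traffic leaving for other parties is of interest here
        try:
            body = json.loads(req["body"])
        except ValueError:
            continue  # non-JSON bodies need their own decoder; skipped here
        for path, value in walk(body):
            if wanted in {normalize_mac(m) for m in MAC_RE.findall(value)}:
                findings.append((host, path, "bssid"))
            elif value == own_ssid:
                findings.append((host, path, "ssid"))
    return findings

# Constructed sample capture: hosts, field names and identifiers are made up.
SAMPLE_REQUESTS = [
    {"url": "https://api.weather-app.example/v1/forecast", "body": '{"zip": "00000"}'},
    {"url": "https://sdk.ad-vendor.example/collect",
     "body": '{"os": "iOS", "net": [{"name": "HomeNet-Test", "id": "2:0:5e:0:1f:9c"}]}'},
    {"url": "https://cdn.ad-vendor.example/ping", "body": "ok"},
]

if __name__ == "__main__":
    for hit in find_wifi_leaks(SAMPLE_REQUESTS, "weather-app.example", "02:00:5E:00:1F:9C", "HomeNet-Test"):
        print(hit)
```

Matching on the value rather than on a field name matters here, because an SDK is free to label the BSSID anything it likes.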

23 of 81 comments

  1. NSTAAFL by OffTheLip · · Score: 3, Insightful

    Accuweather confirms what everyone should already know, or assume.

    1. Re:NSTAAFL by JohnFen · · Score: 4, Informative

      Increasingly, "free" doesn't enter into it. Applications you pay for are often doing the exact same thing.

  2. AccuPrivacyPolicy by thechemic · · Score: 5, Funny

    They named it AccuWeather for weather reports. If they wanted to convey an accurate privacy policy, wouldn't they have called it AccuPrivacyPolicy?

    --
    Let's make like a bird... and get the flock outta here.
    1. Re:AccuPrivacyPolicy by toonces33 · · Score: 2

      I call it CrapuWeather. We used to have TWC, but Verizon decided to save a few $$ and replace it with this useless thing instead. So I refuse to have anything to do with them - not the app, not the channel. I use the Weather Underground app instead. It has useful data, not fluff.

  3. Why does a weather app have that access? by Anonymous Coward · · Score: 5, Insightful

    The network connections are managed in the iphone settings. Why would a weather app get access to available SSID info? Seems like Apple left the door open.

    1. Re:Why does a weather app have that access? by Anonymous Coward · · Score: 3, Funny

      Shhhhh. You're never supposed to blame Apple. It's never their fault.

  4. Why do apps have access to the BSSID? by Anonymous Coward · · Score: 2

    I don't think Apple allows things like WiFi sniffers / analyzers, so what other legitimate purpose is there for an app to have access to any info about the WiFi network? I would have assumed this info was locked away from the public API on iOS, only available to the OS functions that manage WiFi connectivity.

    Of course, any app could still determine your public IP address and try to locate based on that, but at least it'll have even worse accuracy than the Reveal Mobile database.

  5. They couldn't even give the standard response? by JohnFen · · Score: 3, Insightful

    "Oops, this functionality was inadvertently included in the release version of our app. We have removed it and apologize for this error."

    How hard is that? Sure, it's still a lie, but at least it's not flipping the users the bird.

    1. Re:They couldn't even give the standard response? by 93+Escort+Wagon · · Score: 4, Informative

      It's like they accidentally left a joint in their mother's car.

      --
      #DeleteChrome
    2. Re:They couldn't even give the standard response? by JohnFen · · Score: 3, Informative

      On second reading, it's hard to tell what they were really saying. My take on it was they were saying that the problem is users are misunderstanding what they're doing. But their verbiage is so slippery that your interpretation may be what they wanted us to hear.

  6. Re:Fake News by JohnFen · · Score: 3

    Your IP, easily obtainable by anyone you are communicating with, already nails down your location to a relatively small area.

    Where I live, that "relatively small area" has roughly a 50 mile radius.

  7. Geolocation hyperlink missing by Pollux · · Score: 3, Interesting

    Seriously, go ahead and try it yourself: plug your Wi-Fi router's BSSID MAC address into this website...

    Not sure which website the submitter was aiming for, but since the hyperlink is missing, here's one website option to try.

    I tried it with three of my school's AP BSSID's, and I'm surprised that all three were accurate to the actual building. I thought the closest anyone could get was by geotracking our IP address, which leads them to a nearby town. But I had no idea that BSSID's could be much, much more precise.

    1. Re:Geolocation hyperlink missing by EvilSS · · Score: 3, Insightful

      They can actually be more precise if you are indoors and can't get a great GPS fix. Turn off wifi, open google maps, look at the size of the location circle, then turn Wifi on and watch it collapse.

      Funny story but this is how I found out Amazon sold me a used router as new. For a while after I first got it, google maps in Android insisted that I was in a house in NW Washington outside Seattle, and not where I actually live in the mid-west. At some point that router (or one with an identical MAC, but that's not really supposed to happen) was on and was picked up by either a streetview car or an android phone and added to their database. And it was just google, Apple devices didn't have this issue.

      --
      I browse on +1 so AC's need not respond, I won't see it.
    2. Re:Geolocation hyperlink missing by Bert64 · · Score: 3, Insightful

      You have that mixed up still...

      ESSID = name
      BSSID = mac address (usually of the ap's wireless interface)

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
  8. This is easy ... by CaptainDork · · Score: 3, Informative

    ... just uninstall the goddam thing.

    --
    It little behooves the best of us to comment on the rest of us.
    1. Re:This is easy ... by captaindomon · · Score: 3, Informative

      Yeah that's not an easy option if you spent lots of money on weather station hardware they produce, and want to be able to remotely interact with it. Accuweather is also a leading weather hardware company.

      --
      Just because I can hook a shark from a boat, I do not offer to wrestle it in the water.
  9. "We will not sell your data" by mrwireless · · Score: 2

    This reminds me of all the times companies say: "Don't worry, we will not sell your data".

    This is a similar smokescreen, because an equally important question is: are they selling the 'derived data' or 'modelled data' that their algorithms distill from your data? For example, when your Facebook likes reveal that you are probably pregnant/gay/smoker/etc, even though you have never literally given up that information. Because most people don't know about this distinction, they are lulled into a false sense of trust when they hear their data isn't being sold.

  10. Re:Fake News by EvilSS · · Score: 2

    Where I live it can be a city 4 hours drive from where I live. IP Geolocation is sketchy on the best of days.

    --
    I browse on +1 so AC's need not respond, I won't see it.
  11. The fuck did you expect... by geekmux · · Score: 2

    "Claiming this is about GPS coordinates is like if they were caught stealing debit cards and they issued a denial that they never stole anyone's cash."

    The EULA was written by a lawyer...and for some reason people were not expecting a response like this?

    Give me a fucking break. Corporations tell half-truths using legal doublespeak to fool the ignorant masses all the time. What else is new.

  12. Re:Fake News by rogoshen1 · · Score: 4, Insightful

    What they're doing is merely annoying. What is actually far worse is trying to obfuscate the actual issue by issuing a mea culpa speaking to 'GPS signals' -- rather than an open admission of what they were doing and why.

    And this somehow okay?

    The cover-up is almost always worse than the actual deed.
       

  13. Re:Fake News by Bert64 · · Score: 3, Informative

    Not necessarily..

    In many countries, ISPs are national and their address allocations are allocated from a single national pool, you could be anywhere in a given country.
    You could be using a VPN.
    The externally facing ip addresses of mobile networks are also generally national, and shared with hundreds of users.
    When you're using roaming data in another country it usually tunnels back to your national network too - so it has the same IP as if you were in your home country, even if you're halfway across the world.

    IP is quite a poor way to locate someone.

    --
    http://spamdecoy.net - free throwaway anonymous email - avoid spam!
  14. Geolocation by DERoss · · Score: 4, Funny

    I just now visited a few Web sites that do geolocation.

    One site has me at the opposite end of the county in which I live, about 40 miles away. On repeating that request, that same Web site placed me in Moscow, Russia.

    Another Web site has me in a city in an adjacent county. Two other sites have me in different states. Accuweather has me in Chantilly, Virginia, near Washington, DC; but I am actually about 20 miles from the Pacific Ocean.

    All this is because I use a browser extension that sends fake headers when I request a Web page.

  15. Re:Fake News by schleimkeim · · Score: 2

    What they're doing is merely annoying.

    Welcome to 2017, where spying on users and selling all the information is 'merely annoying.' It's a Brave New World.