Miskatonic University Press

Geolocation

geo

I didn’t know anything much about browser-based geolocation before today, but here are a few things I found out, which I’ll note for my own reference.

First: an example! (Which may not work, depending on various things about which browser you’re using and what your privacy settings are, but if it doesn’t work, don’t ask me, ‘cause I don’t know.)

Witness the magic of the browser geolocation API.
(If everything is configured right.)

If you like that wee marvel, try Ed Summers’s Creepy Polaroid. You just look at the page and it shows you a weird-looking Polaroid of where you are! Creepy all right. (Don’t worry, Ed isn’t watching you. View the source of the page to see how he does it—if you program a bit, it’s easy enough to read and see how he’s grabbing an image from Google Maps.)

Here’s the official specification for how all this “where am I” works: the W3C Geolocation API. It’s technical, but short. The use cases for why a browser should be able to find out where the user is are good:

  • Find points of interest in the user’s area
  • Annotating content with location information
  • Show the user’s position on a map
  • Turn-by-turn route navigation
  • Alerts when points of interest are in the user’s vicinity
  • Up-to-date local information
  • Location-tagged status updates in social networking applications

All very sensible.

My preferred browser is Firefox. Here’s how geolocation works in Firefox—this is Firefox’s implementation of the W3C specification:

Getting the current position

To obtain the user’s current location, you can call the getCurrentPosition() method. This initiates an asynchronous request to detect the user’s position, and queries the positioning hardware to get up-to-date information.

But how is Firefox getting the actual location? Does it know itself? No, it asks Google:

Gecko notes

Firefox includes support for locating you based on your WiFi information using Google Location Services. In the transaction between Firefox and Google, data is exchanged including WiFi Access Point data, an access token (similar to a 2 week cookie), and the user’s IP address. For more information, please check out Mozilla’s Privacy Policy and Google’s Privacy Policy covering how this data can be used.

The Mozilla policy has lots of detail on how Firefox respects privacy with regard to location, including:

If your computer or device has a GPS unit or your operating system provides geolocation services and you have elected to use the location aware feature, Firefox will send your location information directly to the requesting website. If not, Firefox will send the other information described above, plus your user agent information (e.g., version of Firefox you’re using) and a temporary client identifier, to a third party geolocation services provider. That provider can determine your approximate location from such data (e.g., convert a set of WiFi signal strengths into latitude and longitude). This information is sent by Firefox over an encrypted connection and no cookies are used. Neither the domain name nor the URL of the site you’re visiting is sent to our service providers. Our providers estimate your location and return it to Firefox. Firefox provides your location information to the webpage that made the request.

Fair enough. Google’s got all the information, and they make it easy to use. Of course they do! They want all the data they can get, and the more they know about where people are, the better.

(Funny thing about Google’s policy. I use HTTPS Everywhere, which makes Firefox load the HTTPS version of a page wherever it can. Good security precaution. But on Google’s site, the HTTP version of the privacy policy can be loaded, but not the HTTPS version! My browser automatically takes me to the HTTPS version and then fails. Strange that a privacy policy can’t be read over an encrypted link.)

Of course, we should all assume that spy agencies like the NSA and CSEC are tracking our movements and can figure out where our smartphone was at any time. Not much I can do about that. Not much I can do about Google without giving up my phone. I do what I can to not run shifty apps that track my location, though, like that ridiculous flashlight app. I don’t think Google’s privacy policy really means anything.

Some good news is that Mozilla, a more trustworthy organization, is building their own system to geolocate people and browsers: Location Service.

The “Mozilla Location Service” project is a pilot project to assess the impact Mozilla can have on the geolocation landscape, specifically to improve user privacy and enable innovation by creating public data sets. In order to do this assessment, we need to understand the technological and legal challenges. Therefore, the Cloud Services team will build and operate a location service to provide geolocation lookup for devices, based on for example cell tower and Wi-Fi data.

Geolocation lookup is a very useful service to provide to users. None of the current companies offering this type of service have any incentive to improve on privacy. Geolocation lookup and the potential for tracking the physical movement of individuals is a serious privacy issue.

They made an Android app called MozStumbler. You can download a release and install it (if you run Android). I ran it while I was walking around my neighbourhood, and it told me it had seen dozens of cell phone towers and hundreds of wifi access points, all of which it reported back to its central system. That system is building up a big database of information of what is where, and it’s already usable: API - Geolocate is a service to “determine the current location based on provided data about nearby cell towers or wifi base stations.”

You can adjust your Firefox configuration to use this service instead of Google. As they say,

You can point your Firefox Desktop browser version 24 or later at this service by changing the geo.wifi.uri setting in about:config to:

https://location.services.mozilla.com/v1/geolocate?key=<API_KEY>

My geo.wifi.uri setting was

https://www.googleapis.com/geolocation/v1/geolocate?key=%GOOGLE_API_KEY%

but I changed it (but going to about:config and editing) to the Mozilla service. I’ll see how it goes. I don’t know what I’ve done, but geolocation doesn’t work on my laptop’s Firefox. I’ve got so many settings tweaked and privacy guards installed that I can’t even make that little demo above work, I need to look at it in Chrome, where I have no restrictions. Anyway, I’ll experiment more with browser-based geolocation.