If Google wants to use other people's stuff for their purposes, they should pay them. Not force them to jump through hoops to avoid Google abusing them.
How would that work? Keep in mind that we are talking about parts of the radio spectrum that were deliberately set aside for unlicensed use, without any sort of registration, centralized control, or reporting on the part of users. So how would Google or any other company know who to pay? Do you want to force users to register their APs, or to include some kind of payment information in wifi beacons? Or are you proposing that new restrictions be added to the ISM rules e.g. forbidding people from monitoring the band without first asking for permission from each station operator (note: this would completely break wifi)?
I think a user registration system would make sense: People who wanted to register their APs are probably using Google Location Services, and the incentive is hence, self-serving. Businesses may want to register their APs to help customers' devices locate themselves at their buildings.
And yes, Google could incentivize people to register in some way. One thing you'll notice is that the most valuable companies in the world seem incredibly reliant on free labor: They take for free what other companies used to pay for or pay staff to create or gather themselves.
I think you misunderstood what "registration" meant in this context. Right now consumer wifi operates in the unlicensed ISM bands, which are parts of the radio spectrum that are set aside for use by the general public without requiring any coordination -- stations can freely interfere with each other's operation as long as they transmit below the legal power limit (which is antenna-dependent). In other words, you are allowed to buy a wifi router, plug it in, set up whatever SSID you want (or no SSID at all for a BSSID-only network) and use it with as many client devices as you want, without having to ask anyone's permission or register your new AP with anyone.
For comparison, take a look at 802.11y, which operates in the 3.6Ghz band, a "lightly" licensed part of the radio spectrum. Before you can set up 802.11y stations you must first register with the FCC (or whatever the equivalent in your country is called) and receive a license, and all your stations must be identifiable (you are not free to choose your SSID). That is already far too much for consumer devices (802.11y is meant for WISPs; it has better propagation characteristics than the unlicensed bands and you are allowed to transmit at higher power), and that is a "lightly" regulated radio band. Typical regulations e.g. the bands used by cell phones require far more coordination with governments -- more paperwork, more money, and many more rules about permissible operations.
Finally, for what it's worth, nobody has ever had to pay anyone for ISM band operations, including just recording transmissions on the band. In fact, if you are using wifi, you have been monitoring and analyzing nearby wifi transmissions this whole time without ever paying anyone -- that is part of the wifi standard. Just connecting to a wifi network means your device is monitoring transmissions from other people. So here is a final bit of snark for you: HOW DARE YOU USE WIFI WITHOUT PAYING YOUR NEIGHBORS?!?!?!?!?!
1. I clearly said I was being snarky and there was a lot more in what I wrote than a single snarky sentence.
2. I have APs that do collect and store data about nearby wifi stations and transmission patterns as part of a system that improved wireless throughput.
3. What difference does it make if it is being stored?
> 2. I have APs that do collect and store data about nearby wifi stations and transmission patterns as part of a system that improved wireless throughput.
If it's just nearby ones then that's much less of a problem.
> 3. What difference does it make if it is being stored?
Imagine saying that about someone else's telephone call...
Listening out for interference is not at all the same as siphoning up information.
Speaking of strawmen..."siphoning up?" We are talking about a database of wifi beacons (SSID/BSSID) and GPS coordinates for where the beacons were received. It is no different from a database of street addresses and corresponding GPS coordinates. There is no reasonable expectation of privacy for SSIDs or wifi beacons -- everyone knows they can see their neighbor's SSIDs.
You seem to be saying that if an AP stores information about other "nearby" APs there is no problem. What if I am operating thousands of APs across a broad geographic region using a centrally managed AP controller? That is a common practice for large organizations and that is exactly the setting where you see APs collecting and storing information about other wifi stations. Is that not a large enough scale to be a concern? I have to wonder at what point you are drawing the line here. What is an unacceptable scale?
"Street address" refers to the address of an individual home or building here in the US. How is being a matter of public record relevant here? Are you suggesting that there is nothing wrong with a company that queries public records across thousands of municipalities to build a unified database? In any case, that something is a matter of public record is irrelevant because there is no reasonable expectation of privacy to begin with. Even if there were no public records to query, anyone could go out and start creating a map of any town, recording specific details of the locations of any structures they believe to be relevant to their map. It is relatively common to do so because of the inaccuracies and missing information in most public records (e.g. people often make unauthorized modifications to properties, fail to file the proper paperwork after otherwise legal work is completed, report incorrect information, etc.) and it is done at national or even global scale.
I do not see how SSIDs are in different in any meaningful way. We are literally talking about building a map -- a map that includes the locations of SSIDs, to be used as a kind of landmark, no different from a map that includes other landmarks (e.g. "the house with the red siding") that could conceivably be used to help a person identify their position on the map. There is zero expectation of privacy for SSIDs, just like there is zero expectation of privacy for the exterior of your home.
Is there any specific objection beyond, "This is happening at a large scale?"
Those FCC registration records would then be public information.
Would you feel comfortable with your name, address and MAC + SSID of your wireless AP(s) being registered in a public database and the onus on you to keep that registration information up to date every time you changed the SSID or swapped in something with a different MAC address?
I'm not sure I would be.
The ethics around Google's behavior aside - this is a tricky problem to solve.
Edit: Why the downvotes? I'd really like for people that disagree to engage and tell me where I am either wrong or not arguing in good faith. If you believe this is a Google specific problem or somehow an easy problem to solve under the current FCC regulatory regime I'd be happy to hear about it.
I just don't see either approach (opt-in vs opt-out) being workable in practice though.
Taking it to a bit of a silly extreme - what happens when 100 different companies want to use public SSID data? 100 different opt-in codes? 1 code for all? What if I want to allow 5 companies out of that 100 to use that data and exclude the other 95?
Free stuff, like a free web browser? Or a free smartphone OS?
If you don't want to be tracked by Google, don't use their software.
Now, if you're having a hard time avoiding their software because it's become a de-facto standard that's a separate problem. The bottom line is that we shouldn't be in a position where we don't have a choice not to use software from Google (or Apple, or Microsoft, etc). As long as these companies are in a position to offer software that can't reasonably be avoided, you should expect them to optimize these offerings at the expense of their users.
I don't have to use their free browser, their free smartphone OS or even their search engine, but they will still freeload on my Wi-Fi for location tracking and will record my router location without consent, and the only way to opt-out is appending a stupid _nomap to the end of my ID.
That is kind of like saying, "How dare you listen to me when I am shouting my name in public?!" You are broadcasting your SSID on an unlicensed band, all wifi stations in your area have been listening to and analyzing those transmissions, and your wifi stations (APs and client devices) have done the same with all your neighbors' wifi networks. In fact the wifi standard requires more than just monitoring nearby beacons -- wifi stations monitor all wifi frames being transmitted from nearby stations, even those connected to a different AP, to avoid interference.
You don't want anyone to monitor your wifi network? Either don't use wifi, or switch to a band that will not propagate beyond your home (60 ghz).
How dare you write down my name, which I was shouting in public, in your diary?! How dare you write down where I was standing when I was shouting my name?! Respect my privacy!
No, it’s more like “how dare you go around and record the license plate of every vehicle observable on the street and put it in a location/time database”.
You’re right that it’s technically public, just like the license plate on a vehicle. However, there is still a privacy expectation that all of that localized data won’t be pulled into a massive database for correlation.
It’s beyond the SSID, using your logic, it would also be fine if Google observed all of the client frames to track the locations of users that don’t use Google services. Randomized MACs aren’t usually used for home WiFi so this is completely feasible and well within your “privacy” framework.
It's also not a fair comparison to equate a database containing the whole world's SSIDs and location data with a personal diary...
Repeating what I said in other comment: What Google is doing is a cool hack and might be fully legit, but it's foolish to claim there's no potential privacy issues in it.
I do not see how there are any privacy concerns here. We are talking about radio broadcasts in a band set aside to be a free-for-all (no licensing, no permissions, no coordination required -- the only limit is on transmitter power). Moreover, people have many options available to them; among other things, you can not use an SSID (BSSID-only wifi networks are common), you can reduce your transmission power and use directional antennas to prevent the signal from propagating beyond your home, you can use the 60Ghz band which will not propagate through walls, and if all else fails, you can just use wired connections. People who want privacy can have it without having to do anything extraordinary.
Wifi is convenient because it is unlicensed and loosely regulated. The price of that convenience is that you have no particular claim to privacy with your wifi transmissions, and everyone knows it -- that is why we encrypt the contents of those transmissions. Building a database of AP locations is not a privacy issue at all -- it is no different from building a database of landmarks (or publishing a travel guide with a list of landmarks in various towns), or for that matter, creating a map by gathering information about roads/buildings/etc.
If there weren't privacy concerns, then the SSID API wouldn't be behind a Location permission toggle for iOS and Android.
It's not just Google doing it - see https://wigle.net/ with over 10B observations. So your privacy would be at risk even if Google didn't collect SSID/location information.
Fundamentally, asking people not to do something has never been a security measure that's worked. You need to implement some tangible, real protections. We already have those in the case of SSIDs, namely, the SSID and AP information aren't accessible to an app without location permissions in modern operating systems.
You are talking about the privacy of a device user, who may want to prevent apps from learning the location of their own device (and that is the point of the location permission). The claimed privacy issue I was responding to has to do with the privacy of the owner of an AP whose SSID is included in the database.
I don’t use their software yet my ssid was tracked and associated with me and others.
This argument “don’t use google” or “don’t use Facebook” is very frustrating because others make this decision for me. If only it was possible to not use these services.
