Re: Opt-out for wifi network of the Google Location Server

From: Nicholas Doty <npdoty@w3.org>
Date: Sun, 27 Nov 2011 01:42:56 -0800
Cc: Karl Dubost <karld@opera.com>, "public-privacy (W3C mailing list)" <public-privacy@w3.org>
Message-Id: <05D77AD3-D022-4793-87EE-59871953E482@w3.org>
To: Bjoern Hoehrmann <derhoermi@gmx.net>

On Nov 26, 2011, at 11:03 PM, Bjoern Hoehrmann wrote:
> * Nicholas Doty wrote:
>> I think that's not quite right. In fact, your Android device will still
>> send home the _nomap SSID and its MAC address to Google, specifically so
>> that Google can remove the MAC from its geolocation database (where it's
>> almost certainly already collected). This will make it harder to test,
>> and require us to trust that these geolocation providers will remove any
>> previously collected data, but enables retroactive opting out, which is
>> essential here.
> 
> You simply purge information that's not kept fresh from the database. It
> doesn't really matter whether this "opt-out" takes a couple of weeks, or
> a couple of weeks, to take effect. Consider how many Windows Phone users
> come by your ranch per month to opt you out of Microsoft's database, and
> whether Microsoft should have kept your access point in the database in
> the first place, considering it's rather personally identifying with no
> other access points nearby. Everything about your "constantly report on
> those who try to opt-out" model is wrong.

I wasn't giving you my model, but reporting on Google's [1].

I can speculate some reasons you might design a system to actively and regularly report back opt-outs. It has the advantage of allowing a user to remove their data at a particular time, rather than waiting for an unknown period of weeks. Perhaps location providers don't want to regularly purge their databases, and if they did, those users who want to opt in (Skyhook allows for manually submitting an AP's location, for example [2]) and live in a rural area might not want to opt in again every N weeks. Also, any misconfigured, non-standard or malicious client could opt my access point back in (if it sent only a MAC and not the SSID, for example), and if it did so at least once every N weeks, my access point would never be removed.

I suspect these advantages could also be achieved with a web form opt out that wouldn't then require constantly reporting back. But I don't believe consumers or regulators would be satisfied with an opt out of the form "change a setting and then hope that everyone cooperates to not report your MAC address and then it'll probably be purged at some future date".

—Nick

[1] http://maps.google.com/support/bin/answer.py?hl=en&answer=1725632 particularly "How long will it take for my opt out to affect the information in Google’s location service?"
[2] http://www.skyhookwireless.com/howitworks/submit_ap.php
Received on Sunday, 27 November 2011 09:43:31 GMT
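
The two opt-out designs debated in this thread, sketched as a small simulation. This is an added example, not part of the original message and not any provider's real logic. The freshness window `TTL_WEEKS`, the tombstone set `opted_out`, the weekly visiting schedule and the MAC address are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

NOMAP = "_nomap"
TTL_WEEKS = 4  # assumed "N weeks" after which stale entries are purged

@dataclass
class LocationDB:
    # True: clients report _nomap sightings and the server acts on them.
    # False: clients just skip _nomap APs and the server relies on purging.
    honor_reported_optout: bool
    last_seen: dict = field(default_factory=dict)  # mac -> week last reported
    opted_out: set = field(default_factory=set)    # assumed tombstones

    def report(self, week, mac, ssid=None):
        """One sighting; ssid is None for a client that sends only the MAC."""
        if ssid is not None and ssid.endswith(NOMAP):
            if self.honor_reported_optout:
                self.opted_out.add(mac)
                self.last_seen.pop(mac, None)
            return  # purge-only model: a cooperating client sends nothing
        if mac in self.opted_out:
            return  # a tombstone blocks later MAC-only reports
        self.last_seen[mac] = week

    def purge(self, week):
        self.last_seen = {m: w for m, w in self.last_seen.items()
                          if week - w < TTL_WEEKS}

    def locatable(self, mac):
        return mac in self.last_seen

def weeks_until_removed(honor, mac_only_period, horizon=26, rename_week=2):
    """Weeks after the SSID rename until the AP is gone for good, else None."""
    db = LocationDB(honor)
    mac = "02:00:00:00:00:01"  # constructed, locally administered address
    removed_since = None
    for week in range(horizon):
        ssid = "ranch" if week < rename_week else "ranch" + NOMAP
        db.report(week, mac, ssid)            # cooperating client, weekly
        if mac_only_period and week % mac_only_period == 0:
            db.report(week, mac)              # client that omits the SSID
        db.purge(week)
        if db.locatable(mac):
            removed_since = None
        elif removed_since is None:
            removed_since = week
    return None if removed_since is None else removed_since - rename_week
```

With purging alone the access point disappears only after the freshness window expires, and a MAC-only reporter with a period shorter than that window keeps it listed indefinitely; with reported opt-outs and a tombstone it is removed in the week of the first cooperating sighting.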