Privacy preserving richer geolocation

[hellais]

When looking at OONI Probe measurements we often face a challenge in properly understanding what country (or more granular location) they are telling us things about.

Often times the location information (since it's based on geoip) is completely useless, because they GeoIP database we did the lookup on was stale.

On the other hand we also have a responsibility to protect user privacy to the extent that it's possible and therefore we don't collect IPs or store location information that is more granular than country level.

We have been discussing, especially within the scope of the internet blackouts methodology, of collecting more accurate location information, such as city level or regional level.

Initially we thought of doing this by splitting the world into regions or cities and resolving on the users device (in the case of mobile) which bounding box they fall under based on their GPS coordinates.

Another idea could be that of instead finding which is the closest airport (or railway station) to the current users coordinates and returning the IATA airport code or station code. See: https://openflights.org/data.html

[hellais]

This is a good resource instead for geographical polygons: https://github.com/CAIDA/ioda-geo-polygons

[hellais]

See also: https://lists.torproject.org/pipermail/ooni-talk/2019-November/000169.html

[hellais]

We discussed this further and came to the conclusion that the core of this issue is doing research.

Namely we would like to better understand how off our current geolocation approach is and what strategies we can adopt to improve it's accuracy. This might include using cell tower information and/or coarse GPS info.

Once we have done the research we might be able to move forward with implementation if considered acceptable.

[bassosimone]

I discussed this topic with @aanorbel a few days ago. It seems it's possible to dynamically ask for the coarse grained location permission starting from a certain version of Android (going on memory: API level 23). Therefore, here we have an opportunity to add this functionality as an opt-in and users who do not like it could stay with the current geolocation database model.

[bassosimone]

User story: I am a user in a country where a specific region (as opposed to the whole country) has increased levels of censorship and I want this fact to be reflected in my measurements. So, I enable a specific option that changes the geolocation precision to include not only the country but also the region in which I am. As a result, the probe will include into the measurement the name of the region. (If I were to do this, "Liguria".)

Because we'are planning on replacing local databases with remote databases (see https://github.com/ooni/probe/issues/2085) and because we do not submit IP addresses and geolocation results, we may possibly consider using MaxMind proper rather than db-ip.com for performing this operation, should MaxMind be more accurate. FWIW: db-ip.com thinks I am in Lombardy and ipinfo.io thinks I am in Tuscany, so I am a bit worried because only MaxMind seem to know my region correctly. Hence I am worried about introducing noise in the data.

The other, alternative approach would be to request for the permission to use GPS data in the manifest and then only use GPS information when explicitly asked by the user. This approach comes with its own set of issues.

Regardless, the emergence of regional censorship efforts is making it even more urgent for us to solve this problem.

I am going to flag this comment of mine for discussing into the next community meeting.

[agrabeli]

During the May 2022 OONI Community Meeting (where this topic was discussed extensively), @bassosimone raised the following important questions for the community:

• Should there be an option to include also the region or should we include the region by default?
• Should we invest some legal research time to figure out if we could use MaxMind?
• Should we really try to have location permission in the app and use that? should we have two apps, one with location the other without in case people are scared about the manifest declaring we may use geolocation?
• Should we allow users to manually annotate/correct the geolocation results if they find it inaccurate?

[arky]

I would like to provide a use cases that has been increasingly seen in southern and southeast asian countries. This is really concerning because mobile Internet is required to access basic essential services in these countries, including access to banking, social welfare and health benefits.

Local mobile internet was shutdown in region of Punjab, India citing security reasons. Shutting down Internet is increasingly seen to suppress social unrest. https://therecord.media/india-punjab-mobile-internet-blackout