Clarification on the Google API.

[skorokithakis]

I'd like a clarification (it would be great if this were in the documentation). How is the Google API used? How does the app make the reverse geo lookup?

[binarybucks]

What exactly would you like to have explained? How the code works or what data is send?

Mit freundlichen Grüßen / With kind regards Alexander Rust

Am 27.06.2016 um 21:13 schrieb Stavros Korokithakis < notifications@github.com>:

I'd like a clarification (it would be great if this were in the documentation). How is the Google API used? How does the app make the reverse geo lookup?

— You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub https://github.com/owntracks/android/issues/379, or mute the thread https://github.com/notifications/unsubscribe/AAvwFIXGoQi5ZWG3qP003HrAX3Dj-Lk0ks5qQCDngaJpZM4I_aXz .

[skorokithakis]

What data is sent, yes. Is my current location sent to Google at any point?

[jpmens]

In order to perform reverse-geo lookups, the latitutde/longitude of a user's location is sent to the Google API for translation into an address. That address is returned and displayed in your app.

[skorokithakis]

So the location is continuously sent to Google? Doesn't that defeat the entire purpose of running OwnTracks? I'm only using it so Google doesn't get my location.

[jpmens]

The location is sent when a reverse geo is requested; not permanently.

And no, it doesn't defeat the purpose of running OwnTracks; you run it in order to storer the history of your locations on your broker / HTTP server. If you run the app in background (without opening it) no reverse-geo is performed.

Be that as it may: you are using an Android phone and don't want Google to see where you are? I think you might want to reconsider the use of a smartphone. :-)

[skorokithakis]

I have disabled location sharing with Google, that's why I use OwnTracks. The problem is that it's showing me the address on the notification, so it must be making a reverse geo request every time, no? It's not waiting for me to open the app.

[jpmens]

@binarybucks could you please clarify for us how/when the notification is updated?

[binarybucks]

When a location message is published the Google Play Services Geocoder API is queried for the corresponding location object that triggered the publish. The object is provided by the Google Play Services location API.

Geocoder information for contact locations is resolved the same way.

Am 27.06.2016 um 22:04 schrieb JP Mens notifications@github.com:

@binarybucks https://github.com/binarybucks could you please clarify for us how/when the notification is updated?

— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub https://github.com/owntracks/android/issues/379#issuecomment-228858718, or mute the thread https://github.com/notifications/unsubscribe/AAvwFPhjg6zyBmt-J2Z9jXWVXyEkUYisks5qQCywgaJpZM4I_aXz .

[skorokithakis]

So every time OwnTracks gets a location, it sends it to Google?

[binarybucks]

yes it sends a pair of lat/lon coordinates to Google. You can disable that in the notification settings

Note, that incoming locations are also resolved. If that also bothers you, you can disable subscriptions entirely via an imported configuration.

Please note that you are using a phone with a Google OS and the location OwnTracks uses isn't provided by noble white magic but by accessing Google Play Services APIs.

As I'm quite tired of explaining this, please read the OwnTracks privacy statement. Especially my quote at the top.

If this is not what you want, you are free to uninstall OwnTracks.

[skorokithakis]

"Accessing Google play services APIs" doesn't mean that my location gets sent to Google, which, in turn, doesn't mean you can be cavalier about my privacy.

Literally the first page of the website says:

OwnTracks is open-source and uses open protocols for communication so you can be sure your data stays secure and private.

Except it turns out that the data is not secure and private, it's no better than using anything else on the market, is it... I recommend adding an option to disable sending data to Google, rather than being condescending about the issue.

[jpmens]

If configured correctly the data is transmitted securely to a private location. We believe the privacy statement linked to describes the situation as it is.

We don't have the resources to add such an option, quite apart from the fact that most people actually want reverse-geo lookups to happen on our Android and iOS apps.

OwnTracks is open source, and as such, you are free to modify the code to better suit your needs.

[binarybucks]

@skorokithakis To clear up some confusion from your rant on Twitter

OwnTracks relies on the Google Play Services APIs for a) location (providing lat/lon) and 2) reverse Geocoding (lat/lon to address mapping).

Both APIs have the potential to expose information to Google by varying degrees. 1) It's not possible to directly influence if and what information the Google Play Services library sends to Google when using the location APIs. From a logical perspective most of the data should be provided by the GPS and radio chips. For WiFi assisted location, the device can pull in information about SSIDs that are close by. Those SSIDs are probably send to Google where they are looked up in some kind of database. This is a feature of the operating system that you can disable in the settings.

2) As the device does not have an internal database of all possible lat/lon to street mappings, the device obviously has to query some external provider for those mappings. At this point I'm not sure what you expected to be honest? To receive the mappings, the lat/lon coordinates and the apps signing certificate fingerprint are send to Google. I cannot say if any identifying information is included in the request as that is beyond our control. If you do not need or want that, you can disable this as stated above.

That being said, please consider the following before continuing your rant.

You are using an open source app on an OS provided by Google running on closed source hardware. It is very likely that your location is known to some entities even though you disabled most location sharing services on your device. If you're picky, one could probably identify your location based on the tiles that are loaded by the mapview.

However, this lies in the nature of the two dominant mobile operating systems and OwnTracks is not to blame here. Yes, we allow you to privately track and share your location on your servers. No, we will not and cannot make sure that your location data does not leak your device because that is simply not possible.

OwnTracks is open source software so instead of weeping on Twitter I'd be very happy to collaborate with you if you can provide constructive criticism instead.

So instead of complaining about the current situation you should consider that this is a) an open source project b) you are not forced to use the app if you don't like it c) you are free to improve it if you don't like it d) we're investing our free time to provide this app e) nobody forces us to continue doing so if all we hear is some superficial idle talk

This issue will remain closed and will be locked to prevent more FUD. You're free to respond to me privately at support@owntracks.org or open new issues with any constructive feedback you'd like to provide.