[justcommenting]

i didn't say i didn't know how to secure against something like this or that it was not legal.

my point was that this approach to data collection, consent, and privacy sharply and directly contradicts claims mozilla makes to users about being committed to their privacy. i think this reflects the opposite.

maybe a better analogy would be someone from the ACLU photographing everyone they saw in public: legal and easy to defend against, but hypocritical/not cool in my opinion and it might make me question the organization's priorities.

[fooqux]

I understand what you're saying, but you have to draw the line between privacy and common sense at some point.

It has been understood for awhile now that you have no expectation of privacy in public, at least as far as not being photographed, talked to, etc. Most people would probably agree that the paparazzi taking sneaky pictures of celebrities buying milk at Kroger aren't being very classy, but they'll also probably say it's fair game at that point.

Likewise, I would argue that broadcasting your SSID over the electromagnetic spectrum is public. As far as privacy is concerned (I have a slightly different opinion when it comes to security) I still haven't seen any compelling argument explaining how having your SSID mapped to a location is an any way a violation of privacy. Maybe you have one?

[justcommenting]

Sleazy paparazzi can exist in the world without breaking the law, but I expected more than that from Mozilla.

One hypothetical example: SSIDs often betray vendor names out of the box, and home routers are typically embedded devices that don't frequently receive security updates. Suppose Mozilla makes its database public and lists my SSID--or more likely, some weakly-secure hash of my SSID--in a public database that later gets compromised (e.g. plenty of people know their own SSIDs). Then, through no fault of Mozilla's, there's some 0day announced for my router. Now, every script kiddie in the neighborhood's using metasploit against a pre-selected list of vulnerable routers, potentially even remotely depending on their ability to integrate information from other sources. Maybe that sounds like more of a security issue than a privacy issue, but at some point, the effect is the same.

[fooqux]

As you said, that's not a privacy issue but a security one. Also, in your example I'd argue it would just be easier to attack every single IP address and/or WAP rather than attempt to figure out which ones are Linksys and running a vulnerable firmware. It would take less time and also solves the case of non-default SSID names.

I'm still interested in seeing an example of how linking SSIDs to physical locations is a violation of privacy. Especially compared to, say, linking my full legal name to my house address which is already treated as public knowledge.

[justcommenting]

I don't think you'll like my answer, but I think it was Schneier who said that it's not necessarily any one thing: it's having easy access to a bunch of different things, together.

[Ygg2]

I believe that according to law, the onus is on the owner in question to make sure their WiFi Router is secure. If a hacker takes control of your router, and downloads pirated material, you are considered responsible if you didn't take even necessary steps to protect yourself. Then you sue manufacturer, and all routers come with a set of different passwords and _no_map by default. That is the most likely logical course of action.

Everything else is idealizing. Same as with video and with DRM. Mozilla could take a principled stance and say no to patented codes and no to DRM, and then Google says yes to both of those things, reap the benefits, while the end consumer abandon Mozilla because it doesn't play YouTube or Netflix, and then Mozilla is no more.

If you don't like it, you can fork Firefox and/or choose not to trust Mozilla. The situation is super sad, but what else can you do? Be principled and disappear? Or compromise and survive?