6 days later

On their website they say "Every open-source project can consume data from Positon free of charge." However their data is actually proprietary, meaning they can one day decide to charge money for it or introduce other onerous restrictions. That is disappointing, because it could indeed cannibalize truly open projects like BeaconDB (which I've never heard of until now but looks great).

zzz i've had a look at beacondb and it seems installing apps like NeoStumbler can help them get more data points from my area

After downloading the app, to contribute you have to change endpoint from Mozilla to

https://beacondb.net/v2/geosubmit

And then start scanning with wifi/bluetooth/cell tower enabled, once completed you can send it off

I think the GOS team should not change their development priorities because a company is putting the pressure with false claims.

admin: @GrapheneOS has responded to this below debunking it.

So I finally got a reply from them after sending an email last weekend.

Hello,

Thanks for your interest in our service. Sorry for the delay in replying to your message, but as we're entirely based on volunteer work and your questions required some coordination to get the reply right, it took a little longer. As a general remark: We've started Positon in a rush to make sure it's available ASAP after MLS was shut down. The first two weeks we even ran without any website and the current website still lacks a lot of useful information. This will be added later on, but to date we focus on providing a good service rather than a good website.

  1. Who is behind Positon?

Positon is developed and run by open-source enthusiasts. We've previously used microG and when it was announced that MLS was going to shut down, we wanted to ensure there will be an alternative, so we can continue to have network-based location. We got in touch with microG developers early to ensure we can provide the best possible service for them, and early on they pointed out that there are other open-source users than microG that would suffer from the loss of MLS, and so we decided to make Positon available outside of microG as well.

  2. What is your relationship to /e/OS?

We obviously became aware of claims on the internet, that we would be somewhat related to /e/OS, which perplexed us. The truth is that no /e/OS developer has ever contributed to Positon and we also did not receive any funding from them. In fact, one of our contributors was previously publicly criticizing /e/OS for not delivering security updates in-time. /e/OS, as of now, never contacted us to ask for access or an API key to our service. We later learned that the claims are based on the fact that we work with microG, which itself is sponsored by /e/OS. The claim of our relationship reworded from "developers from /e/OS" to "developers tied to /e/OS", so now you know what ties we have and I guess the claim "with their funding" is solely based on /e/OS sponsoring microG and microG advising us free of charge.

  3. How are you funded and what is your strategy to keep the service running?

We don't have any funding. We got access to the commercial database free of charge, for as long as we restrict our service to non-commercial open-source usage and no similar freely available service with reasonable quality exists. We also got free server resources from a hosting company for the time being. And the people working on Positon are doing so entirely unpaid. Positon is a non-commercial offering and always will be. When it comes to long-term strategy, the strategy is to turn Positon off, once a proper successor of MLS (fully open-source and based on user-contributed data) emerged and has enough data to be used in practice.

  4. How are you processing the privacy-sensitive location data submitted by users?

As a general remark regarding privacy, I suggest to check out our privacy notice at https://positon.xyz/docs/privacy/ which is concise and easy to read (as we're not commercial, it also doesn't include commercial bullshit). At this point - as we don't support users submitting data yet - we absolutely do not store any location related data of users. To protect our service, we keep a log file of incoming request metadata, with IP addresses anonymized.
Additionally, we have worked with the microG developers and introduced capability for aggressive caching on the client to ensure that client devices don't have to do more requests to our service than absolutely necessary. This is in our own interest, as it means we have less requests to process, but it also means that even if we wanted to, we couldn't keep a record of a user's location history.

  5. Will you support geosubmit API in the future and how will you use this data?

Currently we don't support the MLS geosubmit API, simply because we don't have our own database and we don't want to mix contributed data with our commercial database - as we already plan for the license of our commercial database to eventually end. As I mentioned above, this will happen once there is a proper alternative and we are keeping an eye on https://beacondb.net/ and similar services.
Our plan is to add support for the geosubmit API in a fashion, where we batch submitted data (e.g. of a full day or hour, depending on the number of contributors) and then forward it to BeaconDB and similar services, so we can contribute to those services setting up a database, completely independent of us. Once this was to happen, we will publish details about this and the services we forward the submissions to on our website.

Should you be sharing this information publicly on the internet, we ask you to attach a full copy of this email both for transparency and to ensure no relevant information was left out. Thanks for your understanding.

microG and /e/ clearly took the public position on the Mozilla Location Service issue tracker that they were against open data, and it's easily proven that they're the ones behind the Positon location service, not a third party:

https://github.com/mozilla/ichnaea/issues/2065

They began coordinating together in a private chat room following this issue tracker thread. We have logs showing they're the people behind Positon, showing their close coordinating together and that they're still strongly against open data. /e/ has been largely providing the funding for microG and that funding is also what's allowing this to be done.

They very clearly view BeaconDB as a competitive threat to their attempt to grab location service market share and convince open source projects to use their service. They've adjusted their strategy to pretend they're supportive of BeaconDB and yet are still trying to stop it to the point that they're making another location service beyond both the one hosted by /e/ for their own usage and the Positon service aimed at getting adoption from other open source projects. There's going to be another one from the same people with "libre" in the name despite being anything but "libre" and with the continued goal of trying to get other open source projects using their service.

In public, on the MLS issue tracker, several people against open data viewed it as important to get everyone using one service to avoid data being split into multiple proprietary databases. In private, they've continued down that path towards repeatedly talking about and emphasizing the importance of everyone using their service. The goal of Positon and the upcoming rebrand is hiding their involvement, portraying it as an independent project and getting lots of open source projects on board using it. We're clearly going to be against centralizing location services instead of an open data approach. Even with BeaconDB, it remains to be seen how open it is and if it satisfies our minimum expectations in that regard so we're linking to it but not wholeheartedly endorsing it until we see the open data approach.

We're going to continue to be strongly against the approach of centralized location services with proprietary data, particularly services that are being dishonest with people about who is behind it, who is providing the funding and their goals. They're clearly contradicting their own statements both in public on the MLS tracker where they had a strong position and in the many weeks following that in a private chat room. It's ridiculous to not acknowledge that the lead microG developer is the one making Positon in close coordination with /e/.

They claimed /e/ OS applied AOSP security patches every month, is it not true?

    Kira902 It's not at all true.

    They ship the Android Open Source Project subset of the Android Security Bulletin patches across devices, but with significant delays of a month or more. Those include most but not all High/Critical severity Android Open Source Project patches. Shipping the full set of High/Critical severity patches and nearly all of the Low/Moderate severity patches requires staying caught up with the latest release of Android. /e/ is far behind the latest release of Android and has far more than the month or two of delays they have for ASB patches for the full set of patches. It's a year or more of delays. It's multiple years of delays for a lot of the devices they support.

    There's a comparison of this subset of another subset of the overall patches here:

    https://divestos.org/pages/patch_history

    ASB is a subset of the overall patches: it does not include most driver/firmware patches and does not include any Low/Moderate severity AOSP security patches or certain High/Critical severity ones. Shipping only the AOSP portion of the ASB is an even smaller subset of the patches. The bigger problem is misleading users about this.

    Many patches require updates for drivers and firmware. /e/ fails to properly ship these for most devices even when they're available. They do not even ship the firmware and vendor updates at all for many devices. Most of the devices they support don't have these patches provided properly in the first place, and they fail to ship them in most cases they are available. They're downplaying the importance of this despite it being no less important than having the AOSP backports. The Android Security Bulletins only list a very small subset of driver/firmware patches, but they do list some of them, and they do require them for claiming to have the current Android security patch level. /e/, LineageOS and CalyxOS ignore this and set an inaccurate Android security patch level along with claiming to provide patches they are not providing. For example, CalyxOS claims to provide all open source patches by shipping the AOSP backports when they're behind on Android releases or for devices not shipping the full patches, despite the fact that many of the missing patches are open source. Each of these projects is heavily downplaying the missing patches and misleading users about it.

    Only the first half are provided through the AOSP security backports alone. The other half requires driver/firmware patches. Only a small portion of the overall driver/firmware patches are listed there. Compare the Android Security Bulletin to the Pixel Update Bulletin which currently mostly lists patches applicable to many other devices including AOSP patches, Broadcom Wi-Fi, Qualcomm Wi-Fi, Qualcomm cellular, Samsung cellular, etc. The patches for Qualcomm cellular and Snapdragon will stop being listed in the Pixel Update Bulletin once the Pixel 5a is end-of-life in the near future though. Qualcomm has their own bulletins with a more complete list of patches than the Android Security Bulletin.

    If I understand correctly about the possible new location service, only some GOS users (since collaboration between Open Source projects seems difficult) enabling an option will send WiFi hotspots location and maybe Bluetooth and cell tower location.

    This will result in a map with users' routes (even more in low population density places)
    This location service will speed the device position for current versions of OrganicMaps or Magic Earth?

    4 months later

    GrapheneOS

    So guys instead, contribute to BeaconDB!

    1. Install NeoStumbler
    2. Change the endpoint to https://api.beacondb.net
    3. If you like, go into developer options and disable "wifi scan throttling"
    4. Enable background data for the app
    5. Disable battery optimizations entirely for the app
    6. Enable "automatic upload"
    7. You can also make it only collect data when you move to save battery
    8. Turn it on and forget it!

    Whenever you use GPS, it will use your GPS location and scan for nearby wifis and bluetooth beacons, if you have cell data enabled also for cell towers.

    Once GrapheneOS has its network geolocation app, you can directly profit from the data you have uploaded, and don't need GPS in the areas you frequently visit anymore!

    I am doing this every day, really fun!

      missing-root
      How does this affect privacy? I read BeaconDB's privacy statement, but I am worried about my home WiFi information being sent to this database.

      But staying at the points on privacy.

      LibreGeoLocation has a lot of information on what could be possible to anonymize that data

      • geohash the SSIDs and MACs of Wifis and bluetooth beacons
      • truncate that hash, so on earth there will be multiple ones with the same hash
      • use methods like DNS and ping speeds for looking up continent and country, so you know where to look

      I am not sure if BeaconDB or the respective data collection apps (NeoStumbler, Towercollector) do this.
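
The hash-and-truncate scheme listed above, as an added sketch that is not part of the original post and is not code from BeaconDB, NeoStumbler, TowerCollector or LibreGeoLocation. The names `beacon_bucket` and `TruncatedBeaconDB`, the use of SHA-256, the bit widths and the `region` strings (standing in for the DNS/ping-based country hint) are all assumptions, and the beacons are constructed sample data.

```python
import hashlib

def beacon_bucket(mac: str, ssid: str, bits: int = 16) -> str:
    """Hash a normalised MAC+SSID and keep only the top `bits` bits as hex."""
    norm = mac.lower().replace("-", ":").encode() + b"|" + ssid.encode()
    digest = int.from_bytes(hashlib.sha256(norm).digest(), "big")
    return f"{digest >> (256 - bits):0{(bits + 3) // 4}x}"

class TruncatedBeaconDB:
    """Hypothetical store that keeps truncated hashes, never raw MACs or SSIDs."""

    def __init__(self, bits: int = 16):
        # A full hash of a 48-bit MAC can be brute-forced back to the MAC;
        # the truncation is what makes one bucket stand for many beacons.
        self.bits = bits
        self.buckets = {}  # bucket -> [(region, lat, lon), ...]

    def submit(self, mac, ssid, region, lat, lon):
        key = beacon_bucket(mac, ssid, self.bits)
        self.buckets.setdefault(key, []).append((region, lat, lon))

    def lookup(self, mac, ssid, region_hint):
        """Candidates sharing the bucket, narrowed by a coarse region hint."""
        key = beacon_bucket(mac, ssid, self.bits)
        return [(lat, lon) for region, lat, lon in self.buckets.get(key, [])
                if region == region_hint]

def demo():
    """Constructed data: 64 made-up beacons squeezed into at most 16 buckets."""
    db = TruncatedBeaconDB(bits=4)
    for i in range(64):
        region = "EU" if i % 2 == 0 else "NA"   # stand-in for the DNS/ping hint
        db.submit(f"02:00:00:00:00:{i:02x}", f"net{i}", region, float(i), float(i))
    largest = max(len(entries) for entries in db.buckets.values())
    hits = db.lookup("02-00-00-00-00-00", "net0", "EU")
    return db, largest, hits

if __name__ == "__main__":
    db, largest, hits = demo()
    print("buckets:", len(db.buckets), "largest bucket:", largest)
    print("EU candidates for net0:", hits)
```

A lookup returns several candidate positions by design; a client would narrow them further by intersecting the candidates for all beacons it currently sees.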