Edit: this has prompted me to go find a way to turn off location permission requests in the browser settings. It turns out you can do it under Privacy and Security > Site Settings in Firefox and Chrome.
At the same time, there is no reason to not implement this pattern today and require user intent prior to requesting the permission
So on the first vist you still need to click the button. On the second visit the callback will be triggered directly.
But, well, nothing prevents a big fat html modal on the page pointing to the button, now does it? If you want to annoy your product^H^H^H^H^H^H^Husers then you can always find ways to do so.
Most browsers allow setting default permissions for all sites at once.
The original flow is awkward, but also renders the permission element in a location that can't be clickjacked, thus offering some protection from geolocation.
I've had to deal with plenty of people who couldn't do things like use Jitsi or other web apps because they missed or denied the permission prompt before reading them. The tiny icons in the address bar are barely recognised as clickable items by most users, which is a good thing for toning down annoyances but an awful inconvenience when trying to help people.
In a few cases, the solution to "accidentally dismissed permission popup" was "make everyone else download an app full of trackers".
Geolocation based on IP address is always done in the background, so they already know what city you are from. But Google wants to have the nice high-precision location from our GPS chips so they can permanently associate the IP address, and available WIFIs/Bluetooth/network devices and all related MAC addresses to a specific building.
And they want to have this specific functionality so they can organically trick non-power-users who got accustomed to the permission popup dialogs into re-sharing their location.
They don't. Maybe the trackers do, but most websites place me 100km to the west. When I want to look up opening times for supermarkets near me, I like the "show nearby" button.
Even Google gets confused because I VPN back to my home network. Every time I spend a few days somewhere else, Google's IP-based geolocation is broken again.
And IP-based geolocation is really unreliable beyond the country level. It depends on ISPs using a different pool of IP addresses for each city. That seems to be the norm in the US, but is not how every ISP runs their operation
1: https://developer.chrome.com/origintrials/#/view_trial/37362...
Google is internally fusing data from all devices that were ever in your LAN or near your WIFI access point. It merges them based on:
- outside IP address given by ISP and mobile phone carriers
- list of network devices incl. IP address & MACs (do you have a 3d printer or not?)
- any info they can extract via their Smartphone Apps both on Android and IOS
- Android devices share geolocation data with google anyways
- user agents & browsing history on google properties and 3rd party websites
- every time your IP addresses hit anything in google cloud or google CDNs (e.g jquery from googlestatic.com or google fonts)
- all data you have ever provided to them (payment data, gcloud, gmail)
- all the tracking that is already built into chrome and other google software
The large tech companies have significant incentive to mutually share data with each other, that's why you often see Javascript from one tech company included in the website or product of another one. It's enough to touch a google dc with a single packet included in the facebook app for them to associate your session with the new IP address and vice versa.
Google has years of data on how often user agents and devices behind a certain IP address change. They can very confidently say if your ISP-provided IP address has been rotated or not, and where it was rotated to. They most definitely have enough GPS positions from smartphones that they can predict where you sleep, so if your smartphone shows up under another IP address but the network devices around it stay the same they can easily deduce that this is your new dial-up IP address.
All of this not even discusses unethical or clearly illegal ways these companies have acquired data by abusing a lack of security measures on the smartphone operating systems. An example is Facebook uploading entire smartphone contact books to their servers to fuel their "organic" growth - Google most definitely has done exactly the same.
The "careless people" book highlights that Facebook deployed spyware with their smartphone apps which monitored what other apps the users were using - this is how they figured out that WhatsApp was going viral and based on this data they did the surprise acquisition of WhatsApp. I'm confident that google abuses the same security vulnerabilities in order to further collect data.
Of course they don't share the final database, because it is their core asset. And if the common public catches a glimpse of the data that google has saved they would be really upset.
(It didn't take me long to realize the implications.)
It's still permission-based. And the article mentions that the same ux is being done for media objects.
- scribble on a napkin (explainer)
- ask others for their position
- ship regardless of position or any outstanding issues
- claim it's a new standard
The line about being open to feedback while they're encouraging sites to start building using this really feels disingenuous. At least they could own their choice that they want to go it alone on this.
we're planning to push ahead with our implementation in Chromium, continuing to iterate with your feedback in mind.
https://github.com/WebKit/standards-positions/issues/545#iss...
If clicking on it does trigger a location permission prompt: what's the point? The "issues" with prompts getting denied can already be solved by web developers doing this themselves, rather than just blindly firing off a request on page load.
If clicking on it does not trigger a location permission prompt: have we forgotten about the Line Of Death [0]? Clicking random website-styled elements should never result in dangerous actions being taken - and leaking the user's physical location is definitely dangerous. Sure, they are trying to restrict the styling, but that's a fools' errant: somebody will just make a browser game where the button looks to refer to something ingame, but actually leak your real-world location.
Besides, who's actually asking for this? Location is perhaps useful for Google Maps-like websites to save you a few seconds of scrolling, but in practice it has mostly been spammy websites trying to get me to "subscribe to local news". Making geolocation easier is the last thing I want in my browser!
[0]: https://textslashplain.com/2017/01/14/the-line-of-death/
Does that mean identifying the browser and trying to tell the user how to go into the browser settings and un-block permission prompts?
The only reason people block it in settings is because they get sick of nagging prompts they never asked for.
Using geolocation on the web is not something I do daily, but I do use it every now and then. The "locate stores near me" button for looking up store closing times is a lot easier than manually panning across a map.
I find Chrome's current implementation (on Android) to be acceptable as long as measures are taken to prevent clickjacking and such to automate repeating prompts after denying permissions. I expect other browsers like Firefox to be more conservative in showing popups like that.
So we make it easier for the user to actually do the thing they intend to do. Seems good to me.
jsdelivr.com is much more reliable (Multi-CDN, Multi-DNS). Comparison: https://www.jsdelivr.com/unpkg
I am not affiliated in anyway to jsdeliver or unpkg. I simply used to be a user on unpkg.
But I have no doubt there is a play happening here.
Probably it will change over time to make gathering data easier?
Or something else that makes Google money.
Not to mention Google's history of pushing some non-standard behavior into Chrome single handedly to make it the de facto behavior, ignoring voices questioning the motivation, timeline and technical implementation. They are discussed here on HN and everywhere else and easy to find.
Coming back to this, my response is the same: the status quo works, why change it? Similar to how Mozilla responds to replacing user agent with "Hints API" nonsense. I don't want another way to get my location, because I already block all location requests. Google wants site owners to get location more easily out of unsuspecting users. I can't see how this is good for anyone but Google and its friends.
As you assume that GP has not read the post, how about you?
Because google clearly state that the "high denial rates" are a problem, but their framing of the issue is that the users have a "context gap" which needs to be fixed. Because they are convinced that even though users have decided against geolocation sharing with a specific website they want to get prompted about it over and over again as part of the organic interface of the website. And if they un-block it once over the new interface then the previous block will be forgotten and the permission will forever be granted.
A solution respecting their users would be to allow geolocation for duration of the browser tab, but that is clearly not in line with their data collection goals for their advertisers.
Is there any major browser vendor that isn't US based? The only two I can think of are Vivaldi and Opera, which are Chromium based, ergo US tech.
Thinking that everything Google produces might not be positive is NOT jumping into conspiracy theories.