Posted by imalerba 3 hours ago
1. I don't speak authoritatively and
2. I don't have knowledge of the whole product - there's always a rogue team here and there doing stuff.
We've had that feature turned on at MSFT for some time now. It does not allow your manager to see that you're at Starbucks, at home, on the shitter or anything like that. There's a new toggle in the calendar settings called "Share location with my organization", and the settings are: "all details: building, desk, etc.", "general location: office or remote", "can't view any location information". What it does when turned on is just adding, at the top of your calendar, icons that tell you which of your colleagues are in office, and if they share and you click on someone's picture, what building they're in (when it works).
The whole "it will tell your manager what your wifi is" is just baseless extrapolation, and plainly false from what I can tell.
Edit: from https://news.ycombinator.com/item?id=46827312, it does sound like the feature isn't really opt-in for end users though?
End users should not have an expectation of empowerment when using Teams or its predecessors... the administrator can override basically anything.
If you work in a large enterprise they already control everything—or have the capability.
Apologies you both have to deal with this.
This location either uses the named locations I have set up in Entra (we use our public IP ranges for it) or it prompts users for their address if isn't sure. https://learn.microsoft.com/en-us/microsoftteams/emergency-c...
Hence the explicit statement.
This is how I expected the feature to work once I read the real product brief, so that's a plus at least. You might want to tell your product people to ask whoever deals with this stuff at Microsoft anymore if they can, like, talk to the press about it? Various outlets have been running stories for almost a year now about how Teams is going to start sending your WiFi data to your boss.
The wording on the product page also makes it sound like tenant administrators will get to decide how opt-in works (ie - that they could select which options the end-user is allowed to pick, and at Microsoft they happened to give you the freedom of choice); this makes sense from my experience in enterprise software management but also makes the feature seem like it will be incredibly yucky/annoying. Is that just a case of poor wording?
This still seems like a super weird feature to push through in terms of "yuck" to "value," but I also know how that goes.
Kind of like how Microsoft provides services to ICC judges until they won’t?
Given that not every device has built in GPS, it sounds like the Network Team is going to have to provide the locations of APs for that to work.
Curious how Teams will resolve that. If you're on your phone using a VPN back to your home network will it know or show you as at home? What happens if you have multiple APs at home?
It's like in Minority Report. Though with not perfect accuracy yet.
Pretty sure that's how it works across all phones. I know that's how Apple gets their location services database at least.
2. The feature is in fact useful, so most people enable it. It may even become company policy to have it enabled.
3. Companies who buy this feature ask for a way to force their employees to use it, as it's "confusing" if location data is only available for 90% of the employees. Not it's an opt-out feature, in the best case.
4. VeryGoodCorp is in a bit of trouble with its shareholders. Revenue growth hasn't been as great lately. They realize that they are sitting on a mountain of location data, aggregated from multiple harmless features, that would tell its customers if their employees are slacking off at work. Surprisingly, the customers are willing to pay good money for a "employee productivity score".
5. Profit..
Edit: formatting
Edit 2: Now you may say "well that wouldn't be legal", and depending on the jurisdiction I'm sure it isn't. But that hasn't kept VeryGoodCorp from collecting this data, they just forgot to turn off the toggle for EU you know, honest mistake. But they still have the data, and laws can change, or, you know, made to change.. (Prop 22 anyone?)
Why in the f does Word need my location (access to location services) for me to write a document? Pops up every time.
Teams already has a location setting, if you wanted to automate that a more correct way would seem to be adding the feature and offering users the opportunity to turn it on. Microsoft hasn't really changed since the IE days it seems.
https://www.microsoft.com/en-us/microsoft-365/roadmap?search...
The actual feature brief is:
"When users connect to their organization's Wi-Fi, Teams will soon be able to automatically update their work location to reflect the building they're working from. This feature will be off by default. Tenant admins will decide whether to enable it and require end-users to opt-in."
Yuck.
The roadmap just makes the whole thing user-facing so there's a status in Teams of where you currently are. But IT knew all along. And if IT didn't have tools deployed to get this info already count yourself lucky to work at an immature org security-wise.
I will say that "IT knows where I am" and "my manager / manager's manager / whatever sees where I am on Teams" would represent two very different personal annoyance levels at most companies I've worked at; at most places I've worked getting someone's location through IT required them to be doing something questionable or illegal (ie - working from an unapproved country) or breaking some obnoxious return-to-office policy, not just "hey is Bob out to lunch again or is he over in Building 6 so I can drive-by him with some questions real quick"
But I'll agree that Teams is packaging this information into something more digest-able for middle managers, and that's the rub. There are always manager types who have the epiphany that not everyone is working 100% of the time and it bothers them enough to call it out to subordinates, or if they don't like someone enough they might do a deep dive with IT. Teams already has this indicator to show if you're online, on mobile, in a meeting, AFK, or offline entirely. Its not that the information wasn't there, its just much more front-and-center for managers to be annoying about it.
IT having the information for security is one thing.
In the hands of power-hungry lower middle managers, it becomes a weapon.
First security job I had, the CISO had already declared that enforcing "no Youtube, porn, whatever" at work was a managerial problem and not a security problem [0]. And when management needed data from computers about an employee, they had to go through security -- they couldn't just fish around on their own. HR was involved, there was a paper trail, and requests were scope limited.
There are companies that do incredibly invasive employee monitoring, but those dystopias don't use EDR or whatever. They use some other vendor's spyware to replace management with creeping.
For some reason I'm reminded of the chains or cables used to keep operator hands (Posson's pull-backs) from being crushed in a press brake.
[0] The malware, etc that can come from those sites was a security problem -- but checking if creepy Bob was looking at boobs on company equipment or even just wasting time had nothing to do with infosec.
I followed several articles and the tree I found seems to end with this Neowin article https://www.neowin.net/news/microsoft-delays-controversial-l... but it doesn't actully clear up the sourcing. I.e. the quote in the article is the same roadmap item, yet the article talks directly to that as if it's the home SSID which will be put into Teams - where is that information in the quote it's describing? I'm not sure if they just didn't source that bit or if it's plain confusion about whether it's really limited to "connecting to your organizations Wi-Fi" which is then being picked up as a hot story.
Honestly, to me the feature seems so incredibly low-functionality that I'm surprised they're pushing it forward after all of the controversy it's generated. Like, sure, it might be nice to see if someone was out to lunch or in Building 17 or whatever without needing to message them, but at the cost of the whole "teams is spying on you" narrative and yuck-factor it pushes, I'm surprised they haven't pushed harder on either clarifying the functionality or just pulling it.
The understanding I always got from legal was "it's continually the company's legal liability under the RAY BAUM's Act whether the address is correct when the user dials 911 on/via the corporate systems, not the user's". Sometimes the conversation sounded like you could potentially have users sign something to transfer that liability, other times legal didn't seem to even want to entertain the idea as valid. Regardless, none of the companies ever ended up wanting to go that route for either concern of general friction/overhead or concern there would be employees pushing back that they don't want to sign it and instead would just want 911 to work (which is also a reasonable position for an employee to want to hold). I.e. implementing automatic VOIP location for some users but not others was either impossible on some systems or just seen as a nightmare to try to track/audit, even if they were willing to try to make every employee perfectly happy about it. A bit of a legally induced quagmire for a good intent (accurate 911 not being something a place could opt out of providing) which had trade offs in reality.
RAY BAUM's compliance requirements for for nomadic endpoints in went active in 2022 but most companies had already started trying to be compliant a little prior to that when fixed endpoints needed it anyways. Some companies of course don't bother, either knowingly or unknowingly assuming that compliance risk. Before that it wasn't really a topic.
That aside, if it is SSIDs it's dead simple to fake. If it's BSSIDs it's a little more difficult and not every AP may expose a way to spoof it (but it's not too difficult to find ones which will).
The tracking is still gross, but limited to opt-in on office WiFi seems a lot less dramatic of a headline, especially given the main concern people have is work from home
If a company policy says you have to opt in, not opting in means you're breaching the policy and might get fired. Entirely legal in at-will employment places, but potentially not in places with better worker protections.
Saying that, I just got announcement from my employer they will not be turning it on for now.
https://www.euronews.com/next/2026/01/27/france-to-ditch-us-...
That's not a bad thing.
But I think its totally unrealistic and impractical to deal with this kind of thing by being so choosy that you won't work for an org that uses Microsoft. Actually acting that way probably just means choosing to be unemployed (for the vast majority, at least).
I mean, that's not really how "opt-in" works for features that your company owns; you might have to "opt-in" technically but your company will probably make that a little more mandatory.
I do agree that the blog post, headline, and HN comments are as usual quite an overreaction, but this feature is pretty gross. It's also weird because the controversy/grossness-to-utility ratio seems awful, which either means that Microsoft product management has gotten as bad as everyone thinks it has or there's some future plan to make it more "robust."
Can't you just rename your home wifi SSID to be whatever your Work wifi is called?
If I were to try to implement the given task description, I'd start with assuming this would need to be "Enterprise gives an exports of BSSIDs and locations, Teams uses that table to set the location when you connect to your organization's AP". I'm not even sure how else to make this really work right.
If it really is SSID based, the feature would be relatively useless for most organizations even before discussion trying to spoof it. E.g. the last place I worked had ~3,500 physical addresses with APs (and many more individual buildings/"office" names), all with the same "Corp_Name_Employee" SSID because otherwise it's way more work to have unique SSIDs. So how would this feature even do what it's supposed to do based on SSID?
Maybe the enterprise exports a table of AP MAC addresses, mapped to locations. It could be the SSID stuff is just a way to spy on what non-office location you were at.
E.g. in the above deployment each Aruba AP could have up to 16 BSSIDs/MACs per radio, but we really had an average of ~5 in use per band at any given site. So a single 2.4 GHz + 5 GHz AP would have 10ish BSSIDs/MACs associated with it in the export (which would then roll up to be BSSIDs/MACs at that office).
Then any of the SSID stuff seems to be more pure speculation (at least from what I've been able to find sourced from Microsoft so far, they are very light on details). Maybe tEAMS does something with SSID, maybe it doesn't - but the roadmap item doesn't even mention that half of the behavior at all, the Neowin article at least looks to be just inserting stuff about SSIDs without any source (and this site doesn't seem to source much at all). It certainly could use SSID as a fallback when there is no location, but where are the articles finding the plan actually has anything about doing that and why would it help more than setting the status to "Remote".
At the end of the day BSSID isn't unspoofable either (companies that care that much probably just want mobile device management or to look at the wireless controller itself), but it at least enables the actual goal of saying which office to be achieved.
(Or phone tether, if you have a good data plan)
Also if they cared so much about where I was to punish me for it, I’d quit that company. The only companies I will work for are ones that treat me like an adult, it’s fairly simple.
Currently I manually check device IPs.
So, either this minimal description is A: an attempt to mask the feature's true purpose of dystopian pocket spying under an innocent-sounding cover, or B: negligently deploying a technical capability with far-reaching consequences without proper diligence or care.
Even if the goal was to enable a pocket panopticon for middle manager spying on WFH staff, in less than 10 seconds I came up with a list of other negative impacts and threat vectors which should freak out any large org's corporate security, legal, compliance and HR teams.
* Like lower level employees not in the 'shielded compartment' seeing that {M&A exec} is currently on {potential acquisition target company's} guest wifi. This kind of accidental location knowledge leak has actually happened between MSFT and Google via a freak analog coincidence and it changed the course of a huge acquisition. This feature makes that accident 1000x more likely.
* Or an employee sues for being dismissed and their lawyer proves through discovery that a manager could have seen they were connected to the wifi of a competitor they might have been interviewing with or an abortion clinic or gay bar, etc.
* Or as part of a harassment claim an employee says the company's required app showed them the phrase "Big Titz Rule!!!" because it was the name of a wifi network another employee was connected to.
Just having an opt-out or hours limit is woefully inadequate. Even if those should prevent senior execs and M&A teams location being accidentally visible to employees not in a trust circle (or worse contractors, vendors or customers looped into a Teams group), it STILL creates huge new threat surfaces. At a minimum the 'feature' needs ways to limit it to only show wifi network names: A. On an approved list, B. Matching a regex pattern, C. limited within a list of IP sub-domains, etc. And at many companies, as part of compliance, all those wifi network names will need to be passed through the "problematic words" list maintained by the HR and security teams (and in many companies hits on those lists trigger auto-reports which will now create discoverable "evidence" in any future lawsuit keyword search).
The unintended-but-foreseable consequences stretch for miles. And this isn't the MSFT Office/Teams group's first self-inflicted trip to this rodeo. I just don't understand how they keep repeating the Same. Obvious. Mistakes.
Ultimately if you are at the type of company which practices presenteeism, then the technology used is immaterial
> Remember when you could text Dave from the office to turn your PC on because you were stuck in traffic?
I honestly don't. This was a thing? Why?
> So if you decide to take a "working lunch" and connect to "Starbucks_Guest_WiFi", your boss sees it instantly.
I would have a lot of fun with "creative" names for my Wi-fi network.
If you work in a factory with time cards that need to be punched in, and you punch in a buddy's who is late, that's a thing -- a very risky thing if you get caught, since it's fraud.
But the idea that you'll give a coworker your password so they can boot up and log in and somehow make it look like you're online...? Not a thing. And doesn't even make sense today when you can just open your chat client on your phone anyways and be present there. We've been in an era of remote work for a long time now.
Yes, MAC addresses can be spoofed, but that isn't going to be what most employees will do.
If you think it’s normal to call in to have someone pretend you’re there because your manager can’t forgive you some bad traffic you’re pretty far away from a healthy working relationship.
It's also kind of unclear whether the blog post is correct that it would show the name of another network if you connect to it - I'd sort of assume it would just show "Out of Office" instead of "connected to YO_MAMAS_WIFI" or whatever, but who knows.
> what building you're in at the office
On Windows you can see this (from an elevated context and, in newer versions, with location services enabled) by running: "netsh wlan show interfaces"
There's already the Big Brother Awards [0] and EFF's smattering of Worst Government and Worst Data Breach articles each year. [1]
But I think we need more.
Personally I would love to nominate:
- Mark Stefik and Brad Cox for their contributions to DRM
- Erick Lavoie for his work on Wildvine DRM
- Vern Paxson for his contributions to DPI (Deep Packet Inspection)
- Latanya Sweeney and Alexandre de Montjoye for their contributions to re-identification of anonymized data
- Steven J. Murdoch and George Danezis for their work on de-anonymization attacks
[0]http://www.bigbrotherawards.org/
[1]https://www.eff.org/deeplinks/2025/12/breachies-2025-worst-w...
It seems like highlighting how anonymization is a lot harder than a lot of people assume is a really useful service. If researchers can do it, without any particular secret sauce, so can a lot of other people. (Unless I'm totally misunderstanding your comment.)
Some of Sweeney's most well-known work in this area is from the LATE 1990s. She was sounding the alarm about problems with anonymized data in medical datasets: https://en.wikipedia.org/wiki/Latanya_Sweeney#Medical_datase...
Her work almost certainly contributed highly to awareness of these risks.
More recently she has apparently worked on things like protecting voting rights in the US by notifying voters if their registration records change.
But, yeah, at some point in the 90s, Massachusetts decided to release some "anonymized" health records for research purposes (I think just state employees). One was governor William Weld who obviously had a lot of public information widely available. As I recall, Sweeney wrote the governor's office a bit later basically saying "I have your medical records."
I used this as a slide or two in some AI presentations in the mid-2000s or so pre-LLMs when I had some peripheral involvement with some of the privacy-preserving research going on (differential privacy, multiparty computation, fully homomorphic encryption). Haven't really followed most of this for a while.
You can be pretty sure some three-letter agency trash had been already using it around the world along with shady spyware startups.
Most other professions have you take ethics classes, have ethics boards and even ethics legislation. We're severely lacking in this area as a community. It really shows when every year there's a new company building the Maximum Oppression Orb from the book Dont Build the Maximum Oppression Orb. Its like we're dealing with the moral equivalent of a mentally challenged person all the time
The requirements for this sort of stuff come from top down. Do you expect C-Level and and the top layers of sycophants beneath them to be ethical?
If they hadn't done it, you can bet that bad guys would have done it instead (and maybe were already doing it). What the researchers did is publicly show that the existing schemes were broken, hence motivating the design of better schemes.
Like, you fundamentally misunderstand computer security research if you think that shitting on people publishing attacks is a good thing.
Should issue the award!
You're assuming Hollywood studios would ever release their content without DRM of some kind. They were quite content to ignore computers entirely if they didn't bend.
The world where Widevine doesn't exist isn't a DRM free one; but a world where an iPad or Smart TV can stream and a PC can't. I would support giving them an award though for "most repeated invention that keeps failing."
I don't see it anywhere.
I also find it hard to get offended about because there is basically no job, outside of tech, which doesn't involve physical location. >95% of jobs require physical location. Do you think a concrete worker, a plumber, an electrician, or literally anyone who works with their hands, has a right to location privacy? What does that even mean? "I'm totally clocking in to work today and totally installing a light fixture for a client right now and I won't tell you which one"? "I'm totally making a cappuccino for an old lady right now at one of our 30,000 branches, but trust me, you don't need to know which one"? Whining about this is extremely hard for me to generate sympathies for.
Overall it's just kind of a yucky and weird feature; when I worked in an office I really didn't really want my coworkers having a real-time automated feed about where I'm located and one of my chores as a manager was always picking a seating position where I could at least take the drive-by questions before my team got interrupted, which stuff like this bypasses. I could actually see it being useful for field-deployed employees but it's not part of the stated implementation and most people in that scenario already have a solution for that.
I agree that the typical HN-meltdown isn't warranted here; the HN Meltdown Factor on anything related to privacy, cryptography, and security lately has gotten really out of hand (the post you're replying to is a perfect example, actually). But I also don't think these counterpoints are very strong; they're justifying other useful features and products that almost everyone already has. It's weird to me that Microsoft haven't either clarified or backed down on this one given how much press it's gotten vs. the seemingly tiny advantage the feature presents.
The really weird thing is going to be when people start internalizing the LLM voice and writing that way. It's probably happening already.
Eventually no space where people can just 'publish' things will be safe from being completely filled with LLM writing/video/images. The only way to combat it is by forcing people to get punished for this behaviour and making it difficult to circumvent.
Some invite system where people get punished for the bad people they bring in, one that's linked to your identity/workplace/education. Even if these options were available, I doubt many people would care enough, they'd rather be in 'enshittified ' spaces.
I have flagged this article on principle. Idk if it it's in the spirit of HN to do that or not, but the button's there, and I'm going to use it.
However badging data is much more coarse-grained than WiFi. For one, because the building is large, you can’t tell which part of the office the employee is. For two, you can’t tell when the employee has left work because no badging is needed to exit the building.
https://www.derstandard.at/story/3000000306516/windows-11-is...
"Windows ist kaputt" = "Windows is broken"
And now 365 tracking people. So the whole company seems to now just be about sniffing after people. In the past it alleged at the least to enable folks, say, Win95 perhaps up to WinXP. Now somehow the customer became the enemy. It's really strange to see.