More than one method
The most confusion about Location-Aware Browsing is the fact that there are two distinct methods used out on the web, which both perform a similar function but are quite different in how they work:
- GeoIP lookups: This is a location lookup done by the web server you connect to. These kinds of lookups are done server-side, do not ask you for permission, and are almost invariably based on IP lookup tables in the possession of the web server operator (known association tables of IP ranges and geographical location). As a web user, you will have no control whatsoever over these kinds of lookups, and the only way to circumvent this kind of lookup is by using an indirect connection (e.g. a proxy server or VPN) that will present a different IP address to the server.
Recently, Google, the default geolocation provider (point 1 above) used in Mozilla products since Firefox 3.5.*, changed the way they provide their geolocation services to web browsers, limiting access to the API by way of a secret key only used by official Mozilla Firefox builds. As a result, geolocation in Pale Moon broke because the Google servers refused to provide a response without the key. Individual developers would have to purchase a business key to continue using the geolocation services, and pay-per-volume.
As a result, Pale Moon (From version 24.3.0 onwards) will be using a different geolocation provider's API to request GPS coordinates. This makes for a difference in how geolocation is handled, and a difference in privacy of your browsing:
The Firefox method
- Gathers data about local wifi networks and access points from the browser.
- Sends this data, along with a secret key, to Google servers. This may include detailed information about your local network.
- Google uses this data and your connecting IP address to look up your GPS coordinates based on known information in tables.
- Receives GPS coordinates (longitude,latitude) and an indicator of the rough accuracy of these coordinates.
- Sends a simple http GET request to the API server. No data is being sent beyond a normal web request, and only the absolute minimum amount of data is requested (just latitude and longitude) to prevent snooping on details like country, isp, organization, etc. by intermediaries.
- The API server uses your connecting IP address to look up your GPS coordinates based on known information in tables.
- Receives GPS coordinates (latitude, longitude) but no indicator of the rough accuracy of these coordinates.