I recall from my time in Google Geo years ago that the idea of integrating Search and Maps was a big part of the "New Maps" release that happened around 2014. The rumor I heard was that someone (possibly even Larry himself) wanted to be able to have interactive maps directly on the search results page, so that the navigation from a search query to a map wouldn't involve even a page reload. So the big Maps frontend rewrite actually ended up merging MFE into GWS, the web search frontend server. I recall seeing maps hosted at google.com/maps around that time, but I don't know if that was ever launched fully or if it was just an experiment.
In any case, though, my understanding is that the technical capacity for this has existed for nearly 10 years now, just behind a configuration setting. So it's possible that this change is just a code cleanup. It's also possible that someone is trying to increase the percentage of searches that have location information, that doesn't seem terribly far-fetched either, and I can imagine lots of ways people could try to rationalize it as actually benefiting users. (Whether it actually does benefit users is of course debatable.)
It is absolutely bizarre to me how half-assed Google is with integrating its products.
I have a week of events coming up in Google Calendar each with a different event location. Why can't I see a map of all those event locations alongside the calendar with all the same event details listed? Why can't I associate a Google Calendar event with a specific album or set of photos in Google Photos and see those in the map and calendar as well?
This is why I'm building https://visible.page with my brother. We have all these capabilities of visualizing data on the web, yet no one has actually put them together in a convenient and consumer friendly way to visualize any type of information together in one place.
All these big tech companies seem to just give up on any kind of significant innovation as soon as they reach a certain level of monopoly on their market. Twitter, Spotify, Facebook, Google, etc. I can think of a dozen significant feature experiments they could try that would make my daily life better using those tools yet they don't.
> It is absolutely bizarre to me how half-assed Google is with integrating its products
The answer can be summed up in one word: "privacy".
There are two forces at play here. One side wants privacy. When they give data to Google Calendar, they don't want Google Maps or Ads know about it. The other side (your opinion above) wants more integration between services.
In this political climate, the privacy side has an edge. This means if Google Photos want to access data on Google Calendar to provide the integration you asked above, they will have to jump through multiple quarters of privacy reviews, with a very high odd of being shutdown.
> All these big tech companies seem to just give up on any kind of significant innovation as soon as they reach a certain level of monopoly on their market
After I see how the sausages are made, I think claims like these are naive. It's worth learning more about the factors at play before criticizing something. More often than not, the agents are acting pretty rationally based on the situation.
first, showing maps for a location it is already showing on the screen... the data is already all there. it is pure and simple calendar team didn't want to bother using maps team's api. nothing else. nobody had a meeting and decided against it because of user privacy.
second, no matter the product, the only integration all of them MUST have is to both advertising and profile. those two internal apis respectively serve ads against your profile (ssp) and add events to your profile to later target ads.
so no, absolutely nothing on google deserve the privacy argument.
The privacy argument doesn’t make sense to me. The addresses are already in Google Calendar. They don’t need to be saved into a different service to be viewed anonymously in Google Maps. You can already do it in Google Calendar for one event/address at a time.
Yes there are business/internal-politics reasons why some obvious features or experimentation doesn’t happen, but those aren’t necessarily good reasons beyond short term benefit to specific individuals at a company.
But I do think some of it can generally be blamed on large companies losing their ability to be nimble due to the inherent friction of the politics and logistics that build up as an organization grows.
FWIW, I worked on the integration with calendar and maps - the GP comment is exactly right, it was due to privacy concerns. The terms of service for Workspace say that user data can never be used for anything not related to Workspace, so moving any user data from Workspace to another service has to be done very carefully.
In the example of this integration, allowing it to open in the sidebar was okay because it was a user action, and there is some data anonymization that happens (I don't recall the details, this was a few years ago).
But we couldn't share a list of your appointments with maps ahead of time to allow them to generate the view you describe, because there wasn't a way that guaranteed that the data wouldn't be associated back with the original user.
I don't think privacy has anything to do with it. Google Maps doesn't need to capture any user data to implement OP's suggestion. Google Calendar just needs to render a map with a set of locations marked on it using Google Maps. It doesn't need to tell Google Maps what or who the locations are for. This is something Google Calendar should already be able to accomplish using a public API. All other aspects of the feature could be implemented as part of the Google Calendar service without any further integration with Google Maps.
Further, I don't think users are generally against services using the information - which the user has presumably already provided intentionally - to better serve them. The problem is when that information is shared with third parties or used for purposes which are not obviously in the users' best interests. IMO, any user data stored externally should be subject to an opt-in permissions system which strictly defines how the data can be used. That doesn't stop companies like Google from being able to offer me useful services that I might actually be interested in. The notion that privacy discourages innovation is just silly.
After I see how the sausages are made, I think claims like these are naive. It's worth learning more about the factors at play before criticizing something. More often than not, the agents are acting pretty rationally based on the situation.
All of these concerns could be trivially addressed by leaving them up to the user. Add the necessary controls to the user account page, pick default settings biased in favor of privacy, and allow users to change them if they prefer.
IMO you’re spot on. The catch being that between showing an ad and matching photo locations, the former has a near straight impact on the bottomline while the latter is murkier. When both are going through reviews, that’s a lot of weight difference in the arguments and we’ll see more of one that the other.
The answer can be summed up in one word: "privacy"
I don't understand this.
Once Google has my data, how does it affect my "privacy" if Google Service A shares it with Google Service B?
I'm somewhat privacy conscious, but I don't understand the concern there. I assume that once I give them my data, they're already doing whatever with it internally.
It's amazing to me that people have already forgotten that Google had in fact already successfully done that with Google Inbox. It's not that they weren't able to do it.
It's that in their infinite wisdom they shut it down. Just like they shut down hangouts in their infinite wisdom.
what even was project inbox? at most five people used it.
hangout is now integrated in meet, which is integrated in gmail.
it's google doing a microsoft/apple and trying to be the leader in video calls/remote work/remote classes by forcing people to have it ready just by having the gmail app.
just like apple with facetime (but they have no idea how to expand on it) or Microsoft adding teams to windows status bar, you like it or not.
Both AOL and Google had, around the same time, secondary mail interfaces that provided extra features. Google's was Inbox; I've forgotten the name of AOL's. They were quite similar to each other, with each slightly better than the other in some ways. Both sites were slower* to load than AOL's and Google's standard email interfaces. Neither reached the market penetration or current-account conversion management wanted., and those of us who used them were sad to see them go.
* Google eventually added so many features to Gmail that they had to add a progress bar during page load.
An example of poor google integration that bugs me from time to time - when you search for a geographic feature, the info panel shows a great preview map with the outline of the feature. E.g. https://www.google.com/search?q=rhine+river
If you click into google maps, the outline is gone. Searching "Rhine River" just puts a marker at one point along the river.
This is not the case for me. I just now searched in mobile Chrome for "Lakeview Chicago" and the mini-map static image has a purple outline around the neighborhood. Clicking on that took me to Google maps with the neighborhood outlined in a red dotted line (which is harder to see, but obscures less of the other features/labels on the map). This was on Android, in the maps app, just now, but I've seen the same thing in a desktop browser.
Ah, you're right. It looks like the issue I'm complaining about only happens for "line" features - e.g. a river, or a road (https://www.google.com/search?q=route+66).
Innovation, oh my, sometimes it feels like the fat ones (and, by proxy, everyone else) are living in some alternate fantasy world where the mantra "you're not gonna need it" is taken to the extreme, so they're not even trying.
The pendulum should swing back to complex and more complicated interfaces sometime — but right now these are the dark times where, for example, Netflix, this huge, popular movie and show library, doesn't even have a way to find out exactly what movies with some actor or director it has available. It's hard for me to wrap my head around that.
Your project does look useful and on point though!
The rumor/theory I have heard about Netflix is that increasing discoverability too much would allow people to see two negative traits of Netflix: How often things come and go from the platform (which other apps like Criterion Collection embrace), and just how limited their library actually is at a given time.
Scroll through recommendations. It looks like they have hundreds of great movies for you to watch! And yes, technically they do. But look how many times they try suggesting the same movies in different categories, inflating the view in a way to make the library seem bigger. One movie might show up "Because you liked comedy..." then "Because you watched <comedy movie>" then "Light-hearted movies".
TLDR money and masking their poor library quality.
I wonder if AppleTV's atrocious single-line onscreen keyboard fits into this picture of making things less discoverable, or if it's just an extreme of form over function.
Definitely not, because Apple gives users the ability to type search in on an iPhone or iPad instead of using the apple TV remote. They also let you do voice-to-text, which is nice.
I’m about to enable the new Facetime Live Transcription feature in iOS 16 so my wife can have conversations with her father, who is rapidly losing his hearing. For this reason (and I can think of many) I strongly disagree.
Fair enough, but that’s also a cool new feature that drives sales.
I meant it more like, why wouldn’t they fix this objectively bad input mechanism? It would take tiny effort but it wouldn’t improve their sales or they might even calculate that it drives usage of iPhones and therefore good for them even though it’s bad for the users.
For the record I own both an Apple TV and an iPhone, inasmuch one can pretend to own these devices.
This makes perfect sense product wise, if I'm searching "bakery" on my mobile phone I probably want the ones around me and not the generic location-agnostic google search of it, just like I would if I was searching on map. Matter of fact, this is actually something I do a couple times a month, search then clic the maps tab to see localized results then from them click the website result to find their webpage.
As a techie I hate any direct change to the user-agnostic absolute search, but as a user I get it.
> if I'm searching "bakery" on my mobile phone I probably want the ones around me
And yet for me, even in google maps on my iphone, when I search for bakery, the first one is almost always one that's ~40 miles away, and the closest one is almost always the second in the list. The rest of the list is definitely not sorted descending by distance. If I've searched for a _particular_ ABC bakery, I get other bakeries commingled in the list even if I know damn well there are other ABC bakeries closer than those.
This behavior works exactly the way you would expect in Apple Maps. A search for a bakery returns relevant nearby results.
The fact that Google doesn’t see the blatantly obvious problem, or that they try to argue that the users are wrong is a textbook case of why Apple has been doing OK in the market downturn while Google’s business continues to crash. Apple prioritizes their core products and human interface design, Google prioritizes short-term (advertising) revenue, while neglecting their core products in favor of the latest shiny thing.
Somehow DuckDuckGo has taken this to absurd extremes. Almost any search that doesn’t get many natural hits shows branches of my local government toward the bottom of the first page of results.
What we see is likely the attempt to squeeze even more juice from advertising over which Google virtually have a monopoly. Google is trying to continue its exponential growth while relying on selling advertisements. The market had already been saturated and optimised to crazy levels. Smart thing would be to expand to other sources of revenue, but other projects inside Google fail. As they are failing to compete internally for resources against that crazily optimised source of revenue.
It is doubtful that Google can overcome that internally. Perhaps regulators should break up the monopoly in advertisement and search.
No, eg when I'm at the office, and we talk about where to go eat and I type restaurant, or I need a new stapler and I type office supply, etc ...
> Only if you're not at home?
Not really, eg "movie theater" or "flower shop" come to mind for things I would request while at home
> What if you want to find out what a bakery is?
I would type what is a bakery or define bakery ?
I'm a long time tech user, I miss the days of keyword centric search as I felt I could more easily communicate to the search engine what I wanted, but let's be honest those days have passed, most people type sentence and thus the engine interpret sentences
Not in my country - unless your ISP is in the business of selling customer PII to advertisers (coughvirgincough) your IP geolocation will often be a completely different city.
Of course, personally if I wanted to search for nearby bakeries on my phone I'd have just opened the google maps app....
Coming from the CDN land this isnt true. We didnt put too much effort in to precision, but on the order of 99% of IP addresses get down to metro area. Cheap commerical providers like Maxmind get to the right postcode on the order of 90-95% of the time. Building your own latency and peering maps bridges that gap to 99% or better. Simply based on network topology and latency we should be able to get you down to post code or general area of a city.
Google is my ISP. My geolocated IP is accurate within a 15 mile radius. It doesn't matter if I have location services turned off or I'm using my desktop, searching "bakeries near me" finds them without issue.
I suspect that isn't all just one big coincidence.
Google has what 3 or 4 cities where they operate as an ISP, each with a pretty small footprint. It's no surprise anyone knows where you are.
A cable or telephone company has generalized coverage measured in states; some of them organize their network and customer IPs by small geographies, but sometimes all of southern california is in a single pool of IPs.
"Achievable" is quite charitable from my experience. With the previous ISP I would get located in a city some 2000kms away, sometimes the scam ads would detect my location as null.
funny how that works. I never ever allow location access to anything Google or any website for that matter, and have a muscle memory to hit deny when the browser prompts me. The other day I was searching something and then clicking my bookmarked Google News and suddenly all news were UK specific, and my search results fro "heatpumps" were are UK companies and products.. I was confused until I noticed that my work VPN chose a UK endpoint because the NL one where I am had higher latencies.
So, Google heavily tailors the results based on where it thinks you're at.
Also, I was delighted to know that inspire all the tracking Google probably does on me, it was easily fooled to think I was in the UK :-)
It gets really annoying when you are trying to search for some specific term in English and google keep guessing that you wanted something that sounds similar in your native tongue.
I have links to google.com/maps in my IRC logs dating back from June 2014, so this absolutely tracks.
I actually remember google.com/maps being launched at IO in 2014 -- the presentation had a broken link in it for the new version of Maps, and a few of us DoS SRE watching the livestream were able to hack together a config change in a few minutes to fix it without waiting for a urlmap push :)
> It's also possible that someone is trying to increase the percentage of searches that have location information, that doesn't seem terribly far-fetched either, and I can imagine lots of ways people could try to rationalize it as actually benefiting users.
Could you speak more to how this kind of thing figuratively plays out? With privacy on most of our (tech-focused) minds, I’m mostly curious how openly an initiative like this is/would be carried out. Would you imagine it as a buried lede or as a very transparent, explicit OKR?
It's easy to rationalize it as benefiting the users, so I'd imagine it's an explicit OKR, maybe even a few levels up in the org.
Like, one thing I've wanted on occasion is the ability to search for brick and mortar stores in a given radius who have the thing I want -- either because I want to physically inspect it before committing to a purchase or because for whatever reason the time/cost of shipping wouldn't be practical.
That sort of query is hard for Google to serve right now though for reasons including the lack of relevant location information in both the search results and the queries whose user behavior would help drive relevance rankings for those location-specific results.
Location information is a bit of a double-edged sword too though, even ignoring privacy concerns. I have to spoof my location and change my search language to get some results because of aggressive filtering happening behind the scenes. If a given query doesn't match Google's current understanding of the user then the right results existing in the corpus often won't imply that the user is able to find them with _any_ search operators.
With the document policy changes over the last 5 years, most decisions are now very opaque. Google TTLs everything except Docs and code history & reviews, at this point: emails, chats, bug reports, ...
There's probably a tech debt focused OKR for this work, but some other teams probably has OKRs that indirectly benefit from the data, and they're probably providing staffing support, tied to the tech debt OKR. OKRs are for telling people why you're great, if you're at the bottom of the pyramid, and for giving the rank-and-file some direction, if you're at the top. The top level OKRs are usually very precise and very vague at the same time.
So there's probably an OKR in search to improve the quality of the location signals. It can be vague on how. Plus, having more and better data filters into your downstream systems, so even without an OKR for the data you know it will make your models more powerful.
I remember the spiffy demo where the thumbnail in search results morphed into the full Maps UI without reloading.
But unification had started even earlier than that. Pretty much since Larry became CEO again, he pushed this mantra of "One Google", which brought the infamous Kennedy redesign across all services, as well as more of them available under the google.com host (e.g. maps as discussed here, but also flights and more). One of the ideas behind the latter was that you had to log into your Google account just once, which gradually made it all the way to YouTube(!). I vaguely recall other factors, such as compensating for the increased latency from going HTTPS everywhere, but also discussions about securing and hardening cookies.
As far as I know, google.com/maps has been around the entire time, but perhaps now it might be simply the canonical URL in a larger number of cases.
Funny, because there is a crummy form of Google maps present into he SERP, and it behaves completely differently from actual Google maps. It constantly annoys me, usually when searching for a business, that something that looks exactly like google maps, in Google, doesn't behave the same as google maps.
100%! I always ascribe it to some PM somewhere, but when I click on the "search maps" I would _love_ to be taken to the "real Google Maps".
The search maps is just a terrible experience, half implemented, doesn't do what I want, even down to little things.
My hack is to pick directions, which will get me to Google Maps, then cancel directions, this loses all state, but you're still in the location you want and can usually then just click the business you were looking for.
This reminds me of how Google integrated Maps into Calendar as a sidebar a while ago, a move that I absolutely hated. And instead of providing a preference setting to disable it, you have to “hide” the sidebar in a non-intuitive way [0]. I had to search to figure it out.
This is a fantastic example of motivated reasoning. This "change" (which apparently isn't even new) can have so many different reasons, some of which are less harmful and some of which are probably worse (privacy-wise) than the one mentioned here. There is no indication that re/mis-using permissions is specifically what they wanted to do here, there is also no example of them doing it right now. Don't get me wrong, there is also no evidence that this isn't the real reason and that they wouldn't do that in the future. But the blog post basically list a single symptom and jumps right to the one conclusion that fits what the author expects.
1. The change does exist (although it apparently has been live for quite some time in some regions at least)
2. The change does have the effect of Google gaining more permissions (and subsequently more data) than previously
3. The author assumes that (2) is the (main) reason why (1) was done in the first place
Regardless of whether (3) is correct or completely wrong - and regardless of whether the author truly believes (3), or only uses it as a rhetorical trick to increase the controversy (and therefore the reach) of their post - both (1) and (2) remain fact.
And (2) is the actual problem here - regardless of whether it was done intentionally by Google or not.
As for (3) - there's no proof either way, as you already said.
But collecting more of that data which their marketing business makes it's profits from, is likely to have a positive effect on their bottom line.
And since the change already has been live for a while in some regions, it seems likely that Google is well aware of how much impact this change has on their revenue.
You decide for yourself if money is or isn't the reason why a big corporation like Google would do something like that.
> The change does have the effect of Google gaining more permissions (and subsequently more data)
There's a huge logic gap here. Obtaining more permissions doesn't at all imply obtaining more data when it's caused by an incidental change. Maybe the permissions aren't being used outside of the Maps context, or maybe it doesn't matter because the data was already be known.
It’s true that we can’t really know whether Google is exploiting these expanded permissions to collect more data unless we have some insider information.
However, it’s generally very easy to predict what a company is going to do by observing their business model and incentive structure. In Google’s case, collecting as much data as possible is a major part of their business, so without more information, there’s no good reason to assume they won’t do it.
> It’s true that we can’t really know whether Google is exploiting these expanded permissions to collect more data unless we have some insider information.
You could track usage and see what pages on google.com are accessing these APIs.
I doubt that it's a lot. Google already has fairly good geo-localization based on IP, GPS-level accuracy isn't necessary for ads. They could've already connected your data from maps.google.com to www.google.com, because both are using consent.google.com and you're getting a .google.com unique cookie.
This is mostly just outrage because people don't understand how things work.
It may not be the only reason, but you’re being too generous if you don’t think this was at least one of the reasons they did it.
Other than some abstract “branding” campaign, I cannot really see many other reasons why they would be doing this.
And as someone who worked in adtech in the past, it was very well known that Google used their domain as their tracking cookie domain as it’s nearly impossible for adblockers to just block without crippling other functionality. So they even have a history of using precisely these types of techniques.
> but you’re being too generous if you don’t think this was at least one of the reasons they did it
If you consider it absolutely unthinkable that it was not one of the reasons, it's you who is being too generous. Unconsidered side effects occur plentiful and all the time.
This is cute, but 100% no. In this case, those involved in the decision were aware of the privacy implications. Whether this was discussed openly, or whether the change was made 'pass-the-buck' style, it doesn't really matter. The association of privacy settings with domains is a well-established basic function in the browser.
> If you consider it absolutely unthinkable that it was not one of the reasons, it's you who is being too generous.
The person you are replying to didn't use the word "unthinkable" or even imply it.
I think you are being either incredibly naive or disingenuous if you believe an adtech giant like google doesn't factor changes to data gathering into every single decision they make.
My default mode is to trust everyone until they break my trust. Now that I am old, I have realized that trusting everyone by default is not a good idea, especially big tech.
In cases like this, I think it is better to assume malice, even if we are proved wrong later. This is not our fault, this is big tech screwing with us repeatedly for years, with no shame or conscience
Exactly. If you trust people you will often be rewarded by friendship and future help. If you trust cooportations they just exploit that to maximize shareholder profit with no value to me.
Perhaps you mean persons deserve the benefit of the doubt? People seems to be the root problem.
I expect there is no difference between an individual and a corporation operated by a sole individual. If one is trustworthy, they will remain equally trustworthy if they happen to have a stock certificate in hand. The corporation isn't able to act autonomously. It acts with equivalency to the person it is represented by.
Large corporations, involving people, is where communication breaks down, which leads to unintended consequences that wouldn't necessarily be realized if an individual was acting alone. When you have people there are bound to be competing interests created in the confusion and it is not always a straightforward answer who is best to honour. Even where intentions are pure humans are bound to make mistakes in their choosing.
I think the question is whether a effective feedback loop exists.
If a local dealer does something bad they quickly receive corresponding response.
A big corp is detached and anonymous. As long as there is no broad boycott there are rare cases where response really reaches them.
If a big corp has a sales force the sales force is responsive to feedback, however the corp then quickly turns anonymous to them and whatever they put in the system doesn't reach the right places ...
Even if it's entirely innocuous at present, that's still little better. It would signal modern-day Google engineers lack the nuanced understanding and user-first deliberation of their predecessors.
Given the breadth of services the company provides, a user ought to be able to restrict the permission to the scope of the maps tool.
bro, data is money and those corporates extract as much as they can. don't try to reason that google would not be interested in exactly that. one does not have to find a specific evidence for exactly this scenario in my opinion. this evidence likely might never emerge, while the spying definitely will happen. otherwise you would need to come up with a huge scenario where they actually farm a ton of benefits by doing this change, because a move like that you don't "just do for a better experience".
> But the blog post basically list a single symptom and jumps right to the one conclusion that fits what the author expects.
That conclusion isn't wrong though. Your comment basically claims author is twisting facts but the conclusion remains that giving google.com/maps permission to geotrack does give google.com permission to geotrack.
"Pinky swear I won't enforce that clause" is not reassurance enough.
The real reason or intention isn't that important, compared to the outcomes of the change. The author correctly evaluated one of those outcomes and the respective implications.
Given Google's track record, I think it is a sensible evaluation of the situation.
When companies like Google are involved, I believe the Hanlon's Razor works in reverse. I.e. never attribute to stupidity that which is adequately explained by malice.
I will accept motivated reasoning when in a friendly setting but big tech is not my friend. Their only and only purpose is to extract as much value (data or money) from me as possible.
Looking at Heartbleed and other famous security we should know that minor mistakes "disguised" as "typos" can have devastating effects.
The change may have happened for any of many reasons. Regardless of which reason was the motivator, it's clear impact is reducing user privacy. When talking about a tracking/advertising company, so it's kinda natural to assume that this was kept in mind.
Recently I have been trying to recover my gmail account. Besides sending verification code to my phone number, it also sent a code to YouTube app, high on the list. I have lost access to my google account, so I cannot open my YouTube. So it sent a verification code to the exact gmail address I am trying to recover. The whole process is unreal. This YouTube verification thing is definitely new, I don't know the motivation behind it, it couldn't even detect if my YouTube App was activate or not (or maybe it knows I wasn't using YouTube, maybe it is encouraging me to log in YouTube or open YouTube. Either way, I am not impressed.
Meta: my answer here is probably also a good example of motivated reasoning because I likely read a bit more into what the author wrote than is factually in the blog post. Oh boy.
I think my critique is somewhat correct in that you seem to suggest that this change was made to allow for expanding the permissions from one product to all products, which I don't think one can derive from the things we know.
I think I was somewhat wrong in that I may have suggested that you said this was the only reason (which you didn't explicitly) and also in that I dismissed that they factually can use these permissions from other products now, i.e., no matter whether it was intended or not, the permissions set for other products is broader now.
> [...] though I'm sure they're just beginning to transfer their services to the main google.com domain.
This and the wording across the article imply more than the factual changes. But granted, hooby's comment above is probably more correct than what I wrote.
Are people really surprised when they hand their location off to a domain that any other part of the domain might have access to it? Like, taking away the technical specifics of how location allows actually works, you’ve given the data to the _company_. At the very least, they throw it on an internal service and allow other parts of the company’s infra to grab it.
The only conclusion this article made is that google now has the permission to-do so, and this is 100% correct - motivated or not. Although, given you overly defensive response makes me suspect you have more insight than we do..
I disagree on the former, but I agree on the later, technology is not a good substitute for consent.
Regarding the privacy:
If you are using a VPN to protect your privacy, then you are effectively transferring your trust from your ISP to your VPN provider. The VPN provider is your new ISP. So you have to make sure you trust the VPN provider more than your ISP.
I don't use VPN when I'm on my home ISP but I do when I'm someplace where I don't control the gateway. My VPN is on a vultr VPS I control (in as much as I can control a VPS), and I do trust vultr (or digitalocean or any of the major VPS providers) more than I trust, let's say, the person who set up the wifi at the holiday inn.
If only there was a drop in replacement for Google Workspace… even if you use Fastmail for email you don’t have Google docs anymore and that’s a huge piece…
I believe that's only if the GA account is connected to an Ads account (or set up to collect demographics, I think). By itself, GA will only use https://www.google-analytics.com/j/collect (or /g/collect for GA4).
google.com/maps would result in a DNS request for google.com so anyone monitoring DNS would know they are connecting to a google service but wouldn't know which one.
maps.google.com would result in a DNS request that show they are connecting to maps.google.com and could presume they want some maps.
DoH (and ESNI on the server side) would fix it, but iirc Chrome (the most used browser) doesn't use DoH by default.
My point about Chrome is not that it can’t do DoH but by default it doesn’t so relies on the system settings which for the vast majority of users (not us geeks who explicitly opt in) never change and use ISP supplied values so DNS snooping is still a thing for the majority.
Should a browser override system settings? That’s another question, because doing so can impact other things for the avg Joe. For example my mobile providers self serve website plays up when I use custom DNS, free hotspots with captive portals also can be an issue when you override the DNS provided by the access point.
I understand your point, but anyway, no app, no browser should ever think that "it knows better" and attempt to fix what it considers incorrect. It may think that it protects the user, but in reality, it will break what the user configured. Private DNS zones are common, and if the browser ignores user configured DNS, they will break. And as I wrote elsewhere, just because the machine is configured to use 53/udp for a resolver, it doesn't mean that the resolver is forwarding over 53/udp too.
If you want to solve unsafe defaults, this is not the way. Pushing for configuring safe defaults is.
If a general purpose browser can empower hundreds of millions or even billions of regular users with better privacy (and ultimately, security) by making a change that might disrupt a small handful of power users who manually configure this stuff, I say the browser should go for it. The power users are the very people who can, without much effort at all, reconfigure their stuff, or easily find a special purposed browser, so they'll be just fine.
Spock was right, logic clearly dictates that the needs of the many outweigh the needs of the few.
The problem I fear is the needs of the few who are not technology minded, don't want their browser (or in their eyes their internet connection) to stop working because their ISP issued router uses a DNS based captive portal to onboard people (I've seen this used by atleast one major ISP in the UK to on-board devices onto their per-device content filtering system - BT, however I think they rolled back on that after it was caused issues with IOT devices).
However I believe (not read the docs in a while) FireFox works around this by falling back to DNS if an issue with DoH is detected.
EDIT: However I'm still on the fence if it should be a browser decision. Yes browsers move more quickly then OS & ISP changes and can make things better for the masses quickly, but i'm also wary of those changes screwing up the avg person, the people like my mother who can just about order things online via her ipad but thats about it, if she accidentally lowers the screen brightness of her ipad I soon get a call about it. Its for those kind of people I don't like the idea of a browser messing around with a connection in unknown network conditions.
> If a general purpose browser can empower hundreds of millions or even billions of regular users with better privacy
This statement makes a huge assumption, that the DoH provider is more trustworthy than your existing DNS provider. Personally, I trust my ISP (Small, locally owned) with my query history than I trust Google (Massive, exploitative advertising company). The fact that Google is automatically turning this on to scoop up DNS information without users consent should be illegal.
…, I get the "wrong" IP for anything hosted by Akamai (i.e. an IP address that corresponds to a part of their CDN which has abysmal peering with my ISP and is completely unusable in the evening)
Even if you are using DoT, the DNS provider will still know you're using Maps if it resolved the subdomain, and the DNS provider itself might well be the biggest privacy threat here.
> DoH (and ESNI on the server side) would fix it, but iirc Chrome (the most used browser) doesn't use DoH by default.
It would fix it for some specific circumstances. Since maps.google.com resolves differently than www.google.com, you can ignore DNS and just look at TCP connections to tell what service is being talked to.
Granted that Google is basically the exception here. But when I query the IP's for maps.google.com I get 142.250.179.238 and when I query google.com I get 142.250.200.14
If make a http get request to 142.250.179.238/ (the maps IP) but with the host header set to "www.google.com" I get the search page returned to me. If I make a http get request to 142.250.200.14/maps I get google maps.
OK. /maps might be a bad example because well google.com/maps is already a thing :-p
So if I make a request to 142.250.179.238 with the host youtube.com I get youtube. This is because most of googles public facing servers can act as the front door for many other google services not just the service that its dns is set to.
Not really sure it it comes under "domain fronting" because isn't that tactic many used to bypass censorship, pretend your connecting to one CloudFront customer when really wish to connect to another. Where google explictly configured their services to do this so they can easily load balance as demand and network conditions allow. Anyways I'm rambling now.
My point is, with google you can't rely on the ip address alone to determine the service (however it still wouldn't stop you peeking into connection and pulling out the host header unless ESNI was used) but as I said at the start, Google is more the exception here.
> iirc Chrome (the most used browser) doesn't use DoH by default.
Last I checked, Linux was behind other platforms because there’s a lot of complex custom dns configuration that chrome (understandably) didn’t want to be accused of overriding/ignoring, but which isn’t all easily visible to the browser
Which is the correct behavior; if the user wants to configure his computer to DoT/DoH, system resolver is the correct place and Chrome has to respect it.
Even if the computer is using 53/udp to the configured local resolver in the local network, it doesn't mean that the resolver itself is using 53/udp. Many of them can forward queries using DoT/DoH/IPoAC and the app on the users computer will be none the wiser.
As others have noticed, this is not a new move. For the past several years I've been accessing Google Maps simply by typing in maps.google.com and it has always redirected me to google.com/maps.
Even more confusing and a regular cause of annoyance for me that's been ongoing for a while now is there's like a knockoff version of Google Maps built into Google search that it'll kick you into if you click a map from search results. e.g. you type "gyms near me" and it shows you a map in the search results, and you click it to expand. It's still at the google.com/search domain and while you can zoom and pan around, there doesn't seem to be a way to arbitrarily jump into street view wherever you want, which I frequently want to do.
I'm constantly ending up in this view, fighting with it before remembering I need to go to real Google Maps and do my search again.
Same. It's so annoying and I feel like they do not always include the relevant info like the URL in that mode. Though looking now I did not find examples of that.
Funny, for me it’s the opposite. I always try to use the web view, and there’s an annoying pop up that redirects me to download Google maps. When I switch back into the web browser to go back to the web view, it auto redirects me to the app download again. Super annoying.
Yeah, but do you want to bet that during the management call and the subsequent engineering call that made this decision, the main topic of discussion was the direct financial benefit from improved tracking?
We'll never know, but if we could find out, say 1 year from now, I'd bet 100:1 that was the main driver.
The 2 things aren't mutually exclusive. Because it reduces complexity you will likely see a financial benefit from the cost of the engineering team alone. Having managed an infrastructure with a ton of subdomains I can say that it's almost certainly in their best interest to standardize the domain across all tools at least for engineering. Your data is just an added bonus :)
I actually find that somewhat reassuring, similarly to a Google employee criticising the security practices of a Google-operated certificate authority in public[1]: it demonstrates that the team responsible for instituting security policies in the interest of users still has some autonomy.
thought they have moved mail.google.com to google.com/mail a while ago. Tracking would still be possible over 2 domain, but then google would have to do a bit of ETL operations. Guess this will save some more engineering.
Genuine question. Is it reasonable as a user to expect data collected by Google via maps.google.com to not be shared with other Google applications e.g. mail.google.com?
I'd have thought data collected on any of their domains would be meshed/merged behind the scenes where it suits them to do so?
I think the concern is less about other Google businesses having access to maps data as you suggest.
It’s more about the fact that using non map Google services on google.com will not prompt asking for location service permissions, if they’ve been granted when prompted on google.com/maps already.
Users may not want location to be collected for searches, but are okay with the privacy tradeoff for it being collected when using maps.
I think the concern is more about when Google is able to collect said data, not whether it's shared or not.
I don't have location enabled for Google maps in the browser, but if I did, then presumably Google could collect that data also when I'm just searching for a website.
No, what they are talking about is all Google properties (eg Google search) now being able to collect your location every time you use them, if you granted permission for maps to get your location.
So it’s now not possible to block location for search, and grant it to maps (at least using the standard browser domain permissions model).
But they could've been doing that all along because they control both sites, they would've just needed to use an iFrame. What changed beyond "it's a little easier now"?
Is that how browser permissions work? Naively I’d assume the browser grants only search.google.com permissions on that url, even if maps.google.com is opened as an iframe.
It's been ages since I've played with iframes, but I'm pretty sure it does (or at least did?). You might have to specify an allow policy [0] but that's no problem if you control both sides. Since iframes are secure, data wouldn't leak unless the iframe explicitly posts it.
I don't know if you can request permissions from the iframe (might confuse people), but if you already have them, it ought to be fine.
Thanks for the docs. The examples (2 & 3, https://github.com/w3c/webappsec-permissions-policy/blob/mai...) seem to me to say that search.google.com can’t grant location permissions to an iframe if the parent was forbidden them, but I didn't find an explicit example for what happens if the iframe domain already got permission previously.
As you say the UI for requesting in this case would be weird, and this seems like a big security hole to me, but I can’t see a bit of the spec that explicitly forbids (though I only scanned the doc.)
They can already join your activity across everything. This is about access and collection. So if they move store.google.com to google.com/store, they will have access to all browser permissions you gave google.com/maps or google.com/flights.
I'm ok with sharing my location with maps (and therefore google) WHILE USING MAPS.
Not when I'm reading my emails, or searching for something on the web.
It could be tricky with permissions on different users: for instance you authorize google.com/maps to track your location while logged as user A.
You logout and switch to user B to look at another Google service, but google.com is still allowed to get your location, and will stick it to user B, which is something you might not have wanted. This didn't happen with the previous domains, so could be a surprise.
Oh having though about it I agree, I just think we're probably a minority.
As others have pointed out the line has been blurred between search and maps so far that maps has search embedded, and search has maps embedded. A lot users of Google search likely expect results to be location aware without realising what privacy has been eroded to enable that.
Applications are not juridical entities, so at the absolute best it is debatable.
Most probable version is that they share as much data as their internal regulations say, or a bit more. They definitely have some form of internal regs on this, for basic security hygiene, but they write it.
FWIW, there's an EU regulation coming that prevents companies from using data necessary for a product (like maps) to be used to improve a different product (like search).
I'd be interested to find out whether this works as intended. There's a good argument that maps is a subset of search. Most people don't open Google maps just to look at a map, they search the map for a place.
IIUC, maps would send your location to search if-and-only-if you make a search from inside maps, since that is necessary to do the precise location-based search.
I suspect this may more be to do with large organisations (and equally foreign governments) wanting to block Google translate, since it can be used as a proxy in some cases.
It's a very strange move indeed. maps.google.com implies an application lives there, far better than being on the root domain.
It also means that when you start typing maps.google, you'd get all your history searchable related to maps, although arguably that's useless.
I can't think of a reason why this would be a good technical move for Google (ignoring the don't do evil thingie), other than simplifying... certificates? Less lines in the firewall config... I'm stretching here, help me understand.
Other things: slightly simpler external DNS surface, probably tiny speed improvements because users only need to have the IP of www.google.com, not one for maps, one for www, one for whateverelse.
More possibility for connection re-use, as you'd only need to have a connection open for www.google.com, not one for each service.
And security wise: ISPs can now only see that you're accessing something at google, but not which service exactly. If they also bring in accounts.google.com into the fold, that would make it harder to see whether you have an account or not.
True. I’m sure being a beyondcorp company they can’t figure out how to add dns entries. Those google guys really should learn more about the internet and it’s technologies.
I don’t buy the simplicity argument for a second. The infrastructure exists, has existed for many years, and is not particularly exotic in the world.
The only thing that matters to a surveillance and advertising company is surveillance and advertising. You don’t need to overthink this one.
That’s a rather simplistic take; a company that makes money by surveilling you as you use their products also must care about the quality of their products. If their products suck, fewer people will use them = fewer people to surveil = less money! So not all changes are necessarily directly in the service of surveillance.
Also, I don’t think your reply to the above comment was entirely fair; they didn’t say anything about adding DNS records, and also mentioned several other potential benefits of not using subdomains.
All changes are in the service of surveillance. If making the honey pot sweeter works then they’ll do it. If making it more pervasive and intrusive while not offending anyone away they will do it. They will do nothing that hurts the mission to mine and sell advertisements, and all actions will lead to that.
I know you mentioned other things but they’re all sort of in the same bucket of “not that hard once done” and “google can surely do that without blinking an eye”. I would posit the move away from a subdomain to a root domain is hard and complex and benefits end users not one bit. Perhaps the end state is easier on the margins, but again, I doubt given it’s been that way for so long it’s effectively any easier for engineers or operators at google in any way what so ever.
Well, other than those responsible for surveilling all the things.
As you mention there are plenty of performance reasons to run everything under a single hostname. There's also one especially vital for Maps, it loads a tonne of resources and maps are used in various other services at Google. Now that caches are being siloed down to the host level, having all the resources accessible in a same-origin cache will save bandwidth and increase performance for users.
> "It's a very strange move indeed. maps.google.com implies an application lives there, far better than being on the root domain."
How does "maps.google.com" imply an application "lives there" any more than "google.com/maps"?
Technically speaking, "google.com/maps" is far superior to "maps.google.com" (check out the rest of the comments in this thread for examples: simpler DNS configuration, simpler certificate management, CORS, cookies, etc).
google.com/maps is simpler to type on a mobile phone and more consumer friendly, I’ve always used google.com/ pattern, way easier to leverage autocomplete, type a g to autocomplete google.com then if you are looking for flights type f and in 2-3 clicks you are on google.com/flights
Yeah, but flights.google.com or translate.google gets you there even faster.
dns segments are shown backwards for a reason. it was done so that the most specific part shows up first when searching for something.
I have to admit as a data structure snob. I vaguely wish it were the other way around, sigh, as much as I hate to admit it java classes got it right. I also have to admit it does not really matter that much.
Yep. Noticed when I didn't want to enable JS on the whole of Google's domain in μBlock Origin. I switch to another browser for this task alone—especially as some regions have incomplete data for OpenStreetMap
- "Organic Maps" (a fork of the old MapsMe codebase) if you want a clean, simple user experience
- "OSMAnd" if you want a very powerful, highly customizable map application, which comes at the cost of a steeper learning curve
Both apps are open source and support navigation, offline maps and POI search.
The things I miss most compared to Google Maps is live traffic information and the powerful search. However, this has a privacy cost, so I generally try to use OSM first, and only fall back to Google Maps (in the browser) if I really need to.
Lets not forget StreetComplete is a dead easy app to use to help contribute to OSM. It just asks you a few questions like "is this bench still here" or "is there a bike lane on this road" etc
Can I use this app to suggest issues? In one of my projects I found a bunch of buildings that have either the wrong direction or the wrong coordinates. Think "Random street 1, 2 and 4 are next to each other, but Random street 3 is 500m away". But since it's a city I don't live in I can't go there in person and confirm.
I use OSMand for walking and biking and it's great, much better than Google Maps in my region. Just remember to choose the right kind of traffic in the settings when starting navigation.
Organic Maps is also significantly more optimized in my experience (or maybe a more fair thing to say would be: is faster because it does less). So it pays to have both because OM is basically the "fast path" for its use case in more ways than just the interface.
The performance is good (especially on a budget Android device, better than the recent versions of Google Maps, even), they're reasonably accurate (I'm in Eastern Europe) and include navigation, traffic information, public transportation, as well as the ability to save regions for offline browsing.
I can't comment on the company behind it, though, but it's a nice alternative nonetheless (and there are simple prompts for choosing whether you want to send them any data, e.g. to enrich traffic information).
Edit: as a criticism, some Android reviews suggest that recent updates have made the app less performant than previous versions, though I didn't notice anything in particular on my current device (2020 budget phone). Some also suggest that navigation needs more work.
From where do they get traffic information? The only viable app that I've ever seen for traffic data is Waze, because of the huge install base. I do remember HERE from when they were a Nokia brand, but even with that history I think that they'd be too small to have good traffic information.
Is panning and zooming in OSMAnd not a huge pain for anyone else? The map rendering (of downloaded maps) is extremely sluggish and absolutely useless for me to use. (Even worse than the tile-based rendering of early Maps on iPhone.)
Organic and MagicEarth work fine for me. I really wonder if it is just my setup or if everyone else suffers from this. I am on a Pixel 5 with CalyxOS using the OSMAnd+ from Fdroid (but same with normal OSMAnd from Aurora)
I have the exact opposite experience with OSMAnd on Android.
The map rendering of OSMAnd is faster than Google Maps (using a 3+ year old smart phone with a low-end Realtek SoC). Like really way way faster/snappier.
My setup is a Chinese brand Android 10 with default OS (rooted)and OSMAnd+ from Fdroid.
The only possible cause I could think of is that CalyxOS is somehow missing proper video drivers for your Pixel?
It may be a bug of Android:
Newer Android versions have further locker down sd card access. The implementation is apparently super slow for stuff like what Osmand uses. Dont put the map data onto the sd card or use one of the predefined locations
Edit:
If that is not the culprit then check if OpenGL rendering is activated.
You can also deactivate unneeded features from being rendered (buildings, areas, etc). And lastly there are smaller road-only maps (no POI data and no adresses though)
Thanks for letting me know. I don't have a sd card, activated the dev plugin and enabled opengl but did not see any real improvement. I will open an issue with a screen recording on their repo now that I know it is not supposed to be this bad.
It's not just you. This comment claiming better performance than Google Maps is baffling to me. OSMand has been slow on every phone I've owned (OnePlus 2, Pixel 3a and Pixel 6a). Enabling OpenGL and restarting improves panning/zooming framerate, but tiles are generated at the same slow speed (maybe even slightly slower).
What really matters is the amount of data. In my local town I can scroll around no problem, but in a more actively mapped area like Amsterdam it takes at least couple seconds to load.
I'm a OSMand user and OSM contributor. However, sometimes I hate the routing OSMand provides, taking me through narrow streets with awkward turns. Wish they used GraphHopper...
A nice feature in OSMand is that even if you get the free version off the Play store, if you log in with OSM and are active, you get free map updates and all the "plus" functions. And on top of that, the full plus version is available off F-Droid.
By the way, OSMand has some support for reporting traffic issues (police, crashes), but it's very very limited due to low adoption way below a critical mass. Also, reporting traffic status would probably require OSMand to run a pretty beefy server and get the current speed/traffic info from all the users - many chose it exactly because they don't want that.
Maybe you know. I've been told twice that OSMand can show the altitude above sea level of a location, but I cannot for the life of me figure out how. Have you any idea?
- go to pugins section and activate the contour lines plugin
- then go to download maps and load the contour lines data for your region
- go to configure map and check the show contour lines option
I think you need the f-droid Version or the paid pro Playstore version or the subscription. Please note that this will only show marked contour lines and not interpolate/estimate the elevation for any point. So you need to search for the next line and get your own idea what that means for the specific location. Not ideal for very flat areas with sparse contour lines.
For the current position you can show GPS elevation (settings, configure screen, widgets)
On iOS, I have mine configured to show the altitude in the top right corner of the map view. The settings are admittedly confusing but if you just poke around in the map display settings you should find it!
I have Organic Maps, because I thought it would be nice to have in case of an emergency where I don't have internet, but sadly just a few weeks ago, I had such a case and Organic Maps couldn't find the address and the map itself didn't have all the roads on it (nor satelite or topology map), so I couldn't even use it as a normal map... In the end I had to resort to one archaic ways and ask local humans for directions...
Google maps does offer being able to download for offline use, but if you don't have internet it quite often doesn't want to do navigation, unless you trick it with saved directions.
How does Garmin do it (I'm guessing map licencing issue)?
I hope the author of OSMAnd makes enough money from the play store to finance continued development, because the application is amazing, it has an interface that is not dumbed down, it does not phone home to the mother ship, it gives you great tracks, in short it is a great tool that respects the end user.
I wish more applications were like it, first thing I install on my phone.
Unfortunately this is really not an option for (some) areas in the US. After having moved to a populous LA area from Germany I was baffled at the lack of detail in the maps. Basic things like building numbers are entirely missing. Even after adding more and more details I would never fully rely on OSM here sadly. And if it only works sometimes why even bother using it in the first place? At least this was my progression. From fully using OSM, I am back to Google.
The only good in-between solution is MagicEarth which supplements OSM maps with data from lord knows where. However although they claim to be privacy cautious they are quite opaque.
Also, do not fully rely on Google Maps knowing house numbers. Looks like in some areas (in UK for example) Google used some sort of OCR to find house numbers. There are houses and Wales with random house numbers that only have a house name; Numbering ends a few houses into dead-end alley where the Street View car didn't come; Or totally wrong numbers where house number sings are hard to read.
Australia went to mandatory house numbers in, I think, the 60s but my grandmother refused and gave out only her house name until she passed away in the 21st century.
Does your location have a Place ID? Google originated Place IDs for exactly this type of use case, so that people could find places like yours without an address.
A lot of the US road map was imported from TIGER (<https://en.wikipedia.org/wiki/Topologically_Integrated_Geogr...>). This is an electronic mapping system set up in the 90s by the US Government to aid in conducting the census. The TIGER data doesn’t have any address information at all, just road shapes. No information about the type of road, the number of lanes, the quality of the surface, presence of sidewalks, signals at intersections, anything. Just the paths the roads follow, and those paths are often of extremely poor quality. The resulting OSM maps are barely usable; sometimes they are not even recognizable by locals.
So OSM has decent geographical coverage of the US, but relies very heavily on individual contributors to correct the deficiencies and add useful information to the maps. The only way it will be usable for you is if others have improved it. The only way it will be usable for others is if you jump back in and do the same.
> TIGER data doesn’t have any address information at all
In the EDGE tables it does have ZIP codes and house number ranges, split into left and right side of the road. ZIP codes were imported into OpenStreetMap data. House number ranges are imported into the OpenStreetMap search into a separate database table, so searching works in a lot of areas but it's far from complete, all the issues you mentioned with roads that don't even exist etc
Not heard of MagicEarth before - looks interesting but what's missing is a "Why/how is it free" statement. They don't cover how they monetise this, what's their business model.
Makes more sense to switch to bing maps, since they have ever so slightly better satelite imagery and there's no way in hell anyone would use bing for anything else anyway.
Interesting. In my experience, OSM's level of detail in Amsterdam is much higher than Google's. Especially in bike routes, an area that Google often sucks at.
I live about 1 mile from suburbs in a town called Bingley in Yorkshire, England.
I can't trust Google maps locally (though its good for local business searches), as the mapping quality is terrible.
My village and local town have roads missing, numerous public rights of way missing (over both public and private land). Major areas of trees missing. OSM is much, much better.
I am noticing more and more how poor Google maps is for non-drivers (such as myself recently having to stop driving), such as not being able to do walking routes over local foot bridges, OSM with OSRM or Grasshopper is fine:
Sorry, I don't know. I used the OSM website for the purpose of this comparison.
I use the Magic Earth app on my phone, which has proprietary route planning (using open street maps).
While I like OSM for some use cases, and have contributed, it can not work as a replacement for google maps for every day use. My biggest problem is the search - absolutely unusable.
Technical nit: OSM as such does not have "a search". Geocoding (as it's known) is a separate component and if you dislike the one used by the openstreetmap.org there are other services that render OpenStreetMap data for you – perhaps with a better search!
Here's a question for someone who understands cross-site cookies (which isn't me): Why does www.google.com/maps 's site permissions show https://www.openstreetmap.org/ as one of the sites 'that can use cross-site cookies and site data'?
I found OsmAnd absolutely essential in my extensive off-road travels in Central America and Spain, paid to support it via Google Play, but i could not for the hell of it figure out how to submit photos and places. It forced me to create a separate account and then always gave me errors when i tried to submit
The separate account is needed for openstreetmap uploads/notes/corrections. You can add places on osm.org also or retry with the osm account using Osmand.
I have what i think is a separate account. Could you link a GitHub where i can create an issue and upload error screenshots? Even if it's not a bug but a feature, it should still be useful, because this flow is very confusing.
osm and wikipedia are proof that an alternative, more desirable, digital universe is not utopically distant but begging to be born. imagine if the world would somehow muster to dedicate something more than token support to such projects / designs
prediction: osm will eventually surpass wikipedia as the most successful crowdsourced effort because the more objective and simple nature of its data allows dramatic scaling. if even 1% of the billions of the world's roaming mobile devices get into the habbit of augmenting the osm database (e.g. using streamlined UI's like streetcomplete or yet to be build apps) the disruption will be on its way
Would you bet money on that? Google Maps is pretty entrenched. A competing 2.4 trillion dollar company that preinstalled their app on the most popular phone in the US couldn't dethrone Google Maps.
The problem is you loose a certain percentage of businesses and also user recommendations (no real alternative there). There is no real incentive for businesses to make yourself visible on OSM (probably many don't even know it exists).
Really depends, it can be much better than Google depending on country/region. Google Maps is not in every country good. Definitely better for any kind of outdoor activity like hiking, bicycle, ski etc. and offline usage.
I think this change probably has more to do with corporate firewalls than anything else. A lot of corporate internet access isn't set up to MITM the requests (a lot of places are setup for this, but a lot aren't). If they places all their services under google.com as suffixes, places that don't MITM won't have any way of stopping it as all they can see is the request to google.com.
Given the history of Google's stance towards privacy and tracking, I think it's naïve to assume technical reasons.
It may have been ok to fall for that argument for 10 years, but after AMP, manifestv3, android's location log disaster, the recording of wifi names and countless lawsuits across the globe, it seems that the resource of good faith assumptions has been depleted. Some may even say that trusting google (the corporation) to act on technical or altruistic reasons is delusional.
I'm as skeptical as anyone about Google's privacy record but I'm not so convinced that this really helps google invade our privacy more than it already does.
I haven't forgotten because my YouTube account to this day has remnants of that move. The same with my Google Contacts, it is an absolute mess of G+ and Orkut stuff that got shoved in there at some point and Google never cared to clean their absolute mess.
Indeed. If you use Chrome, you should just assume that your location is shared with Google at all times, since they likely collect it via telemetry anyway.
If you use Firefox, assume your location is always shared with Mozilla via telemetry... and likely indirectly to Google as well, since they use Google Analytics for so much of their infra.
Likewise for Apple/Google/Microsoft collecting data from iOS/macOS/Android/Windows. And of course your cellular provider.
As far as I know the only way to ensure your personal data isn't shared with your browser publisher is to use a verifiable, open source browser that has telemetry disabled, like Iceweasel or Librewolf. And an open source, verifiable OS with telemetry disabled, like... Fedora, maybe? Manjaro? But you're being spied on by your ISP or cellular provider anyway, and the US government indirectly through your ISP and cell provider. And let's be honest, foreign governments through some combination of ISP/cellular provider/govt backdoors.
Oh, and if you've read "Trusting Trust" you'll know that even OSS isn't necessarily verifiable unless you wrote the compiler yourself from scratch.
So I'm not sure there's much benefit to any of it?
> Oh, and if you've read "Trusting Trust" you'll know that even OSS isn't necessarily verifiable unless you wrote the compiler yourself from scratch.
And even a compiler you wrote yourself from scratch isn't necessarily verifiable unless you designed from scratch the hardware that you used to write it. Almost nobody knows what those Management Engines are doing!
Chrome users are probably okay with tracking anyway, but Firefox, Brave, Vivaldi, etc could implement more fine grained controls. Not only for geolocation.
Recently safari (on macos 10.15) started auto completing „maps.“ to „maps.apple.com“, although I only tried Apple maps once and always use gmaps. Maybe google noticed this and tries to circumvent safari‘s „preference“ for Apple Maps
Isn't maps.apple.com in your bookmarks? Most browsers suggest from bookmarks before anything else. Maybe it got added there in an update to. you know, improve your experience with the Apple ecosystem.
Its definitely not in my bookmarks. when i start typing, its under the section titled "top hits". google maps is right beneath it, but never first place
I have never shared my location via browser, including google maps. Still, google very well knows where I live and focuses on my home as default, when I open google maps. I'm curious what do you seek by sharing your location with google (maps)?
Perhaps your home router has a public IP. Google gets the location of the home router from just one Android phone connecting to it. I'm guessing.
But some home routers are behind CGNAT infrastructure: Then it's possible that TCP connections from the same browser can go through different public IP addresses.
Sharing the location helps Google to help users. And Google to target ads better.
I got this a couple of years ago, and noticed immediately. Just as quickly denied the request, because I have fingers and can type my current address. It's a minor inconvenience.
Not trying to be snarky, but it might be that I don't get what you mean: I just look at the street name, which is posted on every street? I've never been anywhere that has no address at all, but I guess in those situations it wouldn't make any difference if I only knew roughly (like when I'm camping?).
I wonder if this is why the mega-app model is so common for Chinese companies. It's far easier to justify collecting a million permissions when your app does a million things.
I think that is more a resurrection of the department store and mega-corp models: if you do a bit of everything then the bottom falling out of one market won't affect you badly as the other areas can soak up the temporary loss. Also, if you have positive name recognition in some areas this can benefit the others, and there is a passive advertising pressure of people using you for one thing seeing something else you have in store or linked to your name (where a more organic search to fulfil a need might be as likely to lead to a competitor as to you).
The difference that might break this analogy being that with a mega-app there isn't really a diversity of revenue streams despite the diversity of products/features: it all comes down to stalking to be able to better sell advertising.
Can you load, let's say maps.google.com/somepage in a hidden iframe and use postmessage to send location data if it already has access? Or do browsers force top level navigation for such permissions?
There were probably covert ways to obtain the same information but it's now easier for Google to grab the information using regular APIs.
It also means if app X and app Y on their own subdomains were previously using location APIs without any tricks, you are now effectively opting into both apps.
Bottom line: technically it doesn't matter but it probably makes a difference in practice.
Browser could implement finer grain permissions (i.e. only permit the API use for a given top level path regexp) but I bet most users won't bother fine tuning their grants.
What about other apis such as web notifications or webcam and mic access?
With separate domains we could allow notifications for one (e.g calendar) and disallow for another (e.g mail) at the browser level.
Seems like it would now be a blanket allow for all of google.com (with a toggle for each product setting, maybe?) which sounds like a very user hostile move.
I guess it depends if one considers Google products to be separate apps or Google as a whole to be a "Web OS".
(Also on the technical side there's not just google.com but also google.<2 letter country TLD>, which is even worse in terms of CORS, certs, or whatever. Would they get rid of that?)
Google Maps could have set your location in a cookie that is shared with google.com. Then search would have your location anyway when you next visit it.
It asked my for the permission earlier. I thought I'd granted it already and I didn't notice the sneaky domain switch, I've now revoked it.
I wish browsers had a more granular way to grant this and other permissions. E.g. Firefox just has allow/deny, and then "remember".
Granting it only if the user clicks the "show my location" UI element on the web page would be a closer match to user expectations, and would preclude pages from getting the permission in the background.
Of course that would introduce extra complexity, e.g. worrying about web pages sneakily making normal looking links the "get location" UX element.
There's probably no secure way to do it except for the webpage to communicate that it's a page that might want your location, and for the browser to show the "send my location" UX element itself (e.g. in the toolbar).
This made me think how much would I lose if I'll just block all *.google.com domains in the browser? I was using DDG for search and Firefox for browsing for many years without problems, but I also still use Gmail and Google docs (or whatever they are called these days, Google for Work?). Maybe, a blanket ban plus a few exceptions like mail.google.com, docs.google.com, tables.google.com and drive.google.com would not cripple my workflow too much.
Some years back (my memory suggests somewhere between early 2017 and early 2019), Google moved reCAPTCHA to www.google.com, so now anything that uses reCAPTCHA (and that’s a lot, far more than is reasonable when I contemplate the absurdly high efficacy of a simple hidden-by-CSS honeypot when it’s just junk you’re filtering rather than targeted abuse) depends upon www.google.com frame, script and xhr, and www.gstatic.com script.
There may have been other reasons as well, but I have been strongly inclined to consider this a hostile and even malicious action (organisationally, if not individually) from the start, more than the maps.google.com → www.google.com/maps shift (though I think it’s still at least hostile).
Thus you probably can’t quite block even www.google.com even if you never use any Google services yourself.
> (or whatever they are called these days, Google for Work?)
Gmail is currently branded as part of Google Workspace, and shows the Workspace logo upon sign in. It probably has been that way architecturarly for a long time, but I think they have made it more explicit relatively recently, at least for non-corporate users.
It looks like "Google for Work" is an old name of Google Workspace.
On another note, I feel like EVERY day my iPhone asks me if I want to share my location with google. I’ll be searching something in Safari on google that’s obviously location based and I get a dialog that pops up. I have allowed it 100s of times.
I hate this and don’t want to see it ever again. Allow always, allow never, I don’t care. This reminds me of the GDPR popups… I feel like once you have popups everywhere, they lose their value and become an annoyance
Just FYI. After this rant, looked it up and apparently you can set in OS settings to allow for all websites, or deny for all websites. No granular control though
This makes it problematical to block. Previously you could give location permission to map.google.com and not elsewhere. Now you can't be more selective: remove permission from search/other and maps stops working (or doesn't work as well).
As others have pointed out, there are technical benefits too – but most (all?) of these technical benefits are essentially because it works around features designed to limit the scope of permissions.
Most people don't check their accounting settings, to see the massive amounts of data that Google is collecting on them or the amount of tracking they are doing. Even if a person adjusts the settings, its not really known to what extent the continual collection is actually mitigated or privacy is being ensured. To include users data being sent to 3rd parties or governments at Google's prerogative or their employees, or to the extent results and services are manipulated for Google's own internal purposes and benefit.
I’ve noticed that Google searches often request location. I never say yes but most people will to maps. So yeah this makes sense… as a way to make sure I don’t use Google.
I'd appreciate a shred of evidence to back this up. It's been my finding that people don't have any expectations of URLs at all. People expected .com in the 2000s, but times have changed.
I kinda like the new url. The other reason could be that browsers won't be able to autocomplete the url any more if you start typing map... and hit enter to go directly to the site. Now you probably have to do a google search for "maps" first and then click on the first link driving more traffic to Search.
I think the main issue here is people conflate the security boundaries defined by the website operators with the security or privacy boundaries a user might want to enforce. The web origin chosen for the service operator's XSS sandbox is not necessarily what a privacy-focused user wants. It's only useful when a trustworthy operator is designing for the benefit of the user.
There should really be a more granular way for the user's policy to adjust the origin definitions used for cross-origin logic as well as other types of content blocking and enforcement.
Why shouldn't they be able to grant any permission to be used in a single page https://example.com/app1/usefulpage and not in other pages on the site?
The multi-container approach to browser session isolation faces the same issues. Different users may have different preferences for when navigation shares the session and when navigation should kick you into a new session that lacks authentication, tracking, or app state.
It makes sense to use geolocation for search. It's not just for searching for businesses, as the meaning of a word you are searching for will depend on where you are.
IP-based geolocation isn't very reliable. And if people are using VPNs then it's useless.
Google maps is pretty much one of the only Google products that I still actively use. It's funny that this article was written and published today, since I had noticed the exact same thing yesterday! Does anyone know when it first started?
I’ve been seeing this redirect to google.com/maps for at least a year now because my default has always been to type maps.google.com and I find it weird every time it redirects.
Google has been prompting me with an Accept / Reject dialog on Maps and YouTube for years. It used to be split in several sections but luckily it became only two buttons a few months ago. I click reject and start mapping / watching.
I've been using Mozilla's extension[0] that contains everything Facebook-related automatically with Firefox containers and it's been working great.
This morning I looked for a similar extension for Google and I've found this fork[1] of Mozilla's extension. It's working as expected so far but I'd love for it to be officially maintained by Mozilla at some point. There is an open issue about it[2].
Probably the best tech we have against tech giants today. I mean, heavier solutions exist (like QubesOS), FF containers are so easy to use, I hope more people learn they exist.
If you put all G-services in their own container, google.com/mail can't access google.com/maps cookies, so, will it also not track location. Not sure actually, they indeed probably store your "consent" on their server. Could you block location services per container perhaps?
Hmm this is a smart move indeed, all of a sudden I'm logged into G-maps whereas I wasn't before... FireFox helpfully opened google.com/maps in my Google container...
I noticed that Google Search itself has very recently become much more aggressive about asking for location permission. Coincidence, or is collecting more location data someone high up’s KPI for the year?
I've tried to avoid logging into my Google account on Safari on my iPhone because I am scared of them tracking me, but I also wanted to use the Google Keep app for sharing a shopping list with my partner.
But when you launch the Google Keep app, iOS asks you whether you want to allow the app to share data with "google.com". It turns out that there is no way to sign into the Google Keep app without also signing into Google in Safari! I don't know how this works, but it is horrible! If I want to use a Google app on my phone, I basically have to give them permission to track me everywhere!
> It turns out that there is no way to sign into the Google Keep app without also signing into Google in Safari!
If you're wondering why you're getting downvoted it's because this isn't true at all. I'm signed into (several) iOS google apps and my Safari browser is not signed into google.
All I know is that I was not able to sign into Google Keep without accepting the data sharing prompt, and I was signed into my Google account in Safari after logging into the Google Keep app. It was of course possible to sign out of Safari afterwards.
I don't know how to reproduce the issue. I've tried uninstalling the Google Keep app, to trigger the alert again, but when I reinstall the app it remembers my Google account!
I'm really surprised how hard it is to get these cookies or app preferences or whatever off my device after signing in once.
EDIT: It seems the Google Keep app stores my account in the iOS keychain and there is no way to delete the item from the keychain without deleting all data on the phone, so I can't reproduce the "new device" situation easily.
However, if I try to add a new account, I get the same dialog. It says something like (rough translation) "Google Keep wants to use google.com for logging in. If you allow this, the app and the website are allowed to share data about your person".
If I tap "cancel" in this alert, I can't log in.
So as far as I can tell, what I said is correct. Maybe it was different in the past, but this is what the situation on iOS 16 currently looks like.
I think they probably did this for SEO. Having /maps on the root domain will help it rank higher in search.
This was a joke, but now I'm wondering if Google services are special cases that are hard-coded in the search results. Or are they just treated like normal websites and use the same pagerank algorithm as every other site? If I search for "maps", I see Google Maps at the top, and Apple Maps in second place, but they both look like regular website links.
They did this with Gmail years ago. Same scheme, I warned everyone that gmail.com would change over to a google related domain, and it didn't take long. And I tried to explain how it meant every email could be directly related to your internet traffic.
"What do I have to hide?" was always the response...
It did, I watched it explicitly for this reason, but I guess unless it's documented somewhere, oh well. It was even googlemail.com for awhile.
Edit: It's possible my concern was the subdomain and my memory is off. It moved from a subdomain to a /gmail at one point (or something similar). That is when I swore off it.
What clearly recall is that there was something wrong, either it was how it did a redirect to google.com first and then back or shared cookies in a very sneaky way that alerted me. (I was building sites at the time and I was privacy conscience early on in my career)
It looks like the result of the arm race with DNS based ad/tracker blockers. This move will for sure force the users to make a hard decision of "all or nothing".
If this ever was a race, it was always a losing one.
DNS-based content-blocker are woefully inadequate. I'd know since I co-maintain one and the barrage of complaints I get make it plenty clear where unaddressable limitations lie.
The GDPR does care about different “purposes”, it’s not just about the person/company relationship.
I’m not a lawyer but my interpretation of this is that consent for Google to use location data for maps doesn’t allow them to use that same location data for email.
> Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them.
the GDPR cares about the rights the company asks for, how long it keeps it, does it need the rights for the purpose, does it give you an easy way to opt out of the rights collection and so forth.
If in order to not let all of Google have your location information you need to opt out of letting maps have your location information it might be a GDPR problem. Considering also that this was not a problem that people had before if indeed it is a problem now it might be taken as a wilful circumvention of GDPR.
Exactly. The consent was provided for the specific processing, not the TLD. The processing and all of those that are not incompatible with it, that it asked permission for that furthermore adhere to the requirements imposed regarding specific and informed consent in the GDPR (see Article 4, sub 11 GDPR and article 7 GDPR.
I don't use the maps.google.com URL anymore because, 99% of the time, I use the app. Whether it's the PWA desktop app on Windows, or the Android app on my phone, I just don't go to the website of Google properties anymore, I use them through an app and that doesn't expose a raw URL.
I recall from my time in Google Geo years ago that the idea of integrating Search and Maps was a big part of the "New Maps" release that happened around 2014. The rumor I heard was that someone (possibly even Larry himself) wanted to be able to have interactive maps directly on the search results page, so that the navigation from a search query to a map wouldn't involve even a page reload. So the big Maps frontend rewrite actually ended up merging MFE into GWS, the web search frontend server. I recall seeing maps hosted at google.com/maps around that time, but I don't know if that was ever launched fully or if it was just an experiment.
In any case, though, my understanding is that the technical capacity for this has existed for nearly 10 years now, just behind a configuration setting. So it's possible that this change is just a code cleanup. It's also possible that someone is trying to increase the percentage of searches that have location information, that doesn't seem terribly far-fetched either, and I can imagine lots of ways people could try to rationalize it as actually benefiting users. (Whether it actually does benefit users is of course debatable.)
It is absolutely bizarre to me how half-assed Google is with integrating its products.
I have a week of events coming up in Google Calendar each with a different event location. Why can't I see a map of all those event locations alongside the calendar with all the same event details listed? Why can't I associate a Google Calendar event with a specific album or set of photos in Google Photos and see those in the map and calendar as well?
This is why I'm building https://visible.page with my brother. We have all these capabilities of visualizing data on the web, yet no one has actually put them together in a convenient and consumer friendly way to visualize any type of information together in one place.
All these big tech companies seem to just give up on any kind of significant innovation as soon as they reach a certain level of monopoly on their market. Twitter, Spotify, Facebook, Google, etc. I can think of a dozen significant feature experiments they could try that would make my daily life better using those tools yet they don't.
> It is absolutely bizarre to me how half-assed Google is with integrating its products
The answer can be summed up in one word: "privacy".
There are two forces at play here. One side wants privacy. When they give data to Google Calendar, they don't want Google Maps or Ads know about it. The other side (your opinion above) wants more integration between services.
In this political climate, the privacy side has an edge. This means if Google Photos want to access data on Google Calendar to provide the integration you asked above, they will have to jump through multiple quarters of privacy reviews, with a very high odd of being shutdown.
> All these big tech companies seem to just give up on any kind of significant innovation as soon as they reach a certain level of monopoly on their market
After I see how the sausages are made, I think claims like these are naive. It's worth learning more about the factors at play before criticizing something. More often than not, the agents are acting pretty rationally based on the situation.
> privacy
Do Not Give google credit for privacy.
first, showing maps for a location it is already showing on the screen... the data is already all there. it is pure and simple calendar team didn't want to bother using maps team's api. nothing else. nobody had a meeting and decided against it because of user privacy.
second, no matter the product, the only integration all of them MUST have is to both advertising and profile. those two internal apis respectively serve ads against your profile (ssp) and add events to your profile to later target ads.
so no, absolutely nothing on google deserve the privacy argument.
The privacy argument doesn’t make sense to me. The addresses are already in Google Calendar. They don’t need to be saved into a different service to be viewed anonymously in Google Maps. You can already do it in Google Calendar for one event/address at a time.
Yes there are business/internal-politics reasons why some obvious features or experimentation doesn’t happen, but those aren’t necessarily good reasons beyond short term benefit to specific individuals at a company.
But I do think some of it can generally be blamed on large companies losing their ability to be nimble due to the inherent friction of the politics and logistics that build up as an organization grows.
FWIW, I worked on the integration with calendar and maps - the GP comment is exactly right, it was due to privacy concerns. The terms of service for Workspace say that user data can never be used for anything not related to Workspace, so moving any user data from Workspace to another service has to be done very carefully.
In the example of this integration, allowing it to open in the sidebar was okay because it was a user action, and there is some data anonymization that happens (I don't recall the details, this was a few years ago).
But we couldn't share a list of your appointments with maps ahead of time to allow them to generate the view you describe, because there wasn't a way that guaranteed that the data wouldn't be associated back with the original user.
I don't think privacy has anything to do with it. Google Maps doesn't need to capture any user data to implement OP's suggestion. Google Calendar just needs to render a map with a set of locations marked on it using Google Maps. It doesn't need to tell Google Maps what or who the locations are for. This is something Google Calendar should already be able to accomplish using a public API. All other aspects of the feature could be implemented as part of the Google Calendar service without any further integration with Google Maps.
Further, I don't think users are generally against services using the information - which the user has presumably already provided intentionally - to better serve them. The problem is when that information is shared with third parties or used for purposes which are not obviously in the users' best interests. IMO, any user data stored externally should be subject to an opt-in permissions system which strictly defines how the data can be used. That doesn't stop companies like Google from being able to offer me useful services that I might actually be interested in. The notion that privacy discourages innovation is just silly.
After I see how the sausages are made, I think claims like these are naive. It's worth learning more about the factors at play before criticizing something. More often than not, the agents are acting pretty rationally based on the situation.
All of these concerns could be trivially addressed by leaving them up to the user. Add the necessary controls to the user account page, pick default settings biased in favor of privacy, and allow users to change them if they prefer.
IMO you’re spot on. The catch being that between showing an ad and matching photo locations, the former has a near straight impact on the bottomline while the latter is murkier. When both are going through reviews, that’s a lot of weight difference in the arguments and we’ll see more of one that the other.
Once Google has my data, how does it affect my "privacy" if Google Service A shares it with Google Service B?
I'm somewhat privacy conscious, but I don't understand the concern there. I assume that once I give them my data, they're already doing whatever with it internally.
It's amazing to me that people have already forgotten that Google had in fact already successfully done that with Google Inbox. It's not that they weren't able to do it.
It's that in their infinite wisdom they shut it down. Just like they shut down hangouts in their infinite wisdom.
what even was project inbox? at most five people used it.
hangout is now integrated in meet, which is integrated in gmail.
it's google doing a microsoft/apple and trying to be the leader in video calls/remote work/remote classes by forcing people to have it ready just by having the gmail app.
just like apple with facetime (but they have no idea how to expand on it) or Microsoft adding teams to windows status bar, you like it or not.
Both AOL and Google had, around the same time, secondary mail interfaces that provided extra features. Google's was Inbox; I've forgotten the name of AOL's. They were quite similar to each other, with each slightly better than the other in some ways. Both sites were slower* to load than AOL's and Google's standard email interfaces. Neither reached the market penetration or current-account conversion management wanted., and those of us who used them were sad to see them go.
* Google eventually added so many features to Gmail that they had to add a progress bar during page load.
An example of poor google integration that bugs me from time to time - when you search for a geographic feature, the info panel shows a great preview map with the outline of the feature. E.g. https://www.google.com/search?q=rhine+river
If you click into google maps, the outline is gone. Searching "Rhine River" just puts a marker at one point along the river.
This is not the case for me. I just now searched in mobile Chrome for "Lakeview Chicago" and the mini-map static image has a purple outline around the neighborhood. Clicking on that took me to Google maps with the neighborhood outlined in a red dotted line (which is harder to see, but obscures less of the other features/labels on the map). This was on Android, in the maps app, just now, but I've seen the same thing in a desktop browser.
Ah, you're right. It looks like the issue I'm complaining about only happens for "line" features - e.g. a river, or a road (https://www.google.com/search?q=route+66).
FWIW, OpenStreetMap can do it. I went to https://osm.org, entered "Rhine" into the search and clicked on the first result. Deeplink: https://www.openstreetmap.org/relation/123924
oh wow, it's actually worse for me: there's no marker at all, just a map of western europe: https://www.google.com/maps/place/Rhine+River/@49.34645,7.87...
Innovation, oh my, sometimes it feels like the fat ones (and, by proxy, everyone else) are living in some alternate fantasy world where the mantra "you're not gonna need it" is taken to the extreme, so they're not even trying.
The pendulum should swing back to complex and more complicated interfaces sometime — but right now these are the dark times where, for example, Netflix, this huge, popular movie and show library, doesn't even have a way to find out exactly what movies with some actor or director it has available. It's hard for me to wrap my head around that.
Your project does look useful and on point though!
The rumor/theory I have heard about Netflix is that increasing discoverability too much would allow people to see two negative traits of Netflix: How often things come and go from the platform (which other apps like Criterion Collection embrace), and just how limited their library actually is at a given time.
Scroll through recommendations. It looks like they have hundreds of great movies for you to watch! And yes, technically they do. But look how many times they try suggesting the same movies in different categories, inflating the view in a way to make the library seem bigger. One movie might show up "Because you liked comedy..." then "Because you watched <comedy movie>" then "Light-hearted movies".
TLDR money and masking their poor library quality.
I wonder if AppleTV's atrocious single-line onscreen keyboard fits into this picture of making things less discoverable, or if it's just an extreme of form over function.
Definitely not, because Apple gives users the ability to type search in on an iPhone or iPad instead of using the apple TV remote. They also let you do voice-to-text, which is nice.
It is entirely possible to both provide a useable onscreen interface and the iPhone connection option.
Whatever the reason (and I can think of many) it just shows how Apple is past the point of caring for their users.
I’m about to enable the new Facetime Live Transcription feature in iOS 16 so my wife can have conversations with her father, who is rapidly losing his hearing. For this reason (and I can think of many) I strongly disagree.
Fair enough, but that’s also a cool new feature that drives sales.
I meant it more like, why wouldn’t they fix this objectively bad input mechanism? It would take tiny effort but it wouldn’t improve their sales or they might even calculate that it drives usage of iPhones and therefore good for them even though it’s bad for the users.
For the record I own both an Apple TV and an iPhone, inasmuch one can pretend to own these devices.
I had to look up this linear keyboard they created, pretty unique.
Seems like it can be changed.
Settings > General > Keyboard, then switch from “Automatic” to “Grid”.
Wow! Thanks!
For some reason I wasn’t getting automatic updates but after a manual update I can now see and set this option.
I retract my earlier statements, thank you Apple devs!
Your app looks beautiful. This is something that I've wanted to build some time. Would love to help out if possible.
This makes perfect sense product wise, if I'm searching "bakery" on my mobile phone I probably want the ones around me and not the generic location-agnostic google search of it, just like I would if I was searching on map. Matter of fact, this is actually something I do a couple times a month, search then clic the maps tab to see localized results then from them click the website result to find their webpage.
As a techie I hate any direct change to the user-agnostic absolute search, but as a user I get it.
> if I'm searching "bakery" on my mobile phone I probably want the ones around me
And yet for me, even in google maps on my iphone, when I search for bakery, the first one is almost always one that's ~40 miles away, and the closest one is almost always the second in the list. The rest of the list is definitely not sorted descending by distance. If I've searched for a _particular_ ABC bakery, I get other bakeries commingled in the list even if I know damn well there are other ABC bakeries closer than those.
The first one is the one that put the most coins into the AdWords slot, I'd guess.
I live in the UK. I recently searched for “pizza” and the top result was in Thailand.
This behavior works exactly the way you would expect in Apple Maps. A search for a bakery returns relevant nearby results.
The fact that Google doesn’t see the blatantly obvious problem, or that they try to argue that the users are wrong is a textbook case of why Apple has been doing OK in the market downturn while Google’s business continues to crash. Apple prioritizes their core products and human interface design, Google prioritizes short-term (advertising) revenue, while neglecting their core products in favor of the latest shiny thing.
Somehow DuckDuckGo has taken this to absurd extremes. Almost any search that doesn’t get many natural hits shows branches of my local government toward the bottom of the first page of results.
I have seen this too, also on bing. Not just government though, sometimes it manages to find a local house for sale instead.
You do realize that duckduckgo is primarily a frontend for bing right?
https://en.wikipedia.org/wiki/DuckDuckGo#Search_results
What we see is likely the attempt to squeeze even more juice from advertising over which Google virtually have a monopoly. Google is trying to continue its exponential growth while relying on selling advertisements. The market had already been saturated and optimised to crazy levels. Smart thing would be to expand to other sources of revenue, but other projects inside Google fail. As they are failing to compete internally for resources against that crazily optimised source of revenue.
It is doubtful that Google can overcome that internally. Perhaps regulators should break up the monopoly in advertisement and search.
> if I'm searching "bakery" on my mobile phone I probably want the ones around me
Only when you're using a phone? Only if you're not at home? What if you want to find out what a bakery is?
(Apologies for rapid fire, I'm not having a go at you, just curious)
> Only when you're using a phone?
No, eg when I'm at the office, and we talk about where to go eat and I type restaurant, or I need a new stapler and I type office supply, etc ...
> Only if you're not at home?
Not really, eg "movie theater" or "flower shop" come to mind for things I would request while at home
> What if you want to find out what a bakery is?
I would type what is a bakery or define bakery ?
I'm a long time tech user, I miss the days of keyword centric search as I felt I could more easily communicate to the search engine what I wanted, but let's be honest those days have passed, most people type sentence and thus the engine interpret sentences
There isn't a necessity for an "or"
One could show a map preview of local results, which can be expanded as well as generic search results below/aside/...
Or a header along the lines of
We're showing you local results. To search the internet for "bakery" click here
It'd be great if they did that for anything personalized as well while they're at it
This is achievable with geolocation based on IP address, which is how it works on, e.g. a desktop web browser.
Not in my country - unless your ISP is in the business of selling customer PII to advertisers (coughvirgincough) your IP geolocation will often be a completely different city.
Of course, personally if I wanted to search for nearby bakeries on my phone I'd have just opened the google maps app....
Less than half the population has decent geolocation by IP. Most people the IP address will only identify the country or even nothing at all.
Not much use if you want to search bakery's.
Coming from the CDN land this isnt true. We didnt put too much effort in to precision, but on the order of 99% of IP addresses get down to metro area. Cheap commerical providers like Maxmind get to the right postcode on the order of 90-95% of the time. Building your own latency and peering maps bridges that gap to 99% or better. Simply based on network topology and latency we should be able to get you down to post code or general area of a city.
Google is my ISP. My geolocated IP is accurate within a 15 mile radius. It doesn't matter if I have location services turned off or I'm using my desktop, searching "bakeries near me" finds them without issue.
I suspect that isn't all just one big coincidence.
Google has what 3 or 4 cities where they operate as an ISP, each with a pretty small footprint. It's no surprise anyone knows where you are.
A cable or telephone company has generalized coverage measured in states; some of them organize their network and customer IPs by small geographies, but sometimes all of southern california is in a single pool of IPs.
"Achievable" is quite charitable from my experience. With the previous ISP I would get located in a city some 2000kms away, sometimes the scam ads would detect my location as null.
Maybe it's more effective in places like the US.
No, I’m randomly placed 2 states away. A solid day of driving.
funny how that works. I never ever allow location access to anything Google or any website for that matter, and have a muscle memory to hit deny when the browser prompts me. The other day I was searching something and then clicking my bookmarked Google News and suddenly all news were UK specific, and my search results fro "heatpumps" were are UK companies and products.. I was confused until I noticed that my work VPN chose a UK endpoint because the NL one where I am had higher latencies. So, Google heavily tailors the results based on where it thinks you're at. Also, I was delighted to know that inspire all the tracking Google probably does on me, it was easily fooled to think I was in the UK :-)
IP-based location is mostly usable for country. I've rarely found it gets the city right, often it doesn't even get the county right.
It gets really annoying when you are trying to search for some specific term in English and google keep guessing that you wanted something that sounds similar in your native tongue.
I have links to google.com/maps in my IRC logs dating back from June 2014, so this absolutely tracks.
I actually remember google.com/maps being launched at IO in 2014 -- the presentation had a broken link in it for the new version of Maps, and a few of us DoS SRE watching the livestream were able to hack together a config change in a few minutes to fix it without waiting for a urlmap push :)
> It's also possible that someone is trying to increase the percentage of searches that have location information, that doesn't seem terribly far-fetched either, and I can imagine lots of ways people could try to rationalize it as actually benefiting users.
Could you speak more to how this kind of thing figuratively plays out? With privacy on most of our (tech-focused) minds, I’m mostly curious how openly an initiative like this is/would be carried out. Would you imagine it as a buried lede or as a very transparent, explicit OKR?
It's easy to rationalize it as benefiting the users, so I'd imagine it's an explicit OKR, maybe even a few levels up in the org.
Like, one thing I've wanted on occasion is the ability to search for brick and mortar stores in a given radius who have the thing I want -- either because I want to physically inspect it before committing to a purchase or because for whatever reason the time/cost of shipping wouldn't be practical.
That sort of query is hard for Google to serve right now though for reasons including the lack of relevant location information in both the search results and the queries whose user behavior would help drive relevance rankings for those location-specific results.
Location information is a bit of a double-edged sword too though, even ignoring privacy concerns. I have to spoof my location and change my search language to get some results because of aggressive filtering happening behind the scenes. If a given query doesn't match Google's current understanding of the user then the right results existing in the corpus often won't imply that the user is able to find them with _any_ search operators.
With the document policy changes over the last 5 years, most decisions are now very opaque. Google TTLs everything except Docs and code history & reviews, at this point: emails, chats, bug reports, ...
There's probably a tech debt focused OKR for this work, but some other teams probably has OKRs that indirectly benefit from the data, and they're probably providing staffing support, tied to the tech debt OKR. OKRs are for telling people why you're great, if you're at the bottom of the pyramid, and for giving the rank-and-file some direction, if you're at the top. The top level OKRs are usually very precise and very vague at the same time.
So there's probably an OKR in search to improve the quality of the location signals. It can be vague on how. Plus, having more and better data filters into your downstream systems, so even without an OKR for the data you know it will make your models more powerful.
I remember the spiffy demo where the thumbnail in search results morphed into the full Maps UI without reloading.
But unification had started even earlier than that. Pretty much since Larry became CEO again, he pushed this mantra of "One Google", which brought the infamous Kennedy redesign across all services, as well as more of them available under the google.com host (e.g. maps as discussed here, but also flights and more). One of the ideas behind the latter was that you had to log into your Google account just once, which gradually made it all the way to YouTube(!). I vaguely recall other factors, such as compensating for the increased latency from going HTTPS everywhere, but also discussions about securing and hardening cookies.
As far as I know, google.com/maps has been around the entire time, but perhaps now it might be simply the canonical URL in a larger number of cases.
Funny, because there is a crummy form of Google maps present into he SERP, and it behaves completely differently from actual Google maps. It constantly annoys me, usually when searching for a business, that something that looks exactly like google maps, in Google, doesn't behave the same as google maps.
100%! I always ascribe it to some PM somewhere, but when I click on the "search maps" I would _love_ to be taken to the "real Google Maps".
The search maps is just a terrible experience, half implemented, doesn't do what I want, even down to little things.
My hack is to pick directions, which will get me to Google Maps, then cancel directions, this loses all state, but you're still in the location you want and can usually then just click the business you were looking for.
This reminds me of how Google integrated Maps into Calendar as a sidebar a while ago, a move that I absolutely hated. And instead of providing a preference setting to disable it, you have to “hide” the sidebar in a non-intuitive way [0]. I had to search to figure it out.
0: https://www.howtogeek.com/695504/how-to-stop-google-calendar...
This is a fantastic example of motivated reasoning. This "change" (which apparently isn't even new) can have so many different reasons, some of which are less harmful and some of which are probably worse (privacy-wise) than the one mentioned here. There is no indication that re/mis-using permissions is specifically what they wanted to do here, there is also no example of them doing it right now. Don't get me wrong, there is also no evidence that this isn't the real reason and that they wouldn't do that in the future. But the blog post basically list a single symptom and jumps right to the one conclusion that fits what the author expects.
1. The change does exist (although it apparently has been live for quite some time in some regions at least)
2. The change does have the effect of Google gaining more permissions (and subsequently more data) than previously
3. The author assumes that (2) is the (main) reason why (1) was done in the first place
Regardless of whether (3) is correct or completely wrong - and regardless of whether the author truly believes (3), or only uses it as a rhetorical trick to increase the controversy (and therefore the reach) of their post - both (1) and (2) remain fact.
And (2) is the actual problem here - regardless of whether it was done intentionally by Google or not.
Upvoted, this looks more correct than what I wrote.
As for (3) - there's no proof either way, as you already said.
But collecting more of that data which their marketing business makes it's profits from, is likely to have a positive effect on their bottom line.
And since the change already has been live for a while in some regions, it seems likely that Google is well aware of how much impact this change has on their revenue.
You decide for yourself if money is or isn't the reason why a big corporation like Google would do something like that.
I think your original comment was spot on. The reply above didn't really add anything imo.
> 1. The change does exist (although it apparently has been live for quite some time in some regions at least)
Pretty sure I’ve been experiencing this change for many years at this point.
> The change does have the effect of Google gaining more permissions (and subsequently more data)
There's a huge logic gap here. Obtaining more permissions doesn't at all imply obtaining more data when it's caused by an incidental change. Maybe the permissions aren't being used outside of the Maps context, or maybe it doesn't matter because the data was already be known.
It’s true that we can’t really know whether Google is exploiting these expanded permissions to collect more data unless we have some insider information.
However, it’s generally very easy to predict what a company is going to do by observing their business model and incentive structure. In Google’s case, collecting as much data as possible is a major part of their business, so without more information, there’s no good reason to assume they won’t do it.
> It’s true that we can’t really know whether Google is exploiting these expanded permissions to collect more data unless we have some insider information.
You could track usage and see what pages on google.com are accessing these APIs.
I doubt that it's a lot. Google already has fairly good geo-localization based on IP, GPS-level accuracy isn't necessary for ads. They could've already connected your data from maps.google.com to www.google.com, because both are using consent.google.com and you're getting a .google.com unique cookie.
This is mostly just outrage because people don't understand how things work.
Google search asks for geolocation. So the permission absolutely is being used.
It may not be the only reason, but you’re being too generous if you don’t think this was at least one of the reasons they did it.
Other than some abstract “branding” campaign, I cannot really see many other reasons why they would be doing this.
And as someone who worked in adtech in the past, it was very well known that Google used their domain as their tracking cookie domain as it’s nearly impossible for adblockers to just block without crippling other functionality. So they even have a history of using precisely these types of techniques.
> but you’re being too generous if you don’t think this was at least one of the reasons they did it
If you consider it absolutely unthinkable that it was not one of the reasons, it's you who is being too generous. Unconsidered side effects occur plentiful and all the time.
This is cute, but 100% no. In this case, those involved in the decision were aware of the privacy implications. Whether this was discussed openly, or whether the change was made 'pass-the-buck' style, it doesn't really matter. The association of privacy settings with domains is a well-established basic function in the browser.
> If you consider it absolutely unthinkable that it was not one of the reasons, it's you who is being too generous.
The person you are replying to didn't use the word "unthinkable" or even imply it.
I think you are being either incredibly naive or disingenuous if you believe an adtech giant like google doesn't factor changes to data gathering into every single decision they make.
My default mode is to trust everyone until they break my trust. Now that I am old, I have realized that trusting everyone by default is not a good idea, especially big tech.
In cases like this, I think it is better to assume malice, even if we are proved wrong later. This is not our fault, this is big tech screwing with us repeatedly for years, with no shame or conscience
The way I see it, people deserve the benefit of the doubt when it comes to their motivations but corporations don't.
Exactly. If you trust people you will often be rewarded by friendship and future help. If you trust cooportations they just exploit that to maximize shareholder profit with no value to me.
Perhaps you mean persons deserve the benefit of the doubt? People seems to be the root problem.
I expect there is no difference between an individual and a corporation operated by a sole individual. If one is trustworthy, they will remain equally trustworthy if they happen to have a stock certificate in hand. The corporation isn't able to act autonomously. It acts with equivalency to the person it is represented by.
Large corporations, involving people, is where communication breaks down, which leads to unintended consequences that wouldn't necessarily be realized if an individual was acting alone. When you have people there are bound to be competing interests created in the confusion and it is not always a straightforward answer who is best to honour. Even where intentions are pure humans are bound to make mistakes in their choosing.
I think the question is whether a effective feedback loop exists.
If a local dealer does something bad they quickly receive corresponding response.
A big corp is detached and anonymous. As long as there is no broad boycott there are rare cases where response really reaches them.
If a big corp has a sales force the sales force is responsive to feedback, however the corp then quickly turns anonymous to them and whatever they put in the system doesn't reach the right places ...
Also, by most reasonable metrics, Google broke that trust long time ago anyway.
Even if it's entirely innocuous at present, that's still little better. It would signal modern-day Google engineers lack the nuanced understanding and user-first deliberation of their predecessors.
Given the breadth of services the company provides, a user ought to be able to restrict the permission to the scope of the maps tool.
I think the grand master of user tracking and the developer of the web's most used browser knows exactly what they are doing.
Google is huge. You'd be surprised how something that's common knowledge in one team is completely unknown to other teams.
Hanlons Razor is a fallacy on it's face and I'm so tired of the incompetence excuse for actors who are repeatedly bad.
You're a fallacy on your face.
I admit this made me laugh, and now have adopted it into daily usage. Thanks!
I doubt that a URL change is the solely decision of the maps team.
bro, data is money and those corporates extract as much as they can. don't try to reason that google would not be interested in exactly that. one does not have to find a specific evidence for exactly this scenario in my opinion. this evidence likely might never emerge, while the spying definitely will happen. otherwise you would need to come up with a huge scenario where they actually farm a ton of benefits by doing this change, because a move like that you don't "just do for a better experience".
Cannot agree more. Money is the most important if not the sole driver of decision making in those large organizations.
> But the blog post basically list a single symptom and jumps right to the one conclusion that fits what the author expects.
That conclusion isn't wrong though. Your comment basically claims author is twisting facts but the conclusion remains that giving google.com/maps permission to geotrack does give google.com permission to geotrack.
"Pinky swear I won't enforce that clause" is not reassurance enough.
They've promised nothing, to boot. Google does not deserve the benefit of the doubt here.
The real reason or intention isn't that important, compared to the outcomes of the change. The author correctly evaluated one of those outcomes and the respective implications.
Given Google's track record, I think it is a sensible evaluation of the situation.
When companies like Google are involved, I believe the Hanlon's Razor works in reverse. I.e. never attribute to stupidity that which is adequately explained by malice.
I will accept motivated reasoning when in a friendly setting but big tech is not my friend. Their only and only purpose is to extract as much value (data or money) from me as possible.
Looking at Heartbleed and other famous security we should know that minor mistakes "disguised" as "typos" can have devastating effects.
They know what theyre doing alright.
The change may have happened for any of many reasons. Regardless of which reason was the motivator, it's clear impact is reducing user privacy. When talking about a tracking/advertising company, so it's kinda natural to assume that this was kept in mind.
Recently I have been trying to recover my gmail account. Besides sending verification code to my phone number, it also sent a code to YouTube app, high on the list. I have lost access to my google account, so I cannot open my YouTube. So it sent a verification code to the exact gmail address I am trying to recover. The whole process is unreal. This YouTube verification thing is definitely new, I don't know the motivation behind it, it couldn't even detect if my YouTube App was activate or not (or maybe it knows I wasn't using YouTube, maybe it is encouraging me to log in YouTube or open YouTube. Either way, I am not impressed.
Meta: my answer here is probably also a good example of motivated reasoning because I likely read a bit more into what the author wrote than is factually in the blog post. Oh boy.
> Oh boy.
Do you mind pointing out where you think this applies?
I think my critique is somewhat correct in that you seem to suggest that this change was made to allow for expanding the permissions from one product to all products, which I don't think one can derive from the things we know.
I think I was somewhat wrong in that I may have suggested that you said this was the only reason (which you didn't explicitly) and also in that I dismissed that they factually can use these permissions from other products now, i.e., no matter whether it was intended or not, the permissions set for other products is broader now.
> This is a fantastic example of motivated reasoning.
Did we read the same short article? [not parody]
It's so short, we can copy paste it here and then you can point out where he reasoned that Google did this with intent to track.
> But the blog post basically list a single symptom and jumps right to the one conclusion that fits what the author expects.
OP is simply stating a consequence of this change!
"Congratulations, you now have permission to geo-track me across all of your services."
> [...] though I'm sure they're just beginning to transfer their services to the main google.com domain.
This and the wording across the article imply more than the factual changes. But granted, hooby's comment above is probably more correct than what I wrote.
I think it’s the part where he says “Smart move, Google.”
Are people really surprised when they hand their location off to a domain that any other part of the domain might have access to it? Like, taking away the technical specifics of how location allows actually works, you’ve given the data to the _company_. At the very least, they throw it on an internal service and allow other parts of the company’s infra to grab it.
Didn't know this has a name. It feels that it's the main mode of reasoning in society.
The only conclusion this article made is that google now has the permission to-do so, and this is 100% correct - motivated or not. Although, given you overly defensive response makes me suspect you have more insight than we do..
Funny thing is, it depends on your threat model.
Using google.com/XXX for all its services protect the user from being spied by external actors such as ISP because everything is hidden behind HTTPS.
Whereas, with XXX.google.com, external actors knows that you are using service XXX.
The whole "threat model" thinking is useful for security, but I don't think it translates well to privacy and data sharing consent matters.
I disagree on the former, but I agree on the later, technology is not a good substitute for consent.
Regarding the privacy:
If you are using a VPN to protect your privacy, then you are effectively transferring your trust from your ISP to your VPN provider. The VPN provider is your new ISP. So you have to make sure you trust the VPN provider more than your ISP.
It is a matter of trust, but by choosing a VPN you are not limited in your options by your geographical location as is the case with an ISP.
In my town there are 2 ISP I can choose to trust, whereas with VPN I can choose to trust from a much greater selection.
I don't use VPN when I'm on my home ISP but I do when I'm someplace where I don't control the gateway. My VPN is on a vultr VPS I control (in as much as I can control a VPS), and I do trust vultr (or digitalocean or any of the major VPS providers) more than I trust, let's say, the person who set up the wifi at the holiday inn.
The threat here is google.
If your threat is google, it would be wise not to use google in the first place.
As other mentioned, OSM is an alternative (not equivalent) of Google Maps.
If only there was a drop in replacement for Google Workspace… even if you use Fastmail for email you don’t have Google docs anymore and that’s a huge piece…
You might want to check out:
https://framapad.org/abc/ (this organisation has a lot of FLOSS cloud alternatives to Google products)
https://cryptpad.fr/
thanks!
Unfortunately it seems there is only text editing, not spreadsheets or forms (those I use a lot)
But I'll look into it, and probably transfer my docs there
It is important to use user respecting software when we can :)
sorry, my bad, cryptpad seems to have it all!
The worse problem is you give Maps location permissions and that can translate now to the 3 billion sites that use Analytics isn't it?
No, google-analytics.com is where analytics is being served from and sends tracking-requests to.
It also connects to https://stats.g.doubleclick.net/j/collect
I believe that's only if the GA account is connected to an Ads account (or set up to collect demographics, I think). By itself, GA will only use https://www.google-analytics.com/j/collect (or /g/collect for GA4).
drop in replacement for Google Workspace?
has everybody forgotten it was replacing Microsoft?
Office365, Zoho, there are many options.
I’m pretty sure you can still identify specific services from trafic patterns. It is more expensive, but within reach for well funded actors.
Google could enable ESNI, if they wanted.
I presume they are talking about the DNS "leak".
google.com/maps would result in a DNS request for google.com so anyone monitoring DNS would know they are connecting to a google service but wouldn't know which one.
maps.google.com would result in a DNS request that show they are connecting to maps.google.com and could presume they want some maps.
DoH (and ESNI on the server side) would fix it, but iirc Chrome (the most used browser) doesn't use DoH by default.
Chrome uses DoT, if you have configured one of the well-known resolvers that do support DoT. Otherwise, it respects your local settings.
My point about Chrome is not that it can’t do DoH but by default it doesn’t so relies on the system settings which for the vast majority of users (not us geeks who explicitly opt in) never change and use ISP supplied values so DNS snooping is still a thing for the majority.
Should a browser override system settings? That’s another question, because doing so can impact other things for the avg Joe. For example my mobile providers self serve website plays up when I use custom DNS, free hotspots with captive portals also can be an issue when you override the DNS provided by the access point.
I understand your point, but anyway, no app, no browser should ever think that "it knows better" and attempt to fix what it considers incorrect. It may think that it protects the user, but in reality, it will break what the user configured. Private DNS zones are common, and if the browser ignores user configured DNS, they will break. And as I wrote elsewhere, just because the machine is configured to use 53/udp for a resolver, it doesn't mean that the resolver is forwarding over 53/udp too.
If you want to solve unsafe defaults, this is not the way. Pushing for configuring safe defaults is.
If a general purpose browser can empower hundreds of millions or even billions of regular users with better privacy (and ultimately, security) by making a change that might disrupt a small handful of power users who manually configure this stuff, I say the browser should go for it. The power users are the very people who can, without much effort at all, reconfigure their stuff, or easily find a special purposed browser, so they'll be just fine.
Spock was right, logic clearly dictates that the needs of the many outweigh the needs of the few.
The problem I fear is the needs of the few who are not technology minded, don't want their browser (or in their eyes their internet connection) to stop working because their ISP issued router uses a DNS based captive portal to onboard people (I've seen this used by atleast one major ISP in the UK to on-board devices onto their per-device content filtering system - BT, however I think they rolled back on that after it was caused issues with IOT devices).
However I believe (not read the docs in a while) FireFox works around this by falling back to DNS if an issue with DoH is detected.
EDIT: However I'm still on the fence if it should be a browser decision. Yes browsers move more quickly then OS & ISP changes and can make things better for the masses quickly, but i'm also wary of those changes screwing up the avg person, the people like my mother who can just about order things online via her ipad but thats about it, if she accidentally lowers the screen brightness of her ipad I soon get a call about it. Its for those kind of people I don't like the idea of a browser messing around with a connection in unknown network conditions.
> If a general purpose browser can empower hundreds of millions or even billions of regular users with better privacy
This statement makes a huge assumption, that the DoH provider is more trustworthy than your existing DNS provider. Personally, I trust my ISP (Small, locally owned) with my query history than I trust Google (Massive, exploitative advertising company). The fact that Google is automatically turning this on to scoop up DNS information without users consent should be illegal.
…, I get the "wrong" IP for anything hosted by Akamai (i.e. an IP address that corresponds to a part of their CDN which has abysmal peering with my ISP and is completely unusable in the evening)
Even if you are using DoT, the DNS provider will still know you're using Maps if it resolved the subdomain, and the DNS provider itself might well be the biggest privacy threat here.
> DoH (and ESNI on the server side) would fix it, but iirc Chrome (the most used browser) doesn't use DoH by default.
It would fix it for some specific circumstances. Since maps.google.com resolves differently than www.google.com, you can ignore DNS and just look at TCP connections to tell what service is being talked to.
Granted that Google is basically the exception here. But when I query the IP's for maps.google.com I get 142.250.179.238 and when I query google.com I get 142.250.200.14
If make a http get request to 142.250.179.238/ (the maps IP) but with the host header set to "www.google.com" I get the search page returned to me. If I make a http get request to 142.250.200.14/maps I get google maps.
OK. /maps might be a bad example because well google.com/maps is already a thing :-p
So if I make a request to 142.250.179.238 with the host youtube.com I get youtube. This is because most of googles public facing servers can act as the front door for many other google services not just the service that its dns is set to.
Not really sure it it comes under "domain fronting" because isn't that tactic many used to bypass censorship, pretend your connecting to one CloudFront customer when really wish to connect to another. Where google explictly configured their services to do this so they can easily load balance as demand and network conditions allow. Anyways I'm rambling now.
My point is, with google you can't rely on the ip address alone to determine the service (however it still wouldn't stop you peeking into connection and pulling out the host header unless ESNI was used) but as I said at the start, Google is more the exception here.
> iirc Chrome (the most used browser) doesn't use DoH by default.
Last I checked, Linux was behind other platforms because there’s a lot of complex custom dns configuration that chrome (understandably) didn’t want to be accused of overriding/ignoring, but which isn’t all easily visible to the browser
Which is the correct behavior; if the user wants to configure his computer to DoT/DoH, system resolver is the correct place and Chrome has to respect it.
Even if the computer is using 53/udp to the configured local resolver in the local network, it doesn't mean that the resolver itself is using 53/udp. Many of them can forward queries using DoT/DoH/IPoAC and the app on the users computer will be none the wiser.
Google poses a larger threat to most people I guess.
DNS over HTTPS is the solution here.
SNI is still in the plaintext.
It it still an improvement; you need to DPI the traffic then, which is more demanding than just logging 53/udp queries.
Anyone who is trying to invade your privacy is going to do DPI.
My prosumer grade harder does DPI without any issue.
Doesn't change the fact that the SNI is sent in clear text.
https://en.wikipedia.org/wiki/Server_Name_Indication#Encrypt...
As others have noticed, this is not a new move. For the past several years I've been accessing Google Maps simply by typing in maps.google.com and it has always redirected me to google.com/maps.
Even more confusing and a regular cause of annoyance for me that's been ongoing for a while now is there's like a knockoff version of Google Maps built into Google search that it'll kick you into if you click a map from search results. e.g. you type "gyms near me" and it shows you a map in the search results, and you click it to expand. It's still at the google.com/search domain and while you can zoom and pan around, there doesn't seem to be a way to arbitrarily jump into street view wherever you want, which I frequently want to do.
I'm constantly ending up in this view, fighting with it before remembering I need to go to real Google Maps and do my search again.
Same. It's so annoying and I feel like they do not always include the relevant info like the URL in that mode. Though looking now I did not find examples of that.
Funny, for me it’s the opposite. I always try to use the web view, and there’s an annoying pop up that redirects me to download Google maps. When I switch back into the web browser to go back to the web view, it auto redirects me to the app download again. Super annoying.
It's new for me as well. I hadn't seen google.com/maps before.
Also a great way to share cookies, avoid CORS, and probably a zillion other complexities that result from running on multiple subdomains.
Yeah, but do you want to bet that during the management call and the subsequent engineering call that made this decision, the main topic of discussion was the direct financial benefit from improved tracking?
We'll never know, but if we could find out, say 1 year from now, I'd bet 100:1 that was the main driver.
Wow...i didn't for even a second think it was anything other than a way to get a financial benefit. Kudos to you for not be as cynical as me.
The 2 things aren't mutually exclusive. Because it reduces complexity you will likely see a financial benefit from the cost of the engineering team alone. Having managed an infrastructure with a ton of subdomains I can say that it's almost certainly in their best interest to standardize the domain across all tools at least for engineering. Your data is just an added bonus :)
It's funny for browser vendor to push those "security" features, only to work around them in their own products
I actually find that somewhat reassuring, similarly to a Google employee criticising the security practices of a Google-operated certificate authority in public[1]: it demonstrates that the team responsible for instituting security policies in the interest of users still has some autonomy.
[1] e.g. https://bugzilla.mozilla.org/show_bug.cgi?id=1709223#c19
And to increase XSS blast radius!
thought they have moved mail.google.com to google.com/mail a while ago. Tracking would still be possible over 2 domain, but then google would have to do a bit of ETL operations. Guess this will save some more engineering.
Genuine question. Is it reasonable as a user to expect data collected by Google via maps.google.com to not be shared with other Google applications e.g. mail.google.com?
I'd have thought data collected on any of their domains would be meshed/merged behind the scenes where it suits them to do so?
I think the concern is less about other Google businesses having access to maps data as you suggest.
It’s more about the fact that using non map Google services on google.com will not prompt asking for location service permissions, if they’ve been granted when prompted on google.com/maps already.
Users may not want location to be collected for searches, but are okay with the privacy tradeoff for it being collected when using maps.
I think the concern is more about when Google is able to collect said data, not whether it's shared or not.
I don't have location enabled for Google maps in the browser, but if I did, then presumably Google could collect that data also when I'm just searching for a website.
But isn’t collected/shared inherently the same thing here?
No, what they are talking about is all Google properties (eg Google search) now being able to collect your location every time you use them, if you granted permission for maps to get your location.
So it’s now not possible to block location for search, and grant it to maps (at least using the standard browser domain permissions model).
https://support.google.com/chrome/answer/114662?hl=en&co=GEN...
But they could've been doing that all along because they control both sites, they would've just needed to use an iFrame. What changed beyond "it's a little easier now"?
Is that how browser permissions work? Naively I’d assume the browser grants only search.google.com permissions on that url, even if maps.google.com is opened as an iframe.
It's been ages since I've played with iframes, but I'm pretty sure it does (or at least did?). You might have to specify an allow policy [0] but that's no problem if you control both sides. Since iframes are secure, data wouldn't leak unless the iframe explicitly posts it.
I don't know if you can request permissions from the iframe (might confuse people), but if you already have them, it ought to be fine.
[0] https://github.com/w3c/webappsec-permissions-policy/blob/mai...
Thanks for the docs. The examples (2 & 3, https://github.com/w3c/webappsec-permissions-policy/blob/mai...) seem to me to say that search.google.com can’t grant location permissions to an iframe if the parent was forbidden them, but I didn't find an explicit example for what happens if the iframe domain already got permission previously.
As you say the UI for requesting in this case would be weird, and this seems like a big security hole to me, but I can’t see a bit of the spec that explicitly forbids (though I only scanned the doc.)
Do you mean:
- is it reasonable for a user to expect that Google will collect all bits of information about them, because Google isn't prevented from doing that?
or
- is it reasonable for a society to allow Google (and competitors) to do this?
I think the answers are respectively yes and no.
The different Google Apps surely rat you out to each other.
But now google.com will know where he is when he browses it, not just when he uses Google Maps.
They can already join your activity across everything. This is about access and collection. So if they move store.google.com to google.com/store, they will have access to all browser permissions you gave google.com/maps or google.com/flights.
I'm ok with sharing my location with maps (and therefore google) WHILE USING MAPS. Not when I'm reading my emails, or searching for something on the web.
It could be tricky with permissions on different users: for instance you authorize google.com/maps to track your location while logged as user A.
You logout and switch to user B to look at another Google service, but google.com is still allowed to get your location, and will stick it to user B, which is something you might not have wanted. This didn't happen with the previous domains, so could be a surprise.
I think it is reasonable to expect Google to share the data and get sued for it, because it isn't reasonable.
Oh having though about it I agree, I just think we're probably a minority.
As others have pointed out the line has been blurred between search and maps so far that maps has search embedded, and search has maps embedded. A lot users of Google search likely expect results to be location aware without realising what privacy has been eroded to enable that.
Applications are not juridical entities, so at the absolute best it is debatable.
Most probable version is that they share as much data as their internal regulations say, or a bit more. They definitely have some form of internal regs on this, for basic security hygiene, but they write it.
FWIW, there's an EU regulation coming that prevents companies from using data necessary for a product (like maps) to be used to improve a different product (like search).
I'd be interested to find out whether this works as intended. There's a good argument that maps is a subset of search. Most people don't open Google maps just to look at a map, they search the map for a place.
IIUC, maps would send your location to search if-and-only-if you make a search from inside maps, since that is necessary to do the precise location-based search.
Ask your local Information Commissioner whether this is GDPR-compliant.
Its reverse for translate. https://google.com/translate redirects to translate.google.com
I can understand why: Translate is the only service that works in China. Countries with censorship laws can easily choose what they allow.
I suspect this may more be to do with large organisations (and equally foreign governments) wanting to block Google translate, since it can be used as a proxy in some cases.
They don't work in China anymore.
And when they worked, the domain was translate.google.cn instead.
...this redirect has been in place for years. Honestly maybe even a decade at this point, it's been a long time.
I've also been using earth.google.com etc for many years, can confirm not new at all
It's a very strange move indeed. maps.google.com implies an application lives there, far better than being on the root domain.
It also means that when you start typing maps.google, you'd get all your history searchable related to maps, although arguably that's useless.
I can't think of a reason why this would be a good technical move for Google (ignoring the don't do evil thingie), other than simplifying... certificates? Less lines in the firewall config... I'm stretching here, help me understand.
Other things: slightly simpler external DNS surface, probably tiny speed improvements because users only need to have the IP of www.google.com, not one for maps, one for www, one for whateverelse.
More possibility for connection re-use, as you'd only need to have a connection open for www.google.com, not one for each service.
And security wise: ISPs can now only see that you're accessing something at google, but not which service exactly. If they also bring in accounts.google.com into the fold, that would make it harder to see whether you have an account or not.
True. I’m sure being a beyondcorp company they can’t figure out how to add dns entries. Those google guys really should learn more about the internet and it’s technologies.
I don’t buy the simplicity argument for a second. The infrastructure exists, has existed for many years, and is not particularly exotic in the world.
The only thing that matters to a surveillance and advertising company is surveillance and advertising. You don’t need to overthink this one.
That’s a rather simplistic take; a company that makes money by surveilling you as you use their products also must care about the quality of their products. If their products suck, fewer people will use them = fewer people to surveil = less money! So not all changes are necessarily directly in the service of surveillance.
Also, I don’t think your reply to the above comment was entirely fair; they didn’t say anything about adding DNS records, and also mentioned several other potential benefits of not using subdomains.
All changes are in the service of surveillance. If making the honey pot sweeter works then they’ll do it. If making it more pervasive and intrusive while not offending anyone away they will do it. They will do nothing that hurts the mission to mine and sell advertisements, and all actions will lead to that.
I know you mentioned other things but they’re all sort of in the same bucket of “not that hard once done” and “google can surely do that without blinking an eye”. I would posit the move away from a subdomain to a root domain is hard and complex and benefits end users not one bit. Perhaps the end state is easier on the margins, but again, I doubt given it’s been that way for so long it’s effectively any easier for engineers or operators at google in any way what so ever.
Well, other than those responsible for surveilling all the things.
As you mention there are plenty of performance reasons to run everything under a single hostname. There's also one especially vital for Maps, it loads a tonne of resources and maps are used in various other services at Google. Now that caches are being siloed down to the host level, having all the resources accessible in a same-origin cache will save bandwidth and increase performance for users.
> "It's a very strange move indeed. maps.google.com implies an application lives there, far better than being on the root domain."
How does "maps.google.com" imply an application "lives there" any more than "google.com/maps"?
Technically speaking, "google.com/maps" is far superior to "maps.google.com" (check out the rest of the comments in this thread for examples: simpler DNS configuration, simpler certificate management, CORS, cookies, etc).
Technically speaking it goes around any security CORS and friends provide
> "Technically speaking it goes around any security CORS and friends provide"
CORS wasn't designed to "offer any security" in this specific scenario anyway.
By using "google.com/maps" they can simplify their systems (by not worrying caring about CORS).
Security is hard, money is easy. Simple choice!
google.com/maps is simpler to type on a mobile phone and more consumer friendly, I’ve always used google.com/ pattern, way easier to leverage autocomplete, type a g to autocomplete google.com then if you are looking for flights type f and in 2-3 clicks you are on google.com/flights
Yeah, but flights.google.com or translate.google gets you there even faster.
dns segments are shown backwards for a reason. it was done so that the most specific part shows up first when searching for something.
I have to admit as a data structure snob. I vaguely wish it were the other way around, sigh, as much as I hate to admit it java classes got it right. I also have to admit it does not really matter that much.
I was curious where this is from, and found it's from "1,000 Eyes" from Death.
https://genius.com/Death-1000-eyes-lyrics
From 1995 - prophetic, almost.
What a pleasant surprise! I hadn't listened to Symbolic in a while.
Are you missing a Not operator in that last line?
It's lyrics from a song - the last line sounds like a new sentence, so it's punctuation that I'm probably missing.
I've added it for clarity.
Has this not been the case for a while? I think I've been getting /maps for at least the past year.
Yep. Noticed when I didn't want to enable JS on the whole of Google's domain in μBlock Origin. I switch to another browser for this task alone—especially as some regions have incomplete data for OpenStreetMap
the /maps URL worked for a while, but I never noticed the redirect from maps.google.com (but I wasn't paying attention to that).
Note that Google before can just have an iframe to load maps.google.com to get your location info. Don’t change much in term of privacy.
https://www.openstreetmap.org
If you need OSM on Android, I can recommend:
- "Organic Maps" (a fork of the old MapsMe codebase) if you want a clean, simple user experience
- "OSMAnd" if you want a very powerful, highly customizable map application, which comes at the cost of a steeper learning curve
Both apps are open source and support navigation, offline maps and POI search.
The things I miss most compared to Google Maps is live traffic information and the powerful search. However, this has a privacy cost, so I generally try to use OSM first, and only fall back to Google Maps (in the browser) if I really need to.
Lets not forget StreetComplete is a dead easy app to use to help contribute to OSM. It just asks you a few questions like "is this bench still here" or "is there a bike lane on this road" etc
https://streetcomplete.app/
Can I use this app to suggest issues? In one of my projects I found a bunch of buildings that have either the wrong direction or the wrong coordinates. Think "Random street 1, 2 and 4 are next to each other, but Random street 3 is 500m away". But since it's a city I don't live in I can't go there in person and confirm.
You can report issues by long pressing and tapping "Create a note" which people will eventually review and fix.
I love this app and use it frequently. Great excuse to take little walks around town.
I use OSMand for walking and biking and it's great, much better than Google Maps in my region. Just remember to choose the right kind of traffic in the settings when starting navigation.
It's not as good for driving.
Organic Maps is also significantly more optimized in my experience (or maybe a more fair thing to say would be: is faster because it does less). So it pays to have both because OM is basically the "fast path" for its use case in more ways than just the interface.
I also had some success with HERE maps: https://wego.here.com
Their Android app: https://play.google.com/store/apps/details?id=com.here.app.m...
Their Apple app: https://apps.apple.com/app/id955837609
The performance is good (especially on a budget Android device, better than the recent versions of Google Maps, even), they're reasonably accurate (I'm in Eastern Europe) and include navigation, traffic information, public transportation, as well as the ability to save regions for offline browsing.
I can't comment on the company behind it, though, but it's a nice alternative nonetheless (and there are simple prompts for choosing whether you want to send them any data, e.g. to enrich traffic information).
Edit: as a criticism, some Android reviews suggest that recent updates have made the app less performant than previous versions, though I didn't notice anything in particular on my current device (2020 budget phone). Some also suggest that navigation needs more work.
One of the best features of HERE maps is the ability to download entire countries' maps and turn off data.
This was a life saver when roaming when data charges were really exorbitant.
Google Maps Android also supports offline maps downloading of selected regions. However the download is only valid for a year.
From where do they get traffic information? The only viable app that I've ever seen for traffic data is Waze, because of the huge install base. I do remember HERE from when they were a Nokia brand, but even with that history I think that they'd be too small to have good traffic information.
HERE is currently owned by a consortium of Mercedes-Benz, BMW and Audi. So I guess that's where their traffic info is from.
Thank you. Sounds like they'll have a ton of data for LA, not so much data for Detroit ))
I can also recommend this app for driving. My experience is better with this than with goggle and speed limit information is very useful.
Is panning and zooming in OSMAnd not a huge pain for anyone else? The map rendering (of downloaded maps) is extremely sluggish and absolutely useless for me to use. (Even worse than the tile-based rendering of early Maps on iPhone.)
Organic and MagicEarth work fine for me. I really wonder if it is just my setup or if everyone else suffers from this. I am on a Pixel 5 with CalyxOS using the OSMAnd+ from Fdroid (but same with normal OSMAnd from Aurora)
I have the exact opposite experience with OSMAnd on Android.
The map rendering of OSMAnd is faster than Google Maps (using a 3+ year old smart phone with a low-end Realtek SoC). Like really way way faster/snappier.
My setup is a Chinese brand Android 10 with default OS (rooted)and OSMAnd+ from Fdroid.
The only possible cause I could think of is that CalyxOS is somehow missing proper video drivers for your Pixel?
Hmm interesting, thanks for letting me know. I always wondered why people recommend OSMAnd when it performs so poorly. Will look into this.
It may be a bug of Android: Newer Android versions have further locker down sd card access. The implementation is apparently super slow for stuff like what Osmand uses. Dont put the map data onto the sd card or use one of the predefined locations
https://github.com/osmandapp/OsmAnd/issues/12046 https://github.com/osmandapp/OsmAnd/issues/13254
Edit: If that is not the culprit then check if OpenGL rendering is activated.
You can also deactivate unneeded features from being rendered (buildings, areas, etc). And lastly there are smaller road-only maps (no POI data and no adresses though)
Thanks for letting me know. I don't have a sd card, activated the dev plugin and enabled opengl but did not see any real improvement. I will open an issue with a screen recording on their repo now that I know it is not supposed to be this bad.
It's not just you. This comment claiming better performance than Google Maps is baffling to me. OSMand has been slow on every phone I've owned (OnePlus 2, Pixel 3a and Pixel 6a). Enabling OpenGL and restarting improves panning/zooming framerate, but tiles are generated at the same slow speed (maybe even slightly slower).
What really matters is the amount of data. In my local town I can scroll around no problem, but in a more actively mapped area like Amsterdam it takes at least couple seconds to load.
I'm a OSMand user and OSM contributor. However, sometimes I hate the routing OSMand provides, taking me through narrow streets with awkward turns. Wish they used GraphHopper... A nice feature in OSMand is that even if you get the free version off the Play store, if you log in with OSM and are active, you get free map updates and all the "plus" functions. And on top of that, the full plus version is available off F-Droid.
By the way, OSMand has some support for reporting traffic issues (police, crashes), but it's very very limited due to low adoption way below a critical mass. Also, reporting traffic status would probably require OSMand to run a pretty beefy server and get the current speed/traffic info from all the users - many chose it exactly because they don't want that.
Maybe you know. I've been told twice that OSMand can show the altitude above sea level of a location, but I cannot for the life of me figure out how. Have you any idea?
Thanks!
It's these steps:
- go to pugins section and activate the contour lines plugin
- then go to download maps and load the contour lines data for your region
- go to configure map and check the show contour lines option
I think you need the f-droid Version or the paid pro Playstore version or the subscription. Please note that this will only show marked contour lines and not interpolate/estimate the elevation for any point. So you need to search for the next line and get your own idea what that means for the specific location. Not ideal for very flat areas with sparse contour lines.
For the current position you can show GPS elevation (settings, configure screen, widgets)
Perfect, thank you! In fact most of my apps are from F-droid when possible.
On iOS, I have mine configured to show the altitude in the top right corner of the map view. The settings are admittedly confusing but if you just poke around in the map display settings you should find it!
I have Organic Maps, because I thought it would be nice to have in case of an emergency where I don't have internet, but sadly just a few weeks ago, I had such a case and Organic Maps couldn't find the address and the map itself didn't have all the roads on it (nor satelite or topology map), so I couldn't even use it as a normal map... In the end I had to resort to one archaic ways and ask local humans for directions...
Google maps does offer being able to download for offline use, but if you don't have internet it quite often doesn't want to do navigation, unless you trick it with saved directions.
How does Garmin do it (I'm guessing map licencing issue)?
And how come this isn't already a solved issue?
Both Organic Maps and OsmAnd are available on iOS as well.
I hope the author of OSMAnd makes enough money from the play store to finance continued development, because the application is amazing, it has an interface that is not dumbed down, it does not phone home to the mother ship, it gives you great tracks, in short it is a great tool that respects the end user.
I wish more applications were like it, first thing I install on my phone.
Unfortunately this is really not an option for (some) areas in the US. After having moved to a populous LA area from Germany I was baffled at the lack of detail in the maps. Basic things like building numbers are entirely missing. Even after adding more and more details I would never fully rely on OSM here sadly. And if it only works sometimes why even bother using it in the first place? At least this was my progression. From fully using OSM, I am back to Google.
The only good in-between solution is MagicEarth which supplements OSM maps with data from lord knows where. However although they claim to be privacy cautious they are quite opaque.
Also, do not fully rely on Google Maps knowing house numbers. Looks like in some areas (in UK for example) Google used some sort of OCR to find house numbers. There are houses and Wales with random house numbers that only have a house name; Numbering ends a few houses into dead-end alley where the Street View car didn't come; Or totally wrong numbers where house number sings are hard to read.
House names, rather than numbers, are very common in rural UK.
Australia went to mandatory house numbers in, I think, the 60s but my grandmother refused and gave out only her house name until she passed away in the 21st century.
Searching for my address just straight up doesn't work.
Named house rather than a number, and the postcode isn't a particular street but covers a number of little tracks up to various farms.
I also don't have a road name.
The address syntax is:
Building name
Town
County
Post code
The combination of no road and no number means Google absolutely fails. It just gives suggestions of businesses nearby... Ish.
Does your location have a Place ID? Google originated Place IDs for exactly this type of use case, so that people could find places like yours without an address.
A lot of the US road map was imported from TIGER (<https://en.wikipedia.org/wiki/Topologically_Integrated_Geogr...>). This is an electronic mapping system set up in the 90s by the US Government to aid in conducting the census. The TIGER data doesn’t have any address information at all, just road shapes. No information about the type of road, the number of lanes, the quality of the surface, presence of sidewalks, signals at intersections, anything. Just the paths the roads follow, and those paths are often of extremely poor quality. The resulting OSM maps are barely usable; sometimes they are not even recognizable by locals.
So OSM has decent geographical coverage of the US, but relies very heavily on individual contributors to correct the deficiencies and add useful information to the maps. The only way it will be usable for you is if others have improved it. The only way it will be usable for others is if you jump back in and do the same.
> TIGER data doesn’t have any address information at all
In the EDGE tables it does have ZIP codes and house number ranges, split into left and right side of the road. ZIP codes were imported into OpenStreetMap data. House number ranges are imported into the OpenStreetMap search into a separate database table, so searching works in a lot of areas but it's far from complete, all the issues you mentioned with roads that don't even exist etc
I stand corrected. Maybe the TIGER data or the import process was improved at some point in the last decade?
Not heard of MagicEarth before - looks interesting but what's missing is a "Why/how is it free" statement. They don't cover how they monetise this, what's their business model.
Makes more sense to switch to bing maps, since they have ever so slightly better satelite imagery and there's no way in hell anyone would use bing for anything else anyway.
Interesting. In my experience, OSM's level of detail in Amsterdam is much higher than Google's. Especially in bike routes, an area that Google often sucks at.
OSM is usually better in Europe. Even some rural paths were mapped as streets in Google maps. But in USA it is probably other way around.
Obviously YMMV.
I live about 1 mile from suburbs in a town called Bingley in Yorkshire, England.
I can't trust Google maps locally (though its good for local business searches), as the mapping quality is terrible. My village and local town have roads missing, numerous public rights of way missing (over both public and private land). Major areas of trees missing. OSM is much, much better.
See the difference:
https://ibb.co/fk74k3s https://ibb.co/GTKMTzn
I am noticing more and more how poor Google maps is for non-drivers (such as myself recently having to stop driving), such as not being able to do walking routes over local foot bridges, OSM with OSRM or Grasshopper is fine:
https://ibb.co/NtTf6kr https://ibb.co/sq60YQy
> OSM with OSRM or Grasshopper
Is this usable on mobile? Can you tell a bit more?
Sorry, I don't know. I used the OSM website for the purpose of this comparison. I use the Magic Earth app on my phone, which has proprietary route planning (using open street maps).
I see, thanks.
While I like OSM for some use cases, and have contributed, it can not work as a replacement for google maps for every day use. My biggest problem is the search - absolutely unusable.
Technical nit: OSM as such does not have "a search". Geocoding (as it's known) is a separate component and if you dislike the one used by the openstreetmap.org there are other services that render OpenStreetMap data for you – perhaps with a better search!
Here's a question for someone who understands cross-site cookies (which isn't me): Why does www.google.com/maps 's site permissions show https://www.openstreetmap.org/ as one of the sites 'that can use cross-site cookies and site data'?
I found OsmAnd absolutely essential in my extensive off-road travels in Central America and Spain, paid to support it via Google Play, but i could not for the hell of it figure out how to submit photos and places. It forced me to create a separate account and then always gave me errors when i tried to submit
The separate account is needed for openstreetmap uploads/notes/corrections. You can add places on osm.org also or retry with the osm account using Osmand.
I have what i think is a separate account. Could you link a GitHub where i can create an issue and upload error screenshots? Even if it's not a bug but a feature, it should still be useful, because this flow is very confusing.
There are two ways to login
Oauth and user/password, you can try both under plugins/openstreetmap editing/settings/Login to Openstreetmap
The official Telegram support group is also good for getting help:
https://t.me/OsmAndMaps
https://github.com/osmandapp/OsmAnd/issues
osm and wikipedia are proof that an alternative, more desirable, digital universe is not utopically distant but begging to be born. imagine if the world would somehow muster to dedicate something more than token support to such projects / designs
prediction: osm will eventually surpass wikipedia as the most successful crowdsourced effort because the more objective and simple nature of its data allows dramatic scaling. if even 1% of the billions of the world's roaming mobile devices get into the habbit of augmenting the osm database (e.g. using streamlined UI's like streetcomplete or yet to be build apps) the disruption will be on its way
Would you bet money on that? Google Maps is pretty entrenched. A competing 2.4 trillion dollar company that preinstalled their app on the most popular phone in the US couldn't dethrone Google Maps.
my prediction was careful to pitch osm against wikipedia (both of which I love) not against the well known elephant in the room :-)
but on your real point, yes its going to be a long slog...
The problem is you loose a certain percentage of businesses and also user recommendations (no real alternative there). There is no real incentive for businesses to make yourself visible on OSM (probably many don't even know it exists).
But is the app as good as Google's? I always struggle with OSM maps.
I think at the moment there's a massive discount on OsmAnd+. Worth it?
Really depends, it can be much better than Google depending on country/region. Google Maps is not in every country good. Definitely better for any kind of outdoor activity like hiking, bicycle, ski etc. and offline usage.
This article is not about one specific service and how an alternative can solve the problem.
It is an example of how companies are dying to permission to track is.
Or, you know, use the Google maps app (like the company is always haranguing us to do) and turn on “only allow while using” for geo location.
I think this change probably has more to do with corporate firewalls than anything else. A lot of corporate internet access isn't set up to MITM the requests (a lot of places are setup for this, but a lot aren't). If they places all their services under google.com as suffixes, places that don't MITM won't have any way of stopping it as all they can see is the request to google.com.
Given the history of Google's stance towards privacy and tracking, I think it's naïve to assume technical reasons.
It may have been ok to fall for that argument for 10 years, but after AMP, manifestv3, android's location log disaster, the recording of wifi names and countless lawsuits across the globe, it seems that the resource of good faith assumptions has been depleted. Some may even say that trusting google (the corporation) to act on technical or altruistic reasons is delusional.
Google: push security theathe features like CORS to make it hard to run cross domain
Also Google: decides to use single domain so any permission you ever give work for all of their apps
I'm as skeptical as anyone about Google's privacy record but I'm not so convinced that this really helps google invade our privacy more than it already does.
> after AMP, manifestv3, android's location log disaster, the recording of wifi names and countless lawsuits across the globe
Tangentially, it's funny how the whole Google+ fiasco with forcing G+ account creation for YT etc. was quickly forgotten.
I haven't forgotten because my YouTube account to this day has remnants of that move. The same with my Google Contacts, it is an absolute mess of G+ and Orkut stuff that got shoved in there at some point and Google never cared to clean their absolute mess.
This is actually something that browsers can mitigate. Allow users to give tracking permissions not only for subdomains, but also for paths.
Something like that.Yeah but, the biggest browser is Chrome, by Google; they have an incentive to allow tracking and access across their services.
Indeed. If you use Chrome, you should just assume that your location is shared with Google at all times, since they likely collect it via telemetry anyway.
If you use Firefox, assume your location is always shared with Mozilla via telemetry... and likely indirectly to Google as well, since they use Google Analytics for so much of their infra.
Likewise for Apple/Google/Microsoft collecting data from iOS/macOS/Android/Windows. And of course your cellular provider.
As far as I know the only way to ensure your personal data isn't shared with your browser publisher is to use a verifiable, open source browser that has telemetry disabled, like Iceweasel or Librewolf. And an open source, verifiable OS with telemetry disabled, like... Fedora, maybe? Manjaro? But you're being spied on by your ISP or cellular provider anyway, and the US government indirectly through your ISP and cell provider. And let's be honest, foreign governments through some combination of ISP/cellular provider/govt backdoors.
Oh, and if you've read "Trusting Trust" you'll know that even OSS isn't necessarily verifiable unless you wrote the compiler yourself from scratch.
So I'm not sure there's much benefit to any of it?
> Oh, and if you've read "Trusting Trust" you'll know that even OSS isn't necessarily verifiable unless you wrote the compiler yourself from scratch.
And even a compiler you wrote yourself from scratch isn't necessarily verifiable unless you designed from scratch the hardware that you used to write it. Almost nobody knows what those Management Engines are doing!
Chrome users are probably okay with tracking anyway, but Firefox, Brave, Vivaldi, etc could implement more fine grained controls. Not only for geolocation.
I don't think DOM permissions are going to stop Google if they want to share the data between services.
Recently safari (on macos 10.15) started auto completing „maps.“ to „maps.apple.com“, although I only tried Apple maps once and always use gmaps. Maybe google noticed this and tries to circumvent safari‘s „preference“ for Apple Maps
Isn't maps.apple.com in your bookmarks? Most browsers suggest from bookmarks before anything else. Maybe it got added there in an update to. you know, improve your experience with the Apple ecosystem.
Its definitely not in my bookmarks. when i start typing, its under the section titled "top hits". google maps is right beneath it, but never first place
I have never shared my location via browser, including google maps. Still, google very well knows where I live and focuses on my home as default, when I open google maps. I'm curious what do you seek by sharing your location with google (maps)?
Perhaps your home router has a public IP. Google gets the location of the home router from just one Android phone connecting to it. I'm guessing.
But some home routers are behind CGNAT infrastructure: Then it's possible that TCP connections from the same browser can go through different public IP addresses.
Sharing the location helps Google to help users. And Google to target ads better.
I got this a couple of years ago, and noticed immediately. Just as quickly denied the request, because I have fingers and can type my current address. It's a minor inconvenience.
> because I have fingers and can type my current address
How would you always know your current address? I often use maps with gps to find out where I am. Many places have no address.
Not trying to be snarky, but it might be that I don't get what you mean: I just look at the street name, which is posted on every street? I've never been anywhere that has no address at all, but I guess in those situations it wouldn't make any difference if I only knew roughly (like when I'm camping?).
I use maps only for route planning. If I don't know where I am, I use an offline GPS.
I never type my current address but a location nearby. (I am sure that google know exactly where am I, still..)
I wonder if this is why the mega-app model is so common for Chinese companies. It's far easier to justify collecting a million permissions when your app does a million things.
I think that is more a resurrection of the department store and mega-corp models: if you do a bit of everything then the bottom falling out of one market won't affect you badly as the other areas can soak up the temporary loss. Also, if you have positive name recognition in some areas this can benefit the others, and there is a passive advertising pressure of people using you for one thing seeing something else you have in store or linked to your name (where a more organic search to fulfil a need might be as likely to lead to a competitor as to you).
The difference that might break this analogy being that with a mega-app there isn't really a diversity of revenue streams despite the diversity of products/features: it all comes down to stalking to be able to better sell advertising.
huh? You were always able to share sub-domain cookies with top-level domain cookies no?
Set-Cookie: name=value; domain=google.com
Setting cookies doesn't allow using Browser APIs lie GEO-Location
Can you load, let's say maps.google.com/somepage in a hidden iframe and use postmessage to send location data if it already has access? Or do browsers force top level navigation for such permissions?
There were probably covert ways to obtain the same information but it's now easier for Google to grab the information using regular APIs.
It also means if app X and app Y on their own subdomains were previously using location APIs without any tricks, you are now effectively opting into both apps.
Bottom line: technically it doesn't matter but it probably makes a difference in practice.
Yeah it makes a lot of sense to do it this way, however it does not feel that nefarious when there were plausable workarounds anyway.
Browser could implement finer grain permissions (i.e. only permit the API use for a given top level path regexp) but I bet most users won't bother fine tuning their grants.
What about other apis such as web notifications or webcam and mic access?
With separate domains we could allow notifications for one (e.g calendar) and disallow for another (e.g mail) at the browser level.
Seems like it would now be a blanket allow for all of google.com (with a toggle for each product setting, maybe?) which sounds like a very user hostile move.
I guess it depends if one considers Google products to be separate apps or Google as a whole to be a "Web OS".
(Also on the technical side there's not just google.com but also google.<2 letter country TLD>, which is even worse in terms of CORS, certs, or whatever. Would they get rid of that?)
Google Maps could have set your location in a cookie that is shared with google.com. Then search would have your location anyway when you next visit it.
It asked my for the permission earlier. I thought I'd granted it already and I didn't notice the sneaky domain switch, I've now revoked it.
I wish browsers had a more granular way to grant this and other permissions. E.g. Firefox just has allow/deny, and then "remember".
Granting it only if the user clicks the "show my location" UI element on the web page would be a closer match to user expectations, and would preclude pages from getting the permission in the background.
Of course that would introduce extra complexity, e.g. worrying about web pages sneakily making normal looking links the "get location" UX element.
There's probably no secure way to do it except for the webpage to communicate that it's a page that might want your location, and for the browser to show the "send my location" UX element itself (e.g. in the toolbar).
Hey now, it used to be local.google.com! I sometimes use that just to see if it still works.
This is not new. I'm pretty sure Google has done that kind of redirection for ages for me.
This made me think how much would I lose if I'll just block all *.google.com domains in the browser? I was using DDG for search and Firefox for browsing for many years without problems, but I also still use Gmail and Google docs (or whatever they are called these days, Google for Work?). Maybe, a blanket ban plus a few exceptions like mail.google.com, docs.google.com, tables.google.com and drive.google.com would not cripple my workflow too much.
Some years back (my memory suggests somewhere between early 2017 and early 2019), Google moved reCAPTCHA to www.google.com, so now anything that uses reCAPTCHA (and that’s a lot, far more than is reasonable when I contemplate the absurdly high efficacy of a simple hidden-by-CSS honeypot when it’s just junk you’re filtering rather than targeted abuse) depends upon www.google.com frame, script and xhr, and www.gstatic.com script.
There may have been other reasons as well, but I have been strongly inclined to consider this a hostile and even malicious action (organisationally, if not individually) from the start, more than the maps.google.com → www.google.com/maps shift (though I think it’s still at least hostile).
Thus you probably can’t quite block even www.google.com even if you never use any Google services yourself.
> (or whatever they are called these days, Google for Work?)
Gmail is currently branded as part of Google Workspace, and shows the Workspace logo upon sign in. It probably has been that way architecturarly for a long time, but I think they have made it more explicit relatively recently, at least for non-corporate users.
It looks like "Google for Work" is an old name of Google Workspace.
Like their chat apps, they change names so often that I just call them Google Docs most of the time.
This title is as clickbaity as it gets
On another note, I feel like EVERY day my iPhone asks me if I want to share my location with google. I’ll be searching something in Safari on google that’s obviously location based and I get a dialog that pops up. I have allowed it 100s of times.
https://imgur.com/gallery/LleCkEo
I hate this and don’t want to see it ever again. Allow always, allow never, I don’t care. This reminds me of the GDPR popups… I feel like once you have popups everywhere, they lose their value and become an annoyance
Just FYI. After this rant, looked it up and apparently you can set in OS settings to allow for all websites, or deny for all websites. No granular control though
I've been seeing this redirect for literally years. It's not new.
> Congratulations, you now have permission to geo-track me across all of your services.
I don't think Google needed to do this move to track you across their services. Pretty sure they were able to do that before.
This makes it problematical to block. Previously you could give location permission to map.google.com and not elsewhere. Now you can't be more selective: remove permission from search/other and maps stops working (or doesn't work as well).
As others have pointed out, there are technical benefits too – but most (all?) of these technical benefits are essentially because it works around features designed to limit the scope of permissions.
Most people don't check their accounting settings, to see the massive amounts of data that Google is collecting on them or the amount of tracking they are doing. Even if a person adjusts the settings, its not really known to what extent the continual collection is actually mitigated or privacy is being ensured. To include users data being sent to 3rd parties or governments at Google's prerogative or their employees, or to the extent results and services are manipulated for Google's own internal purposes and benefit.
I’ve noticed that Google searches often request location. I never say yes but most people will to maps. So yeah this makes sense… as a way to make sure I don’t use Google.
I wonder, why Google hasn't moved to .google domains, as they own TLD? maps.google, mail.google, search.google seems to be shortest versions possible.
Most people are confused with this, they expect websites to end with .com.
I'd appreciate a shred of evidence to back this up. It's been my finding that people don't have any expectations of URLs at all. People expected .com in the 2000s, but times have changed.
Slightly different but I find it super confusing when search shows maps. For example
https://www.google.com/search?tbs=lf:1,lf_ui:9&tbm=lcl&q=clo...
This looks like maps but it's not, it's search, so the UI is different. Features I expect from "maps" are missing
It just started doing this now? I've been using google.com/maps for years, and that isn't the canonical address?
According to my browser's history, March 31st, 2022 was the last time maps.google.com didn't perform a redirect.
I kinda like the new url. The other reason could be that browsers won't be able to autocomplete the url any more if you start typing map... and hit enter to go directly to the site. Now you probably have to do a google search for "maps" first and then click on the first link driving more traffic to Search.
A bit reason for using separate subdomains originally is because there are security benefits.
If there is an XSS attack that leaks cookies from Google Keep, you would prefer that not get your cookie for Google Maps.
As browser security models have evolved, subdomains are no longer as isolated as top level domains, so I dunno...
I think the main issue here is people conflate the security boundaries defined by the website operators with the security or privacy boundaries a user might want to enforce. The web origin chosen for the service operator's XSS sandbox is not necessarily what a privacy-focused user wants. It's only useful when a trustworthy operator is designing for the benefit of the user.
There should really be a more granular way for the user's policy to adjust the origin definitions used for cross-origin logic as well as other types of content blocking and enforcement.
Why shouldn't a user be able to isolate https://example.com/app1 as much as https://app1.example.com?
Why shouldn't they be able to grant any permission to be used in a single page https://example.com/app1/usefulpage and not in other pages on the site?
The multi-container approach to browser session isolation faces the same issues. Different users may have different preferences for when navigation shares the session and when navigation should kick you into a new session that lacks authentication, tracking, or app state.
This is also so they can invade your privacy, and correlate all of your searches to your geolocation.
It makes sense to use geolocation for search. It's not just for searching for businesses, as the meaning of a word you are searching for will depend on where you are.
IP-based geolocation isn't very reliable. And if people are using VPNs then it's useless.
Google maps is pretty much one of the only Google products that I still actively use. It's funny that this article was written and published today, since I had noticed the exact same thing yesterday! Does anyone know when it first started?
I’ve been seeing this redirect to google.com/maps for at least a year now because my default has always been to type maps.google.com and I find it weird every time it redirects.
A/B testing?
Living up to their name
Definitely been a while. Like, perhaps a year or more.
I'm in Asia btw.
Google has been prompting me with an Accept / Reject dialog on Maps and YouTube for years. It used to be split in several sections but luckily it became only two buttons a few months ago. I click reject and start mapping / watching.
Firefox containers to the rescue.
I've been using Mozilla's extension[0] that contains everything Facebook-related automatically with Firefox containers and it's been working great.
This morning I looked for a similar extension for Google and I've found this fork[1] of Mozilla's extension. It's working as expected so far but I'd love for it to be officially maintained by Mozilla at some point. There is an open issue about it[2].
[0] https://github.com/mozilla/contain-facebook
[1] https://github.com/containers-everywhere/contain-google
[2] https://github.com/mozilla/contain-facebook/issues/758
Mozilla probably gets too much money from google to do this
Probably the best tech we have against tech giants today. I mean, heavier solutions exist (like QubesOS), FF containers are so easy to use, I hope more people learn they exist.
Does it also contain permissions you give to a website? Will it block it if run within a container?
> Does it also contain permissions you give to a website? Will it block it if run within a container?
No.
How? Access to location will stick regardless if you use containers or not.
If you put all G-services in their own container, google.com/mail can't access google.com/maps cookies, so, will it also not track location. Not sure actually, they indeed probably store your "consent" on their server. Could you block location services per container perhaps?
Hmm this is a smart move indeed, all of a sudden I'm logged into G-maps whereas I wasn't before... FireFox helpfully opened google.com/maps in my Google container...
> google.com/mail can't access google.com/maps cookies, so, will it also not track location
google.com has now direct access to your location, it doesn't need any cookies.
But it "doesn't" know who you are if you have not logged in. Or do you mean that the permission isn't container-specific?
(Of course it can probably make a pretty good guess, just as well it could do before this change.)
Would be nice if you could spoof or block access to your location per FF container. I'll see if I can put in a feature request.
I noticed that Google Search itself has very recently become much more aggressive about asking for location permission. Coincidence, or is collecting more location data someone high up’s KPI for the year?
It's even worse with their iOS apps.
I've tried to avoid logging into my Google account on Safari on my iPhone because I am scared of them tracking me, but I also wanted to use the Google Keep app for sharing a shopping list with my partner.
But when you launch the Google Keep app, iOS asks you whether you want to allow the app to share data with "google.com". It turns out that there is no way to sign into the Google Keep app without also signing into Google in Safari! I don't know how this works, but it is horrible! If I want to use a Google app on my phone, I basically have to give them permission to track me everywhere!
> It turns out that there is no way to sign into the Google Keep app without also signing into Google in Safari!
If you're wondering why you're getting downvoted it's because this isn't true at all. I'm signed into (several) iOS google apps and my Safari browser is not signed into google.
Please tell me how!
All I know is that I was not able to sign into Google Keep without accepting the data sharing prompt, and I was signed into my Google account in Safari after logging into the Google Keep app. It was of course possible to sign out of Safari afterwards.
I don't know how to reproduce the issue. I've tried uninstalling the Google Keep app, to trigger the alert again, but when I reinstall the app it remembers my Google account!
I'm really surprised how hard it is to get these cookies or app preferences or whatever off my device after signing in once.
EDIT: It seems the Google Keep app stores my account in the iOS keychain and there is no way to delete the item from the keychain without deleting all data on the phone, so I can't reproduce the "new device" situation easily.
However, if I try to add a new account, I get the same dialog. It says something like (rough translation) "Google Keep wants to use google.com for logging in. If you allow this, the app and the website are allowed to share data about your person".
If I tap "cancel" in this alert, I can't log in.
So as far as I can tell, what I said is correct. Maybe it was different in the past, but this is what the situation on iOS 16 currently looks like.
Maybe they'll fix the ~5yo regression where a search for
no longer results in the obvious (and previous) behavior.Good observation! This is the only reason for this change. A very cunning workaround for the privacy barriers, but still within the legal bounds.
HN title "moderation" (ie, arbitrary ex post facto editing) is frankly infuriating. It doesn't add meaning, it removes it.
I think they probably did this for SEO. Having /maps on the root domain will help it rank higher in search.
This was a joke, but now I'm wondering if Google services are special cases that are hard-coded in the search results. Or are they just treated like normal websites and use the same pagerank algorithm as every other site? If I search for "maps", I see Google Maps at the top, and Apple Maps in second place, but they both look like regular website links.
Potentially a black hat SEO trick?
We might see Google services' rankings punished on Google from now on...
I already assumed this was the case to begin with, so I sold my soul even before it was up for auction.
This changed yesterday? What the hell? Don't you people know there's a freeze going on?
The chances are, geotracking or not google knows a lot about you and this just adds on to the data.
recently gmail.com became unreachable and was moved to mail.google.com dont know if its related
for me, gmail.com has been redirecting to mail.google.com/mail for a long time...
I'm wondering how much time browsers will take to implement URL match permission granting.
If that was the goal, google could simply &tbm=maps it further.
Nah, Google will never do it because url parameters have terrible SEO... Um wait
Now if someone could just update movies.google.com to point to literally anything else.
They did this with Gmail years ago. Same scheme, I warned everyone that gmail.com would change over to a google related domain, and it didn't take long. And I tried to explain how it meant every email could be directly related to your internet traffic.
"What do I have to hide?" was always the response...
I don't believe your alleged change happened. Gmail was hosted under google.com literally from the day it launched [0].
[0] http://googlepress.blogspot.com/2004/04/google-gets-message-...
It did, I watched it explicitly for this reason, but I guess unless it's documented somewhere, oh well. It was even googlemail.com for awhile.
Edit: It's possible my concern was the subdomain and my memory is off. It moved from a subdomain to a /gmail at one point (or something similar). That is when I swore off it.
What clearly recall is that there was something wrong, either it was how it did a redirect to google.com first and then back or shared cookies in a very sneaky way that alerted me. (I was building sites at the time and I was privacy conscience early on in my career)
Sure, this is what that Wikipedia page says:
> As of 22 June 2005, Gmail's canonical URI changed from http://gmail.google.com/gmail/ to http://mail.google.com/mail/.
As you can see from your own source, the canonical URL has always been under google.com, not under gmail.com.
Edit: the parent post was originally linking to https://en.wikipedia.org/wiki/History_of_Gmail, before being edited
Gmail.com was redirecting (still does) and that at the time sub-domains could share cookies with the main domain.
Therefore, gmail.google.com could track cookies and activity via google.com.
This has been fixed since then, so I think the memory of the internet is short and wouldn't understand how bad this was in retrospect.
(my previous edits: Yep, I didn't want to drag this out. My memory was off on something.)
It is for SEO. Maps product will ride on the widely used google.com domain. ;)
Now?
On my PC this is happening since years!
Yuck!
Any suggestions for an good open street maps app on iOS?
Offline capability would be a huge plus.
https://apps.apple.com/us/app/mapy-cz-navigation-maps/id4114...
Isn't Apple Maps that? They use openstreetmap in a lot of places.
Maybe they think the subfolder approach will help their SEO.
Now how long until they put ads under google.com/*
It looks like the result of the arm race with DNS based ad/tracker blockers. This move will for sure force the users to make a hard decision of "all or nothing".
If this ever was a race, it was always a losing one.
DNS-based content-blocker are woefully inadequate. I'd know since I co-maintain one and the barrage of complaints I get make it plenty clear where unaddressable limitations lie.
I am having a hard time figuring out how this would be affected by GDPR.
Does the GDPR care about the concept of apps and URLs? If not, all it matters is the person/company relationship.
The GDPR does care about different “purposes”, it’s not just about the person/company relationship.
I’m not a lawyer but my interpretation of this is that consent for Google to use location data for maps doesn’t allow them to use that same location data for email.
> Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them.
https://gdpr-info.eu/recitals/no-32
the GDPR cares about the rights the company asks for, how long it keeps it, does it need the rights for the purpose, does it give you an easy way to opt out of the rights collection and so forth.
If in order to not let all of Google have your location information you need to opt out of letting maps have your location information it might be a GDPR problem. Considering also that this was not a problem that people had before if indeed it is a problem now it might be taken as a wilful circumvention of GDPR.
Exactly. The consent was provided for the specific processing, not the TLD. The processing and all of those that are not incompatible with it, that it asked permission for that furthermore adhere to the requirements imposed regarding specific and informed consent in the GDPR (see Article 4, sub 11 GDPR and article 7 GDPR.
I don't use the maps.google.com URL anymore because, 99% of the time, I use the app. Whether it's the PWA desktop app on Windows, or the Android app on my phone, I just don't go to the website of Google properties anymore, I use them through an app and that doesn't expose a raw URL.
You guys are still using google and dreaming about working for them?!