Google Promises Privacy With Virus App But Can Still Collection Location Data

An anonymous reader quotes a report from The New York Times: When Google and Apple announced plans in April for free software to help alert people of their possible exposure to the coronavirus, the companies promoted it as "privacy preserving" and said it would not track users' locations. Encouraged by those guarantees, Germany, Switzerland and other countries used the code to develop national virus alert apps that have been downloaded more than 20 million times. But for the apps to work on smartphones with Google's Android operating system -- the most popular in the world -- users must first turn on the device location setting, which enables GPS and may allow Google to determine their locations.

Some government officials seemed surprised that the company could detect Android users' locations. After learning about it, Cecilie Lumbye Thorup, a spokeswoman for Denmark's Health Ministry, said her agency intended to "start a dialogue with Google about how they in general use location data." Switzerland said it had pushed Google for weeks to alter the location setting requirement. "Users should be able to use such proximity tracing apps without any bindings with other services," said Dr. Sang-Il Kim, the department head for digital transformation at Switzerland's Federal Office of Public Health, who oversees the country's virus-alert app. Latvia said it had pressed Google on the issue as it was developing its virus app. "We don't like that the GPS must be on," said Elina Dimina, head of the infectious-disease surveillance unit at Latvia's Center for Disease Prevention and Control. Google's location requirement adds to the slew of privacy and security concerns with virus-tracing apps, many of which were developed by governments before the new Apple-Google software became available. Now the Android location issue could undermine the privacy promises that governments made to the public. Pete Voss, a Google spokesman, claims the virus alert apps that use the company's software do not use device location. "The apps use Bluetooth scanning signals to detect smartphones that come into close contact with one another â" without needing to know the devices' locations at all," reports The New York Times. "Since 2015, Google's Android system has required users to enable location on their phones to scan for other Bluetooth devices, Mr. Voss said, because some apps may use Bluetooth to infer user location. For instance, some apps use Bluetooth beacons in stores to help marketers understand which aisle a smartphone user may be in."

"Once Android users turn on location, however, Google may determine their precise locations, using Wi-Fi, mobile networks and Bluetooth beacons, through a setting called Google Location Accuracy, and use the data to improve location services. Mr. Voss said apps that did not have user permission could not gain access to a person's Android device location."

auto translate sucks

[Narcocide]

title flubbed you did

Re:

[billybob2001]

Meanwhile, in Soviet Russia, Location Data Collection Google.

First we stopped reading TFA
Then we stopped reading TFS
Now we can stop reading TFT

Maybe just deleting posts the other day was a test of making the whole thing more efficient?

Re: auto translate sucks

[BAReFO0t]

How is headline formed?
How MSMash get literate?

Re:

[bickerdyke]

How is headline formed?

A classic. Almost forgot about that one

A quote comes to mind...

[Cylix]

That’s just slavery, but with extra steps...

Re:

[Rosco P. Coltrane]

The choice is to get COVID or get Google. Quite frankly, I know which one I'd rather have, because at least with that one, you have a chance to avoid it with a simple paper mask.

Re:

[OrangeTide]

Sadly our fearless leader frequently gets the numbers wrong.

Winning the grand prize for a state's lotto? I surely hope that's far fewer than 1 in 100 people, else the prize might be around $50 instead of millions. Because .. math.

Re:

[kqs]

"Harmless to 99% of the population" seems to imply that those who were in the ICU for weeks and those who now have lifelong severe health problems were not harmed, which is a new and exciting definition of "harmless".

A privacy "promise"

[Sebby]

...from a privacy rapist [urbandictionary.com]..... oh boy, that just too rich!!!

Re:A privacy "promise"

[AmiMoJo]

Whoever wrote this doesn't understand what the location permission is or what it does.

When you allow an app to do Bluetooth scanning it requires the location permission because Bluetooth beacons can be used to do location. Same with wifi scanning, anyone with a database of wifi APs can use the ones in range to determine approximate location.

The Android OS doesn't need that permission because it's impossible to avoid collecting things that give away location, e.g. the ID of the cell tower currently connected to or the SSID of the wifi network in use. However it's only logged if you sign in to your Google account and allow location history to be saved, same as always. Nothing has changed, and installing a COVID tracking app does not give Google any extra information, and Google doesn't allow COVID tracking apps using the special API to record location data either.

This paranoid BS is just going to make take-up of these apps lower, leading to more deaths and more economic damage because idiots don't understand the technical issues they are panicking about.

Re:

[knorthern knight]

> Nothing has changed, and installing a COVID tracking app does not give Google any extra information,

I know this is Slashdot, but puhlease RTFA

> Since 2015, Google's Android system has required users to enable location on their
> phones to scan for other Bluetooth devices, Mr. Voss said, because some apps may
> use Bluetooth to infer user location. For instance, some apps use Bluetooth beacons
> in stores to help marketers understand which aisle a smartphone user may be in.

> Once Android use

Re:

[aaarrrgggh]

BLE has a minimal impact on battery life, and would be used unless you have an older phone.

GP is right— this is all about Bluetooth location services. Not a big deal.

Re:

[AmiMoJo]

The author of the article is confused. They are incorrectly paraphrasing what Voss said.

You need to give the app the location permission in order for it to be able to scan for Bluetooth devices, because location can be inferred from Bluetooth beacons. That does not mean you need to turn on location tracking, or send that information to Google, or agree to have Google process it (as required by GDPR) or anything like that.

It's all opt in separately, as required by law.

I've been using the German app on my pho

Re:

[gnasher719]

This Mr. Voss is an official Google spokesman, so this is not conspiracy bullshit. In addition to enabling Google to track you, Bluetooth and GPS/location-services drains your battery like crazy.

I read what Mr. Voss said, and that was then totally misinterpreted.

You have separate permissions for location services, bluetooth, and the API for detecting nearby phones. The API uses bluetooth, but only a very limited portion of bluetooth, and therefore doesn't need permission to use bluetooth. And therefore it doesn't need location services.

What Voss said was about how bluetooth and location services work together. Since you don't need either of them for the API, this _is_ conspiracy bullshit. A s

Re:

[guruevi]

Nope, the complainant is right, you need to enable broad location services to enable BLE on Android which includes GPS.

There is no fine tuning to only allow access to BLE only, like Apple does. BT permission = GPS permission according to Google, primarily because the radio access is shared so you need access to the underlying hardware regardless.

The problem does not lie immediately in the app design, it's what the app redirects you to, if it redirects you to an online page (as many of these health apps do),

Re:

[kqs]

The reasoning is "if you can scan for Bluetooth, then you can get location to a disturbingly small margin in much of the world. Therefore we tie Bluetooth and GPS into a single Location setting."

So it sounds like you are happy that Apple allows effective location tracking even if you have GPS disabled, and think Android's honesty is a bug. I'm gonna have to agree with Google on this one.

Re:

[sacrilicious]

This paranoid BS is just going to make take-up of these apps lower, leading to more deaths and more economic damage because idiots don't understand the technical issues they are panicking about.

Calling people words like "paranoid" and "idiots" makes it appear that you're trying to shame them into going along with your point of view.

It sounds to me like there are two very real issues here. One of them (if I'm guessing correctly from the slashdot summary coupled with your reply) would be that permission granularity on Android is essentially too coarse, because it doesn't differentiate between bluetooth perms and gps perms. That makes it impossible for users to be assured from a permissions-grant

Re:

[Okind]

[Android permissions make] it impossible for users to be assured [...] that gps isn't being used to track their location. [...]For a company that has done obscenely privacy-invading things constantly over its entire history, this is at a minimum a huge impediment to gaining user trust at a time when it's arguably most needed.

This is the most important problem: TRUST.

Advertising platforms, including Google & Facebook, are not just analysing your behaviour at a site, they're following you around everywhere. To me, this is stalking, and I view it with the same loathing as stalking by perverts (the only difference being the danger to my body). They have NOT earned my trust.

Re:

[AmiMoJo]

I'm trying to shame people into not publishing BS that makes COVID-19 worse for all of us unnecessarily.

You are making the same mistake as the author of the article. It's not Google requesting this permission. Accepting it does not send any information to Google.

Re:

[Aighearach]

You don't understand the concern, that doesn't mean it isn't real. It means you don't understand it.

It means your opinion has no value.

Re:

[swillden]

permission granularity on Android is essentially too coarse, because it doesn't differentiate between bluetooth perms and gps perms

That's not "coarseness", it's correctness. Android could separate those things into different permissions, but that would be actively misleading because most users don't realize that if they allow an app to use Bluetooth but not GPS, that app could still track their location. This is why using BT, Wifi or GPS requires the ACCESS_FINE_LOCATION permission, because all can narrow the device location down to a few meters. There is also ACCESS_COARSE_LOCATION, which uses cell tower triangulation and can only pro

Re:

[Aighearach]

No. That is coarseness.

Pro tip: Continental is not an English dialect.

Re:

[sacrilicious]

Exactly. [Bluetooth's location-revealing capabilities are] why BT does and should require ACCESS_FINE_LOCATION.

I agree that both gps and bluetooth can deduce location. The mechanism by which it's done differs, and IMO has arguably enough nuanced difference in implication that splitting out the permissions could help users make more informed choices about what they're enabling; for example, gps enables "constant map of where I am at all times", whereas bluetooth enables "intermittent map of my location depending on somewhat unpredictable factors". But the larger point here is that some people claim that idiots (not

Re:

[sacrilicious]

typo: bluetooth CAN reveal your location (which I think is clear enough from context, but typos bother me.)

Re:

[kqs]

I agree that both gps and bluetooth can deduce location. The mechanism by which it's done differs, and IMO has arguably enough nuanced difference in implication that splitting out the permissions could help users make more informed choices about what they're enabling;

Most people I know would say "I set Location Tracking off but my app tracked me to within a few meters with bluetooth, so Google lied." Do you disagree with this? I'm a fan of nuanced differences, but permission settings for the general public must be appropriately granular, defensive, and well named. Which means that nuanced differences are out.

Re:

[sacrilicious]

Most people I know would say "I set Location Tracking off but my app tracked me to within a few meters with bluetooth, so Google lied." Do you disagree with this?

It's correct to say that tracking via wifi/bluetooth proximity is very different from GPS tracking. If you want this demonstrated, try navigating in your car with your GPS off and wifi/bluetooth proximity enabled. You won't get where you're going.

But it's also accurate to say that wifi/bluetooth tracking provides lots of tracking data. When you're within X feet of a basestation or beacon, you can be localized to that basestation (where X is ~300 feet for wifi and ~30 feet for bluetooth). And if you co

Re:

[kqs]

The telcos track all cellphones at all times.

If someone wants to take some measure of control, they need to get off the grid. I'm here to point people that direction.

So you are telling people that the only way to not be tracked is to throw their cell phones away? I agree, actually, but in that case, nuanced messaging is still out, so I'm not understanding your point. You were arguing for nuance before, and now for absolutism...

Re:

[sacrilicious]

I have many points at various times. :)

[Are you] telling people that the only way to not be tracked is to throw their cell phones away?

I'm advocating for people to be aware of the real tradeoffs. To someone who doesn't mind being tracked, I would say perhaps that person shouldn't throw their phone away. If someone DOES mind being tracked, there are still other options. One very simple one: keep your phone off when not calling. Going further, make calls over SIP from a non-SIM'd tablet or computer, carry a hotspot with you in case you absolutely need to make calls when not at home, work, or coffee

Re:

[Aighearach]

That makes it impossible for users to be assured from a permissions-granting point of view that gps isn't being used to track their location. Google may claim they're not using gps, and maybe they're not... but who knows?

Me! I know this one!

If they asked for the permission, they're using the data. If they designed the permission system to require you to accept excess permissions, then they're doing it twice and a bunch of other shady stuff too.

The way you protect private data is by protecting access. Once you give away access, that access will be used.

Re: A privacy "promise"

[Jerry Atrick]

That access to bluetooth beacons implies you could use bt for location is no justification for insisting an app gets comprehensive access to all location services. This is at best lazy permission handling from Google, the permissions system is perfectly capable of warning about unexpected consequences at the point of granting permissions. They could have warned about the tracking possibility without demanding permission to help miscreants actually do it.

Re:

[AmiMoJo]

I take your point, I guess they decided that from a user's point of view they wanted to keep it simple, not "this app may track you using Bluetooth beacons but not the GPS" which would just be nonsense to many people.

Re:

[guruevi]

No, Google Android has no differentiation between BT and WiFi and GPS permissions. Because in Android, the radio system is shared, you have to give the app all-or-nothing. The app or a malicious actor could redirect you to a page in its browser window with the GPS location JavaScript.

NHS does request GPS location through their app when reporting a case.

Re:

[AmiMoJo]

The NHS can't request GPS because there is no GPS permission. There is a location permission that covers all kinds of location sensing.

That's the only way that makes sense. Thinking you turned off GPS tracking but in fact gave them even more accurate location data via Bluetooth beacons would be even worse.

Re:

[guruevi]

The NHS Android app requests ACCESS_FINE_LOCATION (precise GPS coordinates) permissions and ACCESS_BACKGROUND_LOCATION (Always Tracking)

https://github.com/nhsx/COVID-... [github.com]

As I explained elsewhere, some of the pages it requests through its WebView have JavaScript that do request GPS coordinates and I'm assuming future updates may introduce more detailed GPS tracking. The path in the WebView is currently made whenever you submit your cases.

Re:

[kqs]

No, Google Android has no differentiation between BT and WiFi and GPS permissions. Because in Android, the radio system is shared, you have to give the app all-or-nothing.

On my computer, I can give a program permission to talk to some network locations but not others. Yet, all those locations use the same shared ethernet system! I bet that you are amazed that I have this wonderous technology that clearly Google has never heard of!

No, the reason that "Location Tracking" is tied to BT, GPS, and WiFi is not that Google cannot figure out how to distinguish access to hardware. (Why would you even think that?) It's because all of those can, in many cases, give fine-grained loc

Re:

[swillden]

This is at best lazy permission handling from Google, the permissions system is perfectly capable of warning about unexpected consequences at the point of granting permissions. They could have warned about the tracking possibility

That approach was considered and rejected because users rarely read such warnings, and generally don't understand them when they do. Keep in mind that approximately 50% of the human race uses Android, which means that the security decisionmaking it delegates to users has to assume the lowest common denominator.

It's better to say "This app wants to track your location" rather than "This app is wants to use garbledyflook technology which mostly isn't used for tracking your location but could absolutely be u

Re:

[AmiMoJo]

It's worth pointing out that if you do want fine-grained control of this permission it's there in Settings->Location.

That's a good compromise. Simple prompt for most users, advanced settings for power users.

Re:

[guruevi]

This is the same BS spouted by the NHS when I complained on their app design.

The problem is that once you allow GPS location, it stays enabled, and some of the pages the NHS accessed through their apps was not built-in but online and requested a GPS location through JavaScript (with the option to fill in a UK postal code if your browser does not allow) so it DID pass the GPS location to the NHS even though their app states it wouldn't.

This is a piss-poor design that Android has problems with.

Re:

[AmiMoJo]

The author of the article is complaining about Google getting location data, which this permission does not do.

Of course if you give an app the location permission it can get your location. You must trust it not to if it says it won't. There is no way around that, you can't just give it Bluetooth receiving permission because that gives away your location. Saying "Bluetooth tracking is okay, GPS is not" is daft, they both do the same thing and Bluetooth is arguably worse as it was designed to follow you arou

Re:

[guruevi]

For Android:
To access the hardware identifiers of nearby external devices via Bluetooth and Wi-Fi scans, your app must have the ACCESS_FINE_LOCATION or ACCESS_COARSE_LOCATION permissions

For iOS CoreBluetooth permissions and Location Services are handled separately, with various subclasses of location permissions, including, In Use, Always and even has features for calendared time limits or only in a specific location (geofencing)

Re:

[AmiMoJo]

Android has in use and always options as well. If iOS let's you allow Bluetooth scanning without warning you that it's also enabling location data too then that's a flaw.

Re:

[msauve]

"Whoever wrote this doesn't understand what the location permission is or what it does...When you allow an app to do Bluetooth scanning it requires the location permission because Bluetooth beacons can be used to do location."

Whoever at Google made that decision is an idiot. You can't give an app which wants to do Bluetooth (or WiFi) scanning permission to do so without also giving access to GNSS. It should be separate BT/WiFi permissions, and pop up a warning about the potential to use those for tracking

Re:

[AmiMoJo]

What benefit would having separate Bluetooth and GNSS permissions be?

Sounds like the waitress in that Monty Python sketch. It's a choice between spam or more spam. Tracking or even more tracking.

If you don't trust the app with your location then don't use it.

Re:

[msauve]

It's way easier to simply use GNSS to track location directly, anywhere. BT/WiFi scanning requires access to some database, and even then it's spotty. If I'm in the middle of the woods, I don't care if an app can figure out that I'm in the same location as my BT headset, but I might not want it to track me with GNSS.

Anything with media access (i.e. photos) also has potential to do location tracking - hey, there's a new photo, let's check the EXIF data to see if there are coordinates (which, BTW, is the def

Beau, are you a scipt?

[TigerPlish]

That is *the* singularly worst headline /. has *ever* written, since I made my account in 1999.

Go back to school. Oh my god.

Re:

[bobstreo]

That is *the* singularly worst headline /. has *ever* written, since I made my account in 1999.

Go back to school. Oh my god.

I was hoping /. would spend the $10 or $20 to script getting rid of dupe posts, but NOOOOO, they had to go Full Retard on a headline generating script.

Re:

[kqs]

Bah, this one isn't even in the bottom 10. How many headlines have talked about a new release of some obscure software package, whose name is unknown to 99% of slashdot but is composed of otherwise reasonable english words? How many have use the common headline tactic of dropping small words, meaning we have no idea of which noun is acting on which other noun in some subordinate phrase? This one just confuses "collection" with "collect"; this is amateur hour.

Damn

[Powercntrl]

For a moment there I thought Google dropped the pretense and is finally calling their snooping spyware for what it is... a virus. There’s a Matrix joke in there somewhere.

“I'd like to share a revelation that I've had during my time here. It came to me when I tried to classify your software and I realized that it’s not actually applications. An application by its very nature performs useful functions and is not malicious towards its user...”

Re:

[MadMaverick9]

Guess who is the faggot.

You are! Since you do as you're told by big companies and billionaires.

You! Bend over and get fucked in your ass by google et al.

If you have not experienced at least a few things that the parent anonymous coward talks about, then you are clueless.

Re: My daily experiences with the modern Internet:

[BAReFO0t]

But what if it's his fetish? ;)

Too softcore for me, but there you go ...

Re:

[MadMaverick9]

And this for you, you anonymous coward!

You are a Coward!

Because you keep posting this stuff, but you do not engage in a discussion and at least try to talk about how we can fix this shit.

Re: My daily experiences with the modern Internet:

[BAReFO0t]

He feels helpless and it feels like an impossible task, or he would not post this, I think.
I mean, who can blame him? Planet Of The Tards.
I'm mostly with him, but I know the plight of trying to engage people to do something very well.

It can be summarized by this: https://youtu.be/XCGkVyyDOcU [youtu.be]

-1 Incoherent

[Tailhook]

Reading was failed and worked twice.

Google Promises Privacy

[fustakrakich]

Oh murrrrder! Everybody's a comedian!

Hope they don't quit their day job...

Re: Google Promises Privacy

[BAReFO0t]

Promises != does.

You've dabbed in politics before? ;)

Or is this why "people" keep voting for the same two parties again and again like fuckin goldfish?

A subjectivve opinion..

[malkavian]

But I still think of this the same way I did all the other contact tracing apps.
Yes, it may fall foul of regulatory restrictions _that were created before this happened, and had no edge case in for 'societal meltdown protection'_.

The purpose of this app is to help save lives. Period. It collects data to do that. If they've flubbed and gone too far, then remedy that with a point release or corral that data into an oversight area where it's accessed only for the purpose of contact tracing (this is actually highly valuable data for that purpose that's being collected).

It's the same kind of scaremongering that I've been seeing about all kinds of things (woefully, there's a protest against wearing masks to prevent other people getting infected by you if you have COVID, and I keep thinking, are they going to protest having to breathe oxygen next?).
Yes, there's some intrusion, but every person at your locations could provide that data that you were there. This makes it faster and easier to save lives in this current climate.
If there's an attempt to keep this running when things are well in control, then yes, I'd resist, and push for normal condition regulation (and this app would be off my phone in a trice).

Essentially, I see this as a reasonably basic risk assessment. On the one hand you have a biohazard that will spread and kill unless contained and tracked (and there is this tool that lets you do that). On the other hand you have the ephemeral law that says "you have a personal right to privacy".
My personal stance is that I'm quite happy temporarily lapsing an ephemeral privilege to help ensure that I don't accidentally kill lots of people.

Re:

[_merlin]

They aren't talking about the app per se. They're talking about the way location service is implemented on Android. Just by turning location services on, you allow your Android device to send location data, WiFi SSIDs, Bluetooth MAC addresses, etc. to Google. The location API in current Android (since KitKat IIRC) is implemented by Google Play Services, so all applications that use location data get it via Google Play Services. The only way to avoid this is by using a reimplementation that isn't tied to

Re:

[swillden]

They aren't talking about the app per se. They're talking about the way location service is implemented on Android. Just by turning location services on, you allow your Android device to send location data, WiFi SSIDs, Bluetooth MAC addresses, etc. to Google.

This isn't true.

Turning on location services enables your device to determine your precise location, but doesn't enable sending any location information (or the other bits you mention that could be used to derive location) to Google. If you use apps that request location data and you grant them that permission, then those apps can get location data. This includes Google apps with that permission. If you go to web sites with your mobile browser that request location, and you grant it, then those web sites

Re:

[AmiMoJo]

Just by turning location services on, you allow your Android device to send location data, WiFi SSIDs, Bluetooth MAC addresses, etc. to Google.

That is not true. There are fine-grained settings to control this behaviour.

Go to Settings, Location. First note the "Wifi and Bluetooth scanning" setting. Here you can enable or disable using wifi and using Bluetooth for location separately.

Secondly note the "Advanced" section. Open that and you will see "Google Location Accuracy". If you enable that then the phone will send details of nearby wifi and Bluetooth devices to Google servers in return for location information. If you disable it then your phone

Re: A subjectivve opinion..

[BAReFO0t]

No, its point is to save *human* lives!

On a planet that is on the verge of meltdown into an apocalyptic wasteland. Caused by human overpopulation. Caused by short-sighted selfish overvaluation of humanity by itself.

To keep breeding humans and saving humans, at least above ~500 million, is being in denial, willfully ignorant, suicidal for the entire planet, and utterly heartless.

I would have chosen (and in fact, for me, did choose) to use contraception and not make any more humans. You people decided not to!

Re:

[drinkypoo]

(Germany already basically achieved that, but for some reason sees it as a bad thing, rather than a healthy natural reaction to overpopulation.)

There's only one reason why people see negative population growth in their country as bad, and it's racism. Because if you need more people, you can always get them from someplace that has too many of them, but that would dilute their precious purity.

Re:

[bickerdyke]

Nah. There's two reasons. The other one boils down to the capitalistic "Growth is essential. Growth is better. Always"-Mantra. Negative Growth is losing, and who wants to lose something!

But if you look in detail, there is an actual point to this. Pensions largely come out of income taxes(*) and that requires more people having jobs than people retired. Of course the keyword is "having jobs" as compared to having people in your potential demographic workforce..

(*) mandatory insurance to be exact, but tax-lik

Re: Does anyone anywhere still believe google?

[BAReFO0t]

That clause always was a lie anyway.

Advertisement is hostile manipulation with the intent of getting you to make a sub-optimal choice, aka fraud, aka ecil, by definition.

And profit already is evil by definition too. Non-evil income is called "earnings". And defined by one getting something back of equal value. (Like work or its product.) Aka the backbone of a healthily balanced market. The part where you got nothing for, in the spirit of theft, robbery and usury, is called profit.

AOSP itself cannot be calle

Funny Title

[NoWayNoShapeNoForm]

The use of "Google" and "privacy" in the same sentence - positively entertaining - and truly sad at the same time.

Re: Funny Title

[BAReFO0t]

Why, "Google abuses privacy" , "Google destroys privacy" and "Google hates privacy" are perfectly good headlines! :)

Idiots

[richi]

Neither Cecilie Lumbye Thorup, nor Dr. Sang-Il Kim, nor Elina Dimina understand what they're talking about. You can disable Android location services without disabling the Bluetooth proximity detection. Their confusion is about the location permission, not the location service itself.

(Anyway, if you don't want Google to know where you are, why the hell would you carry around an Android phone?)

Re: Idiots

[BAReFO0t]

Because you have no choice?

I have only $100-200 and a working brain.
So an expensive-yet-slow open-fair-whatever phone or an iPhone are simply not a choice.
And no, there is no LineageOS for it. Or none with basic functionality working.

Thanks for that, by the way, ya fuckin luddites!

No need to turn it on!

[BAReFO0t]

I specifically remember reading here, that Google could use GPS and wifi to determine your location with GPS off too!
Something about it not really being off, but special Google apps having the privilege to turn it on while keeping it showing as off, for certain reasons.
And that that is where those precise statistics about which shop is frequented how much on what day come from.
Can anyone find that article?

Re:

[bickerdyke]

It's easier than that. Together with an online service, location can be determined with WiFi alone. Or Bluetooth alone. No need to magically activate GPS without activating it.

And that's the reason why activating one of those requires asking for location permission.

Re:

[AmiMoJo]

Just look in Settings->Location->Wifi and Bluetooth scanning.

You can enable or disable it as you choose. Both are useful for navigating inside buildings, for example I've used it to get around underground train stations with Google Maps.