- What: The Samsung Weather app uses saved locations to create a persistent, cross-session tracking identifier.
- Impact: The Weather Company's API can uniquely identify users across IP address changes, raising privacy concerns.
How a pre-installed system app turns saved locations into a persistent cross-session tracking identifier

Samsung devices ship with a weather application that issues periodic HTTP requests to The Weather Company's API (api.weather.com) at fixed intervals. Each request includes a placeid parameter - a 64-character hexadecimal string, consistent with a SHA-256 digest, that maps to a saved location in the user's weather configuration. The combination of placeid values across a user's saved locations creates a fingerprint that is effectively unique per device, persists across IP address changes, and is trivially observable by the API provider.

This is not a theoretical concern. Analysis of 9,211 weather API requests from 42 Samsung device owners over five days demonstrates that placeid combinations produce unique user identifiers in 96.4% of cases, with stability confirmed across the full observation window.

The placeid mechanism

The Samsung Weather app polls api.weather.com on a recurring schedule, requesting forecast data, air quality indices, and location metadata for each of the user's saved locations. Every request includes a placeid URL parameter:

```http
GET /v2/aggcommon/v3-location-point;v3alertsHeadlines;v3-wx-observations-current
    ?par=samsung_widget
    &placeid=49cf42bf46ce84e09f51aee5fd8530b0e2e692de76a8995d2c252e859e75a5bd
    &language=en-us
    &units=e
    &format=json
    &apiKey=793db2b6128c4bc2bdb2b6128c0bc230
Host: api.weather.com
```

The API responds with a JSON payload that includes the resolved location metadata:

```json
{
  "id": "49cf42bf46ce84e09f51aee5fd8530b0e2e692de76a8995d2c252e859e75a5bd",
  "v3-location-point": {
    "location": {
      "latitude": 22.774,
      "longitude": -102.573,
      "city": "Zacatecas",
      "adminDistrict": "Zacatecas",
      "country": "Mexico",
      "countryCode": "MX",
      "postalCode": "98000"
    }
  }
}
```

The placeid is a location-level hash, not a device-level hash. Multiple users who save the same city will transmit the same placeid value.
Of the 143 distinct placeid values observed in our dataset, 6 appeared in traffic from two or more distinct users - and where location metadata was available, the same placeid resolved to the same city and coordinates regardless of which device transmitted it (for example, b5e620e5b979... resolved to Xi'an, China and 0e5ac78ebe96... resolved to Washington, DC for every user who transmitted them). The remaining 137 values (95.8%) were unique to a single user. The hash is assigned server-side by The Weather Company's geocoding system; we were unable to reproduce any placeid from coordinates alone, including attempts using SHA-256 with the API key as salt.

Shared placeid values across users

Of the 143 distinct placeid values in our dataset, 6 appeared in traffic from two or more users. These shared values confirm that the hash is location-level, not device-level - the same saved city produces the same hash regardless of which device requests it.

| placeid (truncated) | Users | Resolved Location |
|---|---|---|
| b5e620e5b979... | 2 | Xi'an, Shaanxi, China (34.259, 108.947) |
| 0e5ac78ebe96... | 2 | Washington, DC, US (38.92, -77.04) |
| 05930a27a50c... | 2 | Casper, Wyoming, US (42.84, -106.32) |
| 56e8d585880f... | 2 | Antipolo, Rizal, Philippines (14.76, 121.04) |
| 5c09f84ce5a5... | 2 | (insights endpoint only - no location metadata returned) |
| d93c3e9d549a... | 2 | (insights endpoint only - no location metadata returned) |

For b5e620e5b979..., the API returned identical location metadata - Xi'an at 34.259/108.947 - for both users who transmitted it, confirming the hash resolves deterministically. The Washington, DC and Casper, Wyoming placeid values likewise resolved to consistent coordinates across the users who shared them. Three of the resolved shared values (05930a27..., 56e8d585..., 5c09f84c...) were transmitted by the same pair of users, indicating two devices with overlapping saved location lists.

The remaining 137 values (95.8%) were unique to a single user.
This low overlap rate - even in a small sample - illustrates why the combination of a user's placeid values is so distinctive: most individual locations are already rare, and any set of two or more becomes effectively unique.

By examining the v3-location-point response bodies across the full dataset, we resolved 44 placeid values to physical locations spanning the US, Canada, Mexico, China, Vietnam, Germany, and India. Two distinct placeid values mapped to Tacoma, WA at slightly different coordinates (47.250/-122.440 vs 47.156/-122.437), confirming that the hash incorporates sub-city-level precision. We also observed placeid values resolving to locations displayed in Chinese characters - Atlanta rendered as 亚特兰大, Houston as 休斯敦, Berlin as 柏林, Mumbai as 孟买, and Kelowna as 基洛纳 - indicating the hash encodes locale-specific location identifiers, not simply coordinates.

The fingerprint: combination uniqueness

A single placeid identifies a location, not a user. The fingerprint emerges from the full set of placeid values associated with a device's saved locations. When we aggregated each user's distinct pla...
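
The following Python is an added example, not code from the original analysis: it applies the measurement described above to a constructed capture, grouping placeid values per participant, listing the values shared between participants, and computing the share of participants whose complete set is unique. Grouping the same rows by client IP shows that the set does not change when the address does. The participant labels, IP addresses, shortened request path and the `fake_placeid` helper are assumptions made for illustration.

```python
import hashlib
import re
from collections import Counter, defaultdict
from urllib.parse import parse_qs, urlsplit

PLACEID_RE = re.compile(r"[0-9a-f]{64}")
PATH = "/v2/aggcommon/v3-location-point?par=samsung_widget&format=json&placeid="

def fake_placeid(tag):
    # Constructed stand-in: real placeid values are assigned server-side.
    return hashlib.sha256(tag.encode()).hexdigest()

# Constructed capture rows: (participant label, client IP, request target).
CAPTURE = [
    ("dev-A", "198.51.100.7", PATH + fake_placeid("city-1")),
    ("dev-A", "198.51.100.7", PATH + fake_placeid("city-2")),
    ("dev-A", "203.0.113.20", PATH + fake_placeid("city-1")),  # after an IP change
    ("dev-A", "203.0.113.20", PATH + fake_placeid("city-2")),
    ("dev-B", "192.0.2.14", PATH + fake_placeid("city-2")),
    ("dev-B", "192.0.2.14", PATH + fake_placeid("city-3")),
    ("dev-C", "192.0.2.99", PATH + fake_placeid("city-4")),
    ("dev-D", "198.51.100.60", PATH + fake_placeid("city-4") + "&placeid=not-a-hash"),
]

def placeid_sets(capture, key=0):
    """Group well-formed placeid values by participant (key=0) or client IP (key=1)."""
    sets = defaultdict(set)
    for row in capture:
        for value in parse_qs(urlsplit(row[2]).query).get("placeid", []):
            if PLACEID_RE.fullmatch(value):  # drop malformed values
                sets[row[key]].add(value)
    return dict(sets)

def set_fingerprint(placeids):
    """Order-independent digest of one saved-location set."""
    return hashlib.sha256("\n".join(sorted(placeids)).encode()).hexdigest()

def shared_placeids(sets):
    """placeid values that appear in more than one group."""
    seen = Counter(pid for ids in sets.values() for pid in ids)
    return {pid for pid, n in seen.items() if n > 1}

def unique_share(sets):
    """Fraction of groups whose complete placeid set matches no other group."""
    counts = Counter(set_fingerprint(ids) for ids in sets.values())
    return sum(1 for n in counts.values() if n == 1) / len(sets)

if __name__ == "__main__":
    print(unique_share(placeid_sets(CAPTURE)), len(shared_placeids(placeid_sets(CAPTURE))))
```

In the constructed data the two single-location participants collide while both two-location participants are unique, matching the point that a single placeid identifies a location and the set identifies the device.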