Some wireless access points have a fixed IP over time, which lets IBM reasonably predict "anyone coming from ipaddr X is probably using wifi Y which is provably at lat/long Z" with sufficient levels of certainty.
This probably works better with "My Home AP Uses A Cute Name That's Hilarious" if your IP rarely changes and you have other software leaking data to IBM, but less well for "xfinitywifi".
In order for that to work in the way I am imagining, it would be necessary for the SSID to be available and correlated to access point's IP address. While this could be performed by wardriving open WIFI networks, it would be harder to gather this on a protected network.
Again, I'm not an expert here, and would be happy to learn more about whether this sort of data collection is possible.
edit: this is quite an interesting rabbit-hole I've stumbled into. It seems that there are databases correlating SSID to location, but aren't collecting IP addresses of those networks:
If you have a static IP address at home, that IP address can be searched in public geolocation databases online. Try it. It will list a number of possible physical addresses.
That's available freely on the web. Hedge funds and others buying data from IBM can buy data from higher quality sources, including wireless carriers, financial institutions and data brokers.
Long-lived DHCP leases work. There are many examples, try the client IP addresses from the headers of emails that you receive. Geolocation dbs are not magical, but they are often close enough for practical use.
This probably works better with "My Home AP Uses A Cute Name That's Hilarious" if your IP rarely changes and you have other software leaking data to IBM, but less well for "xfinitywifi".