Tuesday, October 20, 2009

Privacy, Firefox Geolocation, Google Location Service

I vaguely knew there was something like a W3C Geolocation API, had earlier read about the Google Gears Geolocation API, figured Yahoo had some Geo Technologies.

I had heard this works on recent mobile devices with built-in GPS, or exploiting cellphone network antenna/network triangulation, with the built-in browsers hooking into the mobile OS and exposing this information, but had always assumed that at home on a lapotp with a classic browser this wouldn't apply - how could it?

Then I stumbled upon the Geolocation support built-into Firefox 3.5, and unsuspectingly clicked "Give it a try!" on the Mozilla.com test page, and... WTF, HOW DO THEY KNOW MY EXACT ADDRESS?? I live on a small street, and just looking at the map there is no doubt that "they" know the exact street - not just the area. (They being Google here, as "Firefox gathers information about nearby wireless access points and your computer’s IP address. Then Firefox sends this information to the default geolocation service provider, Google Location Services, to get an estimate of your location.")

Now, IP-based Geolocation is old news, you could figure out "geolocation" years ago by looking at the DNS names of the router hops shown by a traceroute, but unless my ISP in Switzerland shares details about their network topology with Google, how did this now get to street-level granularity?!

I know more recently there is this WiFi and cellphone tower triangulation stuff, but unless I'm totally not getting it, Firefox could only know my home WiFi SSID, so what? Or I guess may be it can ask the OS for the names of all access points currently being picked up, but still, it's a residential area, they're just neighbors, "they" couldn't have geolocation data on all of them?! And even so, WiFi SSIDs aren't exactly GUIDs..

Now generally speaking I am not a privacy maniac (e.g. I didn't quite "get" the surprising reactions in Switzerland when Google Street View came online recently; that's all already in public anyways!), but here I got... I don't know. Yeah yeah, Firefox respects my privacy and there is this toolbar thingie asking every time if I really do want to share my location... but isn't it still a bit... you know, scary?

PS: Curiously, the German version of that same Mozilla page thinks I'm in "Zurich" (I'm actually about 200km away from it!), and once I visited that even the English page forgot what it first knew, and also said Zurich. But a browser restart and visiting the English page again returns its 007 insight I first noticed. For a moment I suspected that may be Google is simply exploiting my account cookie (which wouldn't be very "location" aware at all), but a test where I logged out of Google and then went to the Mozilla page showed that probably it's got nothing to do with that.

PPS: After having already posted the above, a test/idea occurred to me: I completely switched off the WiFi on the laptop that I'm trying/writing all this from, and got a good old ethernet cable out of the drawer and plugged that into the ADSL router at home. Interestingly, it thought I was in Zurich again! (I noticed you have to best restart the browser for such tests, but then it's definitely repeatable.) So apparently this IS based on WiFi names then (really just SSID names, or do "they" have any other more GUID-like info available??), not simple IP-based location tracking. So "somebody" presumably drove by here, detected/measured and mapped out my and our neighbours access points, and recorded all this in one fr%*#ing global DB?? This is crazy!


Blogger Claude Vedovini said...

May be they are recording the SSIDs at the same time they they pictures for Street View...

20 October, 2009 11:14  
Blogger Phil said...

Very scary! Thanks a lot for this interesting insight!


20 October, 2009 12:38  
Blogger Michael Vorburger.ch said...

A friend pointed to the Geolocation API Network Protocol, which shows that this approach sends a list of MAC addresses of detected surrounding WiFi nodes... that sure makes a pretty powerful set of GUIDs!

20 October, 2009 18:50  
Blogger mac said...

Hi Michael... actually the way this stuff works is explained in the page you linked in your post!

For what is worth - anyhow - it does not work at all under linux (ubuntu 9.04)... the throbber spins and spins and spins... but nothing happens.

Cheers! :)

25 October, 2009 21:01  
Blogger Kai Kreuzer said...

It's actually much worse than you think - it's not Google collecting data by driving through the streets, but it's the smartphone users collecting all this data (most of them unknowingly): Every i- and Android-Phone is used for this; every now and then the current GPS-location is sent to Google/Apple/whomever together with the available SSIDs and their signal strength (and cellular network cell information on top).
All this ends up at Skyhook Wireless in Boston, who calls this a "self-healing mechanism" for their XPS service...

If you want to know more about this, you should watch CCC-TV :-)

19 January, 2010 18:33  

Post a Comment

<< Home