Wi-Fi

Google's Web mapping can track your phone

In an exclusive story on CNET News.com, Declan McCullagh reported that Google is publishing the estimated location of millions of iPhones, laptops, and other devices with Wi-Fi connections turned on.

Here's an excerpt from CNET News blogger Declan McCullagh's story about Google's Web mapping of mobile devices:

Android phones with location services enabled regularly beam the unique hardware IDs of nearby Wi-Fi devices back to Google, a similar practice followed by Microsoft, Apple, and Skyhook Wireless as part of each company's effort to map the street addresses of access points and routers around the globe. That benefits users by helping their mobile devices determine locations faster then they could with GPS alone.

Only Google and Skyhook Wireless, however, make their location databases linking hardware IDs to street addresses publicly available on the Internet, which raises novel privacy concerns when the IDs they're tracking are mobile. If someone knows your hardware ID, he may be able to find a physical address that the companies associate with you--even if you never intended it to become public.

Tests performed over the last week by CNET and security researcher Ashkan Soltani showed that approximately 10 percent of laptops and mobile phones using Wi-Fi appear to be listed by Google as corresponding to street addresses. Skyhook Wireless' list of matches appears to be closer to 5 percent.

Declan explains how the Web mapping works:

Wi-Fi-enabled devices, including PCs, iPhones, iPads, and Android phones, transmit a unique hardware identifier, called a MAC address, to anyone within a radius of approximately 100 to 200 feet. If someone captures or already knows that unique address, Google and Skyhook's services can reveal a previous location where that device was located, a practice that can reveal personal information including home or work addresses or even the addresses of restaurants frequented.

This is Google's response, from a statement:

"We collect the publicly broadcast MAC addresses of Wi-Fi access points. If a user has enabled wireless tethering on a mobile device, that device becomes a Wi-Fi access point, so the MAC address of such an access point may also be included in the database. Wi-Fi access points that move frequently are not useful for our location database, and we take various steps to try to discard them."

For more details, including company responses and one way to filter out mobile MAC addresses, read Declan's entire post in his CNET News.com Privacy Inc. blog.

What is your reaction to this story? Do you agree with security researcher Soltani that the real problem is that there's "zero transparency" about how this crowdsourced data collection works and how people can opt out of it?

Also read:

Mobile privacy flap take two: Starring Google, Skyhook, GPS Act (ZDNet)

Google knows where you've been and they might be holding your encryption keys (TechRepublic)

Disclosure: CNET News and ZDNet are TechRepublic sister sites.

About

Mary Weilage is a Senior Editor for CBS Interactive. She has worked for TechRepublic since 1999.

10 comments
Cell Phones
Cell Phones

Im loving it. Google is changing itself alot in social media, networking and alot. keep it up Thank, Brett cellphonesattraction.com

sanjaimatew
sanjaimatew

I wish somebody could locate my stolen laptop.

fiosdave
fiosdave

Of course, MAC addresses can be spoofed. We used to do that all the time when replacing defective hardware without having to make many modifications to software, HOWEVER, I don't think that the individual visiting a nefarious massage parlor on a regular basis wants his (or her) location known! As the technology improves, the resolution gets finer and these databases can be filtered ever so quickly... In this job market, many businesses would dearly like to know who is visiting local bars, cancer clinics, and any other establishmwents that could point to a current or prospective employee's physical or mental health status. I do not think this is overblown. It is being done today on a smaller scale, but just watch how soon it scales UP!

emoyer
emoyer

They are improving the GPS location so it is more accurate. Besides the data they are using they have your permission to get you agree to the terms when you use the map service. I have a problem with a company that collects all your info and keeps track of where you have been. (Apple) Without informing you that is is being done. The big thing to remember is keep your WiFi off if you are not using it.

rjones
rjones

Calm down people! Think about what's been reported. 1) Google is publishing a List of MAC addresses and locations. NOT a list of Names and addresses. 2) The list is filtered for MAC addresses which consistently appear at the same location - i.e. static routers / WiFi access points. 3) A Cell phone's MAC address will only be picked up if it is being used as a mobile access point. Market research shows only a small percent of users actually have this configured (well under 10%) - mostly because it eats battery life. So put that lot together and you get are far less appealling story form a journalistic perspective: "millions of iPhones, laptops..." becomes ."a few hundred thousand". That's being generous since the "millions of..." number included ALL wifi devices. So more likely the true figure for mobile phones is in the 10's of thousands - or A LOT LESS THAN 1% of phones. Also don't forget that Google tries to filter out those MAC addresses which don't appear in same location consistently, so a cell phone's MAC address will only get included if the owner habitually stops in tha same location for extended periods. Second claim about "...getting home or work addresses or even (shock-horror) the restaurant that you last visted". Google has the MAC address and a location at which it was recorded, NOT a home address. So the "Bad Guy" would need to obtain a list of MAC address Vvs registered address of the MAC owner from somewhere else - e.g. the mobile phone companies billing database - they are pretty hot on security for that stuff. So the "Bad Guy" would have to work pretty hard to get that sort of information. But that doesn't sound as good as implying that once the "Bad Guy" has got your MAC address from Google's public database, they have your name rank and serial number as well. YES OF COURSE everything that is claimed in the article COULD be done, but it is a LOT more effort than is being implied. It seems to me that the article's appeal relies on it's readers not really understanding what's being reported. I'm just waiting for some politico to jump on the band wagon and demand that MAC addresses should be banned ;-)

Spitfire_Sysop
Spitfire_Sysop

Once the hobby of noob hackers around the globe is now a corporate mission?

bboyd
bboyd

Good Intentions, the road to hell is paved with them.

TheShawnThomas
TheShawnThomas

I am so tired of these companies thinking they can just take away my privacy just because they can...

bboyd
bboyd

Kind of like bittorrent style wardriving. Cool, Yes! Evil, Maybe? Happening, whether we like it or not.

Spitfire_Sysop
Spitfire_Sysop

I use my telephone for making phone calls. Imagine that.