Google's Web mapping can track your phone

In an exclusive story on CNET, Declan McCullagh reported that Google is publishing the estimated location of millions of iPhones, laptops, and other devices with Wi-Fi connections turned on.

Here's an excerpt from CNET News blogger Declan McCullagh's story about Google's Web mapping of mobile devices:

Android phones with location services enabled regularly beam the unique hardware IDs of nearby Wi-Fi devices back to Google, a similar practice followed by Microsoft, Apple, and Skyhook Wireless as part of each company's effort to map the street addresses of access points and routers around the globe. That benefits users by helping their mobile devices determine locations faster than they could with GPS alone.

Only Google and Skyhook Wireless, however, make their location databases linking hardware IDs to street addresses publicly available on the Internet, which raises novel privacy concerns when the IDs they're tracking are mobile. If someone knows your hardware ID, he may be able to find a physical address that the companies associate with you--even if you never intended it to become public.

Tests performed over the last week by CNET and security researcher Ashkan Soltani showed that approximately 10 percent of laptops and mobile phones using Wi-Fi appear to be listed by Google as corresponding to street addresses. Skyhook Wireless' list of matches appears to be closer to 5 percent.

Declan explains how the Web mapping works:

Wi-Fi-enabled devices, including PCs, iPhones, iPads, and Android phones, transmit a unique hardware identifier, called a MAC address, to anyone within a radius of approximately 100 to 200 feet. If someone captures or already knows that unique address, Google and Skyhook's services can reveal a previous location where that device was located, a practice that can reveal personal information including home or work addresses or even the addresses of restaurants frequented.

This is Google's response, from a statement:

"We collect the publicly broadcast MAC addresses of Wi-Fi access points. If a user has enabled wireless tethering on a mobile device, that device becomes a Wi-Fi access point, so the MAC address of such an access point may also be included in the database. Wi-Fi access points that move frequently are not useful for our location database, and we take various steps to try to discard them."

For more details, including company responses and one way to filter out mobile MAC addresses, read Declan's entire post in his CNET Privacy Inc. blog.

What is your reaction to this story? Do you agree with security researcher Soltani that the real problem is that there's "zero transparency" about how this crowdsourced data collection works and how people can opt out of it?

Also read:

Mobile privacy flap take two: Starring Google, Skyhook, GPS Act (ZDNet)

Google knows where you've been and they might be holding your encryption keys (TechRepublic)

Disclosure: CNET News and ZDNet are TechRepublic sister sites.