by Declan McCullagh of CNET
SAN FRANCISCO–If you have Wi-Fi turned on, the previous whereabouts of your computer or mobile device may be visible on the Web for anyone to see.
Google publishes the estimated location of millions of iPhones, laptops, and other devices with Wi-Fi connections, a practice that represents the latest twist in a series of revelations this year about wireless devices and privacy, CNET has learned.
Android phones with location services enabled regularly beam the unique hardware IDs of nearby Wi-Fi devices back to Google, a similar practice followed by Microsoft, Apple, and Skyhook Wireless as part of each company’s effort to map the street addresses of access points and routers around the globe. That benefits users by helping their mobile devices determine locations faster then they could with GPS alone.
Only Google and Skyhook Wireless, however, make their location databases linking hardware IDs to street addresses publicly available on the Internet, which raises novel privacy concerns when the IDs they’re tracking are mobile. If someone knows your hardware ID, he may be able to find a physical address that the companies associate with you–even if you never intended it to become public.
Tests performed over the last week by CNET and security researcher Ashkan Soltani showed that approximately 10 percent of laptops and mobile phones using Wi-Fi appear to be listed by Google as corresponding to street addresses. Skyhook Wireless’ list of matches appears to be closer to 5 percent.
“I was surprised to see such precise data on where my laptop–and I–used to live,” says Nick Doty, a lecturer at the University of California at Berkeley who co-teaches the Technology and Policy Lab. Entering Doty’s unique hardware ID into Google’s database returns his former home in the Capitol Hill neighborhood in Seattle.
Here’s how it works: Wi-Fi-enabled devices, including PCs, iPhones, iPads, and Android phones, transmit a unique hardware identifier, called a MAC address, to anyone within a radius of approximately 100 to 200 feet. If someone captures or already knows that unique address, Google and Skyhook’s services can reveal a previous location where that device was located, a practice that can reveal personal information including home or work addresses or even the addresses of restaurants frequented.
A Google spokesman would not answer whether Android phones or Street View cars have collected the MAC addresses of phones or computers not acting as Wi-Fi access points–a practice that, if true, would pose a greater privacy risk. Skyhook Wireless CEO Ted Morgan says that his company only collects access point addresses. Doty says that his computer may have been used as an access point for testing, but “I certainly didn’t do so commonly.”
Alissa Cooper, chief computer scientist at the Center for Democracy and Technology and co-chair of an Internet Engineering Task Force on geolocation, says that her laptop was never used as a Wi-Fi access point. Her previous street address off of Connecticut Avenue in Washington, D.C., where she lived from 2007 to 2009, nevertheless shows up in Google’s location database.
Over the course of a minute in a coffeehouse in San Francisco’s Mission district, the unique MAC addresses of 76 computers using Wi-Fi connections were visible. Seven appeared in Google’s database with corresponding street locations, and three appeared in Skyhook’s. (A test of 257 devices accessing a public Wi-Fi connection in San Francisco’s South of Market neighborhood also found that Google displayed locations corresponding to about 10 percent of the devices.)
Alas for enterprising snoops, it’s not always trivial to learn a target’s MAC address. It’s generally not transmitted over the Internet. But anyone within Wi-Fi range can record it, and it’s easy to narrow down which MAC addresses correspond to which manufacturer. Someone, such as a suspicious spouse, who can navigate to the About screen on an iPhone can obtain it that way too.
The locations corresponding to the MAC addresses visible in San Francisco were all over the map. An Apple device visible in the coffeehouse had a street address of Grouse Lane in Woodbridge, Conn., meaning it was previously recorded as being present there. Another was listed as being a few miles away, near 170 New Montgomery St. A third was spotted in Los Altos, Calif., and a fourth in Berlin.
The MAC addresses of computers used by two CNET reporters appeared in Google’s location database as located in the CNET newsroom on Second Street in San Francisco. Soltani said a friend’s iPhone is listed as appearing at a Belgian french fry restaurant that he last visited in May.
Google’s location database also can be be used, in a few cases, to track movements. One HTC device connecting to the South of Market Wi-Fi hot spot on Wednesday moved from the BWI airport last Friday afternoon to a street address in an Atlanta suburb that evening. One from the coffeehouse moved from the engineering building of Ruhr-University in Bochum, Germany, across the main road to the university center. It’s unclear, however, how frequently the database is updated, and the locations for those two devices have not changed again since last week.
Facebook, Google, Twitter, Skype and others cosigned a letter “strongly opposing” a bill introduced by California State Senator Ellen Corbett that would force sites to explain privacy settings in “plain language.”
How does the 2nd most trafficked site in the world plan on becoming #1? By hiring a PR firm to plant negative stories about the competition!
That picture of a cat licking a lollipop you found on Google Images may be infected. SANS guesses there are over 5,000 hacked sites, with Google referring about a half million visits to these fake sites each day.
Google is facing new privacy violation charges in Belgium regarding data collection which occurred by Google Street View vehicles that roamed the world gathering GPS locations and taking photos.
Is President Obama the first U.S. President to be branded a techno-snob? Recent news seems to indicate so.
The farce that is the Department of Homeland Security’s attempts at stopping cyber crime continues. TorrentFreak has posted a follow-up on the poorly handled domain seizures of recent months.
In a case of the pot calling the kettle black, software giant Microsoft has accused search giant Google of not being truthful about the security certification of its suite of software programs for governments.
On March 30th, an incident was detected where approximately 2 percent of Epsilon clients’ customer data was exposed by an unauthorized entry into Epsilon’s email system
Google doesn’t make a dime of profit from you, so you aren’t the customer. In fact, all those cool products are just bait to get your information in the Google ecosystem so your attention and eyeballs can be sold to Google’s advertisers.