Researchers probe Google's geolocation database

Google curbed access to its massive database of Wi-Fi locations after a CNET article appeared, but that hasn't stopped security analysts from trying to figure out how it works.

Declan McCullagh Former Senior Writer
Samy Kamkar, who's trying to figure out what steps Google took to lock down its geolocation API Samy Kamkar

Google recently took steps to limit the disclosure of the locations of millions of iPhones, laptops, and other devices with Wi-Fi connections after a CNET article drew attention to privacy concerns.

Since then, the Mountain View, Calif., company has remained unusually tight-lipped--in contrast to the near-daily updates announcing improvements to its Google+ social network--about how it's limited access to its vast Web database, which was compiled over multiple years by Street View cars and Android phones.

Security researchers, however, haven't exactly been deterred. Instead, they've come to view Google's refusal to discuss the topic as both a sporting challenge and an invitation to investigate how the limitations work.

One example: this spring, Samy Kamkar created a demonstration Web page that let visitors look up the street address of any device's Wi-Fi hardware address, also called a MAC address, and find out if it was in Google's database.

Google last month "blocked my IP address" to prevent queries from his server, said Kamkar, a reformed computer hacker who analyzed how Android phones update the company's location database. He's since reconfigured his server to bypass Google's blacklisting.

Geolocation privacy time line

Here's how the debate over privacy and geolocation, which allows wireless devices to speed up location fixes, has evolved:

June 2010: Google begins to "crowdsource" its location database through Android phones and some computers

April 2011: Apple iPhones and Android devices not only transmit location data, but also store it

April 2011: Windows Mobile 7 devices also collect records of customers' physical locations and transmit them to Microsoft

April 2011: Apple says it will fix iPhone tracking "bug"

June 2011: CNET reports that Google publishes the estimated location of millions of phones, laptops, and other Wi-Fi devices

June 2011: Google curbs Web service that exposed the locations of phones, laptops, and other Wi-Fi devices

July 2011: Confirmation that Google's Street View cars collected the locations of not only Wi-Fi routers, but also devices using those wireless networks

Until late June, if you knew someone's Wi-Fi address, Google's geolocation Web service could let you find their home address, work address, or even a restaurant or coffeeshop they frequented. In a June 15 article, CNET reported that some locations in Google's database were updated a few hours later, meaning tracking a person would be possible in some cases. Google created it to benefit the public by allowing mobile devices to determine their locations faster than they could with GPS alone.

It's true that Wi-Fi addresses aren't typically transmitted over the Internet. But anyone within Wi-Fi range can record yours, and it's easy to narrow down which addresses correspond to which manufacturer. Someone, such as a suspicious spouse, who can navigate to the About screen on an iPhone or a laptop's configuration menu can obtain it in a few seconds as well.

A Google spokesman declined requests from CNET to answer questions about how the application programming interface, or API, used to access its geolocation database has changed.

Security researcher Ashkan Soltani says one reason he remains interested in probing Google's geolocation database is the secrecy surrounding the lock-down process. (Here's a list of questions dating back to April, including how someone can opt out and what privacy policy governs this data collection, that Google has still not answered.)

"My only real gripe is the whole 'privacy through obscurity' approach Google has taken," Soltani says. "They won't discuss the issue, and they silently roll out insufficient fixes, and they force researchers like us to consistently play cat-and-mouse highlighting the limitations. It would be much better to just engage the community and help adopt useful 'privacy by design' approaches that provide choice, transparency, and control for those concerned."

One improvement that Google made is ignoring queries for single Wi-Fi addresses. Now, if you want to look up someone's Wi-Fi address, you have to submit the address of a second, nearby one as well, which reduces privacy concerns. (After all, if you show that you know where someone's wireless device is, there's little harm in Google confirming it.)

Security researcher Ashkan Soltani says there should be a way to opt-out of geolocation databases. Declan McCullagh/CNET

Except there's a way around that limitation.

Kamkar said it's possible for a malicious Web page to grab the location of Wi-Fi routers that can be seen from the unsuspecting visitor's computer. The trick is to use a cross-site scripting attack, which he demonstrated through a proof-of-concept last year.

The technique will "grab the MAC address, send it back to the attacker who then does a look-up and determines where the owner of that MAC lives," Kamkar said.

Meanwhile, Kamkar has updated his "Android Map" to allow querying of two Wi-Fi addresses, and took a swipe at Google by saying the search company now will "share information that Google has on you only if you provide them not only information about your router, but unwittingly provide information about other people's routers."

There's another mechanism that could, in theory, be used by stalkers. CNET has confirmed that wireless devices acting as access points--mobile phones used to tether laptops, personal mobile 4G hotspots, and so on--appear in Google's location database.

If a stalker knew the locations a target frequented, such as a home, office, or coffeeshop, he or she could check if the target had visited them. The success of that approach depends on how frequently Google updates its database, of course, as well as any steps that the company takes to filter out devices that constantly change locations.

A source familiar with Google's technology said, however, that location updates are not instantaneous, which would reduce the privacy impact.

It's not entirely clear how close the second Wi-Fi address submitted to Google's database has to be. A pair of valid addresses in Denver about five miles away from one another didn't work. Neither did another pair in Boston separated by about seven miles. A city block, however, is close enough.
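The two-address rule described above, modelled from the service side as an added example (not Google's code and not part of the original article): a lookup is answered only when at least two distinct, known Wi-Fi addresses are submitted and they sit close to each other. The database entries, the function names and the 500-metre threshold are assumptions made for illustration.

```python
import math

# Constructed sample database: MAC -> (lat, lon). Not real devices or locations.
SAMPLE_DB = {
    "00:11:22:33:44:01": (39.7392, -104.9903),   # reference point
    "00:11:22:33:44:02": (39.7400, -104.9903),   # roughly a city block north
    "00:11:22:33:44:03": (39.8116, -104.9903),   # roughly five miles north
}

MAX_SPREAD_M = 500.0  # assumed threshold; the article does not give one

def normalize(mac):
    """Canonicalise a MAC so 'AA-BB-..' and 'aa:bb:..' match the same record."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError("not a 48-bit MAC address: %r" % mac)
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def distance_m(a, b):
    """Great-circle (haversine) distance in metres between two (lat, lon) pairs."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371000.0 * math.asin(math.sqrt(h))

def lookup(macs, db=SAMPLE_DB, max_spread_m=MAX_SPREAD_M):
    """Return an averaged (lat, lon), or None when the query must be refused."""
    known = {normalize(m) for m in macs}          # duplicates collapse to one
    points = [db[m] for m in known if m in db]
    if len(points) < 2:
        return None                               # single-address query: ignored
    for i, p in enumerate(points):
        for q in points[i + 1:]:
            if distance_m(p, q) > max_spread_m:
                return None                       # submitted addresses are not neighbours
    lat = sum(p[0] for p in points) / len(points)
    lon = sum(p[1] for p in points) / len(points)
    return (round(lat, 6), round(lon, 6))
```

Submitting the same address twice in different notations still counts as a single address, so the gate cannot be satisfied by padding the query with duplicates.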

Disclosure: McCullagh is married to a Google employee not involved with this issue.