Yikes! My computer can tell websites where I live (thanks to Google)

A few months ago there was a furor as angry Facebook users rallied against the social networking site’s approach to sharing our personal data.  Some people even closed their accounts but at least Facebook’s users choose the information that they post on the site.  OK, so I guess someone else may tag me in an image, but it’s basically up to me to decide whether I want something to be made available – and I can always use fake information if I choose to (I don’t – information like my date of birth, place of birth, and my Mother’s maiden name is all publicly available from government sources, so why bother to hide it?).

Over the last couple of weeks though, I’ve been hearing about Google being able to geolocate a device based on information that their Streetview cars collected.  Not the Wi-Fi traffic that was collected “by mistake” but information collected about Wi-Fi networks in a given neighbourhood used to create a geolocation database.  Now, I don’t really mind that Google has a picture of my house on Streetview… although we were having building work done at the time, so the presence of a builder’s skip on my drive does drag down the impression of my area a little!  What I was shocked to find was that Firefox users can access this database to find out quite a lot about the location of my network (indeed, any browser that supports the Geolocation API can) – in my case it’s only accurate to within about 30-50 metres, but that’s pretty close! I didn’t give consent for Google to collect this – in effect they have been “wardriving” the streets of Britain (and elsewhere).  And if you’re thinking “thats OK, my Wi-Fi is locked down” well, so is mine – I use WPA2 and only allow certain MAC addresses to connect but the very existence of the Wi-Fi access point provides some basic information to clients.

Whilst I’m not entirely happy that Google has collected this information, it’s been done now, and being able to geolocate myself could be handy – particularly as PCs generally don’t have GPS hardware and location-based services will become increasingly prevalent over the coming years.  In addition, Firefox asks for my consent before returning the information required for the database lookup (that’s a requirement of the W3C’s Geolocation API)  and it’s possible to turn geolocation off in Firefox (presumably it’s as simple in other browsers too).

What’s a little worrying is that a malicious website can grab the MAC address of a user’s router, after which it’s just a simple API call to find out where the user is (as demonstrated at the recent Black Hat conference).  The privacy and security implications of this are quite alarming!

One thing’s for sure: Internet privacy is an oxymoron.

Leave a Reply