Exclusive: Google's Web mapping can track your phone

Source: CNET News



SAN FRANCISCO--If you have Wi-Fi turned on, the previous whereabouts of your computer or mobile device may be visible on the Web for anyone to see.

Google publishes the estimated location of millions of iPhones, laptops, and other devices with Wi-Fi connections, a practice that represents the latest twist in a series of revelations this year about wireless devices and privacy, CNET has learned.

Android phones with location services enabled regularly beam the unique hardware IDs of nearby Wi-Fi devices back to Google, a similar practice followed by Microsoft, Apple, and Skyhook Wireless as part of each company's effort to map the street addresses of access points and routers around the globe. That benefits users by helping their mobile devices determine locations faster than they could with GPS alone.

Only Google and Skyhook Wireless, however, make their location databases linking hardware IDs to street addresses publicly available on the Internet, which raises novel privacy concerns when the IDs they're tracking are mobile. If someone knows your hardware ID, he may be able to find a physical address that the companies associate with you--even if you never intended it to become public.

Read more: http://news.cnet.com/8301-31921_3-20070742-281/exclusive-googles-web-mapping-can-track-your-phone

---

Remember when everyone freaked out about 'tracking data' on iPhones a while back. That data could only be found if your personal device was in the possession of others. And Apple quickly released an update to remove that rare, rare possibility.

Steve Jobs said it was Google that was tracking users, not Apple.

It turns out that he was right and No software update can seemingly stop this.

Senator Franken (my favorite Senator), please get on this real problem.

no smartphone here...no desire for one.

It doesn't need to be a smartphone. Carriers use triangulation on all cell phones to determine your location and which cell tower will route the call or if cell towers need to be switched.

They also store this information and, in some cases, sell the data.

If you have a cell phone, your location is tracked and stored.

All google is doing is doing the governments work for them. The full scale assault on privacy has been going on for years and I dont see it ending under Obama or anyone else that has a chance of being elected. At least its not as bad as the UK...yet

...that's the problem with an un-written constitution...you can't point to a specific article or amendment and say "Oi! You just violated that!"...

Try it out. Shows me.

http://samy.pl/androidmap/

How is Google supposed to send a map to your phone if Google doesn't know where you are?

I mean, it would seem to go without saying, no?

for me to get a map of the area.

If you want to use turn-by-turn navigation and other advanced features.

I guess.

I really don't know what folks expect from technology that is based on your position, or how anyone expects to use a radio transmitting device without anyone else knowing where that device is.

1. First, this only impacts you if your device is acting as a wireless AP. That's relatively uncommon.
   
2. Second, your location only gets mapped if ANOTHER device connects to your AP and reports it back to Google. This has to happen at every location you are to be "tracked" at.
   
3. Third, in order for someone to track you, they'd need the MAC address of your device. That's not public information, and is generally only going to be available to people you're already in close proximity to.
   
4. Fourth, as the article point out, they already try to filter these out. There is no way for Google to differentiate between fixed and mobile AP's so they all get logged, but mobile AP's are of no value to them. Keeping them in the DB actually reduces the usefulness of their data.
   

My only real complaint about this is that they're making the data public. I can easily forsee a situation where someone activates the wireless AP on a spouses phone without their knowledge, records their MAC, and uses this service to determine where they're spending their time. It's an imperfect tracking system, but it can still be abused. Google shouldn't be providing this data to third parties.

The article doesn't clearly explain how this works. In a nutshell: If you use WiFi for your Internet connection on your phone, Google Android devices will collect the GPS location and MAC address of the remote wifi access point and transmit it to Google. Not the location of your phone, but of the external network AP that you're getting your connection from. They're not trying to map phones, but network connection locations.

The reasoning behind this is simple. Depending on conditions, it can take several minutes for GPS and cellphone towers to determine your location. This is a problem if you're waiting on that location so that you can get directions from Point A to Point B using Maps or some other program. MAC addresses are available instantly though. Once your phone determines your location, Google can record that AP's GPS location for future reference. If you're in a Starbucks using their network, Google will record the coordinates and MAC address for the Starbucks AP...not your phone. The next time someone walks into that Starbucks, connects to their network, and tries to use a mapping service, Google can respond instantly because it already knows where they are based on their connection point. You've already planted the flag for future users stating that "Wireless AP 'X' is located at 55North/100West". Next time someone connects to X, Google can quickly refer to those coordinates instead of waiting for the GPS and cell towers to deliver the same data.

The problem, and controversy, comes from people using their phones as mobile AP's. Some laptops, Android devices, and iPhones have the ability to be used as mobile hotspots. If your phone is set up to act as a hotspot and someone else connects to it, their phone will report YOUR phone (which is a valid AP at that point) to Google, along with its coordinates. It's simply saying, "Hey, there's a wireless AP at 56North/101West with the ID 00:21:...".

If you don't want to be tracked, there's a simple solution: Don't allow your phone or laptop to be used as a public hotspot. If you want to use it as a private hotspot and want your own Android phone to use it, just turn off the Enhanced Location Services on your phone, which forces it to rely on GPS-only to determine location.

Yet it still shows up in the Google database.

When the geolocation API is called, the phone scans for AP's, then sends the list of AP's with their signal strength along with the cell towers and their signal strengths to the google geolocation server, which estimates the phone location from those.

You are running a radio transmitter which identifies itself.

Yes, other people can detect it and locate it.

That's what happens when you run a radio transmitter which identifies itself.

what assurance do I have that Google will not aquire the access code and store it in their database since the have access to all the information in the phone.

"Unauthorized Access To A Computer Network." It's illegal at both the federal level and at the state level in 49 of the 50 states.

Apple or Microsoft could theoretically backdoor your desktop operating system and go through your files when you're not home. They don't, because anyone doing so would be arrested and jailed. Same thing with Google. People are arrested for this crime EVERY YEAR.

And what would Google gain by retrieving your passwords? If they used them to access your network, that would be an additional felony. If they simply passed them out to others on the web, not only would those OTHERS be committing multiple federal crimes by retrieving and using them, but Google would be committing a federal crime by distributing them.

You're worried about something that has been a "possibility" since the first widescale computer networks went live in the 1970's, and which has been a federal felony since 1984. It's also something that has recently been reinforced as being illegal, with the Patriot Act containing several provisions to modernize cybersecurity laws and stiffen penalties.

18 U.S.C. § 1028 – Fraud and related activity in connection with identification documents, authentication features, and information
18 U.S.C. § 1029 – Fraud and related activity in connection with access devices