SAN FRANCISCO–If you have Wi-Fi turned
on, the previous whereabouts of your computer or mobile device may be
visible on the Web for anyone to see.
Google
publishes the estimated location of millions of iPhones, laptops,
and other devices with Wi-Fi connections, a practice that represents
the latest twist in a series of revelations this year about wireless devices and privacy, CNET has learned.
Android phones with location services enabled regularly beam the unique hardware IDs
of nearby Wi-Fi devices back to Google, a similar practice followed by
Microsoft, Apple, and Skyhook Wireless as part of each company’s
effort to map the street addresses of access points and routers
around the globe. That benefits users by helping their mobile devices
determine locations faster then they could with GPS alone.
Only
Google and Skyhook Wireless, however, make their location databases
linking hardware IDs to street addresses publicly available on the
Internet, which raises novel privacy concerns when the IDs they’re
tracking are mobile. If someone knows your hardware ID, he may be able
to find a physical address that the companies associate with
you–even if you never intended it to become public.
Tests performed over the last week by CNET and security researcher Ashkan Soltani
showed that approximately 10 percent of laptops and mobile phones using
Wi-Fi appear to be listed by Google as corresponding to street
addresses. Skyhook Wireless’ list of matches appears to be closer to 5
percent.
“I was surprised to see such precise data on where my laptop–and I–used to live,” says Nick Doty,
a lecturer at the University of California at Berkeley who
co-teaches the Technology and Policy Lab. Entering Doty’s unique
hardware ID into Google’s database returns his former home in the
Capitol Hill neighborhood in Seattle.
Here’s
how it works: Wi-Fi-enabled devices, including PCs, iPhones, iPads,
and Android phones, transmit a unique hardware identifier, called a MAC address,
to anyone within a radius of approximately 100 to 200 feet. If
someone captures or already knows that unique address, Google and
Skyhook’s services can reveal a previous location where that device
was located, a practice that can reveal personal information
including home or work addresses or even the addresses of restaurants
frequented.
A Google spokesman would not answer whether Android phones or Street View cars have collected the MAC addresses of phones or computers not
acting as Wi-Fi access points–a practice that, if true, would pose a
greater privacy risk. Skyhook Wireless CEO Ted Morgan says that his
company only collects access point addresses. Doty says that his
computer may have been used as an access point for testing, but “I
certainly didn’t do so commonly.”
Alissa Cooper, chief computer scientist at the Center for Democracy and Technology
and co-chair of an Internet Engineering Task Force on geolocation, says
that her laptop was never used as a Wi-Fi access point. Her previous
street address off of Connecticut Avenue in Washington, D.C., where
she lived from 2007 to 2009, nevertheless shows up in Google’s
location database.
Over the
course of a minute in a coffeehouse in San Francisco’s Mission
district, the unique MAC addresses of 76 computers using Wi-Fi
connections were visible. Seven appeared in Google’s database with
corresponding street locations, and three appeared in Skyhook’s. (A test
of 257 devices accessing a public Wi-Fi connection in San
Francisco’s South of Market neighborhood also found that Google
displayed locations corresponding to about 10 percent of the
devices.)
Alas for enterprising
snoops, it’s not always trivial to learn a target’s MAC address. It’s
generally not transmitted over the Internet. But anyone within Wi-Fi
range can record it, and it’s easy to narrow down
which MAC addresses correspond to which manufacturer. Someone, such as a
suspicious spouse, who can navigate to the About screen on an iPhone can obtain it that way too.
The
locations corresponding to the MAC addresses visible in San
Francisco were all over the map. An Apple device visible in the
coffeehouse had a street address of Grouse Lane in Woodbridge, Conn., meaning it was previously recorded as being present there. Another was listed as being a few miles away, near 170 New Montgomery St. A third was spotted in Los Altos, Calif., and a fourth in Berlin.
The
MAC addresses of computers used by two CNET reporters appeared in
Google’s location database as located in the CNET newsroom on Second
Street in San Francisco. Soltani said a friend’s iPhone is listed as
appearing at a Belgian french fry restaurant that he last visited in
May.
Google’s location database also
can be be used, in a few cases, to track movements. One HTC device
connecting to the South of Market Wi-Fi hot spot on Wednesday moved
from the BWI airport last Friday afternoon to a street address in an
Atlanta suburb that evening. One from the coffeehouse moved
from the engineering building of Ruhr-University in Bochum, Germany,
across the main road to the university center. It’s unclear, however,
how frequently the database is updated, and the locations for those
two devices have not changed again since last week.
Sources: http://www.netapplications.com/