back to article Google location tracking can invade privacy, hackers say

If you've got a Wi-Fi network, chances are Google has used its top-selling Android mobile operating system to store your router's precise location and broadcast it for all the world to see. Google has been compiling the publicly accessible database of router locations in its quest to build a service, a la Skyhook, that …

COMMENTS

This topic is closed for new posts.
  1. pcsupport
    Big Brother

    Come on then...

    .. you all tore Apple to shreds about their location services file, now its time to do the same to Google.

    Big Brother has arrived.

    1. Anonymous Coward
      Anonymous Coward

      To be fair ...

      ... we did tear into them when they did the Streetview wifi-slurping, and they've pulled back from it. Trouble is the fuckers just found a different way to do it. There is a difference, though, between the Google and Apple activities : Google are treating wifi AP IDs as a public resource, whereas Apple are collecting detailed records of individuals' movements. Much as I hate what Google are doing, I find Apple's activities just a bit more scary.

      On the plus side, Google think my router is in a street three miles away, so I'm not too unhappy. I'd be interested in whether or not that improves over time.

      1. Anonymous Coward
        Anonymous Coward

        @JustaKOS

        Did you read the article? Google is doing the very same tracking on their phones. Which btw is not detailed at all in neither.

        And before people give me the "oh but Google is limited to 50 entries [and 200 wifi points]" that's still enough info to locate your general whereabouts for the past 1 or 2 days, which is what really matters (who cares where you were weeks ago).

        Also Apple's info has a tendency to put you in strange places like Vegas (well documented by several people) or some weird city in France if my own info is to go by, so it's got errors anyway, it's not something that can be used against you. I've not seen anything about errors in Google's data.

        1. Anonymous Coward
          Anonymous Coward

          Fair point ...

          ... and yes I did read the article. If you look again at what I wrote I said I was specifically more concerned about the activity logging, vs the wifi locating. I suppose I could have referred instead to Google's similar activity, but I think it's more inclusive to stick it to Apple as well.

          Anyway, it seems they're all at it and I don't really care how accurate or complete the data is : it is way too much more than is needed to support location services : all you need is current location for that and history is irrelevant (so why keep it?). So I agree that Google's tracking efforts, even though more limited, are just as objectional as Apple's.

          Any apps out there to trash the stuff?

      2. Giles Jones Gold badge

        LOL

        Android does the same location caching as Apple. So two bad things Google are doing versus one bad thing Apple is doing. Who is the "evil" company now?

        http://www.digitaltrends.com/mobile/android-phones-also-track-user-locations/

    2. Anonymous Coward
      FAIL

      Problem is

      this is non-news, where the apple problem is real news.

      Almost all the MAC to location data is obtained from Streetview cars...

      Personally, I am really happy with my Android location awareness, without the need for battery sluping GPS. It's not saving my location, nor is it sending it anywhere UNLIKE apple...

      Seems this whole story is built up around the principle of Apple damage limitation mode....

      1. Anonymous Coward
        Anonymous Coward

        Not at all @AC 19:59

        Google stopped collecting MAC addresses using Street view cars and move to Android phones last year, read up on:

        http://www.theregister.co.uk/2010/10/20/google_has_no_plans_to_resume_street_view_wifi_collection/

        Also try to lay off that Google kool-aid, it's turned bad already.

      2. noodle heimer

        So very glad that my hardware is of service to you and google

        Great. You like Google's location service.

        Google doesn't own my access point, nor collect any fees from me in exchange for using it to sell ads.

        And yet, if you're on my block, my access point's MAC address is being monetized by Google to make your phone give you better location signal and push ads to your phone.

        I'd like to see everyone who's got a MAC in their database send them a bill for providing location services.

        1. Anonymous Coward
          Anonymous Coward

          umm

          "And yet, if you're on my block, my access point's MAC address is being monetized by Google to make your phone give you better location signal and push ads to your phone."

          Then stop broadcasting it?

          1. noodle heimer

            in my jurisdiction

            The fact that I have encryption flipped on is, in the eyes of the law, enough to define my router as a protected computer system.

            Accidentally stumbling upon it looking for your own AP is one thing. Recording it, geotagging the address, and phoning home to store it with Google? That's quite different.

            (You _do_ understand that a MAC address is broadcast whether or not SSID broadcasting is suppressed, I hope.)

    3. Anonymous Coward
      Anonymous Coward

      title

      ".. you all tore Apple to shreds about their location services file, now its time to do the same to Google."

      This pretty much answers all of the complaints in response to this, and gives a good reason not to tear into Google:

      http://www.androfun.com/wp-content/plugins/wp-o-matic/cache/40dd3_googlelocation.png

      See that option there? Where is that on the iPhone? That's why it got tore into.

      Re: +++ak

      "Did you read the article? Google is doing the very same tracking on their phones. Which btw is not detailed at all in neither."

      Well to be fair, reading the article is little help. The article has Google's statement saying it's opt in and is then followed by "We're guessing the only way to opt out is to exchange your Android device for a competing handset." - umm no, see the screenshot above.

      What gets me is all the whiners who are probably using AGPS without even realising it, who are getting accurate location fixes (with 100m) without turning on their GPS and just being happy with their phones then come to whine when they find out how it works.

      It's not magic and it requires information, if you don't like that information being collected, don't use the feature and/or buy a phone that allows you to disable it. But if information scares you... smartphones are probably not the right device for you.

      Damned fanboys.

    4. sT0rNG b4R3 duRiD
      Megaphone

      FIND IT and KILL IT!

      Hmm... Don't know how hard it is to build a custom rom for an Android device is, but theoretically, couldn't one just eliminate the offending code ? (Assuming rooted phone).

      Or does it reside in some stupid daemon with no source code. Still, might be able to do something about that if it doesn't do anything too important.

      Don't know much about Android innards, to be honest. Must check to see if it's been done. Anyone know?

  2. Anonymous Coward
    Black Helicopters

    muthaf***ers

    This is shit. My gf has an android, because I told her that the church of jobs was underspecced and too expensive and I prefer open source based software.

    So now Android is barely open source and they are spying on our hardware. What a bunch of wankers.

    I hate them all, I just want to go and live in a field somewhere, till the land, make clothes out of sheepskin, expect nothing more than a cup of sugar for my birthday, sing fireside songs and fuck my brains out for entertainment....

    No I'm not a luddite, I have a Soft Eng degree, but please stop the world, I want to get off

    1. Fred Pilcher
      Grenade

      MoFos

      What the **** is it about these bastards? What kind of toxic culture exists within these organisations that makes them think it's allright to do this?

      And here I was thinking of buying an Android phone.

      Sue the bastards out of existence.

      1. Ilgaz

        You pointed to right issue

        There is something wrong with the Google culture itself. How google updater works could be a nice example. It will check updates as admin user every 2 hours (yes, hours) and it will run even while no other google app running. It will stay, with same behaviour for 24 hours even all other Google apps removed.

        If you block it with firewall, it will go really crazy. Ask IT admins about the nightmare they lived and the traffic it generated.

        Now such behaviour can't come from a healthy culture. They must change their culture before it is too late.

        1. Paul 135
          Big Brother

          Google culture shakeup

          I think a good way for Google to knock-out these privacy-invading tenancies would be for it to buy every new Google employee a copy of George Orwell's 1984.

      2. Anonymous Coward
        Anonymous Coward

        @Fred Pilcher

        Aw, come on, it's irresistible: all that data from all those phones that other people have bought, automatically collected and uploaded? Wouldn't you do the same? I know I would.

        Now, if all that location information could be put together with the data from *every* search you have *ever* done, combined with every public record of your existence, and fed into the Google Psychological Profiling software at its purpose built facility in Delaware...

        < pauses for evil laugh >

        PS: it will be even more fun when people pay for everything with their phone!

  3. Chris Miller

    Google have the location of my Wi-Fi

    On a country lane in the UK. But OTOH, it's not straightforward to learn the MAC address of a remote device, unless it's broadcasting a Wi-Fi signal and you're in range (in which case it must be, by definition, nearby - and if you have a directional antenna it wouldn't be difficult to locate it).

    1. Ian 14
      Alert

      Yes, it is in some cases.

      "it's not straightforward to learn the MAC address of a remote device"

      It is if the device is running IPv6, The way most people use IPv6 the MAC address of the device is encoded in the bottom 64 bits of the IP address.

      1. Ken Hagan Gold badge

        The bottom 64 bits of their IPv6 address...

        ...will be the MAC address of the ADSL port on their router, not the Wifi port, so I think the point stands. Wireless MAC addresses are really only visible within the range of the device.

        Also, I'm not sure whether the bottom 64 bits really are *usually* the MAC address. Firstly, this is a known privacy issue and various RFCs have addressed it. Secondly, the written (text) form of an IPv6 address provides net admins with a real incentive to use some other method, so that they get a large block of zeroes in the middle of the address.

  4. Anonymous Coward
    Anonymous Coward

    Bloody hell

    It actually works, I've just moved here less than 3 months ago and it's already showing the new location of my router, with high precision.

    This is beyond amazing. I would think Google had this sort of info behind lock and key.

    1. Daf L

      Worried about privacy?

      Well, as you, and plenty of others who are highly concerned about this have demonstrated, a certain amount of bizarre thinking exists.

      You were concerned about Google linking your MAC address to your location so you've entered (what will normally be your own MAC address) into the website of a 'hobbyist hacker' to provide a new database containing your MAC address, your location and you IP address.

      That web page truly is Opt-in - don't enter your MAC address if you don't want your IP address recorded along with it - with no guarantees of privacy - and people on this site, who should be a bit more savvy are flooding to it to give up their private information - bizarre?

      1. Anonymous Coward
        Anonymous Coward

        @Daf L

        Thanks for the warning but I'm not an amateur, of course I used a VPN for this plus full browser lock down.

        But also no I'm not that overly concerned about this sort of privacy. Did you find me complaining about it? Just surprised that Google doesn't have some complex crypto setup for this information, this way it seems their competition can easily use it for their own location solutions for free.

      2. Anonymous Coward
        Black Helicopters

        being that Mr Kamkar is already known to the authorities

        You would hope that they come down on him like a ton of bricks if he's caught collating this data and passing it on. Then again the authorities are probably paying him to do so.

        1. Ken Hagan Gold badge

          "caught collating this data"

          Er, what data? His site is clearly capable of collecting wifi MAC addresses, though we've no evidence that he doesn't just drop them on the floor once he's served up the map. He could also be collecting IP addresses, just like every other site on the planet, but we've no evidence that he is doing that either. He's definitely *not* collecting personal or geographic info, beyond what can be inferred by any other site, since his site does not ask for any.

          Sometimes I wonder just what privacy horrors we are missing, whilst we fret over non-events like this one.

          1. Anonymous Coward
            Anonymous Coward

            "we've no evidence that he is doing that either. "

            yes, but we have no evidence that he is NOT doing it.

            You have to assume that he might be building a database mapping IPs to MACs to locations, since it would clearly be possible, and well within his technical expertise to do so.

            My point is that he is (hopefully) not dumb enough to do so, because he has been in legal trouble in the past, a stunt like this would land him so far behind bars, they would have to pump him oxygen.

            Essentially, if you had bothered reading my post properly, you would know that I was agreeing with you, but from a slightly different point of view. No need to flip your lid over it, honey.

      3. Ken Hagan Gold badge

        Re: your MAC address, your location and you IP address.

        I didn't provide my location, and (almost certainly thanks to an El Reg article a year or two back) I happen to know that my wifi is already mapped on someone's war-driving site, so I'm not terribly concerned about the privacy implications.

        Come to think of it, I'm not too sure I care anyway. Whilst *my* location is quite variable, my *router's* location hasn't changed for quite a few years now and has separate MAC addresses for the ADSL (internet-visible) and wifi (war-driving visible) ports, so it's hard to see quite what the privacy implications are.

  5. Paratrooping Parrot
    WTF?

    I'm speechless

    This is getting REALLY out of hand! Something really needs to be done about this NOW!

    1. Anonymous Coward
      Stop

      No Chance

      The ico (Information Commissioner) who are supposed to protect us are a bunch of lazy, technically illiterate bunch of freetards.

      Due to them Google was let off lightly when steetview was found to be 'accidentally' collecting all our broadband data and mac addresses as it breezed down the streets of Britain. Most other nations (even third world) took this seriously and court cases are still going on.

      The ico could not protect a child from getting his ice lolly pinched.

    2. Asgard
      Big Brother

      @Paratrooping Parrot, "Something really needs to be done about this NOW!"

      Something needed to be done about privacy laws 5 years ago, which would have meant that by now, we would have had some laws in place that were ready to prevent it ever getting this bad in the first place. But no, 5 years ago there were too many brainwashed sheep online repeating what they had been taught to say such as, "if you've got nothing to hide etc.." and that persisted until people interested in history could show the "nothing to hide" argument is a complete pack of lies and the lies come from the people who want to spy on everyone.

      The abuse of our privacy online has become a completely lawless wild west for morally corrupt companies to do whatever they bloody well want and like with our privacy information and we can't stop them and its all done for their gain. Worse still the governments have intentionally done nothing to stop it because they don't really want to stop it. This is shown perfectly by the way Phorm have got away with so much. Its prefect proof of how the government are not interested in protecting our privacy. Thats because the governments know they can also abuse all our privacy information for their gain as well. So as the governments will not stop it, its going to get ever worse.

      For example “Google pledged to stop using its world-roving Street View vehicles to collect Wi-Fi data and said it instead would rely on Android handsets to get the information”

      Which means we are now at the shocking point where Google are trying to use all Android users literally as their spies! ... All to build up information for Google ... That means every Android user is now a spy for Google! We are all becoming effectively like a modern day electronic version of the Hitler youth reporting back to Google high command! It means any information Google wants, they just have to update their OS and then we all spy for them! Hows that for Orwellian and its happening now! So WTF are we to face in the years to come, now we are already at this shocking point!

      Its completely lawless and the governments don't want to stop the companies and it won't stop, it will continue to get ever worse, until finally everyone has had enough of the corruption and exploitation and everyone finally stands together against the governments and says no more. Then and only then will the governments begrudgingly start to slowly, ever so slowly, stop the companies exploitation and it will take years of them delaying at every step, because they don't really want to change and it will get a lot worse in that time.

  6. Gene Cash Silver badge
    Headmaster

    It's an easy to find setting

    Right there under Settings -> Location & Security. You either check or uncheck "Use Wireless Networks" and when you check it, you're presented with "Allow Google's location service to collect anonymous location data. Collection will occur even when no applications are running." and Agree/Disagree buttons.

    Clicking "Disagree" keeps it unchecked and it'll then only use GPS for location, and presumably won't gather data.

    1. Anonymous Coward
      Thumb Down

      Tried it,

      and if I "Disagree", it won't let me on my wireless network. This is on Gingerbread.

      But the identification of my router and location by Google is the last straw. I used to be an Android supporter, but I have now mothballed my Nexus One and I'm back to using my dumb phone. I will terminate my phone 3G tomorrow as well. No real loss there because I will still retain mobile 3G access using a non-phone device.

    2. Stoneshop
      Flame

      THat's YOUR handset only

      But it's not just you who uses an Android phone, so I've gathered.

      And there's the word "presumably" in your post. Given Google's track record, I am fairly sure your presumption is wrong.

    3. Anonymous Coward
      Anonymous Coward

      But does that include

      Other people picking up your Wireless who have it checked?

    4. DF118

      Re: It's an easy to find setting

      It's an easy to find setting which is enabled by default.

      Also, @AC re: "Tried it": not sure about Gingerbread but my Eclair lets me use wifi when the setting is diasbled.

    5. Ilgaz

      wow a setting like that

      A setting like that on a smartphone Os and they became leader. Even while no apps running... Wow really.

    6. Anonymous Coward
      Anonymous Coward

      Fine, but that isn't the point..

      I'm not an Android user, but two of my three wireless routers (at different locations, one approx 2.5 miles from the other two) are pinpointed fairly accurately by this. Incidentally, the one which isn't in the database, is running in a (mainly) shielded room, so I wasn't too surprised it wasn't there.

      I don't really care about what Android users agree/disagree to disclose, *I* did not give Android users (or Google) consent to store the geographical location of these devices, let alone give them permission to flag the existence of these WLANS to all and sundry. That's what's bothering me most about this, these routers are configured not to broadcast their SSIDs.

      1. Ilgaz

        gmail?

        Lets say you communicate with your doctor, sending test results, your conditions to his hospital email.

        That doctor, being clueless or plain lazy, forwarded all his hospital mail to gmail. You don't even know about it.

        Instantly, your data is in Google hands which they have right to parse because of the EULA that Doctor never cared to read before agreeing.

        I think it is worse than your wifi collected.

  7. Anonymous Coward
    Thumb Down

    This post does not have a title

    Yup, my router is there. So how do I get it removed? Or at least stop my phone from sending this data all the time. Is there an Android firewall I can install?

    (Anon because I like to be)

  8. Anonymous Coward
    Anonymous Coward

    Free is free from this...

    Well, I discovered something. The BSSID on the freebox (the modem/router provided by French ISP Free) appears to be randomised on each reboot. The database doesn't know anything about my wifi. However all the other ones nearby from other ISPs are spot on, it can't be any more than a couple of metres off...

    I usually have the GPS off anyway. Turned it on, it'll be interesting to see how soon my wifi shows up in the database.

  9. Anonymous Coward
    Big Brother

    By their own admission...

    "All location sharing on Android is opt-in by the user. We provide users with notice and control over the collection, sharing and use of location in order to provide a better mobile experience on Android devices. Any location data that is sent back to Google location servers is anonymized and is not tied or traceable to a specific user."

    And the phone captures my wi-fi access point, which BTW I didn't give Google permission to do this.

    I don't own a google phone.

    It is 'War Driving' by proxy and its illegal.

    1. Steve Evans

      @By their own admission

      What country are you in? Is war driving illegal?

      Breaking the WEP/WPA and accessing the network would be illegal under hacking laws. Accessing an open AP is a bit greyer depending on your country, but just detecting the existence of a wireless point is simply listening what it is publicly broadcasting.

      1. Ian Michael Gumby
        Boffin

        @ Steve Evans

        I'm in the US.

        War Driving became illegal in the US post TJMAXX.

        Any unauthorized access is illegal. There was a case of a guy driving up to the parking lot of a coffee shop to use their free wi-fi and he was arrested.

        While the law is pretty clear on this... catching someone and prosecuting is harder to do.

        What country do you live in?

        1. Steve Evans

          @Ian Michael Gumby

          I'm in the UK.

          I agree that accessing a wifi point, and actually using it as is the case with your countryman and the coffee shop would be illegal here too (I think!). Although depending on the situation (i.e. accidentally accessing the neighbours open wifi) you could probably get away with it... Not so much if you have driven round and parked to "borrow" some bandwidth though, shows intent.

          Kinda odd really, as in England, the physical trespass laws are such that if you leave the front door open, and somebody walks in, they aren't actually committing a criminal offense.

          Anyway, the difference here is that the content of the message isn't been recorded, the MAC is in the header, and the connection being offered isn't actually being used or exploited.

          After all, every wifi client device in existence that spits up a list of available access points, both encrypted and open when you say "scan for wireless access point" is reading and displaying exactly the same data which google is listening out for.

          Maybe the fact it is recorded/logged might make a difference in the eyes of the law.

          BTW, many years ago the cops tried to make speed camera detectors illegal over here by saying it was listening to police broadcasts. One of the manufacturers successfully defended their position by saying it wasn't allowing the owner to listen to a police broadcast, it was merely indicating the presence of one. IIRC the cops then changed tack and went at it from a "obstructing the course of justice"... sneaky so and sos.

      2. Ian 14

        It is probably illegal in the UK

        Under UK law it's illegal to intercept radio communications not intended for you. Making use of information intercepted (e.g. recording it in a database that others have access to) was always treated as an aggravating offence.

        To quote from ofcom's site:

        There are two offences under law:

        Under Section 5(1)(b) of the WT Act 1949 it is an offence if a person "otherwise than under the authority of a designated person,

        either:

        (i) uses any wireless telegraphy apparatus with intent to obtain information as to the contents, sender or addressee of any message whether sent by means of wireless telegraphy or not, of which neither the person using the apparatus nor a person on whose behalf he is acting is an intended recipient;

        This means that it is illegal to listen to anything other than general reception transmissions unless you are either a licensed user of the frequencies in question or have been specifically authorised to do so by a designated person. A designated person means:

        the Secretary of State;

        the Commissioners of Customs and Excise; or

        any other person designated for the purpose by regulations made by the Secretary of State.

        or:

        (ii) except in the course of legal proceedings or for the purpose of any report thereof, discloses any information as to the contents, sender or addressee of any such message, being information which would not have come to his knowledge but for the use of wireless telegraphy apparatus by him or by another person."

      3. Anonymous Coward
        FAIL

        A title

        "simply listening what it is publicly broadcasting" is OK by me. But they are not just simply listening, they are recording and subsequently publishing or making use of what they 'heard'. Is it OK for me to make and sell recordings of any radio or TV broadcasts that I pick up by "simply listening"?

        1. Ken Hagan Gold badge

          Another title

          "Is it OK for me to make and sell recordings of any radio or TV broadcasts that I pick up by "simply listening"?"

          As long as you have the permission of any relevant copyright holders, I don't see why not. I don't think the *broadcaster* can do anything about it.

          Returning to the wireless access point, the "existence" broadcasts have no copyrightable content and their intended purpose is to be heard by any receiver within range, so I don't think there are any legal problems here either.

          Once the data has been stored by Google and collated with some identifying information, it might be subject to the Data Protection Act. But that's only a wild guess. IANAL.

    2. Anonymous Coward
      Anonymous Coward

      re: By their own admission...

      I completely agree... I don't care if there is an article in the Google Android (or Chromes) terms and conditions that says whatever idiot decided to use their spyware agrees to being used as a proxy to spy on *me* - it is still illegal in my jurisdiction.

    3. M Gale

      Wardriving? Illegal?

      I still see no difference between what Google are doing, and running around with a CB set to channel 19. If you don't want every Joe and Jane in the area being able to see your Facebook password, encrypt your damned connection!

      Anyway, the difference between what Google and Apple are doing, is that Google at least seem to be telling you what they are doing. How many iDevices tell you how much snooping that "free" fart app is doing before you install it? What about all the wibbling that Steve did after he found out third parties had snuck out details of his precious fondle-slab, by snarfing data from the development models as part of advertising programs? Notice how even the Apple developers didn't know their apps were grassing on them.

      You think he was more pissed off that someone was doing it, or more pissed off that HE wasn't? Google, Apple, Microsoft, all want your data and all for the same reason.

      1. Ian Michael Gumby
        Boffin

        @M Gale

        My wi-fi router broadcasts it SSID with the expectation that this will be used by my or permitted users to find my network so that they can connect to it.

        Accessing and using this information outside of its intended purpose is illegal.

        Now here's a funny thing...

        Suppose you have an android phone or iPhone where they are capturing information on SSIDs in your area. Suppose they find an unencrypted wi-fi.... now how hard would it be for the phone to automatically connect to the wi-fi network (if not already connected) to send data back out of channel of the edge/3G/4G network so that its not charged to you?

        Color me paranoid but its possible...

  10. NukEvil
    Stop

    Interesting...

    My router location is in there...within a couple hundred feet. Despite me not having, nor ever owning, an android phone. Which means that either:

    1) Someone ELSE with an android phone just happened to drive by my house

    2) Google used their street view vehicles to grab the location data

    Both of which, as has been said before, are wardriving.

    BTW, I'm from a very rural part of Florida.

  11. Steve Evans

    Well...

    At least this data really is useful for using wifi points for A-GPS, and yes, the Android phone does ask for your agreement if you enable the wifi location options... Only problem is IIRC, this was enabled by default when I got mine, so I didn't ever see the box to agree to!

    Oh well, at least it can be turned off easily.

    So compared to the iphone tracking the data does actually have a proper use, and you can turn it off with a check box... So not quite as evil as apple, but still sneaky.

    Now if you don't mind I've got to go change the MAC on my AP.

    1. sT0rNG b4R3 duRiD

      It's still dishonest.

      Agree?

      Who knows what Google are doing behind your back.

      Look, I wouldn't put it before Google to try and siphon as much data from Android devices as possible, what's more they probably have better infrastructure than Apple to process it.

      What made me buy a googlephone over a jesusphone is that the devices are generally easily rootable and custom roms applied.

      Not all that motivated to do it (my excuse is it'll take too long) but maybe it's time I figured out how Android is actually put together and look at the source.

      At least we have that option or at least I have been given to understand us Androitards have...

      Seriously though, I bought a smartphone fully knowing I could never fully trust it. Sad innit?

  12. Anonymous Coward
    Megaphone

    Be careful who you troll

    Well you better be careful who you troll or annoy online. If you haven't locked down your router properly, or there's an open exploit for it, you could find someone turning up at your house with an axe.

    All they need to do is get into your router, grab the MAC address and plug it into Google. They can then come to your house and take your online argument directly to your face!

    Considering the amount of residential routers that aren't secured properly (default password) or vulnerable to exploits, this is very worrying indeed.

    1. Anonymous Coward
      Anonymous Coward

      Re: Be careful who you troll

      There's a small step you have whizzed past there...

      They need to get your wifi MAC address first. This isn't sent over the internet to forums you are trolling, it's only broadcast over the wireless for as far as the wireless signal reaches. So for them to know your wifi MAC address, they would already need to be shouting distance from you.

      MAC <> IP

      1. Stoneshop
        FAIL

        @AC 07:14

        *You* have whizzed past the step where the person who wants to discharge his annoyance into offline violence breaks into the network (which, because of this internet thingie, might happen from anywhere in the world), and grabs the MAC address the access point is using.

        So, no need at all to be within shouting distance initially.

        1. Daf L

          Break into your router?

          Most routers - even insecure domestic ones don't allow remote management, even if the password is default. The protagonist would also be required to get the IP address of the soon-to-be-victim from the website that is hosting the forum. They would then need to get in to the remotely manageable router and look up the WiFi MAC. however, if you could get access to someone's router it wouldn't take too long to find out where they live and who they are anyway.

        2. Anonymous Coward
          Anonymous Coward

          @Stoneshop

          I'm AC 07:14

          I apologise, I misread the original post. In my defence it was 7am!

          If I had read the post correctly, I would have given the reply "Daf L" posted :-)

          I feel pretty secure with my setup, my wifi is provided by my old router. My DSL connection is provided by my new router. So there are two sets of security to get past :-)

          1. Anonymous Coward
            Anonymous Coward

            Let's have it then

            Those who feel completely secure in their mapping from IP to MAC please post your IP addresses here for us to check :-)

            1. Steve Evans

              @Gk.pm

              Okies.

              192.168.1.33

              1. Anonymous Coward
                Anonymous Coward

                @Steve

                Ah Steve, aren't you the playful one... I'm reading The Register right? An IT website? Or has it become part of the Daily Mail?

                Of course it's NOT your internal IP address.. let's see your WAN address, you know the one which the websites and everything else out on the Internet sees.

                1. Steve Evans

                  @Gk.pm

                  Yup, you're reading the register. Did you really expect everything in the comments to be serious? Come on, REALLY!

                  I could tell you my IP... but then I reboot the router and I get a different one :-)

                  To be honest I think the attack possibilities of knowing an IP far exceed those of knowing the approximate location of a wifi MAC. For a start, anyone more that a few miles away isn't going to bother driving round to your house to attempt to exploit the wifi.

                  Knowing the IP that someone is using allows you to "have a go" from anywhere on the planet. Knowing who the person is gives you a good leg up on the social engineering side of hacking. I'm lucky that my name is only slightly more unique than John Smith, so even assuming I had a public facebook page, you'd still be pulling up 500+ matches in London alone. That does still leave you with the chance my router is set for remote admin, and the password is steverocks...

                  So on that note I'm going to go change my password :o)

              2. Ken Hagan Gold badge

                Hey, Steve...

                The IP address of the *wifi* port on my router is almost the same. Perhaps we're neighbours?

                1. Steve Evans
                  Pint

                  @Ken Hagan

                  Oooh, what are the odds on that!

                  Well you do spell "neighbours" correctly, so there's a distinct possibility!

                  It's a bank holiday, first round is on you!

            2. C 2
              Go

              RE:Let's have it then

              okay it's 127.0.0.1 ... there's no place like 127.0.0.1

        3. This post has been deleted by its author

          1. Ken Hagan Gold badge

            Re: http://iwtf.net/2011/04/23/updated-location-applet/

            So by writing a Java program and then using some social engineering (signed code) to persuade the end-user to run it, you can get their MAC address. Umm, if I put my mind to it, I could probably write a program that *sets* their MAC address. I too would need to use some social engineering to persuade my victims to run it.

            Unless you are pointing to the fact that your program is written in Java and most people don't expect Java code to be capable of malice so your social engineering might be easier. In which case you've found a problem with Java rather than a problem with Google collecting MAC addresses. (Otherwise you'd have written the demo in Javascript, which enjoys far wider browser support.)

            Either way, as soon as you have got arbitrary code running on the end-user's machine you have already accomplished something far more intrusive than querying their MAC address.

  13. XMAN
    Stop

    Was considering an android

    I was consider and android, then I read this.

    I do try and stay away from Goog products as much as possible, because I don't like how much data they slurp up both legally and illegally.

    They pretty much just do what they want and even when they're caught doing something illegal, it's rare that they get punished.

    Not impressed with this at all.

    Anonymised data my arse. Just like they anonymise their online tracking data by using a unique ID instead of your goog ID. Except your goog ID and the new unique ID are tied together in another table. So the data is anonymised as far as no one querying the two tables together.

    The government of each country Google operates in needs to start putting their own people INSIDE the Google offices to directly monitor what they're doing. Charge Google a fee for this. They proven time after time that they'll do anything to get ahead, legal or not.

    1. Anonymous Coward
      Anonymous Coward

      Re: Was considering an android

      "The government of each country Google operates in needs to start putting their own people INSIDE the Google offices to directly monitor what they're doing."

      That's assuming you trust the government more than google, which given the multiple privacy invasions of the last UK govt, I wouldn't!

      1. Elmer Phud
        Headmaster

        Ahem

        It's Coulson and NoW that are accused of phone hacking.

        1. Anonymous Coward
          Anonymous Coward

          Did he say phone hacking?

          The current and previous governments have engaged in a great deal of snooping, peeking, prying, poking and pilfering of private information far above and beyond even the worst commercial offenders. They have attempted to gain knowledge of every ingtimate detail of our lives, spent billions trying to correlate information about us across vast databases in order to build up a more "complete" picture of our activities, and they have the power to spy on us whenever they like for just about any reason without recourse to the courts.

          So, yes, I'd say that phone hacking and wifi data snooping are smallfry in comparison to the reach and attempted actions of the state. I would not trust this or any government to oversee Google or any other company engaging in such activities. They'd probably give them tips. If the government did smack them down it would only because they want to preserve their monopoly on privacy invasion.

          1. Eponymous Howard
            FAIL

            And then the governments...

            ...got thrown out.

            Who's going to throw Google out?

            1. Anonymous Coward
              FAIL

              As The Who would say

              "Meet the new boss. Same as the old boss."

              Changing (or indeed thowing out) governments does not make the slightest difference.

              After one got thrown out last year here in the UK has anything really changed with regard to the snooping they do?

              Oh yes, we've heard a few promises but who, other than those constrained in a straightjacket, believes anything a politician promises?

  14. Beau
    WTF?

    No Surprise Here

    So what in hell did you expect,

    Android = Google; Google = Data mining.

    That is what they do!!

  15. John Deeb
    Big Brother

    such a lovely place...

    It's not that much different than search-engine or archive bots having spider your website uninvited and adding them to some index, with snapshots and caches and all? Was I the only one extremely surprised in the 90's that this service was always opt-out? With some effort at the time! And that after opting-out or even closing the websites the address and URL still shows up in search results years after? You never leave Hotel California..

    All your published, transmitted or broadcasted data, id's and data networks are public, scannable and indexable for the word unless you take effort to protect and secure them. That is the reality we live in and are already living in for 15 years. Unless all information is declared private by default by law this is never going to change.

    1. Stoneshop
      Grenade

      @John Deeb

      Well, websites don't spring online of their own; someone builds them with the intention of publishing whatever they want published. Indexing that is vaguely similar to compiling a telephone directory (which you too can opt-out from).

      Indexing all the WiFi access points of the world might be a laudable effort *IF* those AP's were intended for public access. Which, by and large, they're not. And using their MAC/SSID for geolocation is shady at best; access points don't know their location and therefore don't broadcast it, so their location has to be cross-correlated from known info: GPS, cell data, just to make locating easier for devices that aren't (easily) capable of cross-correlating that info. And for using MY router's MAC address for that it'd be ME who would have to be asked to opt-in, independently of what some minor percentage of Android users chooses.

      We need a "bugger Google with a splintery broomstick" icon.

      1. Ken Hagan Gold badge

        @Stoneshop

        Last time I went hill-walking in anger, I used a map that had houses marked on it. Not infrequently, I would find myself estimating my position using those houses. I'm pretty sure the Ordnance Survey didn't ask the property owners for permission to list them on the map. As far as I can see, the only difference is that houses show up in the 4-700 nanometer band and wifi shows up at longer wavelengths.

        Do you camouflage your house to stop people using it for navigation?

        1. Stoneshop

          Ordnance Survey

          doesn't give out maps with those houses tagged with personal data.

          Google does. And they're freely accessible.

          1. Ken Hagan Gold badge

            Re: Ordnance Survey

            The MAC address on a wifi router is no more "personal" than the house number on my front door, and exists for a similar purpose. If your eyes could see the wavelengths concerned, identifying your house by MAC address would be no more intrusive than using the colour of your roof or the presence of an unusual tree in the front garden. Characteristics such as these have been used for centuries when giving directions to passers-by and *that* (rather than hacking into your network) is the stated and fairly obvious purpose of collecting this data and allowing Android phones to use it.

            I note that this comment thread *still* hasn't established a credible mechanism for remotely discovering someone's wifi MAC address, so I really do mean "passers-by". In order to use this "freely available" information, you need to be close enough that you could find it yourself by listening.

            So why are Google collecting it at all? Well, although *you* can just read the names on the street signs and the house numbers, your phone can't.

  16. Lance 3

    A

    Well, I had 802.11G and 802.11A running and now just have 802.11A running. Google doesn't scan the A side as it wasn't on their map. The location was way off on the G side; not shocking since it is a gated community.

    Might need to set a script up that will randomize the MAC and change it everyday.

  17. This post has been deleted by its author

    1. Ilgaz

      This is why Symbian/Meego should stay

      Well, your symbian privacy exists until you install google search to it. :) it has right to collect location data, runs on startup and has network connectivity enabled. That is the company we are dealing with. It does these for a lame searchbox, nothing else! Running their OS even while you paid for it?

      The only Google thing I would install to any phone is: gmail j2me app. Why? Because. your data is already harvested and they were lazy to get it signed so it can't access to location etc without a very big fat warning.

      If MS/RIM/HP are clever, this is how to hit both Apple and Google. Strict privacy.

  18. Pat 11

    Duplicity I reckon

    It doesn't matter that cell.cache only stores the most recent entries... Each entry is the result of a lookup on google servers. If Google store all your lookups they have a complete location record. It's not clear whether this collection is done regardless of your opt in/out of location services.

    Furthermore, now they have this map, it's such a rich dataset that it is robust - you can break bits of it, say by changing your MAC, and it can use the remaining data to relocate your new MAC.

    Finally, does anyone believe the line that all this juicy personal data is not held in a way that allows it to be directly tied too your id? After all, what on earth could the world's biggest targeted advertiser (and their close friends, the world's most mercenary government) want with such information?

  19. Anonymous Coward
    Unhappy

    You can't opt out!

    All discussion about how to opt out of this seems irrelevant to me. The guy that did thisresearch claims that a phone that is doing this will send data for *any* WiFi network it detects. I don't have an Android phone and my router is listed....

    Still, as a number of people have already mentioned, getting a WiFi mac address remotely is non-trivial. Unless of course you've set up a web site that lets users put in their Wifi mac address to see if it's mapped and lots of people try it out.....

  20. vonBureck
    Black Helicopters

    Holy crap, works here as well

    Pinpointed me right down to the street address, and there's not even been an Android in use in the house since last year. Scaaa-ry. You want one of those touchy-feely phones, but don't fancy spying by the Church of Jobs or Chocolate Factory? Check out Samsung's Wave - very touchy, and not yet accused of covert surveillance.

  21. Anonymous Coward
    Anonymous Coward

    @huh?

    I have a friend who doesn't have an android phone and never has, yet his router is in the database and worse his FULL address including house number is there. How is that opt-in??

    1. Ceiling Cat
      Badgers

      What's a title?

      Found my router in there... Address was wrong, as was postcode etc. Not surprising though, as I am in a medium density resi-mercial area.

      This would be a bit of a hassle if my router wasn't locked down. Of course, I'm pretty sure I could change the BSSID and disable the beacon, but then I'd have to run a wire to my laptop for network access. It's the only machine I use wi-fi on though, and I'd get much better speeds from wired, so it's a toss-up really.

      Would be interesting to see which of the other base stations in my area show up on the map.

  22. Jay Clericus
    Unhappy

    wireless used a few years ago

    went to http://samy.pl/androidmap/ entered my mac and it shows me a nice map of my locality covering approx 100 house or so

    never owned an android, I got a nokia 1112, ie very basic phone

    not used the wifi for a few years either...

    1. Mystic Megabyte
      WTF?

      @jay clericus

      Methinks the ISPs are selling the data, BT most likely as they are a bunch of ***********s

      1. Lance 3

        Not the ISP's

        Mine was listed and the AP is just that, an AP and not a router. The ISP has no knowledge of it as it connects to a firewall. So the ISP would never see the MAC. This AP also has to transmitters and only one MAC was listed of the two; the 802.11G and not the 802.11A.

  23. Rogersen

    Is this news?

    It has been known for a long time that Google and Apple uses WLAN-networks and cell-towers to find the best possible location of your device. I can't understand the uproar. Apple seriously needs to expire the data in it's cache-file after some hours/days, but apart from that there really isn't a big problem here. Who cares if the location of your router's MAC-address is stored in a database? What can anyone possibly do with these data to harm you or your network? It's not like the MAC-address of your router is a big secret. It's broadcasting it ALL the time for anyone to see. Who cares?!

    1. Anonymous Coward
      Anonymous Coward

      One example of harm

      I can think of at least one example where this could cause problems. Let's say a woman decides to move house to get away from an abusive partner. If he records the MAC of the router before she leaves (or to be honest it would be on his laptop if he'd ever connected from there) then if she ever turns on her router in a populated area - he'll be round her house in no time...

      just one example but until someone buys a new router you could follow them around the world like this.

  24. Anonymous Coward
    Anonymous Coward

    Do we want location or not?

    I am glad to see people reacting with similar intensity to Google's revelations, and it's nice to see some familiar faces who were calling me this and that on the Apple thread now eating humble pie (btw if you have a Android phone I'll personally be calling at your locations for an apology - sorry, only joking)

    However I still say the same thing. Why does this matter so much? Most of you with Android phones are already giving Google much more information than this when you use Gmail or sync your contacts with them.

    Also allowing opt-out is useless, all it takes is someone who didn't opt-out to go by your place and it'll pick up your Wifi anyway.

    The thing is for Wifi location services to work, or in the case of Assisted GPS for things like Google Maps, geotagging photos, TomTom navigation etc to work well this information has to be collected somewhere. There is simply no other day we can have these nice things working well on mobile phones without this information.

    Call phone companies already had this information ages ago, we just need to look at research papers on human mobility based on data from mobile phone companies to see how easily they were tracking people. Some researchers (eg see BarabasiLab) even got information on everyone's movements for the whole mobile network. And this was even before smartphones!

    Sure information was anonymized for the researchers, but the mobile company has the raw thing.

    It would be impossible to stop mobile companies keeping this data, they need it for billing/security/quality control, who knows what else. They also sell it should you be interested in buying it (some truck or companies with travelling salespersons do).

    O2 even recently launch a location-based mobile marketing service, which works for ANY phone, not just smartphones. See http://www.theregister.co.uk/2010/10/15/o2_more_location/

    Sure you opt-in to receive the ads, but the information is always there regardless.

    So is it such a big problem that Google, or Apple, - or very likely any other mobile phone maker which has location services - does it?

  25. Robert E A Harvey

    nearly right

    I live at 63. It said my wifi was at 68, and drew the blue blob at 72.

    Nothings perfect, it seems.

    1. Robert E A Harvey

      router location? phone location?

      I'm guessing that the more android phones pick up yer router the better the fix will be. I reckon in my case it is reporting the location of the one house where a visitor had an android phone.

      I bet it has reported about 10 routers at that location, too. We are getting channel congestion round by 'ere.

  26. Deckchair

    is required

    The phone asks for specific permission when you first start it up, its part of the Setup process. You still need the wireless MAC address to get a physical address back and the idea that someone who's breached your network would at that point need to use Google to get your address is laughable.

    Seriously guys, when you are sat there with apps knowing your current location, filling in web forms with your home address and what you had for tea last night did you really think it was all just magic? Or do you just maybe, there's might just be a little data mining going on.

    As for the Appletards trying to crow about how Android is just as bad as iPhone. This changes nothing; you still bought the inferior product. Get over it.

    1. Anonymous Coward
      Anonymous Coward

      Not at all

      It changes everything, because much of your inflated sense of moral superiority comes from Google's "don't do evil" policy.

      It's always great fun to poke at that particular ballon of hot air and see it burst into pieces.

  27. Anonymous Coward
    WTF?

    It's not such a big deal

    If you choose to have wireless, and broadcast a unique MAC address someone is going to record when, and where it is broadcasting from.

    If you don't want it to be recorded, either don't use wifi, or change you MAC address regularly, it may also be prudent to put lower gain antenna's on your equipment so that the signal doesn't propagate as well, and stick to B/G and avoid N.

    Also, if you are that concerned at being located, use an ADSL provider who usually gives you a different IP address every time you connect and put your router on a timer that turns it off and on again every 30 minutes.

    It might also be prudent to cover your walls and windows with aluminium foil, start wearing surgical gloves all of the time and putting you false nose and glasses on when (or more likely if) you leave the house.

  28. Anonymous Coward
    WTF?

    No problem here

    Neither of my wifi points are listed by Google, and I can see about half a dozen wifi APs from my sofa, some of which are presumably owned by Android users.

    Anyway, if you're a celebrity/terrorist/paranoiac/crook/pedophile/control freak/privacy nut or similar, why not change your router's MAC address periodically? Use Google's handy list to pick one somewhere you'd like complete strangers to think you are, a bit like those dodgy POTS numbers that VoIP uses?

    To the person who points out that you can't usually manage home Internet routers from outside the LAN, you get into a machine on the inside and bounce back at the router, but this assumes that the network was set up by someone who shouldn't have.

    As an aside, how many people here use a VPN on at least their wifi links? Now that WPA is relatively trivial to hack unless a proper password is set (63 chars of lion noise), sniffing is likely to be a much bigger risk than Google, Apple, or their murderous hordes of advertisers knowing your approximate whereabouts. Or you could just use cat5.

  29. Tech Hippy

    Now I'm disappointed...

    Not listed - despite having had 3 different android phones and using location services since Android's launch..

    Now I feel left out...

  30. Steve Coburn

    My router isn't there

    but I've had an android phone for over 6 months. Is the data really related to android phones or has it come from elsewhere (i.e. streetview).

  31. Anonymous Coward
    Paris Hilton

    FINALLY PROOF THAT.. no.. hangon.. wait, what?

    So, the article says that IF -YOU MANUALLY GIVE- your wifi *router* MAC address to a hacker, the hacker knows where you are?

    ..which will be true even if you don't own any phone at all...

    But Google are EVIL because, *if* you switched that feature on, *and* someone finds a way to *root* your phone, they can *probably* work out where you are.

    Dude, if someone's in your phone, raping your data, are you sure your router MAC is the most sensitive/personally identifying piece of data you've got in there?

    Or maybe you're worried about the police, who want to know where you've been in that rare case the phone company cell trackers *don't* just tell them.

    Or maybe you're just all up in arms because you've just found out that the wifi MAC address that your router's yelling to the public, is like, public? And this is Google's fault too?

    What happens if you turn off the public SSID broadcast on your wifi router? Hey, Google it.

    Paris, because FFS people...

    1. Anonymous Coward
      Anonymous Coward

      Even with SSID broadcast off

      it's very easy to detect your network and even MAC address of the router.

      Google it.

      1. Anonymous Coward
        Big Brother

        True for real wardriving yes, but true in this case?

        What I want to know is, do Android/Apple report wireless networks that aren't broadcasting their SSID publicly?

        That's tantamount to an opt-out. Is it respected?

  32. Dan 55 Silver badge
    Flame

    Excuse me, I didn't opt into this, I don't even have an Android phone

    My router's there though. I can't say I'm surprised, I can say I'm getting tired of this.

    If you want location-based services you buy some hardware with a GPS antenna in it.

    I didn't read the article where Google said that they were going to switch from Street View cars to their phones but I guessed as much; they can't put all that hardware (or software) into everybody's hands without "getting right up to the creepy line".

    And for those who kidding themselves saying it's only limited to 200 access points or 50 entries, you don't honestly think the Google mothership overwrites old set of data it receives from the Android phone with the new set? It's all getting concatenated and if someone at Google does a SELECT with your Android phone's unique ID it's all going to come back out again. More likely it'll be used as just another step in the process of selecting the most relevant ads for AdWords adverts appearing on your Android phone and possibly (probably) your desktop if you're logged into iGoogle.

  33. John Hawkins
    Big Brother

    But does anybody really care?

    I used to get uptight about all the surveillance going on, but after getting persuaded to join Facebook (account is now wiped; got better things to do with my time) and seeing what people write there I now find it difficult to get wound up about the subject. Apart from a few obsessives in IT and most leftist idealists, I doubt people care about whether they're tracked or not.

    Checked out Samy's site and found my router; kind of cool from a purely technical point of view at least.

  34. M Gale
    FAIL

    Oh, just figure I'll post the results for a giggle.

    "latitude": 34.0918525

    "longitude": -118.3461034

    "country": "United States"

    "country_code": "US"

    "region": "California"

    "county": "Los Angeles"

    "city": "Los Angeles"

    "street": "N Formosa Ave"

    "street_number": "1140"

    "postal_code": "90046"

    "accuracy": 24.0

    Err, no. Wrong side of a very big ocean and a continent, that is. Still, I suppose any passing aliens might know I come from the planet Earth someplace.

    1. Greemble
      Big Brother

      @M Gale - Very interesting...

      I just tried it too (from a proxy address located in Germany, apparently) I got the same results as you...

      Did you use the MAC address that was in the search box or did you put in your own address manually?

      This had me wondering about tracking over the web, until I noticed the WLAN/LAN MAC address (as collected by Google/Apple/Skyhook/et al) will be different to the WAN/External MAC address (as seen/collected by any web site applet visited) - at least, they are on my router.

      For all those that believe the government should do something about this, don't worry, they are monitoring the situation closely and if it looks as though this becomes too invasive, they'll take control over the information - and use it themselves.

      Big Brother - you don't seriously think any government would not use such technology to keep tabs on it's citizens?

  35. Anonymous Coward
    WTF?

    Google's statement is the height of sophistry!

    I hate these un-convicted thieves. I did not and would not knowingly or consciously give anybody permission to collect, hold and make public my WI-FI router information. Maybe I just didn't understand the question....

    I don't care whether or not they say the anonymise it. It is the work of a very few moments to tie the location to a name in the UK. It is called the electoral register.

    As other have said these folks must have an unbelievable arrogance to think up, let alone execute, a plan that allows them to deliberately invade the privacy of people in this way.

    If their business is built upon data mining and selling personal details then the sooner they and all similar business are put out of business the better.

    Maybe I am unique but I'd much rather pay for a service directly than have an MBA suit dream up a way of slipping their dirty little ideas into me for 'free' so that they can exploit my surreptuously acquired information for selling on to someone else or something worse.....

  36. Anonymous Coward
    Unhappy

    What about information saved server-side?

    [Quote] <Kamkar's website was introduced a day after he made public research that Android handsets collect nearby Wi-Fi access points and their geographic location every few seconds and transmit the information, along with the device's unique identifier, to the company several times per hour.> [End Quote]

    The log file on the phone may only store the last 50 entries, but what about data retention on Google's servers? Surely including the phone's UID throws the idea of "Anonymous" out of the window. They may not know your name and date of birth, but they sure know where your phone lives, where it works, where it shops, even if it is currently on holiday!

    There must be something in the Data Protection Act that outlaws collection of information to this level without *Full* explanation of the information you are providing. If google only received "Android phone running 2.2.1" I wouldn't have minded as much, as this is a more generic ID.

    I've sold my daily routine to google without realising it!

  37. Andrew Jones 2

    re: Android.

    OK - I wrote the facts on the Apple article - here they are on Android.

    1) The service is opt-in, if you switch off location services the web request from your phone to Google containing: "nearby cellids, nearby wifi mac addresses" is simply not done - this is OPEN SOURCE software the code is there for ANYONE to read.

    2) WiFi networks that were not picked up by StreetView (not broadcasting, changed MAC address etc etc etc) will eventually be added by people running Mobile Google Maps software (note NOT JUST ANDROID USERS) and despite what the article about a "switch" taking place may have said - it is incorrect - Google have been collecting this data since BEFORE StreetView, what I read was that they were just going to rely on the method of mobile phones providing the data, and ditch the StreetView method of gathering data.

    3) Your WiFi network will not just be added to Google's database because one person who has GPS running drives past and the phone reports your WiFi MAC. The quickest way to find out if Google knows where you are is simply to load Google Maps on a device with WiFi enabled (and GPS if enabled - switched off). If you are not correctly located after clicking the "Locate Me" blue dot thingy, Google doesn't know your WiFi MAC. (do note though that on a device connected to a mobile network, Google will be able to have a very good guess based on what cell phone towers can be seen and the signal strengths.)

    If you are not located correctly, it will take many people picking up your WiFi network and reporting it to Google before you eventually get added to the database.

    Now on to the cache file - I take it people haven't thought this through? So let me try and explain - what is the purpose of a cache file?

    A cache file allows the device to temporarily store some information offline without having to repeat an identical request wasting your bandwidth and the bandwidth of the service provider.

    So is it unreasonable what the cache file is storing?

    50 cell tower ids. Please note this is NOT 50 cell towers the phone has connected to - but 50 cell towers that the device has looked up. In the UK we have 5 main providers - for each area you are in there is a good chance the phone will look up 3 mobile towers. In a highly populated area - a lookup of 50 towers is probably the equivalent to a very large Town / Small city.

    As for WiFi access points - between Greenlaw and Edinburgh (a journey we do quite often) I once ran NetStumbler to see how popular WiFi was (to help make the decision whether offering WiFi in our cafe was going to be worth it) Running on a laptop in the car, using internal wireless (no boosters, external aerials etc) we detected over 3,000 WiFi networks. This was in the Scottish Borders! in 2006. Now - does storing the result of a lookup for the last 200 seem so unreasonable? In Dalkeith there were times were in a single street - we were "seeing" 50 networks at once.

    I know people are trying to suggest this is the same as Apple, but it is not - Apple are not expiring their cache. As it stands at the moment - without additional apps installed, someone stealing your iPhone (which let's face it is more popular and hence more likely) can find out everywhere you have been since you got it. With an Android phone they can probably see where you have been for part of the day (unless like me you have Google Latitude installed).

    I hope this helps some people. (ps as seems to have been overlooked by most people reading the article - http://www.skyhookwireless.com/ were doing this before Google and Apple.

    1. Anonymous Coward
      Anonymous Coward

      Except..

      The problem is the location framework in Android is NO LONGER open source as you say. It's now inside the closed source Google's services framework and only packaged as a binary blob as part of GApps.

      All we have is old source code and so you really have no idea what the current implementation does.

      As iOS doesn't refresh the information that often (people have seen it takes weeks before an update is done) I can also argue that Android will have very fresh timestamps on your whereabouts, while iOS will have old timestamps if you mostly travel to the same places (like home to work and back.

      I also ask why Android needs to have timestamps in its location data at all, if it apparently expires so quickly as you say.

      1. sT0rNG b4R3 duRiD
        Unhappy

        NO LONGER open sourced...

        F@#ck me... that's torn that idea I had then.. Damn....

    2. Anonymous Coward
      Anonymous Coward

      Plus, let's rewind back to what you said before

      Andrew Jones 2, in the previous iPhone thread, right at the top of your "analysis" (and btw, if that was analysis maybe don't give up your other job) you said:

      "If this had been an Android phone - this would now be hitting the national news - "Google secretly stores tracking data on mobile phone users" but as it is - it is Apple - and people are coming up with all sorts of stupid excuses as to why this is a "non-issue"."

      Funny that this has in fact happened to the Android phone and what I see is YOU coming up with all sorts of stupid excuses as to why this is a "non-issue."

      Maybe you should have considered this wasn't a issue from the very start, now you'd have less egg in your face.

      1. Andrew Jones 2

        re: Apple

        ..... and yet - you have still entirely missed the point.

        The article says that researchers have discovered that the android phone has a cache of mobile tower ids and MAC addresses along with lat, long and a timestamp.

        It further says that the last 50 cell ids and the last 200 MAC address lookups are cached.

        You ask why the cache file would need timestamps - it is therefore VERY clear to me that you have absolutely no clue HOW a cache file works.

        The whole point of a cache file is to store some data offline for a period of time so that the information can be quickly retrieved with minimal latency and remain relatively fresh.

        The reason the cache file is storing timestamps is very simple - how exactly do you expect the phone to know when it must perform a lookup of a cellid or a mac address if the result of the last lookup was stored WITHOUT a means of knowing how long ago the last lookup was done?

        The cache file will therefore use the timestamp to be able to figure out "the result of the lookup for mac address xx:xx:xx:xx:xx:xx is now 7/14/31 etc days old - it must now be checked to make sure the information hasn't changed"

        If the cache file could not be used in this way then the information would very quickly become old and probably incorrect - because people move houses and take their WiFi with them.

        --

        Returning to your other point - IF Android was storing the same amount of data as the iPhone then I WOULD be jumping up and down and shouting about it - because Apple are clearly using the information for something other than just caching purposes.

        As a programmer I understand the differences between storing temporary cached data to save battery life, save bandwidth and improve general performance - versus collecting data and storing it indefinitely.

        Further - you seem to of completely missed what I stated again - when you switch off the Wireless Location Services on an Android phone - the phone stops collecting data - if you are actually a technical person you can prove this to yourself with the likes of PFSense, Wireshark and an Android phone - but of course you have no idea who I am and assume that I have no idea what my Android phone is transmitting - well you are VERY wrong there.

    3. John Smith 19 Gold badge
      Thumb Up

      @andrew jones 2

      Nice summary. I note this *appears* to be opt in.

      It wold seem that the only way to scupper this idea (if your Android does not collect the info, every other user Android does) would be to for WiFi operators to randomly reset their hardware and invalidate data that was collected before a certain date.

      Personally I have a router with wireless as an option. I keep it disabled.

      That might not be an option for other people.

  38. anarchic-teapot

    Well I'm not on there

    And to be fair, this option is indeed disabled by default on my HTC handset. Should I be in danger of switching it on by accident, I get a warning about data being sent to Google, as well as heavier battery usage.

    Damn thing needs recharging every 2 days anyway. They can keep their localisation.

  39. Oninoshiko
    WTF?

    you know, if you really are that concerned about this

    stop transmitting a unique identifier from a set location.

    Triangulating the location of a transmitter has been well understood since soon after (insert Tesla or Marconi, at your preference) invented the radio. Strictly speaking, triangulation itself has been understood since the 6th century BCE.

    Of course, if you really WANT to push this, I never gave ANY of you all permission to bombard my body with your electromagnetic radiation.

  40. Just Another SteveO

    Hmmm - do no evil?

    Out of curiosity i had to check my APs MAC address to find it listed in the place I used to live (and very very accurately). I don't use Android by the way.

    Whilst I understand that people will say 'it's your fault, you are broadcasting etc etc', I don't think that's the point really, I see no reason why Google should log and compile all of that data - and this for the ones who talk about 'opting in' - I hate Google, I hate the fact they slurped data on Streetview and lied about what they were doing and I hate that our utterly utterly useless ICO isn't prepared to do anything and therefore I *choose* not to use their services and therefore have *not* opted in. But they log my stuff anyway......

    So, Google, tell me how I opt out of this and you delete my (old) address - you bastards!

    Steve.

  41. JMac
    WTF?

    Have you all lost the plot?

    Presumably none of the negative posters here have ever heard of Skyhooks? It's been around for absolutely YEARS, and has been discussed on el'reg numerous times. If you have heard of it, then how can you be so shocked and horrified?

    If you don't want people (such as me or Google) knowing your MAC address, then turn you access point off! That's all this is. Skyhooks, Google and anyone else who feels like it is free to harvest that information and use it for Geo-location. Get over it, or stop broadcasting your MAC to all and sundry by opting out of Wifi.

    Those who say that they are not going to buy a Android phone because of this are dumb-asses. As an Android phone owner, I have volunteered to collect this MAC address data and submit it to Google. If you are not happy volunteering this data, then don't choose to do so!

  42. The Alpha Klutz
    Megaphone

    Soon there will be no privacy online

    It seems that a number of forces are closing in on a new vision of the World Wide Web that by it's very nature will know who you are, where you are, and what you get up to.

    The steps you can take to protect your privacy from this are simple, yet highly impractical given the sheer number of attack vectors and the pervasive nature of the devices to which they relate.

    As conducting your daily business online becomes more convenient, it follows that hiding your tracks will become exponentially more inconvenient. At some point it is simpler to come to the realisation that you really have no privacy, and to change your behaviour accordingly.

    The alternative would be to juggle multiple identities with all the skill and efficiency of a paranoid schizophrenic. With the added caveat that you will need to be a computer scientist in order to understand and plan around all of the surveillance systems that might exist now or in the future.

    The only solution is to reorder society so that the transparent nature of our activities becomes a benefit rather than a detriment. We want to be reasonably confident that baddies wont take all of our money, and that our government won't abduct us in the night.

    We want freedom to discuss controversial ideas without Mr Lead Pipe paying our noggins a visit. Essentially, assurances need to be made that people will act civil. Until technology is invented that can assure basic human decency, we are basically fucked.

    Maybe such a technology would be to put psychoactive drugs in the water, not that anyone's doing that; doo doo do doo, doo doo do doo. And I certainly wouldn't advocate it. But something needs to be done about Shouty McSkin Head and his vigilante group the McIdiots. Those are the people that will really benefit from total information awareness.

    Everyone already knows Mr Skin Head is a bigot. He has nothing to lose and everything to gain by finding out where YOU live.

  43. Paul 135
    Big Brother

    botnet

    So essentially Google is installing its own botnet with every Android phone and copy of Google Maps?

  44. Anonymous Coward
    Grenade

    You lot are funny

    Half the world is connecting to Foursquare to tell everyone they have 'checked in' at Tesco's and bought a pint of milk. The others (the tech savvy) are whinning about invasion of privacy.

    Of course there should be better privacy laws and if you (yes YOU) get into politics and push that agenda it might happen. Meanwhile i would wager that a number of you are employed in IT somewhere and your company is wondering how it can 'monetize' all the goodies of smart phones... particularly location data...

    I run my android table in airplane mode most of the time, my iPhone is stored in my faraday cage case and i turn on location data when i want something (like a map and route to a client's address). This is more to solve battery and roaming problems but it helps with privacy...

    Use your device, don't let your device use you!! Muppets.

    1. Robert E A Harvey

      umm.

      I thought a foursquare was a phased array antenna.

  45. Gordon Barret
    Unhappy

    I'm not in it

    My router is not in the database, why have they left me out, boo hoo!

    But seriously - google snapped a nice picture of my house for StreetView around 3.5 years ago, and I have been using the same LinkSys router for around 5 years, so why have they left me out?

    1. Anonymous Coward
      Happy

      "...why have they left me out?"

      Are you an accountant, and consequently too boring to be of any interest?

      More seriously, though - is there any chance they have difficulties with particular types of routers? As I said way back at the beginning of this, they're 3 miles off with my router and it too is a LinkSys one that's been in use for 3 yrs-ish. I suppose if I were really paranoid I'd be wondering if my router had been elsewhere while my back was turned, but ...

  46. Anonymous Coward
    Thumb Up

    Do you really care?

    I dont get what all the fuss is about, so what if Google knows where you are and what you look at? Does it affect you in anyway, the only people who wouldnt like it are people who have got something to hide.

    The only bad thing about it is if they were to use it, or make available to others, to display your behaviours in terms of where you are and when to the public so it could be used to rob your house but this would never happen.

    I just forget about and not let it worry me, theres no point, my life wont be any different if they did or didnt have that info.

    Looking forward to the comments flaming me for my opinion...

  47. Anonymous Coward
    Pirate

    time to sue

    This is simply too much to swallow at let it go on at this point. I don't have Android phone, my WiFi network is private (hidden and properly secured) and I'm in a database. Many people here obviously miss the point. If someone is dumb enough to buy a phone that tracks their whereabouts and reports back to the mothership, that's their business but once this person starts snooping (even if unknowlingly) around for private networks, records their location and stores that information in a database, he is commiting a crime.

    I live in the Czech Republic and Google was audited after the street car fiasco so this is definitely illegal here. Now the question is if the gov't can go after Google since they are not spying on me anymore, the phone users that pass by my house every day are. I'm going to the authorities about this, and I'm going to ask Google to remove me from this database otherwise I'm going to take them to court.

  48. Anonymous Coward
    Anonymous Coward

    Actually...

    This might explain something... For a few months when I first got my HTC Android phone, every now and then when at home the HTC weather widget would decide to tell me the weather from somewhere in French Canada!

    Now I don't usually have the mobile data or GPS switched on when I'm at home, just wifi, so the only location methods open to the phone would be from the wifi MAC or the cell ID... Now my cell signal is not good, never has been, so if I don't put the phone on the window ledge it goes out of service, leaving only the wifi MAC as a means to locate me... So I suspect that someone has got or had the same MAC as me. Who knows if this is an accident of production, or some techie messing about and changing his MAC.

    After a couple of months this stopped and the weather widget correctly located me... And the page in the article does come back to my location for my MAC. So I guess my clone ID no longer exists, or hasn't been seen for a while.

    Curious, wish this story had come out a few months back, it would be interesting to see if my MAC was indeed being used by someone else in Canada.

  49. Henry Wertz 1 Gold badge

    Not illegal

    "My wi-fi router broadcasts it SSID with the expectation that this will be used by my or permitted users to find my network so that they can connect to it.

    Accessing and using this information outside of its intended purpose is illegal."

    I don't think your expectation matters, you are broadcasting, in the clear, your SSID. Access points *can* be set to not broadcast SSID, if you really don't want anyone to see it. Cracking some password to log into your AP is one thing, but information you have actively chosen to transmit so it is receiveable from out in the street? I seriously don't think anyone could consider it illegal to pick that up.

    So, I don't care if anyone knows my SSID, it's location, and it's MAC address. This information is absolutely worthless in terms of being able to use my connection, since it doesn't give any information regarding the WPA2 key (*finally* upgraded from WEP recently.. yeah.) My phone should not be logging location info, but it's much better to just record a few data points versus an unlimited amount, possibly gong back years, ala Apple.

    is there any technical reason to do this? Is it calculating average speed for purpose of Google Nav or something? Or is it just for the hell of it?

  50. Henry Wertz 1 Gold badge
    Joke

    Just move around a lot

    Forget rotating your MAC address -- you just have to get an inverter or battery backup and bring your access point around with you. Google won't get your AP's location if it's at home one moment, on the A5 the next, in a coffee shop the next! (In case you missed the icon, I am of course joking. Although, I guess this is true if you get something like a mifi.)

    1. Anonymous Coward
      WTF?

      Re: Just move around a lot

      Bit bored the other day driving round London, I had the wardriving app running my my droid, and there is actually an AP on the M25! I think it is something to do with the roadworks between junctions 27 and 28.

  51. Basic
    Coat

    Y'know it really pisses me off...

    ...when stuff like this happens - I dislike Apple products for a number of reasons and have always promoted Android to friends/family.

    How am I supposed to have a good old self-righteous Apple-bash when Android turns around and does this?

    I just know that one day I'm going to end up having to compile some odd linux distro and install it on my smartphone so it does what it's supposed to do and ONLY what it' supposed to do. It really is very depressing.

    "Here I am, brain the size of a planet and you want me to get my coat"

  52. Anonymous Coward
    Linux

    You could do something about it, sully up the database a bit...

    Unlicensed spectrum means .. well whatever you want right?

    Its pretty easy really, its called rfakeap, you know you want to have a little fun with them .. as a bonus you could setup a few of these and use directional antennas to bounce 3 sets of fake APs off of various metal objects near your neighborhood. Or leave it running on your laptop as you drive around town broadcasting 50,000 fake MAC addresses.

    http://rfakeap.tuxfamily.org/

    Make it small, run it on a hacked Seagate Dockstar for less than 8 watts

    http://wiki.daviddarts.com/Debian_on_the_Seagate_Dockstar

    This could add a whole new meaning to the term 'war driving'.

  53. John Smith 19 Gold badge
    Happy

    Clever stuff this swarm technology.

    A little bit of code on *every* Android

    A few IP packets every now and then back to the chocolate factory.

    Hey presto a *surprisingly* dense new dataset for Google to slice and dice for its customers collected by its users.

    And unlike Earth view they did not even have to pay the drivers.

    Android may be complimentary

    It's not free.

  54. John Smith 19 Gold badge
    Joke

    AC @06:46

    "ts pretty easy really, its called rfakeap, you know you want to have a little fun with them .. as a bonus you could setup a few of these and use directional antennas to bounce 3 sets of fake APs off of various metal objects near your neighborhood. Or leave it running on your laptop as you drive around town broadcasting 50,000 fake MAC addresses."

    You mean *poison* the chocolate factory.

    Noooooooooooooooo.

    1. C 2
      Alien

      @ John Smith 19

      "You mean *poison* the chocolate factory."

      I thought it was the Slurm factory. Slurm is from an episode of Futurama, it is a *highly* addictive drink, made .. well check out the video..

      http://www.220.ro/caAo8xdv5U/Futurama-S02E04-Fry-The-Slurm-Factory

      It even has Oompa Loompas

  55. Stephen Gray

    Where's my commission?

    Without my permission they are using my wireless to improve the accuracy of their apps. I charge £50 per hour for that service, it's available 24/7 and they've been doing it since when? This could be a big invoice.

  56. Anonymous Coward
    Anonymous Coward

    Location Accuracy

    Just entered the MAC address of my router and it centred in on a pair of semi-detached houses in my street; mine and my next door neighbour's. That's pretty damn accurate.

    I was rather suspecting it would identify a section of my street with not even being able to identify which side of the street I am on.

  57. Chris Bennett 1

    Pretty out of date here...

    I've just plugged my MAC into the site, it's popped up a very accurate pinpoint on my uni house, however the router was last at that address almost two years ago, obviously not many Android users near my new location! :)

  58. NoneSuch Silver badge
    Black Helicopters

    For the few who asked...

    I am sure the info is used today for Google to send you locational centric ads. Browse the web in a coffee shop and based on your location and contents of your GMAIL account, a 20% off Calvin Klein coupon pops-up for the jeans shop next door. However, it gets darker for the future.

    If you visit a friend working in an AIDS clinic you might find your medical insurance cost goes up as a result. That's the danger of tying an identity into location tracking.

    Walk near a Mosque and have an MI5/FBI file open automatically cuz the GPS was not spot on for accuracy that day and it thinks you were inside.

    An HR Manager at a company you have applied for can check your past work history / attendance, personal hobbies / habits etc. to see if they are acceptable. Makes sure you don't hang out at porn shops or strip clubs.

    Apple / Google are collecting that info because corporations will pay big £££ for it. There is money to be made and very little controls over it. And I hate to break it to you, it will get much worse, before it gets better, if it ever does...

  59. Colin Guthrie
    Stop

    I'm getting a bit sick of all the "let's get annoyed about this" sheep...

    I've been a pretty vocal privacy advocate for a while, but I'm really struggling here...

    Google is doing something via Android, but (as shown above is ensuring the user is asked first.

    Google used to do this via Street View cars but messed up and "accidentally" logged actual data. If they'd just tracked location+MAC I doubt it would be a massive problem.

    Skyhook used cars to log location+MAC

    So why is Google being berated for it's actions here? The wifi-slurp aside, I don't really see the big deal. I mean if they used a camera on their car to read the big numbers you carefully affix to your front door and map the location to the numbers would that be evil? These numbers are something you "broadcast" via visible light frequencies after all. Is that really any different to broadcasting your MAC's via non-visible frequencies?

    If you are that privacy concious then either find a wifi system that doesn't broadcast a MAC or use wired Ethernet (and don't forget to remove the numbers from your front door too!).

    I take privacy very seriously, but this is something you are consciously broadcasting. If you don't like the fact that someone is picking up that broadcast then don't do it in the first place.

    I'm sorry but all the furore over this issue is just crazy and smacks of people getting annoyed because that's the cool thing to do these days, without really thinking about it for ten minutes.

    I'd like to see all these uber-nerds who are up in arms about Google slurping data immediately stop their SETI@Home systems because, let's face it, it was slurped in the same way... what's the difference?

  60. Dinky Carter

    An old-timer reflects

    The world of smartphones and mobile computing was fun until the Americans finally got in on the act <sniff>

  61. Anonymous Coward
    Anonymous Coward

    Gap in the mar ket?

    For a phone that just works without trying to trace me, or forward my details to someone else, or any other underhanded trick.

    Was going to upgrade my Nokia, but to what?

    iPhone (waste of calories even typing the name)

    Droid (just giving the same info to Google and not Jobby)

    WM7 (what, like microsoft aren't doing the same thing?)

    Seems if you want a smartphone, you have to give up your privacy!

    Unless anyone can suggest otherwise?

  62. Head

    I have a HTC Desire

    If my phone is doing as whats said on this article, then i will happily sign up to any class action against google for this invasion of privacy.

  63. vajra

    we're on there too

    my mac address is there, from Spain. I have no android.

    I like the idea of moving the router around a bit to mess it all up, but I don't suppose I'll ever do it.

This topic is closed for new posts.

Other stories you might like