57

How does Google Maps determine my location?

I've gotten some understanding of Google Maps' geolocation methods from here: http://friendlybit.com/js/geolocation-and-google-maps/

In the newer browsers (all but IE6, IE7, or IE8) may ask you for your positioning information from the browser. It usually shows up as a bar at the top of the browser. The browser then gathers two specific forms of positioning information from your computer: your IP address and the signal strength of any wireless network near you. That information is then sent, if you approve it, to Google, which returns the coordinates you are at the moment.

[...]

If your wireless reciever is turned off, or you’re at a stationary computer, all calculations are based on the IP number. These kind of lookups are quite arbitrary and inaccurate, I just get to the nearest big city when trying to use it over a non-wireless line. But mobile connections are slowly taking over landlines, so I guess this problem will solve itself automatically.

According to this article, Google only uses my IP address if I am using a desktop. However, when I use a VPN to go online (and I can confirm that another IP geolocation service shows me as being on another continent), Google Maps is still able to accurately show my location. How does this work?

Iszi
  • 26,997
  • 18
  • 98
  • 163
user10732
  • 673
  • 1
  • 6
  • 4
  • 4
    I'd guess it's got something to do with cookies and/or personalization. – Iszi Jun 19 '12 at 20:27
  • Because it's picking up your local VPN endpoint somehow. – Fiasco Labs Jun 19 '12 at 21:17
  • 3
    change your router.. google obtained the mac of your router, when making google maps. I changed my router after it died, and I no longer appear. –  Nov 01 '12 at 09:37
  • Also if you are on IPv6 most likely the VPN service will not cover all your traffics. It happened to me with ipvanish. Google stopped to see my real location only when I turned off IPv6 on my browser. Read also: http://blog.dave.io/2011/06/vpn-ipv6-privacy/ – Giggi M Gallerano Oct 02 '13 at 11:49
  • 2
    @user15571 Google cannot obtain the MAC of your router, because that is a layer 2 address, not a layer 3 address. Something else changed your location on google maps. – Brain2000 Dec 09 '14 at 18:08

9 Answers9

43

If you consent, Firefox gathers information about nearby wireless access points and your computer’s IP address. Then Firefox sends this information to the default geolocation service provider...

https://www.mozilla.org/en-US/firefox/geolocation/

Firefox knows the IP address, which is used to connect to the VPN provider. Many geolocation services, however, only look at the IP address they see from the server side.

By the way: With java installed, a website can read the local ip-address without asking for permission.

new Socket("http://example.com", 80)).getLocalAddress().getHostAddress()

example.com needs to be replaced with the name website to obey the same origin policy.

Hendrik Brummermann
  • 27,118
  • 6
  • 79
  • 121
  • 4
    I suspect this has less to do with "your computer's IP address" and more to do with nearby wireless access points (that Google has an inventory of). My local machine's IP address is of no use unless I'm using a public IP address. If I'm using any RFC1918 address, and I'm tunneling my traffic through a VPN then IP address is not the information giving up my location. – BZink Dec 13 '12 at 20:04
  • I also suspect, google being google, they could be using a number of heuristics to 'guess' location. I have noticed google reporting incorrect location information when using a desktop with a wired connection. I'm in a rural location and google will often report me as being in the nearest large metropolitan location. My guess is that if you live in a major city, google's guesswork/voodoo will frequently be correct, but if your in a regional/remote locaiton, more often than not, it will be incorrect unless your using a device with geo-loc facilities. – Tim X Feb 28 '13 at 23:05
  • 1
    I edited out the second half of your answer because it is no longer correct. First, Java applets have to be manually enabled. Second, by default, Java requires permission to be ran in the browser. You can of course grant such permission indefinitely; however, I can only conceive a negligible number of scenarios in which one who would use a VPN would do that. Third, applets are very rare nowadays. The decline in prevalence will only continue. Fourth, it does not answer the question since this question is specifically about Google's practices. Google Maps has never employed applets. – Tyler Crompton Jul 06 '17 at 03:19
19

One possibility is that modern browsers support a feature called the Geolocation API which states the following:

Common sources of location information include Global Positioning System (GPS) and location inferred from network signals such as IP address, RFID, WiFi and Bluetooth MAC addresses, and GSM/CDMA cell IDs, as well as user input. No guarantee is given that the API returns the device's actual location.

This api can be accessed from JavaScript if the user grants permission. Without a position device (like GPS) this API will throw an accuracy warning, but can still provide location information.

Warning: Google maybe using other voodoo to determine your location, after all this is Google...

rook
  • 46,916
  • 10
  • 92
  • 181
  • 2
    +1 if only for the "other voodoo" comment. I'm always fairly amazed at how Google is able to accurately predict or otherwise derive information (i.e.: search auto-completion) which I have not yet given it. – Iszi Jun 19 '12 at 20:56
  • 4
    I just noticed that, aside from the "Google voodoo" comment, this answer doesn't *really* address the situation posed in the question. The user suggests that the *only* geolocation-relevant information he expects is available from his computer, is his IP address. Since it's a desktop, he probably doesn't have a GPS or Wi-Fi adapter. Bluetooth isn't entirely unlikely, but I'm not sure it can be presumed. (And, with Bluetooth's relatively short range and wide mobility, does Google *really* have enough information to correlate that? This is the first I've heard of it.) – Iszi Jun 19 '12 at 21:12
  • 4
    @IsziRoryorIsznti No voodoo. The browser knows the local ip and reports that to the geolocation service, if permission is granted. – Hendrik Brummermann Jun 21 '12 at 08:03
  • @HendrikBrummermann Yes voodoo. If you're signed in to Google Maps and have location history enabled, Google will use GPS data _from your phone_ to determine where you are. See [my answer](http://security.stackexchange.com/a/92044/29865) for more on that. – Ajedi32 Jun 19 '15 at 19:15
7

Are you running NoScript?? Google uses JavaScript to find out most of its data, along with cookies, Flash Cookies, and metadata. Try clearing your cache, clearing your cookies, and using a different browser if you really want to fool google maps, also don't log in to google before you check. You most likely can't fool Google unless you are completely deleting everything in your browser and blocking Javascript, but Javascript is needed to do anything with Google, so good luck. Also see http://samy.pl/evercookie/ to see how many different ways there are for anysite to track you.

James Gibbons
  • 71
  • 1
  • 2
    Alternative to clearing cookies/cache: Run in Private/Incognito/Whatever-Your-Browser-Calls-it Mode. Or, load up a freshly built VM with your VPN software and try from there. – Iszi Jun 19 '12 at 20:53
  • I have NoScript installed, cleared all the cache, cookies and everything. But I need to turn off NoScipt in order to get google maps to work properly. What I am trying to understand is that, I am connected to a VPN and I expect to see the location of the VPN server in google maps – user10732 Jun 20 '12 at 17:34
6

Do you have Google maps on your cell phone? was that phone with you?

I am pretty sure that if you log into Google on your PC via VPN, but yout phone tells Google where you are they correlate the two and take the Phone's GPS location as being more trustworthy than the Geolocation on the IP address of your browser.

Rod MacPherson
  • 1,057
  • 7
  • 11
  • This is correct. If you have location history enabled, Google will sometimes use GPS data from your phone to more accurately determine your location. Obviously, it can do this without using your browser's Geolocation API. If you hover over the location icon in the UI and get a tooltip that says "From your phone (Location History)", then that means Google is using this method. (More info: https://support.google.com/maps/answer/3093609?hl=en) – Ajedi32 Jun 19 '15 at 18:35
  • Also, this method only applies to Google Maps (not third party services not owned by Google) and only works when you're signed in to Google. – Ajedi32 Jun 19 '15 at 18:43
5

From Google's support pages:

How Maps gets location info

When you click Location on your computer, Maps uses different sources to try to get an accurate read on your location. This info might come from:

  • Your computer's web browser location info
  • Your phone's location, if you are a Location History user

To elaborate on that a bit, "your computer's web browser location info" refers to a feature available in modern browsers that lets websites request permission to access your location through your web browser.

If you approve that request, your browser will do the best it can to provide accurate location information to the website. This will include GPS data in the case of websites on a mobile device, location information inferred from the presence of nearby wireless networks in the case of a laptop or desktop with a WiFi or 4G card, and simple IP information as a last resort.

Note that this is your browser which is determining your location, not the website. Therefore, the browser might use your real IP address to determine your location, even if the website you're visiting doesn't know what that IP is.

The second point, "your phone's location, if you are a Location History user" refers to a feature of multiple Google services which tracks your location using data from multiple different devices. From Google's support page on managing your location history:

Your location history allows Google to show you useful information based on where you’ve been with the devices that you’re signed in to with your Google Account. For example, you’ll see predictions for your frequent commutes and better search results. Your location info can also be used by any Google app or service, including the ads you see.

So basically, if you're signed in, Google Maps on your computer could potentially decide to use GPS data from your phone to determine where you are. Google doesn't need any special permissions from your browser for this, since it's getting this information from your phone, not your browser.

You can determine when Google Maps is using data from your phone by hovering your mouse over the GPS icon in the bottom right corner of Maps:

From your phone (Location History)

Ajedi32
  • 4,637
  • 2
  • 26
  • 60
4

When you are using a VPN your routing table gets modified and added the networks for which you can access. Perhaps I misread your question, but according to my understanding from your question - You are routed to Google through your internet connection and not the VPN. Unless you are going to Google from a terminal server through your VPN, which renders my answer invalid.

Franko
  • 1,530
  • 5
  • 18
  • 30
  • 1
    He is connected to a VPN and thus all traffic is suppose to go through the VPN. My guess there is a combination of factors for instance Google is able to get his actually end point. – Ramhound Jun 20 '12 at 10:47
  • I believe you are making a mistake here, my friend. If I am connecting to my organization from home with, let's say a Checkpoint VPN client, upon connecting, my routing table is modified and all of the traffic directed to the "new routes" in my routing table is tunneled to the organization firewall. If I did not get routes to Google, then I will go through the internet. This is mainly the idea of what's called a "VPN Domain" or "Encryption Domain". Please correct me if I am wrong, always happy to learn new things :) – Franko Jun 20 '12 at 15:47
  • 1
    @Ramhound, I am thinking exactly the same thing. I am sending all traffic over VPN connection. – user10732 Jun 20 '12 at 17:43
  • @Franko, could you please explain a bit more? – user10732 Jun 20 '12 at 17:45
  • 2
    In my job, many times I encounter the scenario of a remote access user connecting from home to his office with a VPN connection, and for some reason the user can't access a certain resource on the office network. We then find out that the required resource is not a part of the VPN domain for this user, and hence he tries to access it from his internet connection, and not through the VPN. a simple trace command can show you that. Hope I made myself clear. I repeat - This answer is only valid in case you are not accessing Google through an office resource over the VPN (terminal server etc.) – Franko Jun 20 '12 at 18:22
  • @user10732: The term here is "split tunneling": http://en.wikipedia.org/wiki/Split_tunneling – Piskvor left the building Jun 21 '12 at 09:56
  • @Piskvor, thanks mate. That's exactly what I meant. – Franko Jun 21 '12 at 10:04
  • @Franko Glad you pointed this out. Have exactly the same situation and often have to explain to staff that when they are running the VPN client, it is only traffic going to our domain which is within the VPN tunnel. – Tim X Feb 28 '13 at 22:58
2

Some good information about how Firefox handles Location-Aware Browsing here and also a bit more detail about the Google Location Services here

If you want to ensure that your location isn't passed by the browser and your using firefox then its quite simple to disable it you just do

  1. In the URL bar, type about:config
  2. Type geo.enabled
  3. Double click on the geo.enabled preference
  4. Location-Aware Browsing is now disabled
Mark Davidson
  • 9,367
  • 6
  • 43
  • 61
2

Check the site http://simplesniff.com/ from the proxy. Under the Your HTTP headers from the current request are: section, look for these two values:

X-REAL-IP: 192.117.111.61
X-FORWARDED-FOR: 192.117.111.61

One will be your proxy IP, the other will be your "real" IP address, which the proxy is leaking. Most popular proxies, such as Squid, can be configured not to leak.

dotancohen
  • 3,698
  • 3
  • 24
  • 34
2

Simply using a VPN service doesn't hide your true identity or your location. There are many ways to be identified and tracked, and trying to plug all of the leaks is pointless.

Instead, just use a different VM for each new identity and location, and always connect it to the Internet using the appropriate mix of VPNs and Tor. Also avoid cross contamination through browsing, accounts, interests and so on.

mirimir
  • 726
  • 4
  • 11