14

I am using a private VPN network for my internet connection. But it seems that if I go to http://m.facebook.com and try to check in, Facebook sees my location properly.

My IP address seems to be from the USA.

I have cleared all the cookies. If Facebook can't determine the current location it uses the old one instead, that seems the only explanation I have? How is this done?

Rory Alsop
opc0de

5 Answers

16

If you are using the Facebook app on your phone then you have already agreed to let the app access location services.

Accessing Facebook through the browser on your phone will ask for your location like this:

m.facebook.com wants to use your device's location

The IP address will indicate a very rough location like a city or region. The check-in feature uses precise locations provided by the location service of your phone. Location services use GSM base station ID data, WIFI SSIDs, MAC addresses and the GPS location if available. The phone will then query a server on the internet using the GSM and WIFI data in order to get precise location information. It is similar on a computer although computers typically only have WIFI.

So you must have allowed Facebook access to this kind of location data. IP addresses and foreign VPNs have nothing to do with precise location data.

Chrome has been implementing the Geolocation API since 2010:

Wifi based location is only supported on Windows and Mac

Geolocation API by browser:

  • Chrome uses Google Location Services.
  • Firefox on Windows uses Google Location Services.
  • Firefox on Linux uses GPSD - http://catb.org/gpsd/.
  • Internet Explorer 9+ uses the Microsoft Location Service.
  • Safari on iOS uses Apple Location Services for iPhone OS 3.2+.
  • Opera uses Google Location Services.

Source and more details about HTML5 Geolocation API

Cristian Dobre
4

I suspect that this is the work of the Geolocation API. Here are some scenarios:

  • You've probably added Facebook to the trusted list in your browser to allow it to use Geolocation information without asking.
  • Your browser is misconfigured (advanced configurations) and it allows any website to access Geolocation information.
  • Facebook is loading some third-party content (like ads) that is keeping track of you using cookies that you probably didn't clear.
Adi
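
The two answers above attribute the check-in location to the Geolocation API and to a permission already stored for the site. As an added example (not code from this thread; the function names, accuracy thresholds and sample coordinates are constructed assumptions), this JavaScript reads the stored permission state and compares the fix a page receives with where an IP lookup of the VPN exit would place you:

```javascript
// Added example. Constructed sample data: a device fix and a VPN exit location.
const SAMPLE_FIX = { latitude: 48.8566, longitude: 2.3522, accuracy: 35 };
const SAMPLE_VPN_EXIT = { latitude: 40.7128, longitude: -74.006 };

// Great-circle distance in kilometres (haversine formula).
function distanceKm(a, b) {
  const rad = (deg) => (deg * Math.PI) / 180;
  const dLat = rad(b.latitude - a.latitude);
  const dLon = rad(b.longitude - a.longitude);
  const h = Math.sin(dLat / 2) ** 2 +
    Math.cos(rad(a.latitude)) * Math.cos(rad(b.latitude)) * Math.sin(dLon / 2) ** 2;
  return 2 * 6371 * Math.asin(Math.sqrt(h));
}

// Rough guess at what produced a fix, from its accuracy radius in metres.
// Thresholds are illustrative assumptions, not taken from any specification.
function likelySource(accuracyMeters) {
  if (accuracyMeters <= 50) return 'gps';
  if (accuracyMeters <= 500) return 'wifi';
  if (accuracyMeters <= 5000) return 'cell';
  return 'ip-level';
}

// What the site learns from the fix, compared with the VPN exit's location.
function summarizeFix(coords, vpnExit) {
  const km = distanceKm(coords, vpnExit);
  return {
    source: likelySource(coords.accuracy),
    kmFromVpnExit: Math.round(km),
    // True when the fix places you outside its own error radius from the exit,
    // i.e. the site sees a location the VPN did not mask.
    revealsRealLocation: km * 1000 > coords.accuracy,
  };
}

// Browser only: 'granted' means the site gets a fix with no prompt at all;
// 'prompt' means getCurrentPosition() will show the permission dialog.
async function auditGeolocation(vpnExit) {
  const { state } = await navigator.permissions.query({ name: 'geolocation' });
  if (state === 'denied') return { state };
  const pos = await new Promise((resolve, reject) =>
    navigator.geolocation.getCurrentPosition(resolve, reject, { timeout: 10000 }));
  return { state, ...summarizeFix(pos.coords, vpnExit) };
}
// In the browser console: auditGeolocation(SAMPLE_VPN_EXIT).then(console.log)
```

A `state` of `granted` together with `revealsRealLocation: true` means the permission should be revoked in the browser's site settings; changing the VPN exit does not affect the result.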
4

A VPN does not guarantee anonymity from outside the private network. Those packets of information still have to get from you to the VPN gateway and vice versa, and that basically means TCP/IP routing between these two endpoints, so your computer must still know its IP address in the LAN it's currently connected to in order to receive the VPN packets, and the routing chain is still possible to trace as long as all the nodes respond to pings and tell you where they're sending the packet next (this is where an anonymous proxy does its thing; it acts as the front door for one or more other IP addresses, and won't tell anyone who is behind it). Location Services requests information from your device, which will transmit it through the VPN, but that information could still include your non-VPN IP address as assigned by your current local LAN.

In addition, Google Location Services asks for a relatively large amount of data that is widely available, VPN or not. For instance, it transmits the SSIDs of any wireless networks in range. If you're using cell-based internet, the device can transmit cell tower identifiers. Google then uses this information to triangulate your location. It's usually not as accurate as GPS, because there are fewer data points to work with, not all of which can be used by Google to identify a unique location, and because range data from these sources is more variable than the exact timing mechanisms used by GPS. However, given enough of this data regarding your surroundings, Google can figure your position out to neighborhood level at least. If you're within 10 feet of a WAP that is well known to Google (i.e. full bars on "Starbucks 4010 Public Wi-Fi") then your location pretty much is that WAP's location.

KeithS
  • True, and any devices sharing the same subnet, even behind NAT, can be remembered by Google's servers so there is that. It is defeated by telemetry though (RDP, VNC, Citrix, SSH etc.) – mckenzm Jul 24 '15 at 20:57
2

You mentioned you are accessing the mobile version. Is this on a phone? If so, the GPS may be used or it could use the device's approximation of where it is based on IP and/or wifi hotspots and/or cellular towers and/or any other number of other indicators. A VPN will mask your IP address from the server, but if your computer responds to a request, it has the accurate information to provide to the server which could also give the correct source IP and thus make geolocation by IP possible as well.

AJ Henderson
1

Your VPN is probably leaking IPv6 traffic - make sure whatever computer you're using is configured to not automatically make IPv6 connections.

If you're on a Mac (OS X 10.8+) try running # networksetup -setv6off Wi-Fi from your terminal and then confirming Facebook's || Google's non-access to your location.

More discussion can be found here.