How Google and other companies know your location all the time

Friend lost his phone so I helped him using “Google find my device” service. Then I started wondering… Does it work if the phone has no GPS on? And yes it did work.

Started doing some research on this and I found out that Google (and other companies, for example Apple) uses BSSID information from your WLAN access point to get an approximation of where you are located. So they basically build a database which links WLAN BSSIDs to a geographic location.

So why is that? Why would they really need to capture your location 24/7 and how do you not give your location to them? Probably mission impossible, at least on iOS devices. On Android you could just change your ROM, which can be a hard process, especially if you are a Huawei user, as on Huawei it’s nearly impossible to open its boot loader. Do companies sell that location data they capture? Well, I have some answers for you that I have taken from the Google Policies site.

We collect information about your location when you use our services, which helps us offer features like driving directions for your weekend getaway or showtimes for movies playing near you.

They also say that:

The types of location data we collect depend in part on your device and account settings. For example, you can turn your Android device’s location on or off using the device’s settings app. You can also turn on Location History if you want to create a private map of where you go with your signed-in devices.

And of course we tried to turn those off and use the Google Find My Device app again and guess what? It worked. It could track the phone even if those options were off and GPS was off. This might of course be because the app is literally made to track your device which might mean that while using it you allow Google to see the location while using the application.

So does Google sell this data? What are the other methods they possibly use to get your location?

In some circumstances, Google also collects information about you from publicly accessible sources. For example, if your name appears in your local newspaper, Google’s Search engine may index that article and display it to other people if they search for your name. We may also collect information about you from trusted partners, including marketing partners who provide us with information about potential customers of our business services, and security partners who provide us with information to protect against abuse. We also receive information from advertisers to provide advertising and research services on their behalf.

We use various technologies to collect and store information, including cookies, pixel tags, local storage, such as browser web storage or application data caches, databases, and server logs.

Good article on how to turn off Google’s location tracking: https://www.theguardian.com/technology/2018/aug/14/how-to-turn-off-google-location-tracking
Not sure if it even helps… A couple of months back researchers found out that Android devices transfer data to Google every 15 minutes. No one’s sure what data.

Also thanks to everyone who isn’t crying “I already knew” in the comments. Some people don’t know and I think this is an important and interesting topic. Please comment more information if you know something!

7 Likes
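How a BSSID-to-location database can place a phone with GPS off, as an added example that is not part of the original post and not any vendor's real code: the survey records, BSSIDs and coordinates are constructed, and the RSSI-weighted centroid is an assumed stand-in for whatever estimator a provider actually uses. The `_nomap` SSID suffix it honours is the opt-out Google publishes for access-point owners.

```python
# Added illustration: constructed data, not any vendor's real database or algorithm.

# Constructed survey records: (bssid, ssid, lat, lon) as a mapping pass might log them.
SURVEY = [
    ("aa:bb:cc:00:00:01", "CafeWifi", 60.1700, 24.9400),
    ("aa:bb:cc:00:00:02", "Library", 60.1710, 24.9420),
    ("aa:bb:cc:00:00:03", "Home_nomap", 60.1705, 24.9410),  # owner opted out
    ("aa:bb:cc:00:00:04", "Office", 60.1720, 24.9400),
]


def build_db(survey):
    """Map BSSID -> (lat, lon), skipping SSIDs that end in the _nomap opt-out suffix."""
    return {
        bssid.lower(): (lat, lon)
        for bssid, ssid, lat, lon in survey
        if not ssid.endswith("_nomap")
    }


def locate(scan, db):
    """Estimate position from a Wi-Fi scan [(bssid, rssi_dbm), ...].

    Returns (lat, lon, aps_used), or None when no scanned BSSID is in the database.
    Assumption: a plain RSSI-weighted centroid, good enough over a few hundred metres.
    """
    total = lat_sum = lon_sum = 0.0
    used = 0
    for bssid, rssi_dbm in scan:
        pos = db.get(bssid.lower())
        if pos is None:
            continue  # unknown or opted-out access point
        weight = 10 ** (rssi_dbm / 10.0)  # dBm -> mW, so stronger signals dominate
        lat_sum += pos[0] * weight
        lon_sum += pos[1] * weight
        total += weight
        used += 1
    if used == 0:
        return None
    return (lat_sum / total, lon_sum / total, used)


if __name__ == "__main__":
    db = build_db(SURVEY)
    # Constructed scan: what a phone with GPS off can still see around it.
    scan = [("AA:BB:CC:00:00:01", -40), ("aa:bb:cc:00:00:04", -70), ("aa:bb:cc:00:00:03", -30)]
    print(locate(scan, db))
```

The estimate needs no GPS fix at all, only the list of nearby BSSIDs and their signal strengths, which is why switching GPS off does not stop this kind of positioning.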

Even though I have done as in the article and turned everything off I still don’t believe that it is truly off and Google aren’t still tracking my location.

I have been using tracker control [0] to block trackers and also block all system apps from connecting to the Internet.

3 Likes

Also it’s worth noting that Google got into hot water pulling WiFi data from their Google Map cars exploring around all of the time, and I’m pretty certain that information obviously helps them with tracking data, or at least finite location.

An excerpt:

“Android users are therefore unable to prevent the disclosure of their location to Google. Even if Google Location Services and Location History are disabled and they know enough to disable Web & App Activity settings, the IP address of Android devices will still be transmitted to Google. Again, Google notes that part of the operation of messaging and notification systems on Android, “it is important for a device to keep its connection alive for as long as possible”, and as a result, “Android devices and servers send pings to each other (referred to as “heartbeats”).” These device “heartbeats” disclose the user’s Android device IP address to Google independently of any location related user device settings. As such, Google can – and does - determine a user’s location with Location Services disabled in order to target and sell ads.” -[3]

  • 1: Google uses Google map vehicles to essentially war drive Article
  • 2: Google StreetView WIFI-Scandal White Paper
  • 3: Google research done by Oracle White Paper
  • 4: EFF’s article on Google’s Sensorvault Article

A video explaining GeoCoding and Reverse GeoCoding

5 Likes

Another Good Read for users on this thread.

2 Likes

First of all, use a good ROM, like Lineage/CalyxOS/GrapheneOS. Change the DNS server (don’t use Cloudflare, it uses GCP). Change the captive portal (the captive portal is basically used to check the internet connection, so every time you want to connect to the internet, Google’s captive portal will be used). Change the SystemWebView to Bromite because Chromium does contain Google libraries. Use Aurora Store and F-Droid. Use micro-g if you still want to use Google services. Always make a habit of using open-source apps, as they do not contain crappy ads. Now Google will freak out! :)

5 Likes

The location tracking doesn’t simply occur using GPS. As FindMyPhone is a distress call, it can override certain settings. When we conventionally send an SOS using our phone, an AML message is sent, something you can google upon.
For services such as the above, Android had come with FLP (fused location provider), which is basically using all sorts of wireless networks, such as your Wi-Fi, Bluetooth, cell carrier, GPS and so on, to keep a tab on your geolocation.
So no, it isn’t as simple as GPS. In fact, this is the reason the Wi-Fi settings on an Android phone give the option of using randomized MAC addresses.
Anyways, it’s quite a long topic, and I’ll leave two links to ponder upon. One is a simple demonstration of data collection, the other is the explanation by FLP in android meet
Explanation of FLP
Data Collection

2 Likes

Tracking location data via inclusion of code within the applications themselves is extremely popular in the US; by accessing this data through private companies, this allows authorities (US military & law enforcement for one) to bypass the slim privacy protections still in place, namely FISA.

Also, application libraries that utilize technologies like IR beacons are likely still being used. Do not count on legality to protect your privacy/anonymity. For many companies, the profits far outweigh the penalties.

YouTube/Alphabet’s violation of COPPA is a good example of this; Google has violated US & EU law multiple times, but even “record” penalties are a meager % of their yearly profits.

Use tools like Logcat to watch the traffic leaving your device; use applications that allow you to watch interactions between applications. Many applications will still run on Android versions at 5.0 and below, which will allow user supplied certificates so you can further sniff traffic via Burp Suite.

Also remember: the age of AI/ML-assisted surveillance & data analytics will make steps like anonymous Ad account identifiers almost useless as association/quantification of datapools via things like E-biometrics will become faster & more efficient.

This doesn’t mean you shouldn’t use steps like anonymous Ad account identifiers; it just means that better privacy/anonymity means adding more layers & carefully auditing the technologies you use vs your personal level of risk/threat.

Xposed Framework, GrapheneOS, LineageOS, FDroid, MicroG, etc. are your friends, but all setups/configurations should be audited by at least sniffing traffic (also, at least on some older Android OS, you can change hardcoded device identifiers with a little bit of programming knowledge & certain applications).

Also remember: spoofing device identifiers, Tor, proxies, VPNs, multihops, tethering & tunneling/encapsulating traffic through non-14/5 Eyes/UKUSA Agreement countries (in the US & other participating countries) can also add layers.

6 Likes
