Are we all handing to Google the SSID of our home routers?

In the sense that your WiFi LAN would continue to function, yes. I don't think it would achieve anything useful though or have any effect on your 'privacy' or security.

Using different makes of router would at least slow down anyone trying to hack into your network. Possibly for several minutes.

I don't know that Google do record the MACs associated with SSIDs, but there's nothing stopping them from doing so. They could store that information for ever - but not necessarily make it available to mobile phones trying to locate themselves, or to anyone else.

Reply to
Whiskers
Loading thread data ...

Changing the User Agent String doesn't stop Chrome and Firefox from being identified by their unique browser ID number.

See your browser's number here:

formatting link

Reply to
pamela

Per pamela:

That would be "Authentication: Your unique ID: xxxxx", right?

Reply to
(PeteCresswell)

Reply to
Frank Slootweg

Per (PeteCresswell):

Or is it "Cache E-Tags)" ?

As expected, when I re-ran using the Iron browser instead of Chrome and both "Authentication" and "Cache (E-=Tags)" changed.

But I would have to think that somebody somewhere (Google?) is diligently creating links between those IDs and people's names/addresses/phone numbers.

Am I on the right track with that ?

Seems like even if somebody gets a new browser and uses it only over VPN, any sites (Amazon, for instance) that the user divulges personal information to can now create a link to that browser instance's unique ID - regardless of whether the user is connecting over a VPN.

If so, what's the workaround?

Reply to
(PeteCresswell)

Per (PeteCresswell):

Oops.... Was a little to quick on the trigger with that one.

Now I see that the IP-Check.info is a site "JonDonym" (as in "John Doe"??) that offers a Proxy app aimed at mitigating those issues - and sells a "Premium" service for better throughput through the proxy.

Haven't read it all yet, but even they do not claim 100% anonymisation... although the seem to make a case for it to be pretty close.

Reply to
(PeteCresswell)

Wait a minute? Something smells fishy.

I went to that site and it did report two supposedly unique browser IDs:

formatting link

But, if they're such a fingerprinting threat, why doesn't Panopticlick report them?

Reply to
Alice J.

All the articles said the MAC was stored, and, it makes perfect sense (since it's actually pretty stable compared to the SSID).

If anyone knows how to get your MAC out of the database, let us know!

Reply to
Alice J.

Yes. I was trying to say that it's there, but it says Google broke them. The fact that it supposedly worked at one time means the Google database is accessible on the net somewhere.

Do apps use an API to access this Google database containing the GPS coordinates of your home router and phone (if you've used the phone as an AP)?

Notice that, if the phone was used as an access point, then it seems to me that Google actually knows the last location of your phone, even if you yourself are not reporting it, because YOUR LOCATION is reported by all the stooopid people standing next to you on the checkout line.

It would be nice if we can confirm those observations above though.

Reply to
Alice J.

Reply to
Andy Burns

Reading that, but not understanding it all, is that document supposed to be the API that you and I can use to find out the last location of any given MAC address or is that a document for people developing apps?

(OT) They define the Cell-ID here (which is something we had wondered about): cellId (required): Unique identifier of the cell. On GSM, this is the Cell ID (CID); CDMA networks use the Base Station ID (BID). WCDMA networks use the UTRAN/GERAN Cell Identity (UC-Id), which is a 32-bit value concatenating the Radio Network Controller (RNC) and Cell ID. Specifying only the 16-bit Cell ID value in WCDMA networks may return inaccurate results.

Reply to
Alice J.

I think what this means, that if you want to track someone, all you need to know is their MAC address of their router or their phone.

The router will stay put, but you can track the last location of their phone if they are using it as an access point, I think.

Sounds very bad to me.

Reply to
Alice J.

MAC address of the phone doesn't come into it.

I created a text file called wifi.json containing

{ "considerIp": "false", "wifiAccessPoints": [ { "macAddress": "C0:A0:BB:CF:DE:50" } ] }

which is one of my neighbour's visible BSSIDs, without the considerIP parameter it can fall back to using my IP for geolocation.

Then I used curl.exe to POST the request, where XXXXX is my google API key

curl -d @wifi.json -H "Content-Type: application/json" -k -i "

formatting link
"

The surprise is that it failed to geolocate for any single MAC addr, either mine or my neighbours.

But if I give it a pair of MAC addresses in the JSON file, e.g.

{ "considerIp": "false", "wifiAccessPoints": [ {"macAddress": "58:1F:28:25:4B:CC", "signalStrength": 4 }, { "macAddress": "C0:4A:00:A6:84:D4", "signalStrength": 8 } ] }

It returns an accurate result, if I omit the signalStrength values, it still returns a result, but with a larger radius for accuracy.

Reply to
Andy Burns

If I'd read the doc a bit closer, that wouldn't have been a surprise

"array must contain two or more WiFi access point objects"

So there's your answer, live in the wilderness such that no other wifi is visible within range of yours, and don't enable dual band :-)

Reply to
Andy Burns

Apologies. Maybe I did some copy-pasting into the wrong reply.

Reply to
pamela

It's a reputable site even if they do have a service to sell.

Reply to
pamela

I don't know how the browser IDs are assigned or why your cached version is different.

Here's a discussion. Soemone says it's stored in a cookie, so you may be able to hex edit it.

formatting link

Reply to
pamela

I'm not sure, but it appears to be something the web site itself generates. Each time I run a new Firefox session, I get a *new* browser ID at that page.

However, "my" Firefox dumps *everything* each time it's invoked, so *you* may get the *same* browser id between sessions when I don't?

If someone else who doesn't have a custom Firefox setup can test whether

*each* browser session gets a *new* ID generated, that would be useful.
Reply to
Alice J.

YOU ARE SIMPLY AMAZING!!!!!!!!!!!!!!!!!!!!!!!!!!!! This is wonderful!

I don't understand it yet, but the concept that we can query the Google database is fantastic, and I would like to ask you some questions.

What if the phone has been used as an access point at the same time that someone stoopid was next to you when you were using the phone as an access point?

This seems like *exactly* what I was asking about!

I don't understand the "considerIP" fallback issue but it's simple enough to set to false, so, I'll just show the documentation on it below: From

formatting link
"considerIp: Defaults to true. Set considerIp to false to disable fall back. Specifies whether to fall back to IP geolocation if wifi and cell tower signals are not available. Note that the IP address in the request header may not be the IP of the device.

Ah. That's something "special". This is the first I'm hearing of a "Google API Key" (I saw it in the document when you first mentioned the doc.)

I wonder (to myself) if I can easily get my own Google API Key? Reading

formatting link

How much identifying information do I have to give Google to get an API key?

I saw your followup that Google documents insist on two WiFi MACs:

Interesting that dual-band routers will give you away more so than single-band routers! It's not that they're triangulating by requiring more than one MAC address.

Reply to
Alice J.

A bit of an edge case, presumably they don't want to fill their database with the MAC addresses of phones at 'random' locations where they happen to have acted as access points?

AFAIK only marshmallow allows creating a 5.2GHz hotspot on dual-band phones, but you can't create a hotspot on both bands simultaneously, so a phone by itself with GPS enabled in the middle of nowhere can't be used to "mark" a location, presumably they filter out MAC addresses that move frequently, and are aren't seen "near" to fixed MACs they already know?

Yes, we knew it's what they do, also my router is newer than the most recent visit of a streetcar to my street, so it has been gathered by phone/tablet.

Just login with a google account, you can restrict the key to one or more IP addresses, but that's optional information.

I does accept the two MAC addresses (2.4GHz and 5.2GHz) from my router which only differ by a single bit, but you can't fool it by giving the same MAC address twice, or by giving it one valid and one fictional MAC address. So they do validate that multiple valid MAC addresses are in use within a certain proximity to each other, which avoids people going on fishing expeditions to find every router's location, without being there, thought dual band routers will negate that to a certain degree with a little guessing, also the API key is limited to a certain number of queries per day.

I tried giving two MAC addresses one with a high the other with a low signal level, flipping the signal levels didn't alter the location they returned. I haven't tried with three MAC addresses.

Reply to
Andy Burns

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.