• How does my browser know my real location when I’m on a VPN?

    On a computer that doesn’t have GPS and cellular connection, how does your browser get your location?

    The obvious answer is it uses your IP address. But that is not true. You can do two simple tests to confirm this:

    1. Open https://browserleaks.com/geo. Click Allow Location Access when prompted. Check your location and Accuracy. More likely than not, the location is accurate to within a hundred feet.
    2. Connect to a VPN. Your IP address should change to that of your VPN server. Reload the above page. Your location will not change.

    How does your browser get your location?

    The Google Geolocation API takes these inputs in order to return your location coordinates:

    1. Cell towers
    2. WiFi Access Points
    3. IP address

    If your computer does not have cellular connectivity, then cell towers are irrelevant.

    The Google API requires that “two or more WiFi access point” objects be sent with the API call. The implication is that your computer doesn’t need to be connected to a WiFi access point. It just needs you to have WiFi on, so that nearby WiFi access points can be detected.

    An example WiFi access point input looks like this:

    {
      "macAddress": "84:d4:7e:09:a5:f1",
      "signalStrength": -43,
      "age": 0,
      "channel": 11,
      "signalToNoiseRatio": 0
    }

    When WiFi access points are not available, the API falls back to IP address. Indeed, after I turned of WiFi on my computer and connected it to the Internet with cable, my location changed to that of my VPN server, and with much less accuracy.

    What can I do to avoid location tracking by WiFi?

    Well, if you deny location access when prompted by a web site, then the web site won’t get your location. But that doesn’t mean other apps on your computer cannot get your location using WiFi access points. The capability to get your location is still there. Someone may still get your location despite you turning off location services. On the Android phone, it was reported that Google collects users’ locations even when location services are disabled.

    Google suggested that you can add _nomap to your WiFi SSID to exclude it from Google’s location services. But that’s pretty much useless, because you are tracked by WiFi signals around you, which include your neighbor’s WiFi signals.

    If you don’t trust that turning off location service gives you proper protection, then turning off WiFi entirely is your only option to prevent location tracking by WiFi.

Leave a Reply