• Is Google using fingerprinting to track you?

    What’s your location?

    A Reddit user reported that Google continued to display his actual address despite his using a VPN, turning off WiFi and blocking Geolocation. He even tried fresh installations.

    Intrigued by the post, I did the tests described here to understand the behavior. To eliminate the possibility of tracking by cookies, I did every test in incognito mode.

    My computer is connected to a router that is connected to a VPN.

    Of course, Geolocation is turned off so that the only input to derive your location is the IP address, in theory.

    Is this a Chrome thing?

    The Reddit post used the Chrome browser. So the first question to ask is whether this is a Chrome-specific behavior.

    I tested Firefox on Linux, and Microsoft Edge, Firefox and Chrome on Windows. Google always displayed my real location despite my VPN connection.

    I changed my User Agent string, the screen size and disabled WebRTC. Google still displayed my real location.

    It is worth mentioning that the displayed map varied when I reloaded the same page multiple times. Even though the location remained the same, sometimes a marker was displayed on the map, sometimes there was no marker. But when the marker was displayed, it was precisely at my office location. The location was definitely not derived from an IP address (current or stored).

    Then I entered the same location query on Bing. It displayed the location of my VPN service.

    Apparently, Bing was using IP address location as expected. But Google remained a mystery.

    Same VPN on a different router

    I connected the computer to a different router, with the router connecting to exactly the same VPN server as the previous router.

    The location changed. But Google was pretty confident that I was somewhere in California, even though I was not in California and the VPN server was somewhere in Kansas.

    How about a different VPN location?

    Then I switched my VPN connection to a server in New York. Google displayed the IP address location.

    Notice the scale difference of the last two maps. IP-based location is far less accurate.

    Then I switched the VPN connection to the Netherlands. Google displayed a warning and asked me to click through a bunch of captchas. Then it displayed the IP address location.

    And it tells you that the location was derived from the IP address. Compare that to the previous tests where the IP address was from the US, where Google just displayed a map without telling you how they calculated your location.

    Conclusion

    Google seemed to have some secret recipe to identify who you are and calculate your location accordingly. My best guess is it’s some type of fingerprinting. Network characteristics seemed to play a part in the algorithm. If the algorithm can’t determine who you are, it falls back to the IP address location. Since fingerprinting isn’t deterministic, when it’s wrong, it can pretty accurately place you on the map, thousands of miles away.
