Tell HN: Google is correlating location data to your IP
I just got home from being in Mexico where I used my VPN (because of course US financial apps panic if you access them outside the US).
I fired up my LG TV running the YouTube app (which I'm not signed into) and every, single, ad is in Spanish.
My Edge browser on my desktop computer gives results in Mexico and claims I'm in Quintanna Roo. In many places, I cannot override this, at least without signing in and/or apparently explicitly feeding it more accurate location data to "fix" it's perception.
Is this expected/known? At one point, it even said "based on your IP address" despite the fact that my IP clearly looks up to a Washington State IP address.
I just wish I could make this known to Google's advertisers. Are they aware that when I travel, they're pay to show me ads that I can't understand?
134 comments
[ 0.67 ms ] story [ 459 ms ] threadto be clear: my VPN is Tailscale configured to use an exit node running out of the apartment I'm currently sitting in.
My Public IPv4 is: 198.244.xx.yy
My Public IPv6 is: 2604:4080:redact
My IP Location is: Seattle, WA US
My ISP is: Wave Broadband
This is at the bottom of the Google search results page on mobile right?
If so, that location is based on signals from a bunch of places. The logic takes as input:
* Location history in your Google account (if enabled)
* IP address location lookup from the most recent request (if sufficiently accurate)
* HTML5 location API response from previous requests to Google search on your account (since the html5 location API is quite slow, and you don't want to wait 30 seconds for search results).
My guess is you have location history disabled. And you have the html5 location API disabled. And your Seattle IP address doesn't resolve to a very precise location (so is rejected). So the last fallback is the last known location for you, which was probably the hotel WiFi in Mexico, which probably did have a precise geocode associated.
If you want to fix that, you can set a manual location IIRC, or you can enable some other location source.
Yeah, but I can't. The only way I've seen hinted at doing that is letting my browser share location to Google.com and my desktop Firefox can't estimate my location anyway, on top of the fact that I'm not about to give in and fix this by just arbitrarily granting them access to more data about me.
Especially when they clearly have all of this effort around it, dialogs to try and tell me why it thinks I'm in Mexico and won't just give me a way to tell it where I am.
When I was looking for where to buy an SSD and used "shopping.google.com" earlier, I absolutely could not find how to convince it that I was in Seattle. Ironically, a private browser worked there.
And yet, I literally just sat through 3 spanish ads, again on my unsigned in TV that has been sitting in Seattle for a year.
I think you're absolutely right, it's this myriad of data. But it's frustrating that I /can't just easily override it/.
Various companies including Google have systems to determine a phone or computer's location via WiFi. To do this they have a table of the approximate locations of routers worldwide.
How does that table get updated? In part it's due to cell phone traffic. If a cell phone's location is determined in some other way (such as via the cell phone network), they will assume any visible router is nearby. So, for example, this would be a way of finding out where a coffee shop's WiFi is.
If, say, a mobile phone is in Mexico (determined via the cell network or GPS) and it's using an exit node in a different country, the inferred router location is going to be wrong. Ironically, using the VPN from Mexico is probably what broke it.
One way to fix it might be to change the exit node somehow. Or maybe connecting to the VPN while at home, using a cell phone, would fix it?
Have you been living under a rock?
To me, it's absolutely news that Google Maps data can taint my entire IP address across all Google services.
Ultimately, sure, great, I realize Google is going to Google, but this is absolutely not something I've seen discussed previously.
When in .mx your cell phone location was on, and you used apps like Google maps at least partially through the house/hotel wifi which you tunneled to exit in USA? If so, that tied the "trusted" phone location to the IP you used to exit traffic in USA.
This should not surprise you.
It's not surprising me, it's baffling me because it's just stupid to do this.
Nobody cares, the business is making 10x what it would need to survive. Worst case scenario they still have their reputation (I still remember conversations before buying Azure: "it's Microsoft, it can't be that bad"...)
A small company either does things right or eventually gets destroyed.
Getting it wrong in this way is rather puzzling, but it's unlikely that anyone here is going to be able to debug it without a whole lot more information about your computers. Maybe there are cookies you can delete?
But again, my gaming PC, which was offline in my apartment in Seattle, has been showing me Mexico/Spanish results in Edge. And my TV, which sits in my apartment in Seattle, is inundated with Spanish ads.
I'm starting to suspect that different Google properties are using different signals, too, which makes this extra confusing.
It's really as if YouTube has modified it's profile of me and said "oh, since he was in Mexico for 2 weeks, he must speak Spanish now" the same way they *infuriatingly* insist on switching my results to Spanish whenever I first landed (which literally was why I started using the VPN).
It's a kafka-esque nightmare of them trying to be smart and absolutely making things harder.
J/K. Have you tried all the stupid stuff like clearing your cache and logging out and back in?
Idk why everyone is so gung-ho to disbelieve me. Theres NO EXPLANATION for what im seeing other than Google keeping a hint for my IP and it being currently set to "being in Mexico".
For example, I receive quite a few devices for reviews, and I mostly give things away after using those. Many years ago, I gave a friend in another city a router. For a few weeks his computer and other devices reported his location as being my city instead of his. It took a couple of weeks for Google services to catch up.
Google logs your current location and the MAC address of any access point visible to your phone. In your case, if you used your phone via the VPN for more than a few hours, Google associates that MAC address with the finer location from your phone's GPS. It may not link that data to your account, but it uses it to help getting a GPS location.
If you live in a location with low traffic/human density then it may take longer for Google to change it back.
This information is also used for a GPS cold start. Actual GPS takes a few moments to get a fix, even more if indoors. A GPS get a fix faster if you are using it close to where it was last used, or how fresh the stored almanac data is, otherwise it may not find expected satellites in certain locations in the sky. While a fix is not available phone GPS uses any visible MAC address to determine its coarse location.
On laptops and desktops with no GPS, browsers will use this access point data to set a location - IP addresses databases are not up to date enough and sometimes they are linked to the ISP office address and not to specific towns and cities and certainly not to a specific address.
I tried some quick packet sniffing browsing Google and did not see my MAC transmitted—as I’d expect (bc like you said, ARP not thing at this layer) also research on “MAC included in http metadata” turns up no results…
If you have any more info on this I’d love to learn more—as I’m puzzled to know why this would happen?
I believe they also track and log other Wifi networks that you arnt even connected to.
I'm sure they gather all sort of other metrics from any sensors and signals they can access.
It is way before HTTP even happens. This data is collected while you are driving around, walking down the street, etc.
If you want coarse location to work but don't want Google to know it, try microG with a non-Google location provider (I use Apple and Mozilla and it's pretty good).
> Google's location service improves location accuracy > by using Wi-Fi, mobile networks, and sensors to help > estimate your location. Google may collect location > data periodically and use this data in an anonymous > way to improve location accuracy and location-based > services. > > Turning this off will result in your device only using GPS > for location. This may impact the accuracy of location > used by apps such as Maps and Find My Device.
Based on that description, that should turn off the data collection, although it can also make GPS fixes take longer, and there may well be other apps collecting this data as well.
Software typically obtains BSSIDs from your mobile OS’s wi-fi frameworks.
The BSSID looks like a MAC address, and in many but not all cases, a given AP’s wireless network BSSID is within a byte or two of its actual wi-if radio MAC.
Google and Apple maintain their own massive geolocation databases of BSSIDs, signal strength, and latitude/longitude.
Google Maps still thought I was living in my old address. My phone was stuck on the old location for days iirc.
Also, is it your private tunnel? I think it also looks at the language settings of the bulk of users coming from that IP address. As an example, try using any public VPN hosted in a German datacenter, with a German IP address on a German AS, but created by Iranians (either as help to circumvent the crackdown or as a honeypot; they routinely post these en masse on Telegram), and you'll be detected as Iranian and start getting results in Farsi.
(don't try it actually, or at least use precautions and while not logged in)
Go to google.com/history and clear out all history from all services. Go to YouTube and do the same. Clear everything from your browsers, meaning you have to log in again. If it's allowed, return the phone to its default state.
Just for good measure, power the phone off, take the battery out, wait an hour, put the battery back in, and power back up again (this part is cargo-cult, I know).
There are probably even more sanitary measures I'm missing here.
In the same vein, I was holidaying overseas. I wanted to book a hotel back home for a ski weekend after I return. Despite Maps knowing my home address and probably a lot of other info (like my credit card billing address), it was showing the hotel prices for in the foreign currency...
I live in Canada, but came to Australia for an extended period to visit family.
I'd been in Australia, using wifi and a local Aussie SIM for over 6 months and Facebook and google were still showing me ads for Canadian things. I wonder if people paying for FB and Google ads know they're being shown to people outside the country like that. I'd be mad if I were paying for that.
This [1] shows the attributes Facebook Custom Audiences allows match on, and it includes email, phone, first/last name, address, dob, and age. So if any of those were shared with the store, they can upload them to FB (and very similar to Google) to show you ads.
[1] https://www.facebook.com/business/help/2082575038703844?id=2...
Google is clearly collecting its tracking from a variety of sources but integrates it sporadically.
https://www.wired.com/story/eu-hits-google-third-billion-dol...
What would actually happen for users if they added a zero? Would poor people be SOL if they want high quality maps?
But what about stuff like Google Assistant? Seems like Google does a lot that doesn't serve ads, so I assume it must be either to sell their hardware or to spy. Are the hardware sales alone worth it to a CEO?
Eh? Google Assistant is the quickest shortcut so serve you an ad, but also can do your calendar.
> Are the hardware sales alone
No way, especially the Google branded ones. But the ability to shoehorn it's ads on almost every device - is priceless. Don't forget, the Android smartphones are practically useless without Play Store and every Play Store install not only allows you to install apps, but:
links the device with your account (so any data explicitly known to come from this device is now can be correlated with you)
sends your location data
provides the way for you to spend the money, including RL
servers as a giant ad sink - every freemium game/app there has the ads from... you know whom?
They seem to mostly just exist to do tracking to enhance the stuff that does do ads, or to add value to some other thing that shows them, but they're not directly ad supported, they're tracking supported or pure promotions.
This is both expected and known and waaaay deeper than what you think.
The ad brokers - of which there are thousands - are tracking you and sharing information collected between different apps to each other. Each app has several analytics packages that send this data.
Any ad server can get this from an analytics package, or from another ad broker. Many ad brokers function as every other component in this web too. Just like Google has both Google Analytics, an ad serving platform, an ad brokering platform and ability to get data from other ad brokers, all alongside the ability to directly track you like you imagine. But probability wise, it’s not “Google tracking you”, its everyone.
That can include any number of avenues, including from implants they've put on devices you may carry. For example, even if you don't have location services on, depending on the model it will keep the last X number of AP points and cell towers that came into range, and that information may be used to correlate your location regardless of if the feature was turned on or off by you. I'm pretty sure intermediate cell towers sell some of this information to Accurint which is where most governments agencies go for information when not Palantir.
Google has a lot of ad fraud because of their pernicious use of surveillance may indicate you fall within a demographic to their ad companies that you do not, but they are the only marketshare in town for ad providers.
No there isn't a way to game the system in any way, you have no control over their algorithms, or even your own hardware.
You may also notice that if you talk about a specific thing hitting the same keywords over and over within a few minutes, within range of one of those devices all the ads switch to that thing. Like a purple dog collar. Technically that's wiretapping, and should be illegal, but no ones holding them to account because someones decided its not illegal if an algorithm does it?
For anyone not aware of the tech involved in this, this may seem like a tinfoil hat like response invoking the I can't believe it response. That's fine, but it is happening regardless of people thinking those thoughts, and you have no agency to change or stop it which was by design.
If you are unhappy with that, the only option is to become an expert in the technology, or bury your head in the sand.
The thing that most people don't get about privacy is, privacy is your future. If you give up your privacy, you are giving up your future.
Whatever that may be, its what you are trading when you use anything made by companies involved in this despicable and evil trade.
You become a victim to anyone who pays to have access to that information or some derivative of it, and its done in a subtle way that you don't concretely know when that's been used against you or when its happening.
Those companies won't give you enough information to make an informed decision about it because they are deceitful and malevolent by design and have used leveraged buyouts to consolidate that power in a global game of monopoly, and most likely received funds from people within the government to set this up in the first place.
They have gotten where they are now at by stripping agency, and voice, and corrupting and subverting the areas they would normally be held to account.
So the only real alternative without specialized knowledge is to become a luddite and not engage in society (in the US).
This mostly because everything is being forced through compulsion into the online space without proper safeguards, you have companies who are acting as arms of government without government oversight, which is also by design.
Most people can't become a specialist at tech overnight, and the people that do go the luddite route are ostracized, and have less opportunities for anything that falls in the social spectrum.
Many people do not realize just how bad things have gotten because they rely on institutions to get their news, such as from the Sinclair's of the world.
If you have a chance look at the deadspin Sinclair video. That was made years ago, and despite that and other issues, they were still authorized for further mergers to consolidate their business.
The reason the world is getting so crazy and going off the rails is because these 'evil' people have been allowed to continue this attack on agency and speech without restriction, and the people responsible for not taking action agai...
The same people responsible for Havana Syndrome have coerced their way into the tech industry and, as you said, privacy will only be had with a fight.
Petty criminals are recruited online and given unfettered access to systems that have complete dossier and real-time tracking of anyone, enabling harassment, surveillance and sabotage.
Just disconnecting isn't enough, tinfoil won't shield against the advanced electromagnetic surveillance used and only a rebuild of our society, with housing that can absorb and nullify radiation, will bring privacy and security back.
You would have to equate "em surveillance" with all radio (that is em after all), and coverage of course varies by location.
As for inner speech and bodily actions that does go too far because its much simpler, and has little to do with the other.
They use a combination of psychological blindspots, mass media, and indoctrination to influence the latter. It could be as simple as a sound that previously was associated with a dopamine hit, or other conditioned response. Cialdini wrote a book on the subject covering the most common blindspots.
As for the rest, that's a bit off the rails sir.
I logged into the WiFi of a Russian airport once and from that day I had Russian spam in my email, fake invites on Google calendar, attempt to break into my Shopify account and others (probably using data from breaches)
[1] https://support.google.com/websearch/workflow/9308722?hl=en
I've always wondered what I'm supposed to do when on holiday in a country with a different script that I can't make heads or tails of. I'll have to practice my japanese or amharic then I guess?
The other extreme is DDG which will try to find English results for a query that very clearly uses Dutch words, matching pages that don't have those words on them rather than bringing up the Dutch page that contains all of the keywords.
whereas it could just do keyword matching like I ask it to
United Airlines is actually the worst offender for this - they constantly revert pricing to GBP. They somehow manage to know which home airport to set though.
Edit: It only works if you stay logged in to your Google account.
With Firefox, you can (with some difficulty) specify your location, but most still pull something out of their ass.
After a while, Google would associate the IP address of the local side of the tunnel with the location of the remote side of the tunnel.
I assume this is from Android devices connecting to the network on the remote side, being geolocated by Google Play Services, and Google tying this location with the IP address.