New Tracking System Can Pin Any Internet User's Location to Within a Few Hundred Meters

marked on map
You Have Been TargetedDan Nosowitz

Unless you explicitly give permission to use your location, interested parties (like, say, advertisers) can only track you with geolocation to within a radius of about 200 kilometers. But researchers in China and the U.S. have figured out a way to get closer--much closer. With a three-stage system using Google Maps, these researchers can, according to New Scientist, get as close as a few hundred meters.

Yong Wang, a computer scientist at the University of Electronic Science and Technology of China in Chengdu, developed a three-stage system to narrow the radius of geolocation without requiring the user's permission. The first stage is the one that's currently used: A packet is sent to the target, and the time it takes to to bounce back is converted into a (very vague) distance. But Wang took it further by realizing that many large organizations, like businesses and schools, usually have their servers in-house, meaning the IP addresses can be tied to a physical location that's easily found. If an IP address is linked to a university, you can just look that university up on Google Maps and have a pretty good idea that the user of the IP address is somewhere nearby.

Wang catalogued about 76,000 such "landmarks" on Google Maps, which leads to the first new stage developed. The new system pings all of the landmarks in that initial 200-km radius, and by analyzing the time that bounce takes, the possible location radius can shrink even further. In this stage, the software might find that ten out of twenty landmarks return similar ping times to the target, and shrink the possible location radius to reflect that result.

After that step, they continue the method until they figure out which landmark is closest to the target. In areas with many targets, like cities, that can lead to unsettlingly accurate tracking--all without the target's permission. The only recourse somebody might have to this method would be to use a proxy, which would effectively confuse the software into returning a null result.

Who would be interested in this? Well, advertisers might not actually care to get this granular with their targeting, although super-local advertisers might be able to target individual neighborhoods. What's more worrying is the possible invasion of privacy from, well, just about anyone, from individuals to small groups to governmental organizations. Is everyone going to have to use a proxy just to avoid any stranger being able to zero in on their laptops? And do the benefits of this kind of tracking outweigh the costs?