Tell HN: Google Maps location data is used for GeoIP updates

113 points by ogeiczvm 3 years ago · 67 comments (65 loaded) · 4 min read


Hi,

I've been meaning to write this for a few years now. I saw https://news.ycombinator.com/item?id=34032484 and lots of great replies there - but I happen to have an insight which I kept track of for years now.

Some background first. For more than a decade I've been using an always-on VPN on all my devices through a VPS I operate (various cloud providers along the years). Also for context, I stopped using all google services around 2015 or thereabouts - although I still have an account I no longer use it. The only google service that I use rarely is google maps - of course, never logged on. And a few times a month I use google search for the odd obscure thing.

Around 2016 was the first time I noticed that google.com was showing at the bottom of the page my ZIP code. It felt very unusual but I was in the process of moving so I didn't pay too much attention. To my surprise, a few weeks later google.com was showing my new ZIP code.

I shopped around for cloud providers that would allow me to rotate the instance IP easily and thankfully there are many but I was curious how come google picked it up - the only plausible reason was using location data from the Google Maps iOS app.

Here's how you can replicate this.

Get a cheap VPS from a country different than yours. Get an iOS device (ideally an (older?) iPhone but I think it should work on an iPad) - Android devices should be excluded from this test for obvious reasons. Reset it to factory defaults (optional but removes moving parts and false leads like cookies etc).

Install wireguard (or your preferred always-on vpn) and configure the VPS to be used as an exit node. Install google maps (don't login of course) - can be used without being logged on just fine. Install firefox focus (Safari in Private Window mode would work as well).

Confirm via ipinfo (or your preferred whatsmyip website) that you're using the VPS IP. Go to google.com and confirm it's showing at the bottom of the page the country of the VPS (could also be shown in a different language if google has a presence in that country).

Use the google maps app a few times a day (ideally navigate from a place to another) - it will take about 2-3 weeks but you'll notice that google.com will now show your actual country for the VPS IP and also the google.com language will change to your own.

If you want to take it one step further, continue to use google maps on the iOS device. You'll notice that after a few more weeks, google.com will show your actual City (based on the IP) - and after a while longer it will be even more precise, will show your ZIP code.

You have to be patient though, it will take 2-4 weeks to start with - and it's imperative that that IP address is dedicated to this test.

Funny enough, I was on holiday in Mexico for a month right before reading the HN article I mentioned (have been using a VPS in the states for lower latency) and I noticed that after 2 weeks the language changed to Spanish and google.com was showing Mexico (I rotated the IP when this happened and it prompted me to write this 'Tell HN').

Not surprisingly but Google doesn't share the new GeoIP data - MaxMind, ipinfo and others never changed their location data for that IP - they showed the original geoip even a few weeks after google changed theirs - haven't checked longer than that - it could be shared eventually.

In conclusion - I can't say that I'm surprised Google is using the Maps location data - and I don't think there's any way to prevent it (outside of not running Maps - but unfortunately it's one of the few ways of checking restaurant reviews). My "workaround" is to periodically rotate my VPS IP and move on with life :)

Thanks for reading - I hope you found this useful.

vageli 3 years ago

> Apple provides all developers with access to its Network.framework, Multipath TCP (MPTCP), and other networking APIs, which by design allow any app developer to bypass the Wi-Fi interface and route traffic directly over the cellular interface. Invoking these tools effectively allows any app developer to unmask VPN users on Wi-Fi without notice or consent. By routing device traffic over the cellular interface, app developers are able to bypass VPN protection and obtain the user's cellular IP and other device information that allows that app developer to fingerprint a particular device and/or user.

https://blog.disconnect.me/ios-vpn-leak-advisory/

  • jacooper 3 years ago

    VPNs on iOS are useless, just like almost any advanced usage of any of Apple's devices.

    • blueflow 3 years ago

      *VPNs for IP masking.

      I guess that ship has sailed....

      • bobkazamakis 3 years ago

        > *VPNs for IP masking.

        ah yes, a great counterpoint because users so often don't use a different IP address under their VPN.

        • blueflow 3 years ago

          Leaking IP addresses is only a security issue for kinds of VPN that are meant to hide these.

          For corporate VPNs, virtual private networks or just datacenter routings it's no problem since they are for other purposes than masking your IP.

  • barbazoo 3 years ago

    Is it possible to restrict cellular usage by app by any chance?

quesera 3 years ago

Summarizing: If you run the Google Maps app on your iOS device, Google will build a correlation between your IP address and your GPS+ location.

You can turn off Location Services access for Google apps, if you feel the need to run them at all. Adding a few seconds of panning and zooming is a reasonable trade.

> (Google Maps app is) one of the few ways of checking restaurant reviews

Apple Maps has restaurant reviews also, if you can stomach Yelp. Google Maps also works in mobile Safari, if you'd prefer to sandbox Google code from your hardware (and again, you do not need to allow access to your location).

There is no path forward that permits both "I don't accept Google's data practices" and "I allow Location Services for Google mobile apps on my iOS device". :)

  • jxramos 3 years ago

    I think Apple Maps looks to be starting to accumulate its own set of reviews. It has a ratings feature where you can review overall thumbs up or thumbs down and can upload your own photos of the place. It contributes to apple using your AppleID email. There's small fine print

    > Ratings and photos are associated with your Apple ID. By contributing you agree to the Terms > https://www.apple.com/legal/internet-services/maps/ratings-p...

    • reaperducer 3 years ago

      > I think Apple Maps looks to be starting to accumulate its own set of reviews.

      It is. I get a thing in Apple Maps that asks me for reviews of places I look up.

      I'm more tolerant than the average bear, so I don't submit reviews. I also don't read reviews, because I don't find any value in them. Again, because I think I have different needs and expectations of the world.

      I think it's limited to certain individuals right now. I don't know how I got selected. Maybe because my local Starbucks is constantly changing its hours, and I'm constantly sending the updates to Apple Maps.

    • jxramos 3 years ago

      Interesting, they want location data to confirm presence at a given spot.

      > or not post a Submission that has location data removed or where Apple is unable to verify the location.

  • ogeiczvmOP 3 years ago

    > There is no path forward that permits both "I don't accept Google's data practices" and "I allow Location Services for Google mobile apps on my iOS device". :)

    in my case I have a family member sharing my VPN endpoint (DNS blocking does wonders on iOS) - which was part of the initial puzzle as I didn't use any google services at that point.

    Not a path forward but a workaround - rotate the IP periodically and start "fresh".

  • gruez 3 years ago

    >You can turn off Location Services access for Google apps, if you feel the need to run them at all. Adding a few seconds of panning and zooming is a reasonable trade.

    That's not workable if you need it for turn-by-turn directions, which is a pretty common use case.

  • hirschw 3 years ago

    I do use Google Maps, but I don't like tracking. Is it easy to turn off tracking and still receive full mapping services?

  • hirschw 3 years ago

    I do use Google Maps, but don't like tracking. Is there a way to shut tracking and still receive full Maps service?

anyfactor 3 years ago

I work for IPinfo, but this is my personal opinion/account.

Whenever I see people talking about their IP geolocation being wrong, I will reach out to them and try to fix that issue. Even if it is just one person, it really means a lot to them and to us as well.

For some IP geolocation correction, some providers are better than others, but with Google? oof, tough break.

It is really weird to see that the best possible chance of fixing your IP address with Google is to get a bunch of android smartphones and start running Google Maps with GPS on. Yes, that is even suggested to organizations with their own ASN (which represents a big IP address block) who are struggling with wrong IP geolocation assignment by Google. I have yet to come across any post about how people were able to contact Google, and they fixed their IP geolocation issues.

  • LeifCarrotson 3 years ago

    > Whenever I see people talking about their IP geolocation being wrong, I will reach out to them and try to fix that issue. Even if it is just one person, it really means a lot to them and to us as well.

    My IP geolocation is constantly wrong (I'm using TMobile home internet). It constantly says I'm in Detroit, or Chicago, or somewhere else potentially hours from where I live. I assume T-mobile is randomizing IP address allocation at everyone routed through some giant midwestern datacenter, and Detroit/Chicago simply have the most people, but I don't know and I don't care.

    But I like it that way! I don't want random website owners to know exactly where I am. I've disabled location, camera, microphone, and notification requests in my Firefox settings, blocked popups, and installed an ad-blocker. I don't understand why anyone would do any of those things differently. I do prefer some location over global randomness that might not get the language or country right, and it's slightly annoying to constantly have to set the target store when shopping at, say, Menards, REI, or Napa Auto (even though I've been automatically logged in with the same shipping address for a decade, new visits to the pages default to location-based "my store" even when that data is unavailable)... but overall, I'd rather have a level of granularity that merely tells you I'm somewhere in the continental 48 US states.

    Why does getting geolocation right mean a lot to you? Why should it mean a lot to me?

    • anyfactor 3 years ago

      Solid question. There are a ton of reasons why accurate geolocation matters for everyone. For us it matters, because that is what we do as a business, we provide super accurate data.

      > I don't want random website owners to know exactly where I am.

      With IP geolocation, it is not exactly "exact" location. City level? Yes. Zip code level? Kinda Yes. Latitude and Longitude? I would put it as a good possible estimation. Our customers are aware of that.

      Nobody is tracking you with IP geolocation, to be honest. It is used for a ton of reason.....and I just had a long day, please just read the blogs we have on our site. I wrote some of the blogs myself.

      > Why should it mean a lot to me?

      Honestly, if you are not being impacted by wrong IP geolocation, it may not mean a lot to you personally. But people who are impacted are being located to a wrong city, state or in some cases to a different country. Us providing accurate geolocation does mean a lot in my opinion. There are no hoops to jump through, we are literally reaching out to you to find a way to solve this problem.

      • LeifCarrotson 3 years ago

        > It is used for a ton of reason.....and I just had a long day, please just read the blogs we have on our site. I wrote some of the blogs myself.

        I scrolled through and found eg. https://ipinfo.io/blog/using-privacy-detection-data/ and https://ipinfo.io/blog/privacy-adtech-online-targeting/ and https://ipinfo.io/blog/governments-ip-address-data/, but while these might be useful to me as a business to filter the zip codes of targeted ads, they're exactly the opposite of something that provides value to me as a user.

        Accurate geolocation might reduce the number of nuisance captchas I have to complete. You write "Our data is also used by governments around the globe because they know they can trust the insights we offer. Every day our databases are updated with the most accurate information at any given time..." but while your databases are the most accurate available, they're not 100% accurate, they're IMO conflating IP with identity and physical location and that just doesn't make sense.

        • anyfactor 3 years ago

          Thank you. It is good to have these conversations. I appreciate you for taking a look. You are right, organizations should not conflate IP with identity on an absolute scale.

          We are very open about the fact that, with IP geolocation, absolute real-time accuracy is not possible. There are billions of IP addresses and thousands of IP address owners who are shuffling them around randomly. Getting readily updated absolute accurate real-time data is damn near impossible at our scale. The most updated data you can get is on a daily basis, and we process around 1.3 billion requests per day.

          The alternative you have to IP geolocation is GPS based geolocation. GPS has its place when used properly. IP geolocation is essentially a database. We are not getting any information from the user or their movement. We are largely inferring the data based on various publicly available datasets combined with an incredible amount of analysis.

          The accuracy of our database on the city level is pretty close to 100%, but it is not 100%. This level of accuracy is acceptable to our customers. But you are right. There is a non-zero chance of error.

          Now, customers who buy our product have to determine what is the significance of this error rate. In most cases of IP geolocation, that is acceptable. Imagine traffic data at enterprise scale. Some of these organizations are actively fighting cyberattacks on a minute to minute level. So, our data is very helpful for them. It is helpful in providing location context in data enrichment processes.

          For advertisement and personalization, this low error rate could have significant impact. That is why we are having this conversation here, because some naively constructed personalization solution forces geolocation attributes on users.

          But what we are seeing here is, GPS based location solutions, believing that they are so damn accurate whatever decision these organizations are making is not their fault, it is the user's fault somehow! Which is freaking absurd.

          IP location's reasonable accuracy makes a strong case for privacy. There is no tracking involved for a user. For the regular organization with IP geolocation, they have just enough data on the user, and they are not asking the user to agree to a location tracking solution.

          If organizations chose IP based location, they would be more lenient in providing easier fixes to personalization, because they are aware of the fact of non-zero chance of error rate. I am not trying to market the fact that not providing absolutely accurate data is a selling point somehow, but in fact I am trying to advocate for organizations to be more accepting and supportive of user requests. Most of the people I interact with about IP correction are not our customers or users of our customers. But we want to make sure they don't face these issues when they use our data or when they interact with someone who is using our data.

    • richardjam73 3 years ago

      My ISP gives a new ip address every time the connection drops. I've given up using geolocation ip on websites as it is always off by 200 to over a 1000 Kilometres.

  • greyface- 3 years ago

    If you have a peering relationship with Google, they'll give you access to their "ISP Portal", where you can provide a CSV of IP geolocation information for your address space.

    • anyfactor 3 years ago

      > CSV of IP geolocation information

      That is called a geofeed. If you own a large block of IP addresses, it is a good practice to have a geofeed data publicly available.

      Our IP correction webpage is quite easily accessible for geofeed submissions [1]. You can email us, submit a link to a csv file or even a Google sheets page will work as well. Even though we appreciate geofeed submissions, it is not the most accurate or updated data source for IP geolocation, so we still have a lot of stuff to do to provide accurate data.

      [1] https://ipinfo.io/corrections
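
The geofeed mentioned above is a plain CSV whose layout is standardized in RFC 8805 (`ip_prefix,alpha2code,region,city,postal_code`). As an added example, not code from the thread, IPinfo or Google, this Python checks a feed before it is submitted and shows which entry a consumer would resolve for an address, assuming the consumer prefers the most specific prefix; the sample feed is constructed from documentation prefixes and the function names are hypothetical.

```python
import csv
import ipaddress
import re

# RFC 8805 line layout: ip_prefix,alpha2code,region,city,postal_code
COUNTRY_RE = re.compile(r"^[A-Z]{2}$")               # ISO 3166-1 alpha-2
REGION_RE = re.compile(r"^[A-Z]{2}-[A-Z0-9]{1,3}$")  # ISO 3166-2

# Constructed sample feed (documentation prefixes only, not real allocations).
SAMPLE_FEED = """\
# constructed sample geofeed
192.0.2.0/24,US,US-WA,Seattle,
198.51.100.0/25,DE,DE-BY,Munich,
198.51.100.0/24,DE,DE-BE,Berlin,
203.0.113.7,GB,GB-LND,London,
2001:db8::/32,MX,US-TX,Monterrey,
203.0.113.0/33,US,,,
192.0.2.0/24,CA,CA-ON,Toronto,
"""


def parse_geofeed(text):
    """Return (entries, problems).

    entries maps ip_network -> (country, region, city) for accepted lines;
    problems is a list of (line_number, message) for rejected lines.
    """
    entries, problems = {}, []
    for lineno, row in enumerate(csv.reader(text.splitlines()), start=1):
        if not row or row[0].lstrip().startswith("#"):
            continue  # blank lines and comments carry no data
        fields = [f.strip() for f in row] + [""] * 5  # pad short rows
        prefix, country, region, city = fields[:4]
        try:
            # A bare address becomes /32 or /128; strict=True rejects
            # prefixes that have host bits set (e.g. 192.0.2.1/24).
            net = ipaddress.ip_network(prefix, strict=True)
        except ValueError as exc:
            problems.append((lineno, f"bad prefix {prefix!r}: {exc}"))
            continue
        if country and not COUNTRY_RE.match(country):
            problems.append((lineno, f"bad country code {country!r}"))
            continue
        if region and not REGION_RE.match(region):
            problems.append((lineno, f"bad region code {region!r}"))
            continue
        if region and not region.startswith(country + "-"):
            problems.append((lineno, f"region {region} is not in country {country!r}"))
            continue
        if net in entries:
            problems.append((lineno, f"duplicate prefix {net}"))
            continue
        entries[net] = (country, region, city)
    return entries, problems


def lookup(entries, ip):
    """Return the (country, region, city) of the most specific matching prefix."""
    addr = ipaddress.ip_address(ip)
    matches = [n for n in entries if n.version == addr.version and addr in n]
    if not matches:
        return None
    return entries[max(matches, key=lambda n: n.prefixlen)]


if __name__ == "__main__":
    feed, issues = parse_geofeed(SAMPLE_FEED)
    for lineno, message in issues:
        print(f"line {lineno}: {message}")
    for ip in ("198.51.100.10", "198.51.100.200", "203.0.113.8"):
        print(ip, "->", lookup(feed, ip))
```
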

  • BonoboIO 3 years ago

    Could not use Sonarr, because they blocked Russian IPs via Cloudflare. I was confused, because I used a Hetzner Server from Germany. MaxMind's DB that is used by Cloudflare flagged the /24 subnet as located in Moscow. I used the wrong data form and it was fixed in about 24 hours.

  • ronsor 3 years ago

    I have my own ASN. Getting the geolocation information updated in the IPinfo database was extremely easy; however, months later Google still doesn't get it right for my IP ranges.

    Kind of annoying, but I'm assuming Google doesn't even touch geofeeds.

    • anyfactor 3 years ago

      Check this out: https://old.reddit.com/r/networking/comments/zm60vn/google_h...

      We reached out to OP even though we were very sure that their IP geolocation is definitely correct with us. They checkmarked everything and then some. OP told us that we are providing accurate data.

      But does Google care about that? Not really. Now they kinda have to use that android phone Google Maps trick and hope that it fixes their problem somehow.

  • dicknuckle 3 years ago

    Is there an article you can point me to for fixing my geolocation? I route all of my home internet through a VPS so that I can bond (slightly different to load balance) 3 ISPs. I'll randomly have my geolocation show up very wrong.

    I don't have any kind of wired internet here so this fixes the reliability of wireless internet where the old backup adage "2 is 1, 1 is none" comes into play.

    • anyfactor 3 years ago

      I can only suggest our IP correction page: https://ipinfo.io/corrections

      Submit your IPs, it will go through a verification process and if all checks out the data will be updated. Unfortunately, there is no one size fits all solution. You have to submit IP correction one by one to major IP geolocation providers.

    • BonoboIO 3 years ago

      How did you bond 3 isps?

argon81 3 years ago

GeoIP is a product from Maxmind, the post does not actually implicate Maxmind at all.

Perhaps a better title is "Google Maps location data is used to localise other Google services"

  • hartator 3 years ago

    Yes, I was confused by this.

    Of course, Google will use its own data to get more precise in pairing IPs with locations. And of course, Google won’t share this data with MaxMind’s GeoIP. Very confusing post.

smashah 3 years ago

I have a WireGuard VPN in my home server in London. During the pandemic I was stuck in the Middle East for a few months. Obviously while there I was VPN-ing all my traffic from my various devices through my home server. When I got back to London, all my YouTube and TV ads were as if I was still in the Middle East. Very annoying.

  • ogeiczvmOP 3 years ago

    I never tried this - but I would've expected that after using Google Maps for a couple of weeks while in London - the GeoIP data would've been updated again back to the UK?

  • sneak 3 years ago

    This is likely cookies or account history, not IP geolocation.

gruez 3 years ago

This is why for anonymity you want to use a commercial VPN provider rather than a self-hosted-VPN-on-VPS solution. In the former, you connect to a pool of servers that shares IP addresses with thousands of users, but in the latter you connect to a single server that's only associated with you.

rjh29 3 years ago

Takeaway: don't use Google if you care about privacy. Your VPN/browser config likely cannot outrun their algorithms.

I'm neutral about this - making GeoIP data better improves everybody's life, so I find it hard to be annoyed about it.

alastairp 3 years ago

I encountered something similar to this last month. I was visiting Canada from Spain, and got an esim from https://www.airalo.com/. Due to what I guess is airalo obtaining transit from the cheapest provider, the data connection ended up being bounced through Czechia.

This meant that my android phone was a bit confused at times. When on mobile data the weather widget would default to showing me weather for random Czech cities, and search results would be Czech-localised. When on wifi connections, results were in English and Canada-localised, unless I bounced through a VPN exit node at home.

After 3-4 days, ads on Youtube started becoming Canada or Czechia-localised depending on if I was watching it via wifi or mobile data. It seems that google eventually decided that I was in Canada, continuing to play me Canadian ads even when I got home to Spain, on both wifi and mobile data. What was even stranger is that my partner started getting Canadian ads on youtube on her ipad too, which doesn't have any details about my google account (other than us living on the same internet connection). It took about 2 weeks for google to start playing us Spanish ads again.

wereallterrrist 3 years ago

Lol folks weren't even reading my thread properly, all, before throwing out the most obvious, invalidated assumptions. All of the top replies implying I don't know what I'm talking about.

Sorry folks, devices that I've never, ever signed into, that have never left Seattle, now think they're in fking Mexico anytime I use a google service. Again, not logged in, but also on browsers that clear everything on exit. The ONLY POSSIBLE EXPLANATION, PERIOD, is that Google took my location data from maps in Mexico and tainted my Seattle IP with it (as I was using my seattle-apt-server as my vpn tailscale exit node)

And to elaborate, the ONLY app on my phone with access to my location is Google Maps.

OP, I 100% believe you, sorry for the comments that clearly just tapped something out without thinking it through.

The computer this screenshot was taken from has never left Seattle. It's a naive Windows machine, no VPN, no nothing, and yet... this: https://i.imgur.com/kVgz1RD.png

  • ogeiczvmOP 3 years ago

    Yes, I did notice that replies to your post were blaming cookies and some incorrect assumptions - hence I wanted to put the time in writing this post separately.

    To further validate our assumptions - try to use google maps daily for at least 2 weeks while in Seattle using that exit IP. Logic tells me that it should update once more to the new location (I'd think it's unlikely to be a once off update due to the dynamic nature of IP).

charcircuit 3 years ago

As a counterexample, I always have location turned on in Android and use maps for directions from my house. The location at the bottom of a Google search is a different city from where I live. It has never shown the actual city where I live despite it being easily available as my address is saved as home in Google maps.

miyuru 3 years ago

I haven't experienced that, I get random locations that are nowhere close to my real location in incognito google searches. I have Google Maps on android as well.

My IPv6 address (/128) gets changed by the OS every time wifi gets disconnected and the prefix (/64) gets changed every week or when the router restarts.

reitanuki 3 years ago

I noticed this just recently — DuckDuckGo failed me and then I fell back to google eventually and noticed that the footer showed the village we live in (tiny) which really shocked me/creeped me out. We're not even on a static IP anymore but a dynamic IP... Noteworthy is that Android by default has an option to 'enhance location accuracy' and it says it sends data back to Google. I consider myself fairly savvy about taming an Android phone but unfortunately this is not one I was aware of. I disabled that on my partner's phone, which is where I suspect the leak came from (they also use Google Maps occasionally; I suspected that probably feeds the information in as well).

Since avoiding using these things, IP location seems to be inaccurate as it should be again.

someweirdperson 3 years ago

Of course they do, was there ever any doubt?

Next important step: How can this be used for something entertaining? Does google maps work with forged location data? That would allow to seed the system with an IP that lives in area 51, or something like that.

  • ogeiczvmOP 3 years ago

    I actually mentioned this in another reply. I never tried but it should work in an android emulator - set the GPS coordinates to something interesting - of course, something that won't potentially get you in trouble.

jstanley 3 years ago

Is this definitely based on GeoIP, or could it possibly be that when you look at the same city on Google Maps every day, it decides that you are likely to want to look at that city? Does the behaviour persist in a private browsing window?

  • ogeiczvmOP 3 years ago

    I always use private browsing window (and note my recommendation on how to replicate - to use Firefox Focus as this does not have any persistent data) - so yes.

    It's definitely updated on GeoIP as it's device independent (eg: a laptop using the same exit IP will automatically be redirected to that country when it changes).

plorg 3 years ago

See my comment on the previous thread, I have an unusual Google geolocation situation, where at work there is no GPS coverage and Google shows my location in random locations as much as 200 miles away from my actual location. I do not believe that my actual IP makes a difference because I have a Wireguard VPN from my phone through my home router, and enabling that (or leaving it on) does not change the location that Maps thinks I am at. But this is on Android so there may be some difference.

quinncom 3 years ago

I don’t doubt that this is happening for some people, but it hasn’t happened to me. I have a similar set up. All my devices always use an Algo VPN with an IP address in the US, which I’ve never changed. I use Google Maps on an iPhone with location services enabled. I’ve been in Mexico for most of the past three years, and yet Google has never considered my VPN IP address as being located in Mexico. Google’s websites always show me as being in the US.

PhilippGille 3 years ago

You say that the VPN is always on, but wasn't there a post on HN some time ago that showed that on iOS VPN is not 100% used for all data? Might have been this one: https://www.michaelhorowitz.com/VPNs.on.iOS.are.scam.php

So potentially your real IP was leaked otherwise, Google became aware of that IP and geolocated you, without Maps data?

  • ogeiczvmOP 3 years ago

    I am aware of the IP leak in iOS but that's only for Apple services, Google Maps will always use the outbound VPN IP.

    Something to note though - in my post I never mentioned the "real IP" - all tests were done to change the geoIP data of the VPN IP - and that always works as expected.

    • Brian_K_White 3 years ago

      Other comments here say that the feature is available to any developer and any app may go around the default route and use the cell connection directly.

sneak 3 years ago

It should not be surprising that, after voluntarily providing your location data to an advertising surveillance company during the use of free services (using Google Maps) that that advertising surveillance company later monetizes that location data.

Stop giving Google your location if you don't want Google to know your location.

jacooper 3 years ago

That's why you should use maps in offline mode, if you need to search something online, use the browser.

However I doubt you will be able to cut maps internet access on iOS, as usual it's "too advanced" for iOS, why would you ever do such a thing /s.

boxed 3 years ago

Google for many years thought my office in Sweden was in fact in central Tokyo. This happened after a vacation trip there. And then it somehow got stuck with the idea.

tmpburning 3 years ago

> Install google maps

If you install the app locally, it doesn't matter if you use a VPN...

steponlego 3 years ago

Google geolocates you if you use a pop / imap client too.

gpolk 3 years ago

Do you use Google Maps as a logged out user? That’s what I do and hope that they don’t link my information back to me.

  • mittermayr 3 years ago

    I think the main concern is less about you (as a unique person) specifically, but more in terms of you as a somewhat aggregated profile. It's not super useful (also in terms of privacy and all that) to advertisers to get your name and exact home address, it's enough to know what "kind of advertising target profile" you represent most closely. I think that is also what many people concerned about privacy are missing — it's not about you, as an individual. It's about you, as a summarised profile, which can be shared with other advertisers. Being logged in or not used to be a bigger deal in the past, for sure, but now your browser and behavior is leaking enough detail to build a shared profile about you across various sites.

  • ogeiczvmOP 3 years ago

    Yes, never logged on. Linking your location back to you personally is a different topic and depends on your usage - but if you have a static IP for > 2 weeks - google.com should show you your precise location (at the bottom of the page).

vachina 3 years ago

Tldr: Google associates your static IP to your real location, if you use Google Maps long enough with that IP.

My Takeaway: use a shared IP

  • ogeiczvmOP 3 years ago

    It would be an interesting test if someone has the time and resources - use conflicting location for the same IP. Could be done in an emulator in Android Studio I assume? I would think that it would simply treat it as bad (inconclusive) data and not update the GeoIP.
