Wi-Fi based Positioning Systems
Apple, Google, and Microsoft run large Wi‑Fi positioning systems (WPS) that crowdsource router identifiers and locations from user devices, then use those databases to estimate device location and indirectly enable tracking even without GPS.
How Wi‑Fi geolocation databases are built
Modern smartphones and laptops continuously scan for nearby Wi‑Fi access points, collecting each access point’s SSID (network name), BSSID (MAC address), and signal strength.
When OS‑level location services are enabled, this scan data is periodically sent to the vendor (Apple, Google, Microsoft), often together with the device’s current GPS or cell‑tower–based location, so the service can associate each BSSID with geographic coordinates.
Vendors maintain large, continuously updated databases containing:
BSSID (MAC address) of the access point.
Optional SSID and other basic parameters.
Approximate latitude/longitude and sometimes accuracy metadata derived from many independent observations.
These databases are populated in two primary ways:
Crowdsourcing from end‑user devices (Android, iOS, Windows) as they move around and report visible access points with their locations.
Supplemental collection (for some vendors) using dedicated vehicles or other managed devices that drive around scanning Wi‑Fi, similar to street‑view mapping.
How location is inferred from Wi‑Fi
When a device wants to determine its location without relying solely on GPS, it sends a list of nearby BSSIDs and signal strengths to the vendor’s Wi‑Fi positioning system.
The positioning system then matches those BSSIDs against its database and uses algorithms such as trilateration, multilateration, or RF fingerprinting to compute an estimated device location.
Implementation details vary by provider:
Google: Typically accepts a list of Wi‑Fi access points and returns the device’s estimated coordinates based on its internal database and signal‑strength model.
Apple: Accepts a list of BSSIDs and may return not only the computed location but also the geolocations of the submitted BSSIDs and up to hundreds of nearby BSSIDs, making the API unusually “chatty” and enabling large‑scale enumeration of their database.
Microsoft: Uses Wi‑Fi MAC addresses and cell IDs in its Windows Location Service database, populated via user devices and sometimes drive‑by data collection, to provide location estimates to Windows devices and apps.
Because the database ties specific BSSIDs to fixed geographic points (for most home/office routers), any device that sees those BSSIDs can be located to that physical area, typically with building‑ or street‑level granularity.
How this enables user tracking
Even if IP addresses are obfuscated (for example by a VPN), Wi‑Fi geolocation leaks several privacy‑relevant signals:
Location correlation: A router’s BSSID is effectively a stable, globally unique identifier for the access point; seeing the same BSSID over time links different sessions and devices to the same physical location.
Movement profiling: As a device moves through space, its changing set of visible BSSIDs can be translated into a path through the Wi‑Fi map, allowing reconstruction of routes and visitation patterns.
Cross‑service linking: If multiple apps or OS components use the same vendor’s WPS, they all depend on (and may contribute to) the same underlying location trace for that device and that Wi‑Fi environment.
Apple’s Wi‑Fi Positioning System has been shown to be especially prone to large‑scale tracking misuse, because its API returns geolocations for many additional nearby BSSIDs beyond those explicitly requested, making it trivial for an adversary to bulk‑enumerate router locations and monitor changes.
Implications for Wi‑Fi users and mitigation
From a privacy standpoint, using Wi‑Fi exposes:
The presence and approximate location of the access point itself (via inclusion in these databases).
The physical location of users connecting through or merely near that access point, regardless of whether their traffic is tunneled through a VPN.
Mitigations include:
Preferring wired Ethernet where feasible, which removes Wi‑Fi from the equation entirely at the client side.
Disabling or tightly controlling OS‑level location services and Wi‑Fi scanning features that contribute to these databases.
Using vendor‑provided opt‑out mechanisms (for example, Microsoft’s MAC‑based opt‑out or SSID suffixes some services recognize) to prevent a router from being added or to request removal.
Sources:
Your Wi-Fi Info Is in Google and Microsoft’s Databases: Should You Care?
Windows location service and privacy
Why Your Wi-Fi Router Doubles as an Apple AirTag
Wrong location detected by Windows / Cortana / Maps
Find out how to use Google to locate your home using just your Wi-Fi router!
How Apple Wi-Fi Positioning System can be abused to track people around the globe
Surveillance Risk: Apple’s Wi-Fi-Based Positioning System
Control access point inclusion in Google’s Location services
Apple Wi-Fi network vulnerability could leak your location in real-time