Even Tor, the anonymizing network dedicated to protecting the user’s anonymity and location, does not protect perfectly against this attack. However, “it deploys good protection features,” Yaoqi said, and is likely the best browser defense one has against geo-inference attacks.
The vulnerability stems from the fact that some of the world’s most popular websites are “location-oriented,” meaning they’re necessarily aware of visitors’ location information. Craigslist sites let users narrow their search by city or even neighborhood. Google directs users to a country-specific page—Google.com is just for the U.S., for example; Canadians get Google.ca. And then there are services like Google Maps, which caters to exact addresses and remembers specifically where almost all of its users live.
The problem comes when the location information known by sites like Google and Craigslist leaks and becomes available to third parties that have no permission to know where you live.