A new IP location method accurate to a few hundred meters has been developed using a series of refinements that can pinpoint a user's physical location at street level.

Geolocation using IP address is not a difficult idea. You have a table of IP blocks that have been allocated to various entities and use these to work out where traffic is coming from. The only problem with this is that the actual server that the traffic originates from can be many miles from where you think it is.

Now Yong Wang, a PhD student at University of Electronic Science and Technology of China in Chengdu who is currently a visiting student at Northwestern University in Evanston, Illinois, U.S., has worked out an algorithm that can pin down the true location of a server using nothing more than its IP address.

To use the method you first need some servers that you know the location of. Wang used Google Map servers. Next a rough fix of the location of the target machine is performed in the usual way i.e by measuring packet transit time from a number of "ping servers" spread out at known locations. You can determine where the target is located using triangulation from the transit time of the packets from each of the "ping servers". This gives a location fix that is generally accurate to around 200km. The clever part of the algorithm is that with this rough fix you can determine which of the known machines are close to the target machine. You can then use a trace route to compare the routers that the known machines have in common with the target machine. Then, using transit times, the distance from a known server can be refined.

At this point the third level of refinement comes into play. Machines that are at ZIP codes within the area are used to fix the final location of the target machine. The algorithm searches for reliable ZIP code IP associations. Some machines are more likely to be located at the ZIP code of the entity owning them and these make good reference markers. The final measurement gives a location that is as good as 100m but typically is more like 700m. This is good enough to narrow down the location at the street level.

Notice that none of this needs the permission of the target machine and, in theory, it could be used to find out the location of any user to within a few hundred meters. The only defence is to use a proxy server but the technique can detect this and flag the fact that the user's location cannot be determined.

It is clear that this could be used for super localized advertising, finding cybercriminals or even political dissidents. Whatever you think of this we now know where you live - or at least where you connect to the internet from.

More information:

http://www.usenix.org/events/nsdi11/tech/full_papers/Wang_Yong.pdf

Yong Wang's home page