We've been noticing that while virtually all sites reflect Winston anonymous IP exit points, local searches on Google often did not. A little digging turned up that they were in fact receiving requests from the exit points but were correctly guessing the location of the searcher behind them. Very curious!
Further experiments showed that Google has implemented a fast, sophisticated (and obviously automated) machine learning user tracking platform. This platform is correlating IP addresses with searchers and producing accurate guesses as to the location and identity of the searcher. This works even in incognito mode, when using a VPN and when cookies are blocked.
Some of the data we hypothesize is being used as input to this tracking platform includes:
* Home/Work addresses of users logged into Google
* Mobile device location on Android devices (used to generate the above)
* Tracking codes hidden in the X-Client-Data cookie
* Tracking codes hidden in various query parameters
* Tracking codes hidden in referrer strings
* Fonts supported by the user's device/browser
Furthermore, we detected individual tracking data hidden in cookies, HTML5 local storage, session storage and IndexedDB.
We've implemented countermeasures which appear to be effective in eliminating enough information entropy to make individual user data difficult to guess, provided the user is not logged in to any Google service. This should result in a significantly greater percentage of Google queries being successfully cloaked, and we've confirmed that queries are now reflecting a disguised location in most cases.
We'll continue to monitor. We'd like to ensure Google services continue to work properly before we get too aggressive. In the meantime, we'd appreciate any examples of Google queries not being cloaked when they should be. Screenshots, URLs, cookies and other diagnostic information would be very helpful.
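To make the request-level inputs listed above concrete, here is an added example (not Winston's countermeasure code) of a filter that scrubs an outbound search request down to an allowlist of query parameters and drops the headers that can carry per-user state. The allowlist, the stripped-header set, the function name and the sample request are all assumptions made for illustration, and X-Client-Data is treated as a request header.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Assumption: the only query parameters a search needs in order to work.
ALLOWED_PARAMS = {"q", "hl", "tbm", "start", "num"}
# Assumption: request headers that can carry per-user or cross-page state.
STRIPPED_HEADERS = {"x-client-data", "cookie", "referer"}

# Constructed sample request; every identifier value is a placeholder.
SAMPLE_URL = ("https://www.google.com/search?q=coffee+near+me&hl=en"
              "&ei=CONSTRUCTED1&ved=CONSTRUCTED2&sxsrf=CONSTRUCTED3")
SAMPLE_HEADERS = {
    "User-Agent": "ExampleBrowser/1.0",
    "X-Client-Data": "CONSTRUCTED==",
    "Referer": "https://www.google.com/",
    "Cookie": "id=CONSTRUCTED",
    "Accept-Language": "en-US",
}


def sanitize_request(url, headers):
    """Return (clean_url, clean_headers, removed) for an outbound request."""
    parts = urlsplit(url)
    kept, removed = [], []
    # Allowlist rather than blocklist: unknown parameters are dropped by default.
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name in ALLOWED_PARAMS:
            kept.append((name, value))
        else:
            removed.append("param:" + name)
    clean_headers = {}
    for name, value in headers.items():
        # Header names are case-insensitive, so compare in lower case.
        if name.lower() in STRIPPED_HEADERS:
            removed.append("header:" + name.lower())
        else:
            clean_headers[name] = value
    # Rebuild the URL with only the kept parameters and no fragment.
    clean_url = urlunsplit(
        (parts.scheme, parts.netloc, parts.path, urlencode(kept), ""))
    return clean_url, clean_headers, removed


if __name__ == "__main__":
    url, hdrs, removed = sanitize_request(SAMPLE_URL, SAMPLE_HEADERS)
    print(url)
    print(hdrs)
    print(removed)
```

A filter like this only covers what travels in the request line and headers; font enumeration and browser-side storage (local storage, session storage, IndexedDB) have to be handled in the browser itself.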