Jan 22, 2026

How Waze quietly built the world's largest crowdsourced surveillance system

harry@Harrris0n

AI Summary

This article exposes how the popular navigation app Waze has inadvertently built a global crowdsourced surveillance system through its core design. The central thesis is that every time a Waze user submits a traffic report, they broadcast their precise location, timestamp, and username, data which is made available through a public web map interface and can be systematically harvested and analyzed, posing a severe threat to personal privacy. The article details the technical mechanics of data collection: Waze's public interface provides each alert with GPS coordinates, millisecond-accurate timestamps, the reporter's username, and the report type. Although Waze caps the number of alerts returned per query, by segmenting cities into population-density-based grids and polling them every few minutes, approximately 95% of new alerts across major cities in 60+ countries can be captured. When plotted, these data points clearly visualize road networks. The nature of usernames exacerbates the risk: custom usernames are easily linked to other social media platforms for direct deanonymization, while system-allocated usernames (e.g., `world_xxx`) can also be identified by correlating location patterns with other open-source intelligence like social media check-ins, property records, or business addresses. The piece delves into the intelligence applications, such as proactively monitoring frequent visitors to a sensitive location (e.g., an embassy) or reactively investigating the historical movements of a person of interest. A more dystopian scenario involves correlating the millisecond-precise Waze report timestamps with live feeds from publicly accessible traffic cameras, which could theoretically identify the specific vehicle and owner of a reporting user in real-time. The article states that those at risk include politicians, executives, journalists, intelligence personnel, and anyone with a stalker. 
The concluding takeaway is that anyone who regularly uses Waze and submits reports is continuously broadcasting their movement patterns to anyone patient enough to collect the data, highlighting a fundamental design trade-off between convenience and privacy.

Waze is one of those apps that feels like magic. You're stuck in traffic, someone ahead reports a jam, and suddenly your route updates. Police speed trap ahead? A fellow driver already flagged it. It's crowdsourced navigation at its finest: millions of people helping millions of other people get where they're going faster.

But here's something most people don't think about: every time you tap that little "report" button, you're broadcasting your exact location, the precise time, and your username to anyone who knows where to look. And I mean anyone.

This isn't a vulnerability. It's not a bug. It's how the system was designed. Waze makes this data available through their public web map, and with a bit of patience and some basic scripting, you can turn that helpful traffic app into a global surveillance system capable of tracking individuals across 60 countries.

Let me show you how.

The Core Problem

When a Waze user submits a report (police ahead, traffic jam, hazard on road, whatever), that report appears on Waze's public web map. And attached to that report is the username of the person who submitted it.

That's it. That's the whole vulnerability. You report a pothole, and your username is now tied to a specific GPS coordinate at a specific time. Do that a few times a day during your commute, and you've just given anyone watching a detailed map of your daily movements.

The data captured for each report includes:

Exact GPS coordinates (latitude and longitude)

Timestamp (down to the millisecond)

Username of the reporter

Report type (police, traffic, hazard, etc.)

Country

String enough of these together for a single username, and you can build a surprisingly detailed profile of where someone lives, where they work, and what routes they take in between.

Getting Around Waze's Limitations

Waze isn't completely naive about this. They cap the number of alerts returned per query to 199, regardless of how large an area you're searching. Query all of Los Angeles? You'll get 199 alerts. Query a single intersection? Still capped at 199.

This makes it impossible to scrape an entire city in one request. A place like LA generates thousands of reports per hour, so you'd miss the vast majority of them.

So I got creative.

Instead of querying entire cities, I segmented them into hyperlocal geographic grids based on population density. Each grid cell covers roughly one million residents. Dense urban cores get smaller cells; sparse suburbs get larger ones.

Then I wrote a script that systematically queries each grid cell every 3-5 minutes. The script:

The result? I'm capturing approximately 95% of all new alerts across every major city in 60 countries. Every few minutes. Around the clock.
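From the map operator's side, this kind of collection leaves a recognizable trace: one client re-requesting the same set of bounding boxes on a steady 3-5 minute cycle. The following detection sketch is an added example, not code from the article or from Waze; the log format (`epoch client bbox`), the thresholds and the sample lines are all constructed assumptions.

```python
from collections import defaultdict


def periodic_pollers(log_lines, min_cells=3, min_hits=4, lo=180, hi=300):
    """Flag clients that re-request many distinct bounding boxes on a steady cycle.

    lo/hi bound the gap in seconds between repeats of the same box (3-5 minutes).
    Returns {client: number_of_steadily_polled_boxes}.
    """
    seen = defaultdict(lambda: defaultdict(list))  # client -> bbox -> [timestamps]
    for line in log_lines:
        ts, client, bbox = line.split()
        seen[client][bbox].append(int(ts))

    flagged = {}
    for client, cells in seen.items():
        steady = 0
        for times in cells.values():
            times.sort()
            gaps = [b - a for a, b in zip(times, times[1:])]
            if len(times) >= min_hits and all(lo <= g <= hi for g in gaps):
                steady += 1
        if steady >= min_cells:
            flagged[client] = steady
    return flagged


def sample_log():
    """Constructed access log: one grid poller and one ordinary map viewer."""
    cells = ["52.30,4.80,52.35,4.90", "52.35,4.80,52.40,4.90",
             "52.30,4.90,52.35,5.00", "52.35,4.90,52.40,5.00"]
    lines = []
    for i in range(5):                      # five sweeps, 240 s apart
        for j, cell in enumerate(cells):
            lines.append(f"{1700000000 + i * 240 + j} 203.0.113.7 {cell}")
    for t in (1700000010, 1700000050, 1700002000, 1700002030):
        lines.append(f"{t} 198.51.100.20 {cells[0]}")  # irregular human use
    return lines


if __name__ == "__main__":
    print(periodic_pollers(sample_log()))
```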

The Scale of the Data

Let me show you what this looks like when you plot it on a map. Each orange pixel represents a single user report:

[Map: Europe]

[Map: Middle East]

The coverage is remarkable. You can literally see the road networks emerge from the data—highways glow bright orange, arterial roads are clearly visible, even smaller streets in dense urban areas show up.

Understanding Waze Usernames

Here's where it gets interesting from an intelligence perspective. Waze usernames fall into two categories:

Custom Usernames: When users sign up, they're prompted to choose a username. And people being people, they often pick the same username they use everywhere else. `johndoe1985` on Waze is probably `johndoe1985` on Instagram, Twitter, LinkedIn, and a dozen other platforms.

Allocated Usernames: Users who skip registration get an auto-generated username following a specific pattern: `world_` followed by random characters (e.g., `world_xl868g9m`, `world_spy06g4z`).

Custom usernames are trivially easy to deanonymize. A quick search through any username lookup service, and you can often link a Waze username to social media profiles, which leads to real names, photos, employers, and more.

Allocated usernames are harder, but not impossible. More on that in a moment.

Tracking a Single User

Once you have a username, you can filter the historical data to see everywhere that user has submitted reports. Here's what that looks like for a single user over a three-day period in Amsterdam:

Each number on that map is a separate report. In just three days, this one user generated enough data points to clearly establish:

The general area where they likely live (cluster of morning reports)

The area where they likely work (cluster of daytime reports)

Their regular commute routes

Their approximate schedule

And remember: this user thought they were just helping other drivers avoid traffic.

Deanonymizing "Anonymous" Users

What about users with allocated usernames like `world_xl868g9m`? They didn't choose their username, so you can't search for it on other platforms. Game over, right?

Not quite.

You can deanonymize allocated usernames by correlating their location data with other open-source information. The process looks something like this:

It's not instant, but it's absolutely doable. And for high-value targets—politicians, executives, intelligence officers—it's worth the effort.

The Intelligence Applications

Let's be blunt about why this matters. This data is an intelligence goldmine.

Proactive Monitoring:

Want to know who's regularly driving past your embassy? Set up an alert for any username that appears within a certain radius more than X times per week. When someone trips the threshold, you've got a starting point for investigation.

Want to identify potential intelligence assets? Flag users who make reports in two geographically or politically interesting locations—say, someone who reports traffic in both Tehran and London, or both Moscow and Washington.

Reactive Investigation:

Already investigating someone? Search your database for usernames they're known to use. If there's a match, you've just added a detailed movement history to their file—possibly going back months or years.

Have a location connected to an investigation? Set up a radius alert and get notified whenever anyone submits a report nearby. Correlate the timing with other intelligence, and you might identify who was present at a specific place and time.

The Traffic Camera Multiplier

Here's where it gets properly dystopian.

Thousands of cities have publicly accessible traffic cameras. These cameras often have live feeds available on municipal websites. And Waze reports are timestamped to the millisecond.

Do you see where this is going?

The report timestamps are precise enough that you could, in theory, automatically identify the vehicle (and by extension, the owner) of anyone who submits a Waze report in a camera-monitored location.

I haven't built this. But someone will. Maybe someone already has.

Who's at risk?

Let's be realistic about the threat model here.

Definitely at risk:

Politicians (or their drivers)

Executives and celebrities

Intelligence officers and military personnel

Journalists working sensitive beats

Anyone with a stalker or abusive ex-partner

Probably at risk:

Activists in authoritarian countries

Criminals (useful for law enforcement, concerning for vigilantes)

Anyone involved in custody disputes

Really, anyone who values their location privacy

The uncomfortable truth is that *anyone* who uses Waze regularly and submits reports is continuously broadcasting their location to anyone patient enough to collect it.

Global Coverage

This isn't a US problem or a Europe problem. The data collection covers 60+ countries:

Albania, Argentina, Australia, Austria, Belgium, Bosnia and Herzegovina, Brazil, Bulgaria, Canada, Chile, China, Colombia, Costa Rica, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, India, Indonesia, Ireland, Israel, Italy, Japan, Korea, Kosovo, Latvia, Lithuania, Luxembourg, Malaysia, Mexico, Namibia, Netherlands, New Zealand, Nicaragua, Norway, Peru, Poland, Portugal, Romania, Russia, Serbia, Singapore, Slovakia, Slovenia, South Africa, Spain, Suriname, Sweden, Switzerland, Thailand, Turkey, Ukraine, the United Kingdom, the USA, and Vietnam.

If Waze operates there, the data can be collected there.

Why I Built This

The honest answer? To prove it could be done.

It's one thing to say "Waze could theoretically be used for surveillance." It's another to actually build the system, collect the data, and show what a global movement-tracking database looks like.

My hope is that this demonstration prompts Waze (and Google, who owns them) to reconsider the privacy tradeoffs in their design. There are ways to maintain the crowdsourced benefits while protecting user privacy: anonymizing reporter usernames on the public map, for instance, or adding a delay before reports become visible.

Whether they'll actually do anything is another question. But at least now people know what's possible.
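A sketch of the two mitigations suggested above (anonymized reporter identifiers and delayed visibility), extended with timestamp coarsening to remove the millisecond precision discussed earlier. This is an added example, not Waze's code or the author's; the field names, delay, bucket size, key and sample reports are assumptions.

```python
import hashlib
import hmac

DELAY_MS = 10 * 60 * 1000   # assumed hold-back before a report becomes public
BUCKET_MS = 5 * 60 * 1000   # assumed timestamp granularity on the public map


def report_token(secret: bytes, username: str, report_id: str) -> str:
    """Opaque per-report token: two reports by one user get unrelated tokens."""
    msg = f"{username}\x00{report_id}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:16]


def publish_view(alert: dict, secret: bytes, now_ms: int):
    """Return the record that may be exposed publicly, or None while held back."""
    if now_ms - alert["ts_ms"] < DELAY_MS:
        return None
    return {
        "type": alert["type"],
        "lat": alert["lat"],
        "lon": alert["lon"],
        # Floor to the bucket so the public value has no millisecond precision.
        "ts_ms": alert["ts_ms"] - alert["ts_ms"] % BUCKET_MS,
        # The username never leaves the server; only the keyed token does.
        "reporter": report_token(secret, alert["username"], alert["id"]),
    }


def public_feed(alerts, secret: bytes, now_ms: int):
    views = (publish_view(a, secret, now_ms) for a in alerts)
    return [v for v in views if v is not None]


# Constructed sample data: two reports by the same made-up user.
SECRET = b"constructed-demo-key"
ALERTS = [
    {"id": "r1", "username": "world_example1", "type": "hazard",
     "lat": 52.3702, "lon": 4.8952, "ts_ms": 1_700_000_123_456},
    {"id": "r2", "username": "world_example1", "type": "police",
     "lat": 52.3791, "lon": 4.9003, "ts_ms": 1_700_000_900_789},
]

if __name__ == "__main__":
    now = ALERTS[0]["ts_ms"] + DELAY_MS + 1   # r1 is old enough, r2 is not
    for record in public_feed(ALERTS, SECRET, now):
        print(record)
```

Because the token is keyed on both the username and the report id, the public feed cannot be grouped by reporter, which is the step the tracking described in this article depends on.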

Protecting Yourself

If you use Waze and you're concerned about this:

Don't submit reports. The tracking only works if you actively report things. Passive navigation doesn't expose you.

Use an allocated username. Don't sign up with Google or choose a custom username. The `world_xxxxx` usernames are harder (though not impossible) to deanonymize.

Avoid patterns. If you must report, avoid doing it at the same times and places every day. The patterns are what enable identification.

Consider alternatives. Google Maps and Apple Maps offer similar navigation without the public reporting system.

Or just accept that this is the world we live in now, where using a helpful traffic app means broadcasting your movements to anyone who cares to look.

Your call.

This research is published by Covert Labs to raise awareness about location privacy risks in consumer applications. The data collection methodology described here is provided for educational purposes. Please use this information responsibly.