Using signed Java applets under default security settings, Java is allowed access to system calls. Using these calls, one can calculate the default gateway IP of a site visitor (netstat -rn) and then use the ARP table to determine the MAC address of the user's default gateway (arp -a).
Plugging that MAC address into Google's Geolocation API gives either a pretty accurate location, or a GeoIP-only location if Google does not know the MAC address. Unscrupulous site operators could then use JSON or AJAX from the running applet to send the resulting location back to their systems and locate website users, with the minimum level of accuracy being GeoIP, the maximum level of accuracy being as accurate as Google's DB (it locates me to the house next door).
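A defender-side view of the behaviour described above, as an added example that is not part of the original post: a small detection that flags a Java plug-in process spawning `netstat -rn` and `arp -a`. The event schema, the Java process names and the sample events are assumptions constructed for illustration.

```python
from collections import defaultdict

# Assumed process names for the JVM / Java browser plug-in that hosts applets.
JAVA_HOSTS = {"java", "javaw", "jp2launcher"}
# The two lookups the post names: routing table (netstat -rn) and ARP cache (arp -a).
LOOKUPS = {"netstat": {"-rn", "-nr", "-r"}, "arp": {"-a"}}

# Constructed process-creation events (hypothetical schema, not real telemetry).
SAMPLE_EVENTS = [
    {"host": "ws-01", "ppid": 4120, "cmdline": "netstat -rn",
     "parent": r"C:\Program Files\Java\jre7\bin\jp2launcher.exe"},
    {"host": "ws-01", "ppid": 4120, "cmdline": r'"C:\Windows\System32\ARP.EXE" -a',
     "parent": r"C:\Program Files\Java\jre7\bin\jp2launcher.exe"},
    {"host": "ws-02", "ppid": 900, "cmdline": "arp -a",
     "parent": r"C:\Windows\System32\cmd.exe"},        # admin at a shell: ignored
    {"host": "ws-03", "ppid": 77, "cmdline": "ping 10.0.0.1",
     "parent": "/usr/lib/jvm/bin/java"},               # Java parent, unrelated child
    {"host": "ws-04", "ppid": 5000, "cmdline": "netstat -rn",
     "parent": r"C:\Program Files\Java\jre7\bin\javaw.exe"},
]

def basename(path):
    """Lower-cased executable name without directory, quotes or .exe suffix."""
    name = path.strip('"').replace("\\", "/").rsplit("/", 1)[-1].lower()
    return name[:-4] if name.endswith(".exe") else name

def lookup_tool(cmdline):
    """Return 'netstat' or 'arp' when cmdline is one of the lookups, else None."""
    parts = cmdline.split()
    if not parts:
        return None
    tool = basename(parts[0])
    flags = {p.lower() for p in parts[1:]}
    return tool if flags & LOOKUPS.get(tool, set()) else None

def find_gateway_lookups(events):
    """Group lookups by (host, Java parent PID); both tools together rate 'high'."""
    seen = defaultdict(set)
    for ev in events:
        tool = lookup_tool(ev["cmdline"])
        if tool and basename(ev["parent"]) in JAVA_HOSTS:
            seen[(ev["host"], ev["ppid"])].add(tool)
    return [(host, ppid, sorted(tools), "high" if len(tools) == 2 else "medium")
            for (host, ppid), tools in sorted(seen.items())]

if __name__ == "__main__":
    for alert in find_gateway_lookups(SAMPLE_EVENTS):
        print(alert)
```

Legitimate Java desktop tools occasionally call `netstat` on their own, so a single lookup is rated lower than the netstat-plus-arp pair from the same parent process.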