Take it from the experts: There is no way to fully eliminate the risk that a mobile device is exposing location data to somebody trying to track it, but there are ways to limit what leaks and why.
That’s the main theme from guidance issued Tuesday by the U.S. National Security Agency, which directed its advice to Department of Defense personnel and other national security programs but published the document publicly.
The guidance explains the different kinds of location information that can be used to locate mobile devices and their users, provides an analysis of misconceptions about location data, and recommends ways to help users protect themselves.
The NSA warns, for instance, that in addition to mobile devices storing location data in their own logs, cellular networks receive real-time coordinates for cellphones every time they connect to the network. That communication with the network also can make location information vulnerable.
“This means a provider can track users across a wide area. In some scenarios, such as 911 calls, this capability saves lives, whereas for personnel with location sensitivities, it may incur risks,” the NSA notes in the guidance. “If an adversary can influence or control the provider in some way, this location data may be compromised.”
Bad actors using devices that imitate legitimate cellular towers could also obtain sensitive location information even without providers’ cooperation, the NSA warns.
The guidance comes amid months of ongoing protests around the U.S. against police brutality and racial injustice. And although the guidance is targeted toward U.S. federal government users, it could have broad appeal as concerns mount that law enforcement agencies are interested in tracking crowds during protests.
The public is definitely in mind
The NSA’s primary mission is signals intelligence for the U.S. military and the intelligence community, so it is intimately familiar with how to track cellphone locations around the world, as former NSA contractor Edward Snowden revealed in 2013. But the guidance issued Tuesday comes from a new directorate the NSA established in 2019 to focus on cybersecurity. One of its goals has been to issue more public guidance and advice on cybersecurity, in recognition that it can do more to spread awareness of cybersecurity issues.
“Location data can be extremely valuable and must be protected. It can reveal details about the number of users in a location, user and supply movements, daily routines (user and organizational), and can expose otherwise unknown associations between users and locations,” the NSA warns. “Mitigations reduce, but do not eliminate, location tracking risks in mobile devices … Users should be aware of these risks and take action based on their specific situation and risk tolerance.”
Even if users turn off cellular service on a mobile device, the NSA warns, Wi-Fi and Bluetooth can still be used to identify a user’s location. Disabling a phone’s location services — the geolocation data that devices provide to apps — also has a limited effect.
“Perhaps the most important thing to remember is that disabling location services on a mobile device does not turn off GPS, and does not significantly reduce the risk of location exposure,” the guidance states. “Also important to remember is that GPS is not the same as location services. Even if GPS and cellular data are unavailable, a mobile device calculates location using Wi-Fi and/or [Bluetooth].”
To reduce the risk of location data exposure, the NSA recommends users disable location services, advertising permissions, Bluetooth and Wi-Fi when they’re not in use, and Find My Device settings that allow lost or stolen devices to be tracked. The DOD signals intelligence agency also recommends giving apps as few permissions as possible, minimizing the amount of data containing location information that is stored in the cloud, setting browser privacy settings to block location data usage, and using a Virtual Private Network (VPN).
Smart devices and social media
The NSA also warns that the risks of being tracked through location information are not exclusive to cellphones. Users should also consider the risks of using smart watches, fitness trackers, and other internet of things (IoT) devices, even gadgets such as smart thermostats that don’t leave the house.
The guidance comes approximately one week after the smartwatch and wearables company Garmin confirmed it had been the victim of a ransomware attack.
“Anything that sends and receives wireless signals has location risks similar to mobile devices. This includes, but is not limited to, fitness trackers, smart watches, smart medical devices, Internet of Things (IoT) devices, and built-in vehicle communications,” the NSA states. “These security and privacy issues could result in these devices collecting and exposing sensitive location information about all devices that have come into range of the IoT devices. Geolocation information contained in data automatically synced to cloud accounts could also present a risk of location data exposure.”
Users should also be cautious of what they share on social media since many applications may collect and share information that reveals a user’s location, the NSA warned, noting that sharing photos online may expose sensitive location data stored in metadata.
“Many apps request permission for location and other resources that are not needed for the function of the app. Users with location concerns should be extremely careful about sharing information on social media,” the guidance says. “If errors occur in the privacy settings on social media sites, information may be exposed to a wider audience than intended.”