In recent months, America’s National Security Agency has shown an increasing willingness to share its cyber advice publicly. In April, the agency stepped into the secure messaging debate, ironically recommending encrypted platforms like WhatsApp and Signal which are under scrutiny from lawmakers. And this month NSA has published its views on cellphone location tracking.
In its August 4 guidance, NSA warns that the location of any powered-on smartphone can have its location tagged. How much of an issue that is depends on the specific user and their fear of surveillance. Its advice, NSA says, is intended primarily for military and intel personnel—but all mobile users might find it useful. And, sure enough, it’s another reminder to pay attention to the extent of location tracking on your devices.
The mobile advertising industry and the permission abuse among app developers has borne the brunt of recent criticism. This hasn’t been helped by public examples of just how powerful this data can be—coronavirus and protester tracking maps come to mind. The CEO of one mobile tracking firm told me his company stores “hundreds of petabytes of historic data,” covering 1.6 billion devices and 25 billion daily data points globally. But, beyond apps, any connected radio signal can locate your phone.
“Even if cellular service is turned off on a mobile device,” NSA says, “Wi-Fi and Bluteooth can determine a user’s location. Inconspicuous equipment can determine signal strength and calculate location… Even if all wireless radios are disabled, numerous sensors on the device provide sufficient data to calculate location.”
Clearly, the guidance goes to extremes—everyday users will want their smartphones to keep being useful, and turning off any service that provides any kind of tracking risk is not going to happen. But while this advice is geared towards those in service, it also contains some useful pointers for journalists, lawyers, dissidents and others operating in regimes that might use the network infrastructure to track users.
The location tracking industry’s defense against data collection is the claim it’s all anonymous and amortised, that unique identifiers don’t identify individuals. That, though, has been debunked by previous reports that have reverse-engineered tracking data to specific people. And if you’re targeted by someone with access to network information and your home or work location, then that’s fairly easily done.
The NSA guidance also covers IoT devices, which have promoted a wide range of cyber warnings in recent years as our keenness to connect all manner of smart devices seemingly shows no limits. NSA has military operations in mind, the use of such data to calculate forward positions, troop movements and build-ups, incursions. Taking that advice to its extreme, phones are powered down and stored in boxed locations.
The risks are real. We have seen fitness tracking devices inadvertently disclose the locations and habits of military personnel in the past, and geotagged social media posts have long been an intel source on enemy personnel.
For the rest of us, the advice is to regularly review the location permissions on our Android or iPhone devices, to restrict the apps we install and to carefully review the permissions we give to them and to disable advertising permissions.
For those living and working in more restrictive countries or in high-risk professions, you would also be well-advised to use a VPN, to disable any FindMyDevice service and to limit browsers from being able to tailor content by your location.
Google and especially Apple are cracking down on indiscriminate location tracking. Apple in particular has called time on apps that monetise thousands of daily pings on the locations of its users—a serious issue for the industry and collectors like Facebook. All of which is great news for users—it’s about time.
Be aware, though—and this is the main takeaway from the NSA guidance—that your phone knows where you are at all times when it’s connected to any kind of network. There’s nothing you can do to prevent this, bar physically switching off the phone.