How To Limit Android And iOS Location Data Exposure, According To The NSA

Google's Android and Apple's iOS are two of the most popular mobile operating systems. This means that most people in the world are likely to be users of one or the other.

The National Security Agency (NSA) is the national-level intelligence agency of the U.S. Department of Defense. Responsible for global monitoring, collection, and processing of information and data for foreign and domestic intelligence and counterintelligence purposes, the agency certainly has the knowledge, experience and the expertise in tracking people.

In guidance issued in August 2020, the agency warned that any location-enabled smartphone can have its position tagged.

The NSA's advice is intended primarily for military and intel personnel. But with the guidance shared publicly, all mobile users should find it useful. For others, it can serve as a reminder that location tracking on mobile devices is scarier than it sounds.

The NSA's guidance even goes to extremes.

"Using a mobile device—even powering it on—exposes location data. Mobile devices inherently trust cellular networks and providers, and the cellular provider receives real-time location information for a mobile device every time it connects to the network."

Casual mobile users who don't really care about privacy may be careless about their phone's settings. Those who care a bit more about privacy may fiddle with their phone's settings to toggle some sensors off, thinking that this will stop tracking from happening.

They are wrong.

"Even if cellular service is turned off on a mobile device," the NSA said, "Wi-Fi and Bluetooth can determine a user's location. Inconspicuous equipment can determine signal strength and calculate location... Even if all wireless radios are disabled, numerous sensors on the device provide sufficient data to calculate location."

Furthermore, the claim by trackers that they only collect data anonymously, without any unique identifier that could tie the data to a user, is also not completely true.

Big data that contains anonymous user data can be reverse-engineered to target specific people. And if the target has been using an identified network or has been visiting a known physical address, pinpointing them becomes much easier for anyone.

"Location data can be extremely valuable and must be protected. It can reveal details about the number of users in a location, user and supply movements, daily routines (user and organizational), and can expose otherwise unknown associations between users and locations," the NSA said.

This is what many journalists, lawyers, dissidents and others that operate in the regimes have done to track users.

The NSA also explained a common public misconception about the difference between location services and GPS.

"A mobile device provides geolocation data as a service to apps. This is known as location services, and users can disable them in the settings of a device. Perhaps the most important thing to remember is that disabling location services on a mobile device does not turn off GPS, and does not significantly reduce the risk of location exposure," the NSA explained.

This is because disabling location services only limits access to GPS and location data by apps. It does not prevent the operating system from using location data or communicating that data to the network.

The agency clarified that location services aren't the same as GPS.

This is why, even if GPS and cellular data are not available, mobile devices can still calculate a rough location using Wi-Fi and/or Bluetooth. Apps and websites can also use other sensor data (that does not require user permission) and web browser information to obtain or infer location information.

The NSA guidance also covers IoT devices, which have prompted a wide range of cyber warnings. The agency reiterated that "anything that sends and receives wireless signals has location risks similar to mobile devices."

This includes, but is not limited to: fitness trackers, smart watches, smart medical devices, Internet of Things (IoT) devices, and built-in vehicle communications.

This is because those devices can have built-in wireless features. And unfortunately, they tend to have very little, if any, security built into them.

"These security and privacy issues could result in these devices collecting and exposing sensitive location information about all devices that have come into range of the IoT devices. Geolocation information contained in data automatically synced to cloud accounts could also present a risk of location data exposure if the accounts or the servers where the accounts are located are compromised," the NSA explained.

The precautions don't end there.

Apps installed on phones can also collect, aggregate, and transmit information that can be used to expose users' location. This is particularly true because it has become common for apps to request permissions they don't need in order to function.

"Users with location concerns should be extremely careful about sharing information on social media. If errors occur in the privacy settings on social media sites, information may be exposed to a wider audience than intended. Pictures posted on social media may have location data stored in hidden metadata. Even without explicit location data, pictures may reveal location information through picture content," the NSA added.

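To make the hidden-metadata point concrete, here is an added example (not from the NSA guidance or the original article) that checks a JPEG's Exif header for the GPS pointer tag and removes the APP1 metadata segments before the file is shared. The sample image bytes are constructed, and the function names are this example's own.

```python
import struct

GPS_IFD_TAG = 0x8825  # IFD0 tag that points at the GPS sub-directory

def segments(jpeg):
    """Yield (marker, start, end) for each header segment before image data."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker == 0xDA:  # start of scan: compressed pixels follow
            break
        (length,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        yield marker, pos, pos + 2 + length
        pos += 2 + length

def exif_has_gps(payload):
    """True if the Exif payload's first IFD contains a GPS pointer entry."""
    tiff = payload[6:]  # skip the b"Exif\0\0" prefix
    order = "<" if tiff[:2] == b"II" else ">"
    (ifd0,) = struct.unpack(order + "I", tiff[4:8])
    (count,) = struct.unpack(order + "H", tiff[ifd0:ifd0 + 2])
    tags = (tiff[ifd0 + 2 + 12 * i:ifd0 + 4 + 12 * i] for i in range(count))
    return any(t == struct.pack(order + "H", GPS_IFD_TAG) for t in tags)

def find_gps(jpeg):
    """Report whether any Exif APP1 segment carries GPS data."""
    return any(m == 0xE1 and jpeg[s + 4:e].startswith(b"Exif\0\0")
               and exif_has_gps(jpeg[s + 4:e]) for m, s, e in segments(jpeg))

def strip_app1(jpeg):
    """Drop every APP1 segment (Exif and XMP); pixels are left untouched."""
    out, last = bytearray(), 0
    for marker, start, end in segments(jpeg):
        if marker == 0xE1:
            out += jpeg[last:start]
            last = end
    return bytes(out) + jpeg[last:]

def sample_jpeg():
    """Constructed sample: SOI, Exif APP1 with a GPS pointer, SOS stub, EOI."""
    ifd0 = struct.pack("<HHHIII", 1, GPS_IFD_TAG, 4, 1, 26, 0)
    gps_ifd = struct.pack("<HI", 0, 0)  # empty GPS directory at offset 26
    payload = b"Exif\0\0" + b"II*\0" + struct.pack("<I", 8) + ifd0 + gps_ifd
    app1 = b"\xff\xe1" + struct.pack(">H", len(payload) + 2) + payload
    return b"\xff\xd8" + app1 + b"\xff\xda\x00\x02" + b"\xff\xd9"

if __name__ == "__main__":
    img = sample_jpeg()
    print(find_gps(img), find_gps(strip_app1(img)))
```

Stripping metadata does not address the last part of the quote: the picture content itself can still reveal where it was taken.
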
Mitigations

The NSA is known to work alongside other agencies, like the Central Intelligence Agency (CIA), to track and eavesdrop on high-value targets. In other words, the agency knows more than a thing or two about where these things come from.

This also means the agency knows how to at least prevent them, even at a military scale.

"Different users accept different levels of risk regarding location tracking, but most users have some level of concern," said the NSA, as it described the following general mitigation methods:

  • Disable location services settings on the device.
  • Disable radios when they are not actively in use: disable Bluetooth and turn off Wi-Fi if these capabilities are not needed.
  • Use Airplane Mode when the device is not in use. Ensure both Bluetooth and Wi-Fi are disabled when Airplane Mode is engaged.
  • Apps should be given as few permissions as possible.
  • Disable advertising permissions to the greatest extent possible.
  • Turn off settings (typically known as FindMy or Find My Device settings) that allow a lost, stolen, or misplaced device to be tracked.
  • Minimize web-browsing on the device as much as possible, and set browser privacy/permission location settings to not allow location data usage.
  • Use an anonymizing Virtual Private Network (VPN) to help obscure location.
  • Minimize the amount of data with location information that is stored in the cloud, if possible.

"Mitigations reduce, but do not eliminate, location tracking risks in mobile devices. Most users rely on features disabled by such mitigations, making such safeguards impractical. Users should be aware of these risks and take action based on their specific situation and risk tolerance," the NSA said.

While it may not always be possible to completely prevent the exposure of location information, it is possible, through careful configuration and use, to significantly reduce the amount of location data shared.

"Awareness of the ways in which such information is available is the first step."