The National Security Agency recommends that some government employees and those who are generally concerned about data protection turn off Find-My-Phone, Wi-Fi, and Bluetooth when these services are not needed, and restrict the use of location data by apps.
"Location data can be extremely valuable and must be protected," says a report published on Tuesday. "It can display details about the number of users at a location, user and delivery movements, daily routines (users and organization) and uncover otherwise unknown associations between users and locations."
NSA officials recognized that geolocation features are enabled by design and are essential for mobile communications. The officials also admit that the recommended protective measures are impractical for most users. Assignment, location tracking of lost or stolen phones, automatic connection to Wi-Fi networks, fitness trackers and apps are just a few of the things that require fine-grained locations to function.
The cost of convenience
However, these functions are costly. Opponents may be able to retrieve location data that app developers, advertising services and other third parties receive from apps and then store them in large databases. Opponents can also subscribe to services such as those offered by Securus and LocationSmart, two services documented by the New York Times and KrebsOnSecurity, respectively. Both companies tracked or sold locations of customers collected from the cell towers of the major mobile operators.
Not only did LocationSmart share this data with anyone who knew a simple trick to take advantage of a common class of website errors, but a vice reporter was also able to determine the real-time location of a phone by sending $ 300 to another service paid. The New York Times also published this sobering feature, which describes services that use mobile location data to track the history of millions of people over extended periods of time.
The warning also warns that tracking is often carried out even when the cellular service is switched off, since both Wi-Fi and Bluetooth also track locations and can transmit them to third parties connected to the Internet or with a sensor within radio range.
To prevent this type of data breach, the NSA recommends the following:
- Disable the location services settings on the device.
- Disable radios when not in active use: Disable BT and disable Wi-Fi when these features are not needed. Use airplane mode when the device is not in use. Make sure BT and Wi-Fi are disabled when airplane mode is enabled.
- Apps should get as few permissions as possible:
- Set privacy settings to ensure that apps don't use or share location data.
- Avoid using location-based apps where possible, because these apps inherently expose user location data. If used, the settings for data protection / location authorization for such apps should be set so that either the use of location data is not permitted or at most the use of location data is only permitted while the app is being used. Examples of location-based apps are maps, compasses, traffic apps, fitness apps, apps for locating local restaurants and shopping apps.
- Deactivate advertising permissions as much as possible:
- Set privacy settings to restrict ad tracking. Please note that these restrictions are at the discretion of the provider.
- Reset the advertising ID for the device regularly. This should be done at least weekly.
- Disable settings (usually referred to as FindMy or Find My Device settings) that can be used to track a lost, stolen, or misplaced device.
- Minimize internet surfing on the device as much as possible and set the settings for the privacy / authorization location of the browser so that the use of location data is not permitted.
- Use an anonymizing VPN (Virtual Private Network) to disguise the location.
- Minimize the amount of data with location information that is stored in the cloud where possible.
If it is important that the location for a particular mission is not disclosed, consider the following recommendations:
- Determine a non-sensitive location where devices with wireless functions can be secured before starting activities. Make sure that the mission site cannot be predicted from this location.
- leaving everything Devices with wireless functions (including personal devices) in this non-sensitive location. Turning the device off may not be enough if a device has been compromised.
- Use vehicles without integrated wireless communication functions for mission transport or switch off the functions if possible.
Mobile phone use means being tracked
Patrick Wardle, a MacOS and iOS security expert and former NSA hacker, said the recommendations are a "good start", but people who follow the recommendations shouldn't consider them absolutely worth protecting.
"As long as your phone connects to cellphone towers that it needs to use the cellular network … AFAIK that reveals your location," said Wardle, security researcher at macOS and iOS Jamf, the business management company, told me. "As always, it's a compromise between functionality / usability and security. However, if you're using a phone, you assume that you can be tracked."
He said that newer versions of iOS make it easy to follow many of the recommendations. When users open an app for the first time, they are asked whether the app should receive location data. If the user says yes, access can only be given when the app is open. This prevents apps from collecting data in the background over a longer period of time. iOS also does a good job of randomizing MAC addresses, which, if static, provide a unique identifier for each device.
Newer versions of Android also allow the same location permissions and randomly randomize MAC addresses when running on certain hardware (which is usually expensive).
For both operating systems, users must manually disable ad personalization and reset the advertising IDs. On iOS, users can do this under Settings> Privacy> Advertising. The Limit Ad Tracking slider should be enabled. The advertising identifier is located directly below the slider. Press on it and select Reset ID. In the privacy section, users should check which apps have access to location data. Make sure that as few apps as possible have access.
Change some settings
In Android 10, users can restrict ad tracking and reset advertising IDs by going to Settings> Privacy and clicking Ads. Both the reset advertising ID and the personalization to deactivate ads are available. To check which apps have access to location data, go to Settings> Apps & Notifications> Advanced> Permission Manager> Location. With Android, apps can collect data continuously or only when used. Only allow apps that actually require location data, and then try to restrict this access only when in use.
Tuesday's recommendation also recommends restricting the sharing of location information on social media and remote metadata that show sensitive locations before pictures are posted. The NSA also warns that location data from car navigation systems, portable devices such as fitness equipment and Internet of Things devices will be lost.
The advice is primarily aimed at military personnel and contractors whose location data can affect operations or expose them to personal risk. However, the information may be useful to others as long as they consider their threat model and weigh the acceptable risks against the benefits of different settings.