The U.S. National Security Agency has urged the Department of Defense and other national-security personnel to deactivate Bluetooth, Wi-Fi and GPS on their phones if those features are not being used.
In a new NSA advisory publicly issued yesterday (Aug. 4), the agency warned that these functions can put smartphone users at risk of being located when conducting sensitive government business. In fact, these functions could let any smartphone user be physically tracked.
“Location data can be extremely valuable and must be protected,” states the advisory. “It can reveal details about the number of users in a location, user and supply movements, daily routines (user and organizational), and can expose otherwise unknown associations between users and locations.”
While admitting that geolocation services are increasingly incorporated in mobile devices “by design” and serve an “essential” role in mobile communications, the NSA advisory said “users should be aware of these risks and take action based on their specific situation and risk tolerance.”
“When location exposure could be detrimental to a mission, users should prioritize mission risk and apply location-tracking mitigations to the greatest extent possible,” said the agency.
The advisory went on to explain how geolocation information can be easily exposed by mobile devices.
“Mobile devices inherently trust cellular networks and providers, and the cellular provider receives real-time location information for a mobile device every time it connects to the network.
“This means a provider can track users across a wide area. In some scenarios, such as 911 calls, this capability saves lives, whereas for personnel with location sensitivities, it may incur risks.”
NSA officials also warned that “disabling location services on a mobile device does not turn off GPS” and that this “does not significantly reduce the risk of location exposure.”
It said: “Disabling location services only limits access to GPS and location data by apps. It does not prevent the operating system from using location data or communicating that data to the network.”
The NSA added that location can be left exposed “even if cellular is turned off,” both by other connected devices (including smartwatches, smart home products and other IoT products) and by apps that ask to access location data.
In addition to suggesting that users turn off Wi-Fi and Bluetooth, the NSA had other recommendations for smartphone users who want to preserve their location privacy.
“Apps should be given as few permissions as possible,” said the NSA advisory. “Set privacy settings to ensure apps are not using or sharing location data.”
The NSA warned against installing any apps directly related to location, such as “maps, compasses, traffic apps, fitness apps, apps for finding local restaurants, and shopping apps.”
If such an app must be installed, it can be set to collect location data only when the app is actively in use.
The agency also urged that smartphone users minimize the collection of location data by ads: “Set privacy settings to limit ad tracking” and “Reset the advertising ID for the device … on a weekly basis” at minimum.
Several studies have shown that it’s fairly easy and cheap to use mobile ads to locate and track individual smartphone users.
Many owners of expensive smartphones might not like this recommendation, but the NSA also urged users to “turn off settings (typically known as FindMy or Find My Device settings) that allow a lost, stolen, or misplaced device to be tracked.”
It also suggested that smartphone users “minimize web browsing on the device as much as possible, and set browser privacy/permission location settings to not allow location-data usage.”
Finally, the agency suggested that users might want to “use an anonymizing Virtual Private Network (VPN) to help obscure location.”