The NSA’s advice on limiting location data exposure
This week the US National Security Agency (NSA) published, rather ironically, a 3 page long document on the privacy risks posed by mobile devices.
Ironically, because the wider global public nearly exclusively associates the NSA (for years jokingly referred to as “No Such Agency”) with their mass digital surveillance and privacy infringements programs revealed by the Agency’s most famous whistleblower, Edward Snowden.
This time it seems the NSA is looking out for the average citizen as opposed to spying on them (even though the document appears to be primarily directed to the US military and government employees).
The agency’s report highlights risks posed by mobile phone location data, which can reveal a wealth of details about the number of users in a location, users’ movements and their daily routines.
These findings are nothing new and anybody who is interested in digital privacy is familiar with the topic.
Nevertheless, it’s valuable to have a professional digital intelligence agency highlight these things and organise them according to the risk.
The main takeaways of the NSA report
- Mobile phone carriers are omniscient when it comes to tracking users through cellular networks. They also monetise the location data which they sell to third parties.
- Commercially available rogue base stations* for mobile phone signal transmission can be used for nefarious purposes. Mobile devices will automatically try to connect to those, if their signal is stronger than the real cellular network in a particular locality.
- Websites can use browser fingerprinting to harvest location information, while WiFi access points and Bluetooth sensors can reveal it.
- GPS is NOT the same as location services. Even if GPS / cellular data are unavailable, a mobile device can calculate and identify its own location using Wi-Fi connectivity.
- Location data is also collected by various wearable gadgets such as fitness trackers, smart watches, smart medical devices and Internet of Things (IoT) devices. Their security features can be low or simply non existent. In some cases it is not possible to secure IoT devices and prevent them from sharing their location with cloud services and systems.
- Smartphone apps and social media can still collect and reveal location even if restricted by settings; be it through misconfiguration, errors or hidden metadata.
*A rogue base station is a mobile phone GSM signal interceptor that operates outside of the boundaries set by the regulated mobile network providers. It exploits the vulnerabilities of the over 30-years old GSM technology (traditional SMS and phone calls). A home made, amateur GSM spy kit can be built for about 1000 USD. More details on how this may be done can be found here.
- Disable location services using devices settings.
- Disable any equipment with Wi-Fi capabilities / use airplane mode if a device is not in use.
- Limit apps permissions to the bare minimum. Leverage privacy settings where possible.
- Do not use apps such as fitness trackers, compasses, maps.
- Do not use wearable IoT gadgets.
- Disable advertising wherever you see it. If not possible, reset the advertising ID frequently.
- Do not use the “Find my Phone” features.
- Do not browse the web on mobile devices.
- Use a VPN.
- Avoid using cloud storage.
- The best countermeasure of all is leaving a mobile device behind, turned off, in a Faraday bag…
Do all these privacy precautions sound unrealistic?
That’s because to a large extent they are, at least to the average person who is relying on mobile devices on a daily basis.
Next week I want to cover another angle of digital privacy violations in our homes – the smart TVs…