The NSA released a new advisory in August, cautioning readers to prevent data collection from being collected unless absolutely needed.
The advisory covers how mobile devices give off location and GPS data, independent of any downloaded apps, and how it’s done via bluetooth and other wireless connections, meaning locations can still be determined even if cellular service is turned off on devices.
On the subject of apps, the NSA recommends turning off location services and location data collection on apps unless necessary but also makes a note that photos, within metadata and the contents of the photo itself, may also give off information tied to location.
Ars Technica, covering the NSA document, provides additional recommendations and steps you can take to better improve your app and location privacy on Android and iOS devices.
Here are the NSAs recommendations:
- Disable location services settings on the device.
- Disable radios when they are not actively in use: disable BT and turn off Wi-Fi if these capabilities are not needed.
- Use Airplane Mode when the device is not in use. Ensure BT and Wi-Fi are disabled when Airplane Mode is engaged.
- Apps should be given as few permissions as possible:
- Set privacy settings to ensure apps are not using or sharing location data.
- Avoid using apps related to location if possible, since these apps inherently expose user location data. If used, location privacy/permission settings for such apps should be set to either not allow location data usage or, at most, allow location data usage only while using the app. Examples of apps that relate to location are maps, compasses, traffic apps, fitness apps, apps for finding local restaurants, and shopping apps.
- Disable advertising permissions to the greatest extent possible:
- Set privacy settings to limit ad tracking, noting that these restrictions are at the vendor’s discretion.
- Reset the advertising ID for the device on a regular basis. At a minimum, this should be on a weekly basis.
- Turn off settings (typically known as FindMy or Find My Device settings) that allow a lost, stolen, or misplaced device to be tracked.
- Minimize web-browsing on the device as much as possible, and set browser privacy/permission location settings to not allow location data usage.
- Use an anonymizing Virtual Private Network (VPN) to help obscure location.
- Minimize the amount of data with location information that is stored in the cloud, if possible.
They also have recommendations for “missions” where it’s critical that a location is not revealed. In cases where you’re certain you don’t want your whereabouts tracked or revealed, consider these steps.
- Determine a non-sensitive location where devices with wireless capabilities can be secured prior to the start of any activities. Ensure that the mission site cannot be predicted from this location.
- Leave all devices with any wireless capabilities (including personal devices) at this non-sensitive location. Turning off the device may not be sufficient if a device has been compromised.
- For mission transportation, use vehicles without built-in wireless communication capabilities, or turn off the capabilities, if possible.