NSA Offers Advice On How To Reduce Location Tracking Risks
The U.S. National Security Agency (NSA) today published guidance on how to expose as little location information as possible while using mobile and IoT devices, social media, and mobile apps.
As the agency explains, protecting your geolocation data can be the difference between being tracked wherever you go or knowing that your location can’t be used to monitor your movements and daily routine.
“Location data can be extremely valuable and must be protected,” the NSA explains [PDF]. “It can reveal details about the number of users in a location, user and supply movements, daily routines (user and organizational), and can expose otherwise unknown associations between users and locations.”
However, as the NSA adds, “[w]hile the guidance in this document may be useful to a wide range of users, it is intended primarily for NSS/DoD system users.”
Location exposure risks
Devices like smartphones and tablets use a combination of methods to determine a user’s location, including the Global Positioning System (GPS) and wireless signals such as Wi-Fi, cellular, and Bluetooth.
Disabling these radios can drastically reduce the exposed location data by blocking devices from sharing real-time geolocation information with cellular providers or rogue base stations when powered on or during use.
This can also prevent threat actors from determining your device’s location with the help of wireless sniffers which calculate it based on signal strength.
However, even after being disabled, some device radios may still transmit saved location information when they are re-enabled.
IoT devices also add to the location data exposure risks since they can store location information about other devices in their range, information that can later be exposed when accessed and viewed by unauthorized third parties.
Using apps with permissions to use your location also increases the risk of exposing your geolocation data, as does sharing photos with embedded location data on social media.
“Apps, even when installed using the approved app store, may collect, aggregate, and transmit information that exposes a user’s location,” the NSA adds.
“Geolocation information contained in data automatically synced to cloud accounts could also present a risk of location data exposure if the accounts or the servers where the accounts are located are compromised.
“Other examples of risk exist: websites use browser fingerprinting to harvest location information, and Wi-Fi access points and Bluetooth sensors can reveal location information.”
Mitigation measures to limit location exposure
Depending on how much location exposure risk users are comfortable with, the NSA shared a number of measures that should lower the risk of exposing one’s location while using mobile devices and apps.
However, “[p]erhaps the most important thing to remember is that disabling location services on a mobile device does not turn off GPS, and does not significantly reduce the risk of location exposure,” the NSA explains.
“Disabling location services only limits access to GPS and location data by apps. It does not prevent the operating system from using location data or communicating that data to the network.”
The NSA says that those who want to prevent location data collection from their devices can take these mitigation measures to limit their exposure:
• Disable location services settings on the device.
• Disable radios when they are not actively in use: disable BT and turn off Wi-Fi if these capabilities are not needed. Use Airplane Mode when the device is not in use. Ensure BT and Wi-Fi are disabled when Airplane Mode is engaged.
• Apps should be given as few permissions as possible.
• Disable advertising permissions to the greatest extent possible.
• Turn off settings (typically known as FindMy or Find My Device settings) that allow a lost, stolen, or misplaced device to be tracked.
• Minimize web-browsing on the device as much as possible, and set browser privacy/permission location settings to not allow location data usage.
• Use an anonymizing Virtual Private Network (VPN) to help obscure location.
• Minimize the amount of data with location information that is stored in the cloud, if possible.
U.S. Military and Intelligence Community staff taking part in critical missions that require going the extra mile to hide their location can take these additional measures:
• Determine a non-sensitive location where devices with wireless capabilities can be secured prior to the start of any activities. Ensure that the mission site cannot be predicted from this location.
• Leave all devices with any wireless capabilities (including personal devices) at this non-sensitive location. Turning off the device may not be sufficient if a device has been compromised.
• For mission transportation, use vehicles without built-in wireless communication capabilities, or turn off the capabilities, if possible.
Last month, the security agency also published guidance on how to secure IP Security (IPsec) Virtual Private Networks (VPNs) against potential attacks.