How the NSA Says You Can Limit Location Data Exposure

Location data can be one of the most valuable pieces of information for an attacker, and also arguably one of the hardest to protect. Smartphones are constantly providing such data through apps, the phone’s operating system itself, or in virtue of just using telecommunications networks or being near other devices. 

With that in mind, the National Security Agency (NSA) on Tuesday published its own guidelines for limiting the exposure of location data. The guidelines are geared more for government officials, but the advice itself can be useful for those hoping to stop sending so much location data to tech companies, ad firms, or apps that may then expose it later.

“Location data can be extremely valuable and must be protected,” the NSA document reads. “It can reveal details about the number of users in a location, user and supply movements, daily routines (user and organizational), and can expose otherwise unknown associations between users and locations.”

Some of the mitigations presented by the NSA include giving apps as few permissions as possible, such as ensuring apps are not using or sharing location data.

Do you work in the location data industry? Did you used to? We’d love to hear from you. Using a non-work phone or computer, you can contact Joseph Cox securely on Signal on +44 20 8133 5190, Wickr on josephcox, OTR chat on jfcox@jabber.ccc.de, or email joseph.cox@vice.com.

“Avoid using apps related to location if possible, since these apps inherently expose user location data,” it adds.

But as the document notes, turning off location services is not one and the same as turning off GPS in general.

“Disabling location services only limits access to GPS and location data by apps. It does not prevent the operating system from using location data or communicating that data to the network,” the document reads.

Advertising firms are one of the main users and collectors of location data, able to use it to target individuals with particular campaigns. The document recommends resetting the device’s advertising ID regularly; instructions on how to do that for iPhone and Android can be found here and here.

Using a web browser on a device can also generate forms of location data, so the NSA recommends keeping browsing on the device as low as possible, and changing settings on the browser to stop the use of location data.

The document also suggests using an anonymizing Virtual Private Network (VPN) to obscure your location; visiting websites without one can give some clues as to your current location.

Some of this will be a lot to consume for some people, and not everyone needs to necessarily take all of these precautions. As the document notes, “Mitigations reduce, but do not eliminate, location tracking risks in mobile devices.”

Beyond the collection and sale of location data itself, that data can be abused. Last year Motherboard spoke to a stalking victim who said her phone carrier T-Mobile put her “life in danger.”

Subscribe to our new cybersecurity podcast, CYBER.