WASHINGTON — The National Security Agency released guidance Tuesday recommending that U.S. intelligence personnel take steps to mitigate the exposure of personal location data from mobile devices.
The guidance, targeted to intelligence community and Defense Department mobile device users, warned that hardware used every day, from cellphones to fitness trackers, can expose their location to adversaries — potentially endangering personnel.
“Location data can be extremely valuable and must be protected. It can reveal details about the number of users in a location, user and supply movements, daily routines (user and organizational), and can expose otherwise unknown associations between users and locations,” the guidance read.
The guidance warned national security employees that mobile devices inherently trust cellular networks and providers, and those same providers collect real-time location data.
“If an adversary can influence or control the provider in some way, this location data may be compromised,” the guidance read. Citing public reports, it added that providers sell near real-time location data to third parties.
The guidance offered several steps users can implement to limit the exposure of their location. Turning off cellular services aren’t enough to ensure security, the NSA warned, because adversaries can still determine location if Bluetooth and Wi-Fi are still enabled due to wireless sniffers that can determine location based on the strength of a device’s signal — even if the device is not in use.
The NSA suggested users disable location services, turn off Wi-Fi and Bluetooth if those services aren’t needed, and place devices in airplane mode when not in use. It also recommended giving mobile applications minimal permissions and suggested avoiding apps that rely on location services.
The Department of Defense has grappled with personnel across the globe using applications that track users. In 2018, the GPS tracking app Strava, a digital platform to used to log running routes, exposed the exercise routes of DoD personnel around the world. The incident led to several reviews of department policies pertaining to cellphones and other GPS-enabled tracking devices
The DoD also has similar concerns about the app TikTok, a Chinese-owned social media platform. Officials worry it may expose troops’ personal information. President Donald Trump in recent weeks has threatened to ban the app from use in the United States.
The NSA also recommended mitigation steps for missions where it is “critical” that location information not be exposed. The agency suggested users determine a nonsensitive location where “all” devices with wireless capabilities can be stored beforehand. It also said personnel should use vehicles that don’t have built-in wireless capabilities or, at the very least, turn off those settings.
“While it may not always be possible to completely prevent the exposure of location information, it is possible — through careful configuration and use — to reduce the amount of location data shared. Awareness of the ways in which such information is available is the first step,” the guidance said.
Andrew Eversden covers all things defense technology for C4ISRNET. He previously reported on federal IT and cybersecurity for Federal Times and Fifth Domain, and worked as a congressional reporting fellow for the Texas Tribune. He was also a Washington intern for the Durango Herald. Andrew is a graduate of American University.
