NSA Offers Tips To Limit Location Data Exposure

Recent guidance from the National Security Agency describes steps Defense Department and National Security Systems users should take to limit exposure of location data from devices like cell phones and smart watches. 

Leaving location data open to scrutiny is a risky business, particularly for federal employees who need to protect the sanctity of their missions, according to the report. Details that would be otherwise difficult to determine—such as associations between people—can be constructed using location data alone. It’s impossible to eliminate exposure completely, but mitigation steps can reduce risks.

Neal Ziring, NSA Cybersecurity Directorate technical director, told Nextgov in an email the coronavirus pandemic means cybersecurity risks are increasing.

“COVID-19 has created an environment rich with opportunity for our cyber adversaries, risks—not just limited to location data exposure—are certainly increasing,” Ziring said. “As long as mobile devices are being used, your location data could be exposed.”

First, it’s critical to understand what location data is and what devices are transmitting it—cell phones aren’t the only culprit. 

The guidelines stress that turning off location services means stopping your device from sharing your whereabouts with third parties like apps, but the operating system on your device itself can still use your GPS location. But data used for location services doesn’t come from GPS alone. It’s also calculated using WiFi and Bluetooth connections. This information gets collected even if GPS and cellular service is turned off. 

There are many vectors beyond just mobile phones that can lead to location data exposure. Anything that uses wireless connections represents another vector, including tech like fitness trackers or even smart medical devices, according to the guidelines. The same goes for internet of things technologies such as smart home devices. 

“Such IoT devices can be difficult to secure, most have no way to turn off wireless features, and little, if any, security built in,” according to the guidelines. 

Apps often aggregate location data that’s irrelevant to their function, as well. The NSA guidelines indicate social media is risky, too, because pictures a user may post contain location data in the image metadata. 

Mitigation strategies in the guidelines include: 

• Disable location service settings on the device and engage privacy settings within apps so their access to data is minimized.
• Disable Bluetooth and WiFi when they aren’t in use and turn on airplane mode if you aren’t using your device.
• If possible, avoid apps that are heavily dependent on location data such as maps, compasses or fitness apps.
• Disable advertising permissions as much as possible and reset your device’s advertising ID at least on a weekly basis.
• Disable apps like FindMy that allow tracking of lost devices.
• And use a virtual private network, or VPN, enable privacy settings on web browsers and minimize web browsing on mobile devices as much as possible. 

Ziring said not all of these mitigation strategies are necessary across the board. But when the exposure of location data could compromise a mission, users need to prioritize mitigating risks to the greatest extent possible. 

According to the guidelines, this means leaving devices at a non-sensitive location prior to the start of a mission rather than just turning the device off. And for mission transportation, it’s best to avoid traveling in cars that have wireless communication capabilities built-in. 

For workers with less sensitive missions, it’s still important to minimize exposure. There’s just a little bit more leeway. 

“For example, if traveling to a new restaurant and wanting to use a map app for directions, some of the mitigations included are impractical for that situation,” Ziring said. “This report is meant to help people understand how location data can be shared in various ways so that they can make informed decisions for using or disabling mobile features. Ultimately, each end user needs to make a risk decision based on their own level of risk tolerance, and the specific situation.”

Members of the federal workforce should work with their home agency’s security office to make certain they are following agency-specific guidelines regarding location data exposure, Ziring said. The NSA guidelines are also useful to any member of the general public interested in protecting their privacy.