The National Security Agency (NSA) on Tuesday rolled out guidance warning that location data from mobile and other internet-connected devices could pose a security threat for users if it were accessed by adversaries.
The guidance was rolled out as a warning for Defense Department personnel and others with access to sensitive federal systems, but the NSA noted that it could be “useful to a wide range of users.”
“Using a mobile device—even powering it on—exposes location data,” the NSA warned in the guidance. “Mobile devices inherently trust cellular networks and providers, and the cellular provider receives real-time location information for a mobile device every time it connects to the network.”
“This means a provider can track users across a wide area,” the agency noted. “In some scenarios, such as 911 calls, this capability saves lives, whereas for personnel with location sensitivities, it may incur risks. If an adversary can influence or control the provider in some way, this location data may be compromised.”
The NSA noted that location data could be tracked even if the GPS and cellular data are switched off, warning that a mobile device can track location through WiFi and Bluetooth connections, while websites and apps can also access or guess the location of the user.
The agency warned that other internet-connected devices — such as fitness trackers, smart watches, medical devices and household smart devices — could also pose a security threat through their potential to collect and expose sensitive location data of any mobile device they are hooked up to.
Apps and social media accounts posed another risk for exposing sensitive location data, particularly for Defense Department personnel, the NSA warned, with pictures posted to social media platforms potentially including hidden metadata revealing locations.
“Anything that sends and receives wireless signals has location risks similar to mobile devices,” the NSA wrote.
In order to limit potential security breaches, the NSA recommended that individuals disable location services settings on internet-connected devices, use airplane mode when mobile devices are not in use, ensure apps are not given permission to track the user’s location and minimize the amount of data stored in the cloud, among other suggestions.
“While it may not always be possible to completely prevent the exposure of location information, it is possible —through careful configuration and use — to reduce the amount of location data shared,” the NSA wrote. “Awareness of the ways in which such information is available is the first step.”
The guidance comes two years after the Defense Department banned the use of fitness trackers, smart phones and other devices with geolocation services for all deployed personnel, according to CNN.
Location data has been a major topic of discussion during the COVID-19 pandemic, as some governments have used location data to track positive cases and fight against the spread of the virus.
These actions have raised strong concerns from privacy advocates worried that data may not be handled responsibly, and that it could be used for greater surveillance of the public.