The Wayback Machine - https://webcf.waybackmachine.org/web/20210510082417/https://ssd.eff.org/en/playlist/privacy-breakdown-mobile-phones
Surveillance Self-Defense

Privacy Breakdown of Mobile Phones


    Mobile phones have become commonplace and basic communications tools—now used not only for phone calls, but also for accessing the Internet, sending text messages, and documenting the world.

    Unfortunately, mobile phones were not designed for privacy and security by default. Not only do they do a poor job of protecting your communications, they also expose you to new kinds of surveillance risks—especially location tracking. Most mobile phones give the user much less control than a personal desktop or laptop computer would; it's harder to replace the operating system, harder to investigate malware attacks, harder to remove or replace undesirable bundled software, and harder to prevent parties like the mobile operator from monitoring how you use the device. Additionally, the device maker may declare your device obsolete and stop providing you with software updates, including security fixes; if this happens, you may not have anywhere else to turn for these fixes.

    Some of these problems can be addressed by using third-party privacy software—but some of them can't. Here, we'll describe some of the ways that phones can aid surveillance and undermine their users' privacy.

  • Mobile Phones: Location Tracking


    The deepest privacy threat from mobile phones—yet one that is often completely invisible—is the way that they announce your whereabouts all day (and all night) long through the signals they broadcast. There are at least four ways that an individual phone's location can be tracked by others.

    • Mobile Signal Tracking from Towers
    • Mobile Signal Tracking from Cell Site Simulators
    • Wi-Fi and Bluetooth Tracking
    • Location Information Leaks from Apps and Web Browsing

    Mobile Signal Tracking — Towers

    In all modern mobile networks, the operator can calculate where a particular subscriber's phone is located whenever the phone is powered on and registered with the network. The ability to do this results from the way the mobile network is built, and is commonly called triangulation.

    Three cell phone towers have different ranges, represented by overlapping circles. A phone is shown in the area where all towers’ signal ranges meet.

    One way the operator can do this is to observe the signal strength that different towers observe from a particular subscriber's mobile phone, and then calculate where that phone must be located in order to account for these observations. This is done with Angle of Arrival (AoA) measurements. The accuracy with which the operator can figure out a subscriber's location varies depending on many factors, including the technology the operator uses and how many cell towers they have in an area. Usually, with at least three cell towers, the operator can get down to ¾ of a mile or 1 km. For modern cell phones and networks, trilateration is also used. In particular, it is used where the “locationInfo-r10” feature is supported. This feature returns a report that contains the phone's exact GPS coordinates.
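    To make the tower-based method concrete, here is an added example (not code from the EFF guide or from any operator) that turns signal-strength observations from three towers into distance estimates and then trilaterates the phone's position. The path-loss constants, tower coordinates and signal readings are all constructed assumptions for illustration.

```python
import math
from typing import List, Tuple

Point = Tuple[float, float]


# Log-distance path-loss model (an assumption of this example, not a network
# measurement): ref_dbm is the strength expected at ref_m metres from the tower,
# n is the environment's path-loss exponent (2 in free space, 3-4 in built-up areas).
def rssi_to_distance(rssi_dbm: float, ref_dbm: float = -40.0,
                     ref_m: float = 1.0, n: float = 3.0) -> float:
    """Estimate the tower-to-phone distance in metres from received signal strength."""
    return ref_m * 10 ** ((ref_dbm - rssi_dbm) / (10 * n))


def distance_to_rssi(d_m: float, ref_dbm: float = -40.0,
                     ref_m: float = 1.0, n: float = 3.0) -> float:
    """Inverse of rssi_to_distance; used only to fabricate sample readings."""
    return ref_dbm - 10 * n * math.log10(d_m / ref_m)


def trilaterate(towers: List[Point], distances: List[float]) -> Point:
    """Least-squares trilateration from three or more (tower, distance) pairs.

    Subtracting the first circle equation from each of the others cancels the
    quadratic terms and leaves one linear equation per extra tower:
        2(xi - x1) x + 2(yi - y1) y = d1^2 - di^2 - x1^2 + xi^2 - y1^2 + yi^2
    which is solved for (x, y) through the normal equations.
    """
    if len(towers) < 3 or len(towers) != len(distances):
        raise ValueError("need at least three towers with matching distances")
    (x1, y1), d1 = towers[0], distances[0]
    rows = []
    for (xi, yi), di in zip(towers[1:], distances[1:]):
        a = 2 * (xi - x1)
        b = 2 * (yi - y1)
        c = d1 ** 2 - di ** 2 - x1 ** 2 + xi ** 2 - y1 ** 2 + yi ** 2
        rows.append((a, b, c))
    # Accumulate A^T A and A^T c for the two-unknown least-squares system.
    aa = ab = bb = ac = bc = 0.0
    for a, b, c in rows:
        aa += a * a
        ab += a * b
        bb += b * b
        ac += a * c
        bc += b * c
    det = aa * bb - ab * ab
    if abs(det) < 1e-9:
        raise ValueError("towers are collinear; position is ambiguous")
    x = (ac * bb - ab * bc) / det
    y = (aa * bc - ab * ac) / det
    return (x, y)


def locate_from_rssi(towers: List[Point], rssis: List[float]) -> Point:
    """Whole pipeline: signal strengths -> distance estimates -> position."""
    return trilaterate(towers, [rssi_to_distance(r) for r in rssis])


def distance(p: Point, q: Point) -> float:
    return math.hypot(p[0] - q[0], p[1] - q[1])


if __name__ == "__main__":
    # Constructed scenario: three towers on a 1 km grid and a phone at (300, 400) m.
    towers = [(0.0, 0.0), (1000.0, 0.0), (0.0, 1000.0)]
    phone = (300.0, 400.0)
    rssis = [distance_to_rssi(distance(t, phone)) for t in towers]
    # A few dB of measurement noise shows how quickly the estimate degrades,
    # which is why the text quotes accuracy on the order of 1 km.
    noisy = [r + delta for r, delta in zip(rssis, (1.5, -2.0, 1.0))]
    for label, obs in (("ideal", rssis), ("noisy", noisy)):
        est = locate_from_rssi(towers, obs)
        print(f"{label}: estimate=({est[0]:.0f}, {est[1]:.0f}) "
              f"error={distance(est, phone):.0f} m")
```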

    There is no way to hide from this kind of tracking as long as your mobile phone is powered on, with a registered SIM card, and transmitting signals to an operator's network. Although normally only the mobile operator itself can perform this kind of tracking, a government could force the operator to turn over location data about a user (in real-time or as a matter of historical record). In 2010, a German privacy advocate named Malte Spitz used privacy laws to get his mobile operator to turn over the records that it had about him; he chose to publish them as an educational resource so that other people could understand how mobile operators can monitor users this way. The possibility of government access to this sort of data is not theoretical: it is already being widely used by law enforcement agencies in countries like the United States.

    Another related kind of government request is called a tower dump; in this case, a government asks a mobile operator for a list of all of the mobile devices that were present in a certain area at a certain time. This could be used to investigate a crime, or to find out who was present at a particular protest.

    • Reportedly, the Ukrainian government used a tower dump for this purpose in 2014, to make a list of all of the people whose mobile phones were present at an anti-government protest.
    • In Carpenter v. United States, the Supreme Court ruled that obtaining historical cell site location information (CSLI) containing the physical locations of cellphones without a search warrant violates the Fourth Amendment.

    Carriers also exchange data with one another about the location from which a device is currently connecting. This data is frequently somewhat less precise than tracking data that aggregates multiple towers' observations, but it can still be used as the basis for services that track an individual device—including commercial services that query these records to find where an individual phone is currently connecting to the mobile network, and make the results available to governmental or private customers. (The Washington Post reported on how readily available this tracking information has become.) Unlike the previous tracking methods, this tracking does not involve forcing carriers to turn over user data; instead, this technique uses location data that has been made available on a commercial basis.

    Mobile Signal Tracking — Cell Site Simulator

    A government or another technically sophisticated organization can also collect location data directly, such as with a cell site simulator (a portable fake cell phone tower that pretends to be a real one, in order to “catch” particular users' mobile phones and detect their physical presence and/or spy on their communications, also sometimes called an IMSI Catcher or Stingray). IMSI refers to the International Mobile Subscriber Identity number that identifies a particular subscriber's SIM card, though an IMSI catcher may target a device using other properties of the device as well.

    An animation: a phone connects to a cell phone tower’s weak network connection: the tower requests the ID of the phone, and the phone responds with its International Mobile Subscriber Identity (IMSI) number. A cell-site simulator — presented here as a device within a mobile vehicle — appears, providing a stronger network connection. The phone connects to the cell-site simulator’s signal. The cell-site simulator requests the ID of the phone, and the phone responds with its IMSI number.

    The IMSI catcher needs to be taken to a particular location in order to find or monitor devices at that location. It should be noted that IMSI traffic interception by law enforcement would meet the parameters for a warrant. However, a “rogue” CSS (one not set up by law enforcement) would be operating outside of those legal parameters.

    Currently there is no reliable defense against all IMSI catchers. (Some apps claim to detect their presence, but this detection is imperfect.) On devices that permit it, it could be helpful to disable 2G support (so that the device can connect only to 3G and 4G networks) and to disable roaming if you don't expect to be traveling outside of your home carrier's service area. Additionally, it could be helpful to use encrypted messaging such as Signal, WhatsApp, or iMessage to ensure the content of your communications can’t be intercepted. These measures may protect against certain kinds of IMSI catchers.

    Wi-Fi and Bluetooth Tracking

    Modern smartphones have other radio transmitters in addition to the mobile network interface. They usually also have Wi-Fi and Bluetooth support. These signals are transmitted with less power than a mobile signal and can normally be received only within a short range (such as within the same room or the same building), although someone using a sophisticated antenna could detect these signals from unexpectedly long distances; in a 2007 demonstration, an expert in Venezuela received a Wi-Fi signal at a distance of 382 km or 237 mi, under rural conditions with little radio interference. However, this scenario of such a wide range is unlikely. Both of these kinds of wireless signals include a unique serial number for the device, called a MAC address, which can be seen by anybody who can receive the signal.

    A phone connects to Bluetooth identifiers and Wi-Fi routers, sharing its MAC address as an identifiable number.

    Whenever Wi-Fi is turned on, a typical smartphone will transmit occasional “probe requests” that include the MAC address and will let others nearby recognize that this particular device is present. Bluetooth devices do something similar. These identifiers have traditionally been valuable tools for passive trackers in retail stores and coffee shops to gather data about how devices, and people, move around the world. However, in the latest versions of iOS and Android, the MAC address included in probe requests is randomized by default in software, which makes this kind of tracking much more difficult. Since MAC randomization is software based, it is fallible and the default MAC address has the potential to be leaked. Moreover, some Android devices may not implement MAC randomization properly.

    Although modern phones usually randomize the addresses they share in probe requests, many phones still share a stable MAC address with networks that they actually join, such as sharing a connection with wireless headphones. This means that network operators can recognize particular devices over time, and tell whether you are the same person who joined the network in the past (even if you don't type your name or e-mail address anywhere or sign in to any services).

    A number of operating systems are moving towards having randomized MAC addresses on WiFi. This is a complex issue, as many systems have a legitimate need for a stable MAC address. For example, if you sign into a hotel network, it keeps track of your authorization via your MAC address; when you get a new MAC address, that network sees your device as a new device. iOS 14 has a per-network setting for this, “Private MAC addresses.”
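    The difference between a stable and a randomized probe-request address is visible in the address itself: randomized addresses set the locally administered (U/L) bit of the first octet. The following added example (not from the EFF guide) audits a constructed two-day capture of probe requests, classifies each source address, and shows that only the stable addresses can be recognized as repeat visitors; the log format and all addresses are constructed for illustration.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample capture: probe requests seen by one sensor on two mornings.
# Addresses are made up; only the first octet matters for the classification.
SAMPLE_LOG = """\
2021-05-05T08:01:10Z probe-req src=00:1a:2b:3c:4d:5e
2021-05-05T08:01:12Z probe-req src=da:a1:19:00:11:22
2021-05-05T08:03:00Z probe-req src=7e:44:02:9a:bb:cc
2021-05-06T08:00:40Z probe-req src=00:1a:2b:3c:4d:5e
2021-05-06T08:02:15Z probe-req src=92:fe:01:ab:cd:ef
2021-05-06T08:02:30Z probe-req src=6a:33:c4:12:34:56
"""

# Assumed line layout: ISO timestamp, the literal "probe-req", then src=<MAC>.
LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2})T\S+ probe-req src=([0-9a-f]{2}(?::[0-9a-f]{2}){5})$",
    re.I,
)


def is_locally_administered(mac: str) -> bool:
    """True when the U/L bit (bit 1 of the first octet) is set.

    Randomized Wi-Fi addresses are locally administered, so this bit is the
    quickest check that a phone is actually randomizing. The reverse is a
    heuristic only: an administrator can assign locally administered addresses
    by hand, so such an address is not proof of randomization.
    """
    return bool(int(mac.split(":")[0], 16) & 0x02)


def parse_probe_log(text: str) -> List[Tuple[str, str]]:
    """Return (day, mac) pairs, skipping lines that do not match the layout."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append((m.group(1), m.group(2).lower()))
    return records


def audit(text: str) -> Dict[str, List[str]]:
    """Classify every address seen and list those recognizable across days."""
    days_seen = defaultdict(set)
    for day, mac in parse_probe_log(text):
        days_seen[mac].add(day)
    stable = sorted(m for m in days_seen if not is_locally_administered(m))
    randomized = sorted(m for m in days_seen if is_locally_administered(m))
    # A tracker can only say "this device was here before" for addresses
    # that stay the same between visits.
    repeat = sorted(m for m, days in days_seen.items() if len(days) > 1)
    return {"stable": stable, "randomized": randomized, "repeat_visitors": repeat}


if __name__ == "__main__":
    result = audit(SAMPLE_LOG)
    print("stable (trackable) addresses:", result["stable"])
    print("randomized addresses:        ", result["randomized"])
    print("seen on more than one day:   ", result["repeat_visitors"])
```

    Run against a capture of your own phone's probe requests, a stable address in the output means the device is not randomizing on that interface.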

    Location Information Leaks From Apps and Web Browsing

    Modern smartphones provide ways for the phone to determine its own location, often using GPS and sometimes using other services provided by location companies (which usually ask the company to guess the phone's location based on a list of cell phone towers and/or Wi-Fi networks that the phone can see from where it is). This is packaged into a feature both Apple and Google call “Location Services”. Apps can ask the phone for this location information and use it to provide services that are based on location, such as maps that display your location on the map. The more recent permissions model requires applications to ask before using location. However, some applications are more aggressive than others in asking to use either GPS or the combination of Location Services.

    A “location services”-like settings menu on an illustrated phone.

    Some of these apps will then transmit your location over the network to a service provider, which, in turn, provides a way for the application and third parties they may share with to track you. (The app developers might not have been motivated by the desire to track users, but they might still end up with the ability to do that, and they might end up revealing location information about their users to governments or a data breach.) Some smartphones will give you some kind of control over whether apps can find out your physical location; a good privacy practice is to try to restrict which apps can see this information, and at a minimum to make sure that your location is only shared with apps that you trust and that have a good reason to know where you are.

    In each case, location tracking is not only about finding where someone is right now, like in an exciting movie chase scene where agents are pursuing someone through the streets. It can also be about answering questions about people's historical activities and also about their beliefs, participation in events, and personal relationships. For example, location tracking could be used to find out whether certain people are in a romantic relationship, to find out who attended a particular meeting or who was at a particular protest, or to try to identify a journalist's confidential source.

    The Washington Post reported in December 2013 on NSA location-tracking tools that collect massive amounts of information “on the whereabouts of cellphones around the world,” mainly by tapping phone companies' infrastructure to observe which towers particular phones connect to, and when those phones connect to those towers. A tool called CO-TRAVELER uses this data to find relationships between different people's movements (to figure out which people's devices seem to be traveling together, as well as whether one person appears to be following another).

    Behavioral Data Collection and Mobile Advertising Identifiers

    In addition to the location data collected by some apps and websites, many apps share information about more basic interactions, such as app installs, opens, usage, and other activity. This information is often shared with dozens of third-party companies throughout the advertising ecosystem enabled by real-time bidding (RTB). Despite the mundane nature of the individual data points, in aggregate this behavioral data can still be very revealing.

    Advertising technology companies convince app developers to install pieces of code, distributed as software development kits (SDKs), in order to serve ads in their apps. These pieces of code collect data about how each user interacts with the app, then share that data with the third-party tracking company. The tracker may then re-share that information with dozens of other advertisers, advertising service providers, and data brokers in a milliseconds-long RTB auction.

    Underneath a full-screen mobile ad: code for Software Development Kits (SDKs). The phone sends a packet of user data, like number of installs, opens, gender, activity and location, to a remote server.

    This data becomes meaningful thanks to the mobile advertising identifier, or MAID, a unique random number that identifies a single device. Each packet of information shared during an RTB auction is usually associated with a MAID. Advertisers and data brokers can pool together data collected from many different apps using the MAID, and therefore build a profile of how each user identified by a MAID behaves. MAIDs do not themselves encode information about a user’s real identity. However, it’s often trivial for data brokers or advertisers to associate a MAID with a real identity, for example by collecting a name or email address from within an app.

    Mobile ad IDs are built into both Android and iOS, as well as a number of other devices like game consoles, tablets, and TV set top boxes. On Android, every app, and every third-party installed in those apps, has access to the MAID by default. Furthermore, there is no way to turn off the MAID on an Android device at all: the best a user can do is to “reset” the identifier, replacing it with a new random number. In the latest version of iOS, apps finally need to ask permission before collecting and using the phone’s mobile ad ID. However, it’s still unclear whether users realize just how many third parties may be involved when they agree to let a seemingly-innocuous app access their information.

    Behavioral data collected from mobile apps is used primarily by advertising companies and data brokers, usually to do behavioral targeting for commercial or political ads. But governments have been known to piggyback on the surveillance done by private companies.

    Further reading on browser tracking: What Is Fingerprinting?

    Last reviewed: 5-6-2021
  • Mobile Phones: Spying on Mobile Communications


    Mobile phone networks were not originally designed to use technical means to protect subscribers' calls against eavesdropping. That meant that anybody with the right kind of radio receiver could listen in on the calls.

    The situation is somewhat better today, as encryption technologies have been added to mobile communications standards to try to prevent eavesdropping. But many of these technologies have been poorly designed (sometimes deliberately, due to government pressure not to use strong encryption). They have been unevenly deployed, so they might be available on one carrier but not another, or in one country but not another, and have sometimes been implemented incorrectly. For example, in some countries carriers do not enable encryption at all, or they use obsolete technical standards. This means it is often still possible for someone with the right kind of radio receiver to intercept calls and text messages as they're transmitted over the air.

    The safest practice is to assume that traditional calls and SMS text messages have not been secured against eavesdropping or recording. Even though the technical details vary significantly from place to place and system to system, the technical protections are often weak and can be bypassed in many situations.

    See Communicating with Others to learn how to text and talk more securely.

    The situation can be different when you are using secure communications apps to communicate (whether by voice or text), because these apps can apply encryption to protect your communications. This encryption can be stronger and can provide more meaningful protections. The level of protection that you get from using secure communications apps to communicate depends significantly on which apps you use and how they work. One important question is whether a communications app uses end-to-end encryption to protect your communications and whether there's any way for the app developer to undo or bypass the encryption.

    An animation of two phones sending end-to-end encrypted text messages to each other. As the messages are passed from networks to the phones, the people in the middle only see that encrypted messages are being sent (but not the content of the messages).

  • Mobile Phones: Phone Components and Sensors


    The following section explains other physical components of smartphones that use various antennas built into the modern phone to communicate different types of environmental information to applications.

    GPS

    The Global Positioning System (GPS) lets devices anywhere in the world figure out their own locations quickly and accurately. GPS works based on analyzing signals from satellites that are operated by the U.S. government as a public service for everyone. It's a common misconception that these satellites somehow watch GPS users or know where the GPS users are. In fact, the GPS satellites only transmit signals; the satellites don't receive or observe anything from your phone, and the satellites and GPS system operators do not know where any particular user or device is located, or even how many people are using the system.

    This is possible because the individual GPS receivers (like those inside smartphones) calculate their own positions by determining how long it took the radio signals from different satellites to arrive.

    So, if GPS satellites aren’t tracking users, how is “GPS tracking” done? Usually, this tracking is done by apps running on a user’s smartphone. These apps ask the phone's operating system for its location (determined via GPS). In turn, with modern phone permissions, the user is asked if they would like to share their location before the app can use it. If permission is granted, then the apps are able to transmit this information to someone else over the Internet. There are also GPS-receiving devices like cars and smart home hubs that can transmit over a network as well. Multiband support is now available in modern phones for other government sponsored positioning systems such as GLONASS (RU), BDS (CN), and GALILEO (EU).

    NFC (Near Field Communication)

    This wireless, radio-frequency based identification system exists in modern phones. It is mainly marketed through contactless mobile payment technologies or contactless identification systems. The range of NFC normally maxes out at 4 cm, and it can carry around a few hundred bytes to a few kilobytes of data at a time. NFC technology can also passively read RFID (radio-frequency identification) tags embedded in posters and other objects. This information is relevant, because even though this isn’t a technology that accurately knows where you are in the world, it can be logged when you use contactless payment or enter a building, placing you at a specific time and place. NFC technology in phones can also be set up to be used with other “smart home devices”, to turn them on or off. If you’re concerned about this capability, turn the NFC sensor in your phone off. In Android settings, this is normally under Settings > Connected Devices > Connection preferences. In iOS, NFC is limited to applications like Apple Pay, so there is no universal way to turn this off. However, its use is very limited on iOS.

    Biometric Sensors

    These consist of fingerprint sensors or a facial recognition system to help you log into your phone. These are considered more secure from purely a phone safety aspect, but are not necessarily considered safer in various situations with law enforcement.

    Motion Sensors

    There are other phone sensors that don’t necessarily provide as much information as cell towers, GPS, or WiFi. The following are listed to build on the knowledge of what exists inside your smartphone, as applications often read sensor information that can potentially identify your device, even though the potential to be detected with these methods is minimal.

    Accelerometer: A motion sensor, often used in fitness applications to log what type of activity the user is doing. This is also used in many navigation applications that measure the rate of speed you are travelling. This sensor has been flagged in security research as being able to detect the vibrations of and identify different keystrokes on a nearby computer with 80% accuracy. This is hard to detect by normal means, but putting your phone in your bag or pocket can mitigate this concern.

    Gyroscope: A motion sensor that detects orientation and angular velocity. This sensor is constantly sensing new information since we are always moving our phone’s position. This sensor has been noted in previous research as acting as a potential crude microphone, due to its capability to pick up sound waves. There are other sensors that are environmental, motion, and position based that can measure room temperature, humidity, amount of light, Earth’s magnetic field, air pressure, etc. These sensors are normally very low powered and not as useful as the methods used by Location Tracking services to locate someone. The usage model for this sensor varies from iOS to Android (more strict on iOS because developers have to define the reason they are using this sensor). Generally, applications don’t need to ask for permission to use these sensors. However, it takes an active amount of targeting and resources to use these sensors in a way that can compromise a user.

    Other sensors to be aware of:

    • Magnetometer
    • Barometer
    • Proximity sensor
    • Ambient light sensor
    • Soli sensor (Proprietary to Pixel 4 phones)
    • LiDAR
    • U1 chip (Antenna proprietary to iPhone)
  • Mobile Phones: Malware


    Phones can get viruses and other kinds of malware (malicious software), either because the user was tricked into installing malicious software, or because someone was able to hack into the device using a security flaw in the existing device software. As with other kinds of computing devices, the malicious software can then spy on the device's user.

    For example, malicious software on a mobile phone could read private data on the device (like stored text messages or photos). Malware can normally accomplish this by exploiting a security flaw, such as an outdated phone operating system. It could also activate the device's sensors (such as microphone, camera, GPS) to find where the phone is or to monitor the environment; some malware is capable of turning the phone into a remote listening or surveillance device by covertly turning on the camera or microphone. Malware can also be used to read the contents of encrypted messaging services such as Signal or WhatsApp when such messages are unencrypted on the phone for reading or writing.

    For more info, check out How Do I Protect Myself Against Malware?

    Governments themselves often forbid people, even government employees, from bringing personal cell phones into certain sensitive facilities—mainly based on the concern that the phones could be infected with software to make them record conversations.

    As we discussed above, precautions based on powering off phones could be noticed by a mobile operator; for example, if ten people all travel to the same building and then all switch off their phones at the same time, the mobile operator, or somebody examining its records, might conclude that those people were all at the same meeting and that the participants regarded it as sensitive. This would be harder to detect if the participants had instead left their phones at home or at the office.

    Pros and Cons of Turning Your Phone Off

    There's a widespread concern that phones can be used to monitor people even when not actively being used to make a call. As a result, people having a sensitive conversation are sometimes told to turn their phones off entirely, or even to remove the batteries from their phones.

    The recommendation to remove the battery seems to be focused mainly on the existence of malware that makes the phone appear to turn off upon request (finally showing only a blank screen), while really remaining powered on and able to monitor conversations or invisibly place or receive a call. Thus, users could be tricked into thinking they had successfully turned off their phones when they actually hadn't. Such malware does exist, at least for some devices, though we have little information about how well it works or how widely it has been used. Also, it is generally more difficult to remove batteries from smartphones due to the newer models that have a rear case and front screen that are hard to separate simply by hand (and may void the warranty).

    Another method of blocking signals from reaching a phone is to use a Faraday cage or bag; bags are the more affordable and practical option. These block signals from reaching the phone while it is in the bag, even if the device is compromised. These signals include 2G, 3G, 4G, 5G, Bluetooth, WiFi, and GPS.

    Burner Phones

    Phones that are used temporarily and then discarded are often referred to as burner phones or burners. People who are trying to avoid government surveillance sometimes try to change phones (and phone numbers) frequently to make it more difficult to recognize their communications. They will need to use prepaid phones (not associated with a personal credit card or bank account) and ensure that the phones and SIM cards were not registered with their identity; in some countries these steps are straightforward, while in others there may be legal or practical obstacles to obtaining anonymous mobile phone service.

    There are a number of limitations to this technique.

    SIM Cards

    First, merely swapping SIM cards or moving a SIM card from one device to another offers minimal protection, because the mobile network observes both the SIM card and device together. In other words, the network operator knows the history of which SIM cards have been used in which devices, and can track either individually or both together. Second, governments have been developing mobile location analysis techniques where location tracking can be used to generate leads or hypotheses about whether multiple devices actually belong to the same person. There are many ways this can be done. For example, an analyst could check whether two devices tended to move together, or whether, even if they were in use at different times, they tended to be carried in the same physical locations.

    A note on eSIM (embedded SIM) technology, or software based SIM cards. This is an embedded component in the phone that gives a network provider the ability to remotely add or ‘provision’ SIM profiles Over the Air (OTA).

    Tracking Patterns and Burner Phones

    A further problem for the successful anonymous use of telephone services is that people's calling patterns tend to be extremely distinctive. For example, you might habitually call your family members and your work colleagues. Even though each of these people receive calls from a wide range of people, you're likely the only person in the world who commonly calls both of them from the same number. So even if you suddenly changed your number, if you then resumed the same patterns in the calls you made or received, it would be straightforward to determine which new number was yours. Remember that this inference isn't made based only on the fact that you called one particular number, but rather on the uniqueness of the combination of all the numbers that you called. (Indeed, The Intercept reported that a secret U.S. government system called PROTON does exactly this, using phone records to recognize people who placed phone calls in a “similar manner to a specific target” from new phone numbers.) An additional example can be found in the Hemisphere FOIA document. The document describes the Hemisphere database (a massive database of historical call records) and how the people who run it have a feature that can link burner phones by following the similarity of their call patterns. The document refers to burner phones as "dropped phones" because their user will "drop" one and start using another one—but the database analytics algorithms can draw the connection between one phone and another when this happens, so long as both were used to make or receive calls to similar sets of phone numbers.

    Together, these facts mean that effective use of burner phones to hide from government surveillance requires, at a minimum: not reusing either SIM cards or devices; not carrying different devices together; not creating a physical association between the places where different devices are used; not using the burner phone as a long term solution; and not calling or being called by the same people when using different devices. (This isn't necessarily a complete list; for example, we haven't considered the risk of physical surveillance of the place where the phone was sold, or the places where it's used, or the possibility of software to recognize a particular person's voice as an automated method for determining who is speaking through a particular phone.)
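    To show why the last requirement above (not calling or being called by the same people from different devices) matters, here is an added example, not from the EFF guide or from any of the systems it names, that links a new number to an old one purely by the overlap of the sets of numbers each one talks to, the kind of call-pattern similarity the section describes. The call records, numbers and similarity threshold are constructed assumptions.

```python
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

# Constructed call records as (caller, callee). All numbers are placeholders.
OLD, NEW, CLEAN = "555-0100", "555-0199", "555-0188"
CALLS: List[Tuple[str, str]] = [
    # The old number talks to family (0201), work (0202), a friend (0203) and 0204.
    (OLD, "555-0201"), (OLD, "555-0202"), ("555-0203", OLD), (OLD, "555-0204"),
    # A "burner" that resumes the same relationships, plus one new contact.
    (NEW, "555-0201"), ("555-0202", NEW), (NEW, "555-0203"), (NEW, "555-0205"),
    # Unrelated subscribers who happen to share one contact each.
    ("555-0150", "555-0201"), ("555-0150", "555-0206"),
    ("555-0177", "555-0205"), ("555-0177", "555-0206"),
    # A burner used only with people the old number never called.
    (CLEAN, "555-0207"), ("555-0208", CLEAN),
]


def contact_sets(calls: Iterable[Tuple[str, str]]) -> Dict[str, Set[str]]:
    """Map every number to the set of numbers it called or was called by.

    Direction is ignored because, as the text notes, both outgoing and
    incoming calls contribute to the pattern.
    """
    contacts: Dict[str, Set[str]] = defaultdict(set)
    for a, b in calls:
        contacts[a].add(b)
        contacts[b].add(a)
    return contacts


def jaccard(a: Set[str], b: Set[str]) -> float:
    """Overlap of two contact sets: |a ∩ b| / |a ∪ b|, 0.0 when both are empty."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def link_candidates(calls: Iterable[Tuple[str, str]], target: str,
                    threshold: float = 0.5) -> List[Tuple[str, float]]:
    """Numbers whose contact set resembles the target's, best match first.

    The single shared contact is never enough (the unrelated subscribers score
    low); it is the combination of contacts that identifies the same person.
    """
    contacts = contact_sets(calls)
    scored = [(num, jaccard(contacts[target], cs))
              for num, cs in contacts.items() if num != target]
    return sorted(((n, s) for n, s in scored if s >= threshold),
                  key=lambda item: -item[1])


if __name__ == "__main__":
    for number, score in link_candidates(CALLS, OLD, threshold=0.01):
        print(f"{number}: contact overlap with {OLD} = {score:.2f}")
    print("clean burner linked?", any(n == CLEAN for n, _ in link_candidates(CALLS, OLD, 0.01)))
```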

    Phone Analysis and Seized Phones

    Forensic Analysis of Seized Phones

    There is a well-developed specialty of forensic analysis of mobile devices. An expert analyst will connect a seized device to a special machine, which reads out data stored inside the device, including records of previous activity, phone calls, pictures, WhatsApp messages, location history, app data, and text messages. The forensic analysis may be able to recover records that the user couldn't normally see or access, such as deleted text messages. Forensic analysis can sometimes bypass passcode-protected screenlocks, especially on older phones.

    There are many smartphone apps and software features that try to inhibit or prevent forensic analysis of certain data and records, or to encrypt data to make it unreadable to an analyst. In addition, there is remote wipe software, which allows the phone owner or someone designated by the owner to tell the phone to erase certain data on request. However, not all wiping mechanisms are the same, and some can be prevented, especially if the designated party needs remote access to the phone in order to wipe it.

    This software can be useful to protect against data being obtained if your phone is taken by criminals. However, please note that intentional destruction of evidence or obstruction of an investigation can be charged as a separate crime, often with very serious consequences. In some cases, this can be easier for the government to prove and allow for more substantial punishments than the alleged crime originally being investigated.

    Computer Analysis of Patterns of Phone Use

    Governments have also become interested in analyzing data about many users' phones by computer in order to find certain patterns automatically. These patterns could allow a government analyst to find cases in which people used their phones in an unusual way, such as taking particular privacy precautions.

    A few examples of things that a government might try to figure out from data analysis: automatically figuring out whether people know each other; detecting when one person uses multiple phones, or switches phones; detecting when groups of people are traveling together or regularly meeting one another; detecting when groups of people use their phones in unusual or suspicious ways; identifying the confidential sources of a journalist.

    These types of pattern-based analysis have become easier now that many people own a smartphone, and therefore have their pockets full of sensors and modules that communicate many types of data. Only each user can define their threat model, and we encourage users to assess their individual risks and the steps they can take to protect themselves.
