(This article by request, written while chewing a piece of gum…)
Cell phone tracking (done via GPS – Global Positioning System) can be very useful – it makes Google Maps work and can tell you to turn left in a quarter mile, or in an emergency it can tell loved ones where you are. It can be helpful when using a dating app so it doesn’t set you up with someone on the other side of the planet and it can tell you where that bus stop you’ve been looking for is.
Unfortunately, the part that makes it do things that are helpful can be also be used against you, as a GPS’s job is to “be helpful”, even if it’s not you it’s helping. What we’re all really after is to allow tracking when you want or need it, but safeguard your location information when you don’t. Smartphone security can be complicated, but here are the primary elements when it comes to location tracking (grab a cup of coffee, they don’t make it easy or quick!):
Government and Utility Tracking
The system that allows our phones to work is provided by the carrier (AT&T, Verizon, Sprint, etc) and they have complete control of your smartphone and its location at all times. The carrier is always aware of where your phone is so that, for example, while you’re driving your phone can switch towers seamlessly and you don’t get dropped calls. Unfortunately almost all businesses are in the pocket of our government who, while they’re supposed to follow due process, usually do not.
I used to work for a very large company and I was on the CALEA2 implementation team for another very large carrier. It was my job to implement a monitoring system that would lawfully intercept and record phone calls (yeah, that was me… sorry everyone!). How do I know the government and businesses do not follow due process? Because when the Patriot Act passed after 9/11 the use of the system I helped create went up 400% in the first month alone, while the number of warrants went down to zero. These were staff using it to record their girlfriends, agents spying on their wives, etc, etc. The Patriot Act allowed them to get away with it by stripping necessary oversight provisions and it’s only gotten worse since.
Even if a given mobile provider is not in the government’s pocket, law enforcement can deploy an “IMSI catcher” – a surveillance van that will park next to your house and make all local smartphones go through that van. They do it all the time.
What can you do about it? Powering off your smartphone isn’t enough, it transmits location even when shut down because it’s a function so innate to the phone it doesn’t need the operating system (iOS, Android) to do it. If you’re attending a protest, either pull the battery entirely or leave it in the car. Alternately, new pocket-sized faraday cages for your phone have been made available, such as the FawkesBox – this will allow you to keep your phone with you for emergencies while still preventing it from being tracked. (Reminder: put it in airplane mode before putting it in a FawkesBox or it’ll drain the battery in a half-hour trying desperately to reach the cell towers!)
Websites
Google Maps can query your mobile browser for your current location while giving you driving hints, but unless you specifically configure your Google account it’ll hold on to everywhere you’ve been in perpetuity. Facebook does the same as do a number of other sites, and some of those sites will report your location in real time to your friends list unless you specifically turn that “feature” off. Truth of the matter is the businesses who run these sites capitalize on your information and that includes your location, so unless you tell them not to track you (and check in on that setting from time to time in case they revert it to default!) you can bet they are.
How can you deal with this? Every site you use that you have an account with (GMail, Facebook, etc) should have a way to disable tracking. Google it, such as “how disable tracking google | facebook” (etc) and see what you find. If there’s no option to disable tracking you may seriously want to reconsider your use of their website.
Apps You Know About
Apps you know about are relatively easy to deal with but time consuming – you have to go through every single app and determine whether it should have permission to track you.
iPhone: Go to Settings, Privacy, Location Services. From here you can turn the Location Service on or off completely (can still be monitored by the carrier, though!), or you can determine which apps you want to allow access to that tracking data.
Android: Go to Settings, Security and Privacy, Location Services (though this may vary depending on your Android phone type and OS details). From here you can disable location tracking entirely (again, doesn’t affect the carrier data), set how closely it can track and then determine which app has access to that data, app by app.
Be aware, sometimes changing permissions can break the app even if your location data isn’t necessary (they want that data, after all). Again, you may have to reconsider whether you want an app if it tracks you all the time and won’t let you do anything about it!
Lastly, as mentioned below – don’t get app-happy! If you don’t use an app, get rid of it.
Apps You Don’t Know About
This is the number one concern that most people have. Did your ex husband put a tracking program on your phone? Is your wife looking to see if you’re really in the office? Is your angry and violence-prone boyfriend going to rough you up later because that new coffee shop you’re trying is in a residential area and he thinks you’re cheating on him (I’ve seen this happen personally) ? People have a right to privacy but other people try hard to break into your phone anyway.
iPhone: The good thing about iPhones (and there are only a few good things about iPhone when it comes to security..) is that they’re almost bullet proof when it comes to malware. There is not antivirus software available for an iPhone because apps are so well jailed that if you have malware in an app (such as from a rogue developer in China) you just uninstall it and that’s it, it’s gone. That said, the way to ensure you don’t have spyware on your phone is to be aware of every single app you have and where you got it from. is there anything on there you don’t recognize? If so, blow it away, your phone will work fine. If you realize you needed it, reinstall it from the app store – no problem. Also, don’t be app-happy: just install what you need, blow away what you don’t use.
Android: Malware can run amok on an Android and it can stay hidden from the user. The way to fight rogue software is with other software, I recommend ESET, it’s powerful antivirus/antimalware software and it’s free, just install it from the app store. It will hunt down and notify you of any tracking software it finds. Don’t bother with McAfee or Symantec software, they’re “feel good” apps that don’t find as much of the down-n-dirty stuff, and Avast and others are okay… but not as effective as ESET in my experience.
Lastly: always set a passcode on your smartphone, no matter what. Note – the government can compel you to provide a fingerprint, but they can’t (… depending…) force you to reveal a passcode.
Information Leakage
Lastly, it’s possible that even after all of the above you could “leak” your location unintentionally. Let’s assume you don’t want Facebook to track your location so you’ve shaped both the app and the website to not track you. Now you’re out with friends at a bar you didn’t tell your parents you were going to with them and you take a closeup selfie with your friend in front of an anonymous brick wall and post it on Facebook. “Wish you were here!”
Your smartphone camera – by default – tags your pictures with your GPS coordinates in the photo metadata along with the timestamp. Anybody can now view that picture, download it and read that metadata, then punch those coordinates into Google Maps and OOOPS – there you are at the bar. You have to go into the phone’s photo app and turn that off, then make darn sure it stays off by checking every once in a while.
If you use a web browser to use a site, you can shape the browser to not report your location. If you use an app, sometimes you can configure that behavior and sometimes you can’t. Do you get your email with the Yahoo Mail app? Do you chat with Facebook’s Messenger app? These are “apps you know”, you need to follow the instructions above and shape that behavior even before sending a single email.
The premise here is that sometimes you get cross-app behavior that you don’t expect and can rat you out. If you really need to hide your location for a window of time, best to use a FawkesBox faraday cage or put your phone in Airplane mode and don’t use it while you’re doing what you’re doing.
I hope this information has been helpful. This is one facet of computing out of very, very many that everyone needs to pay attention to and eventually it gets to be too much. This is why government and business surveillance is rife – it’s a PITA to go through all this, but in the end it’s worth it. Decide for a week that “today is browser day” and focus on Chrome, Firefox settings (don’t use MS Internet Explorer, which has nothing to do with privacy!), and “tomorrow is smartphone day” where you’ll sit down at the coffee shop for an hour and go through all those settings. “Wednesday is laptop day”, “Thursday is TV/Roku/DVD Player security day”… etcetera.
By the end of a single week your security will be worlds better than it was the week before and next time, you’ll know where to look!
Did I miss anything, do you have any suggestions? Please comment below, I’d love to hear about it.