The deepest privacy threat from mobile phones—yet one that is often completely invisible—is the way that they announce your whereabouts all day (and all night) long through the signals they broadcast. There are at least four ways that an individual phone's location can be tracked by others.
- Mobile Signal Tracking from Towers
- Mobile Signal Tracking from Cell Site Simulators
- Wi-Fi and Bluetooth Tracking
- Location Information Leaks from Apps and Web Browsing
Mobile Signal Tracking — Towers
In all modern mobile networks, the operator can calculate where a particular subscriber's phone is located whenever the phone is powered on and registered with the network. The ability to do this results from the way the mobile network is built, and is commonly called triangulation.
One way the operator can do this is to observe the signal strength that different towers observe from a particular subscriber's mobile phone, and then calculate where that phone must be located in order to account for these observations. This is done with Angle of Arrival measurements or AoA. The accuracy with which the operator can figure out a subscriber's location varies depending on many factors, including the technology the operator uses and how many cell towers they have in an area. Usually, with at least 3 cell towers the operator can get down to ¾ of a mile or 1km. For modern cell phones and networks trilateration is also used. In particular, it is used where the “locationInfo-r10” feature is supported. This feature returns a report that contains the phone’s exact GPS coordinates.
There is no way to hide from this kind of tracking as long as your mobile phone is powered on, with a registered SIM card, and transmitting signals to an operator's network. Although normally only the mobile operator itself can perform this kind of tracking, a government could force the operator to turn over location data about a user (in real-time or as a matter of historical record). In 2010, a German privacy advocate named Malte Spitz used privacy laws to get his mobile operator to turn over the records that it had about his records; he chose to publish them as an educational resource so that other people could understand how mobile operators can monitor users this way. (You can visit here to see what the operator knew about him.) The possibility of government access to this sort of data is not theoretical: it is already being widely used by law enforcement agencies in countries like the United States.
Another related kind of government request is called a tower dump; in this case, a government asks a mobile operator for a list of all of the mobile devices that were present in a certain area at a certain time. This could be used to investigate a crime, or to find out who was present at a particular protest.
- Reportedly, the Ukrainian government used a tower dump for this purpose in 2014, to make a list of all of the people whose mobile phones were present at an anti-government protest.
- In Carpenter v. United States, the Supreme Court ruled that obtaining historical cell site location information (CSLI) containing the physical locations of cellphones without a search warrant violates the Fourth Amendment.
Carriers also exchange data with one another about the location from which a device is currently connecting. This data is frequently somewhat less precise than tracking data that aggregates multiple towers' observations, but it can still be used as the basis for services that track an individual device—including commercial services that query these records to find where an individual phone is currently connecting to the mobile network, and make the results available to governmental or private customers. (The Washington Post reported on how readily available this tracking information has become.) Unlike the previous tracking methods, this tracking does not involve forcing carriers to turn over user data; instead, this technique uses location data that has been made available on a commercial basis.
Mobile Signal Tracking — Cell Site Simulator
A government or another technically sophisticated organization can also collect location data directly, such as with a cell site simulator (a portable fake cell phone tower that pretends to be a real one, in order to “catch” particular users' mobile phones and detect their physical presence and/or spy on their communications, also sometimes called an IMSI Catcher or Stingray). IMSI refers to the International Mobile Subscriber Identity number that identifies a particular subscriber's SIM card, though an IMSI catcher may target a device using other properties of the device as well.
The IMSI catcher needs to be taken to a particular location in order to find or monitor devices at that location. It should be noted that IMSI traffic interception by law enforcement would meet the parameters for a warrant. However, a “rogue” CSS, (not set up by law enforcement) would be operating outside of those legal parameters.
Currently there is no reliable defense against all IMSI catchers. (Some apps claim to detect their presence, but this detection is imperfect.) On devices that permit it, it could be helpful to disable 2G support (so that the device can connect only to 3G and 4G networks) and to disable roaming if you don't expect to be traveling outside of your home carrier's service area. Additionally, it could be helpful to use encrypted messaging such as Signal, WhatsApp, or iMessage to ensure the content of your communications can’t be intercepted. These measures may protect against certain kinds of IMSI catchers.
Wi-Fi and Bluetooth Tracking
Modern smartphones have other radio transmitters in addition to the mobile network interface. They usually also have Wi-Fi and Bluetooth support. These signals are transmitted with less power than a mobile signal and can normally be received only within a short range (such as within the same room or the same building), although someone using a sophisticated antenna could detect these signals from unexpectedly long distances; in a 2007 demonstration, an expert in Venezuela received a Wi-Fi signal at a distance of 382 km or 237 mi, under rural conditions with little radio interference. However, this scenario of such a wide range is unlikely. Both of these kinds of wireless signals include a unique serial number for the device, called a MAC address, which can be seen by anybody who can receive the signal.
Whenever Wi-Fi is turned on, a typical smartphone will transmit occasional “probe requests” that include the MAC address and will let others nearby recognize that this particular device is present. Bluetooth devices do something similar. These identifiers have traditionally been valuable tools for passive trackers in retail stores and coffee shops to gather data about how devices, and people, move around the world. However, on the latest updates on iOS and Android, the MAC address included in probe requests is randomized by default programmatically, which makes this kind of tracking much more difficult. Since MAC randomization is software based, it is fallible and the default MAC address has the potential to be leaked. Moreover, some Android devices may not implement MAC randomization properly (PDF download).
Although modern phones usually randomize the addresses they share in probe requests, many phones still share a stable MAC address with networks that they actually join, such as sharing a connection with wireless headphones. This means that network operators can recognize particular devices over time, and tell whether you are the same person who joined the network in the past (even if you don't type your name or e-mail address anywhere or sign in to any services).
A number of operating systems are moving towards having randomized MAC addresses on WiFi. This is a complex issue, as many systems have a legitimate need for a stable MAC address. For example, if you sign into a hotel network, it keeps track of your authorization via your MAC address; when you get a new MAC address, that network sees your device as a new device. iOS 14 has settings per-network, “Private MAC addresses.”
Location Information Leaks From Apps and Web Browsing
Modern smartphones provide ways for the phone to determine its own location, often using GPS and sometimes using other services provided by location companies (which usually ask the company to guess the phone's location based on a list of cell phone towers and/or Wi-Fi networks that the phone can see from where it is). This is packaged into a feature both Apple and Google call “Location Services”. Apps can ask the phone for this location information and use it to provide services that are based on location, such as maps that display your location on the map. The more recent permissions model has been updated for applications to ask to use location. However, some applications can be more aggressive than others asking to either use GPS or the combination of Location Services.
Some of these apps will then transmit your location over the network to a service provider, which, in turn, provides a way for the application and third parties they may share with to track you. (The app developers might not have been motivated by the desire to track users, but they might still end up with the ability to do that, and they might end up revealing location information about their users to governments or a data breach.) Some smartphones will give you some kind of control over whether apps can find out your physical location; a good privacy practice is to try to restrict which apps can see this information, and at a minimum to make sure that your location is only shared with apps that you trust and that have a good reason to know where you are.
In each case, location tracking is not only about finding where someone is right now, like in an exciting movie chase scene where agents are pursuing someone through the streets. It can also be about answering questions about people's historical activities and also about their beliefs, participation in events, and personal relationships. For example, location tracking could be used to find out whether certain people are in a romantic relationship, to find out who attended a particular meeting or who was at a particular protest, or to try to identify a journalist's confidential source.
The Washington Post reported in December 2013 on NSA location-tracking tools that collect massive amounts of information “on the whereabouts of cellphones around the world,” mainly by tapping phone companies' infrastructure to observe which towers particular phones connect to, and when those phones connect to those towers. A tool called CO-TRAVELER uses this data to find relationships between different people's movements (to figure out which people's devices seem to be traveling together, as well as whether one person appears to be following another).
Behavioral Data Collection and Mobile Advertising Identifiers
In addition to the location data collected by some apps and websites, many apps share information about more basic interactions, such as app installs, opens, usage, and other activity. This information is often shared with dozens of third-party companies throughout the advertising ecosystem enabled by real-time bidding (RTB). Despite the mundane nature of the individual data points, in aggregate this behavioral data can still be very revealing.
Advertising technology companies convince app developers to install pieces of code in software development kit (SDK) documentation in order to serve ads in their apps. These pieces of code collect data about how each user interacts with the app, then share that data with the third-party tracking company. The tracker may then re-share that information with dozens of other advertisers, advertising service providers, and data brokers in a milliseconds-long RTB auction.
This data becomes meaningful thanks to the mobile advertising identifier, or MAID, a unique random number that identifies a single device. Each packet of information shared during an RTB auction is usually associated with a MAID. Advertisers and data brokers can pool together data collected from many different apps using the MAID, and therefore build a profile of how each user identified by a MAID behaves. MAIDs do not themselves encode information about a user’s real identity. However, it’s often trivial for data brokers or advertisers to associate a MAID with a real identity, for example by collecting a name or email address from within an app.
Mobile ad IDs are built into both Android and iOS, as well as a number of other devices like game consoles, tablets, and TV set top boxes. On Android, every app, and every third-party installed in those apps, has access to the MAID by default. Furthermore, there is no way to turn off the MAID on an Android device at all: the best a user can do is to “reset” the identifier, replacing it with a new random number. In the latest version of iOS, apps finally need to ask permission before collecting and using the phone’s mobile ad ID. However, it’s still unclear whether users realize just how many third parties may be involved when they agree to let a seemingly-innocuous app access their information.
Behavioral data collected from mobile apps is used primarily by advertising companies and data brokers, usually to do behavioral targeting for commercial or political ads. But governments have been known to piggyback on the surveillance done by private companies.
Further reading on browser tracking: What Is Fingerprinting?
What is privacy on mobile device? ›
Android 12 includes a privacy dashboard to show what apps have been up to, as well as shortcuts to managing the information that Google collects and stores in one's Google Account. If you are curious, Apple and Google have posted statements about how they use your data.
Applications running on your phone may be granted access to certain sensors or data, and may be sharing that data with the developer (and advertisers). Criminals may infiltrate your phone through malware, hacking, or physical access to your device.Which phone has highest privacy? ›
- Blackphone PRIVY 2.0 – Top-level security.
- Sirin Labs Finney U1 – Best for crypto users.
- Bittium Tough Mobile C – Best for private key management.
- Purism Librem 5 – Best for maximum security.
- Sirin Solarin – Best for preventing incoming threats.
- Google Pixel 5. ...
- Samsung Galaxy S20 Ultra. ...
- Apple iPhone SE. ...
- Silent Circle Blackphone 2. ...
- Sirin Labs Finney U1. ...
- BlackBerry Key2. ...
- Blackberry DTEK50. ...
- BlackBerry KeyOne.
Some experts believe that smartphones pose privacy risks because they can easily be turned into surveillance devices without impairing their functions. They also say that smartphones can be used as tracking devices by private hackers, the government, or cloud service provider.Who can see what I do on my phone? ›
Unfortunately, spyware apps aren't the only way that someone can spy on your phone activity, though. ISPs, governments, WiFi administrators, search engines, website owners, and hackers all have the capacity to spy on certain aspects of what you do on your phone – without having to install any spyware software.Are cell phones really private? ›
Cell phones can be tracked by the government pulling information from your service provider. A person places or receives a call on their cell phone, which connects to the nearest cellular tower transmitting information through the strongest signal.How can we protect our privacy when using smartphones? ›
- Enable two-factor authentication.
- Set a strong passcode (and consider disabling fingerprint or face login)
- Audit app permissions.
- Enable automatic updates.
- Enable Find My Device.
- Keep sensitive notifications off the lock screen.
- Disable personalized ads.
- Give your Google account a privacy check-up.
Short wavelength blue light emitted by smartphones and other types of screens can cause health effects like eye strain and pain. This type of light may even damage the cornea and impact vision. The cornea is a clear lens on the front of the eye.Which phones get hacked the most? ›
|Most hacked phone brands (US)||Total search volume|
What phone is hardest to hack? ›
Among the most secure Phones – Purism Librem 5
The Purism Librem 5 comes with three kill switches, hardware-wise, that can turn off the sensors. These switches are located for the cameras, microphone, Wi-Fi, Bluetooth, and cellular baseband. This phone has all the significant trackers disabled by default.
Apple's mobile devices and their operating systems are inseparable, giving them far more control over how they work together. While iOS device features are more restricted than an Android device, the iPhone's integrated design makes security vulnerabilities far less frequent and harder to find.Which phone does not spy on you? ›
A Security and Privacy Focused Phone
“The Purism Librem 5 is designed with security in mind and has privacy protection by default.”
A phone that is turned off is difficult to track because it stops sending signals to cell towers. However, the service provider or internet provider can show the last location once it's switched back on.Can your phone hear your conversation? ›
Foremost, our phones listen to us to virtually assist us. That's through voice assistant apps, like Siri and “Hey Google,” but also through personalized advertisements that follow conversations had on them.Does government check your phone? ›
Even if the international supply chain of phone location data is opaque, the data often eventually gets into the hands of law enforcement authorities. Overall, you should realize that the state can track your phone, just in the same way they can easily track your physical location.Can you tell if your phone is being monitored? ›
Can you tell if your phone is being monitored? Yes, there are signs that will tell you when your phone is being monitored. These signs include overheating of your device, the battery draining fast, receiving odd text messages, hearing weird sounds during calls, and random reboots of your phone.Can you tell if someone has access to your phone? ›
Pick Digital Wellbeing & parental controls from Android Settings or Screen Time from iOS Settings. There, you can dig in to see which apps have been in use over the past 24 hours or the past few days—if there are apps you don't remember using, it might be a sign that someone else has been on your phone.Can someone watch you through your phone camera? ›
Plenty of spy and stalkerware exists that could compromise your device, and anyone with the right software and expertise could realistically use your phone's camera to spy on you. On top of that, popular app developers aren't immune to accusations of watching you through your phone's camera.Are phones always listening? ›
Smartphones do pick up audio in your environment, but it's not the same as actively listening to your conversations unless you activate a voice assistant. Unless you start your sentences with “Hey, Siri,” “OK, Google,” or “Alexa,” there's no need to worry that your phone could be spying on specific conversations.
Is the government listening to me? ›
Government cannot spy or listen without a search warrant
But the good news is, according to the law, the government or any of its subsidiary bodies has no right to deliberately tap or listen in on any U.S. citizens and resident without a search warrant.
Privacy is important because: Privacy gives us the power to choose our thoughts and feelings and who we share them with. Privacy protects our information we do not want shared publicly (such as health or personal finances). Privacy helps protect our physical safety (if our real time location data is private).How do I make my phone completely private? ›
- The basic principle: Turn everything off. ...
- Avoid Google Data Protection. ...
- Use a PIN. ...
- Encrypt your device. ...
- Keep your software up-to-date. ...
- Be wary of unknown sources. ...
- Check app permissions. ...
- Review your cloud sync.
All sorts of apps can request permission to access the camera, microphone, and other features, such as location information, on your phone or computer. Using the steps below, it's easy to see which apps have requested permission and revoke permissions that you've granted in the past.What are 4 dangers to be aware of for mobile phone users? ›
- other health effects.
- electromagnetic interference.
- traffic accidents.
In fact, modern smartphones are as powerful as desktop computers, but “know” much more about their owners: current and past location, contents of their private text messages, photos and other sensitive information, as well as their online banking credentials and other financial data.What are your privacy settings? ›
Privacy settings are controls available on many websites and apps to limit who can access your profile and what information visitors can see. When online profiles are created, it's often assumed that they will be private by default.How do I make my phone private? ›
- RESTRICTS APP PERMISSION:
- UNINSTALL UNUSED APPS:
- STOP WEBSITES FROM TRACKING YOU:
- SWITCH TO AN ENTIRELY DIFFERENT BROWSER:
- DO NOT TRUST INCOGNITO MODE:
On Android: Open the App Drawer, go into Settings, select Location, and then enter Google Location Settings. Here, you can turn off Location Reporting and Location History.Why is privacy so important? ›
Privacy is important because: Privacy gives us the power to choose our thoughts and feelings and who we share them with. Privacy protects our information we do not want shared publicly (such as health or personal finances). Privacy helps protect our physical safety (if our real time location data is private).
Who can see my data? ›
Internet Service Providers (ISPs) can see everything you do online. They can track things like which websites you visit, how long you spend on them, the content you watch, the device you're using, and your geographic location.Who can see my Google activity? ›
- Go to your Google Account.
- On the left, click Personal info.
- Under “Choose what others see”, click Go to About me.
- Below a type of info, you can choose who currently sees your info.
- Choose one of the following: To make the info private, click Only you. .
You'll lose all the data and content in that account, like emails, files, calendars, and photos. You won't be able to use Google services where you sign in with that account, like Gmail, Drive, Calendar, or Play.Are Iphones really private? ›
Full device encryption scrambles all of the data stored on the device making it unreadable from outside of the device. Lucky for us, today's smartphones come with full device encryption enabled by default, making it almost impossible to steal information from the phone if it is lost or stolen.Can someone steal data from your phone? ›
Skilled hackers can take over a hacked smartphone and do everything from making overseas phone calls, sending texts, and using your phone's browser to shop on the Internet. Since they're not paying your smartphone bill, they don't care about exceeding your data limits.How do I make my iPhone completely private? ›
- Enable two-factor authentication.
- Set a strong passcode (and consider disabling Touch ID or Face ID)
- Change what's accessible on your lock screen.
- Clean up lock-screen widgets and notification settings.
- Audit app permissions.
- Use “Sign in with Apple”
- Enable automatic updates.
- Disable ad tracking.
- Your phone randomly reboots without your permission.
- You notice your phone is slow and takes longer to load than before.
- You receive strange text messages you can't place.
- Your device tends to overheat for no reason.
Plenty of spy and stalkerware exists that could compromise your device, and anyone with the right software and expertise could realistically use your phone's camera to spy on you. On top of that, popular app developers aren't immune to accusations of watching you through your phone's camera.What to dial to see if your phone is being monitored? ›
*#21# This simple code let you find out whether your calls, messages, and other data are being diverted. The status of the different types of diversions that are taking place along with the number the information is being transferred to will be displayed on your phone's screen.