NoGoolag
How the NSA Says You Can Limit Location Data Exposure

The mitigations are designed for government officials, but the advice itself can be useful for many more people.

Location data can be one of the most valuable pieces of information for an attacker, and also arguably one of the hardest to protect. Smartphones are constantly providing such data through apps, the phone's operating system itself, or in virtue of just using telecommunications networks or being near other devices.

With that in mind, the National Security Agency (NSA) on Tuesday published its own guidelines for limiting the exposure of location data. The guidelines are geared more for government officials, but the advice itself can be useful for those hoping to stop sending so much location data to tech companies, ad firms, or apps that may then expose it later.

https://www.vice.com/en_us/article/v7gxv3/nsa-location-data-privacy

#us #NSA #privacy #location #data
Los Angeles settles Weather Channel lawsuit, lets it keep selling location data to advertisers

The app will change how it notifies users about location-tracking

Los Angeles has settled its lawsuit against the operator of The Weather Channel app. The city filed litigation against the company in 2019, alleging that the app misled millions of people into granting access to their personal location data and sold that data to third parties.

While IBM is celebrating this moment by calling those original claims “baseless” in a statement to The Verge, it sounds like they were largely true — since the only thing the settlement requires is for The Weather Channel to proactively warn users that yes, your location data is for sale.

https://www.theverge.com/2020/8/19/21376217/los-angeles-the-weather-channel-app-lawsuit-settlement-location-data-selling

#US #LosAngeles #IBM #location #data #lawsuit #privacy
How Your Phone Is Used to Track You, and What You Can Do About It

Smartphone location data, often used by marketers, has been useful for studying the spread of the coronavirus. But the information raises troubling privacy questions.

As researchers and journalists try to understand how the coronavirus pandemic is affecting people’s behavior, they have repeatedly relied on location information from smartphones. The data allows for an expansive look at the movements of millions of people, but it raises troublesome questions about privacy.

In several articles, The New York Times has used location data provided by a company called Cuebiq, which analyzes data for advertisers and marketers. This data comes from smartphone users who have agreed to share their locations with certain apps, such as ones that provide weather alerts or information on local gas stations.

https://www.nytimes.com/2020/08/19/technology/smartphone-location-tracking-opt-out.html

#phone #location #privacy #surveillance
Private Intel Firm Buys Location Data to Track People to their 'Doorstep'

The data comes from hundreds of ordinary apps installed on peoples’ phones around the world.

A threat intelligence firm called HYAS, a private company that tries to prevent or investigates hacks against its clients, is buying location data harvested from ordinary apps installed on peoples' phones around the world, and using it to unmask hackers. The company is a business, not a law enforcement agency, and claims to be able to track people to their "doorstep."

The news highlights the complex supply chain and sale of location data, traveling from apps whose users are in some cases unaware that the software is selling their location, through to data brokers, and finally to end clients who use the data itself. The news also shows that while some location firms repeatedly reassure the public that their data is focused on the high level, aggregated, pseudonymous tracking of groups of people, some companies do buy and use location data from a largely unregulated market explicitly for the purpose of identifying specific individuals.

https://www.vice.com/en_us/article/qj454d/private-intelligence-location-data-xmode-hyas

#intelligence #firm #HYAS #data #location #privacy
Forwarded from Privacy Matters 🛡️
All the ways your Phone tracks your location.

Your phone (Android or iPhone) is tracking your location even if you disable Location Services, turn on airplane mode, and disable Bluetooth. Learn how to stop it once and for all.

📹 Watch it via:
YouTube || Invidious

📡 @howtobeprivateonline
#Surveillance #Location #Privacy #Guide
Forwarded from Privacy Matters 🛡️
Your phone is LISTENING to you - Ultrasonic cross device tracking

Ultrasonic cross-device tracking uses inaudible, high-frequency sounds to link your devices − TVs, phones, tablets and PCs − so that advertisers can better track you.

📹 Watch it via:
YouTube || Invidious

📖 Bat in the mobile. A Study on Ultrasonic Tracking Read more...

📡 @howtobeprivateonline
#Surveillance #Ads #IOT #Tracking #Location
How the U.S. Military Buys Location Data from Ordinary Apps

A Muslim prayer app with over 98 million downloads is one of the apps connected to a wide-ranging supply chain that sends ordinary people's personal data to brokers, contractors, and the military.

The U.S. military is buying the granular movement data of people around the world, harvested from innocuous-seeming apps, Motherboard has learned. The most popular app among a group Motherboard analyzed connected to this sort of data sale is a Muslim prayer and Quran app that has more than 98 million downloads worldwide. Others include a Muslim dating app, a popular Craigslist app, an app for following storms, and a "level" app that can be used to help, for example, install shelves in a bedroom.

Through public records, interviews with developers, and technical analysis, Motherboard uncovered two separate, parallel data streams that the U.S. military uses, or has used, to obtain location data. One relies on a company called Babel Street, which creates a product called Locate X. U.S. Special Operations Command (USSOCOM), a branch of the military tasked with counterterrorism, counterinsurgency, and special reconnaissance, bought access to Locate X to assist on overseas special forces operations. The other stream is through a company called X-Mode, which obtains location data directly from apps, then sells that data to contractors, and by extension, the military.

https://www.vice.com/en/article/jgqm5x/us-military-location-data-xmode-locate-x


#US #military #intelligence #privacy #location #why
Salaat First: Another Popular Muslim Prayer App Sells Location Data to FBI, ICE

Salaat First shared location data with a French firm Predicio which had customers including Venntel, a US government contractor.

The methods of surveillance have changed over time. Nowadays, government agencies do not need to follow someone to track their activities. Mobile phone users, unknowingly, hand over their privacy rights to the tech companies that in turn sell it to government contractors. A popular Muslim prayer app, named Salaat First, was found selling users' location data to its partner that has customers with US government agencies including the FBI and ICE.

Salaat First, which reminds its users about Muslim prayer timings, has been downloaded over 10 million times on Android. To accurately tell users prayer times, Salaat First asks for permission to read precise location, has access to device ID, phone, media storage, USB storage and full network access. However, the app developer was selling the same user data to its partner, a French firm named Predicio.

https://www.ibtimes.sg/salaat-first-another-popular-muslim-prayer-app-sells-location-data-fbi-ice-54843

#US #France #FBI #ICE #surveillance #location #data
⚠️Update Android A-GPS⚠️

A-GPS sends your IMSI and exact location to the selected SUPL server. On Android, the supl.google.com server is selected by default when your SIM provider has not preconfigured its own SUPL server on Android. This is the case in most non-US countries. So your IMSI and location will be sent to Google.

Do not use supl.vodafone.com, thanks to @ yova777 we know that it redirects to supl.google.com.

The method of changing / disabling your SUPL server is different for each device.

You need to find a file like:
-system/etc/gps.conf
-vendor/etc/gps.conf
-vendor/etc/gnss/agps_profiles_conf2.xml
- or files alike where you can edit the supl server

You can use this command to find it, modify xyz:
find / | grep xyz

- or you can try this module, but you should modify it, or it just points to Vodafone/Google by default:
https://github.com/PlqnK/magisk-supl-replacer

You can also use 'localhost' but this will take several minutes if AGPS is requested.



PS
This method is not proven to be working yet!

Thanks @ sennaofficial

This is how some roms deal with it (thanks @ Rimana_a):

GrapheneOS
-Implement toggle for changing between carrier and Google SUPL server.
https://github.com/GrapheneOS/os-issue-tracker/issues/914
-Implement toggle for restricting device identifiers sent to SUPL server
https://github.com/GrapheneOS/os-issue-tracker/issues/915

DivestOS removes imsi

CalyxOS uses the system-provided or network-provided SUPL server (xtracloud on Qualcomm phones). I couldn't find what fallback server is used.

Both Lineage OS and /e/ have Google's set as fallback.

#agps #gps #location #android
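
Added example (not part of the original post or of any project's code): a read-only check that reports which SUPL server the gps.conf files named in the post currently select, useful for confirming an edit after a reboot. It assumes the standard SUPL_HOST / SUPL_PORT keys and a shell with awk (for example BusyBox); the sample tree and its values are constructed.

```shell
#!/bin/sh
# Added example: show which SUPL server each gps.conf selects (read-only).

# Print "host<TAB>port" for the active SUPL_HOST in one gps.conf-style file.
supl_entry() {
    [ -r "$1" ] || return 0
    awk -F= '
        { sub(/#.*/, ""); k = $1; v = $2
          gsub(/[ \t\r]/, "", k); gsub(/[ \t\r]/, "", v) }
        k == "SUPL_HOST" { host = tolower(v) }
        k == "SUPL_PORT" { port = v }
        END { if (host != "") printf "%s\t%s\n", host, (port == "" ? "-" : port) }
    ' "$1"
}

# "google" covers supl.google.com and the Vodafone name the post says redirects to it.
classify_host() {
    case $1 in
        supl.google.com|supl.vodafone.com) echo google ;;
        localhost|127.0.0.1) echo local ;;
        *) echo other ;;
    esac
}

# Check the gps.conf locations named in the post under a root (default /).
audit_supl() {
    root=${1:-/}
    tab=$(printf '\t')
    for rel in system/etc/gps.conf vendor/etc/gps.conf; do
        supl_entry "${root%/}/$rel" | while IFS=$tab read -r host port; do
            printf '%s: SUPL_HOST=%s port=%s -> %s\n' \
                "/$rel" "$host" "$port" "$(classify_host "$host")"
        done
    done
}

# Constructed sample tree so the script runs off-device.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/system/etc" "$d/vendor/etc"
    printf '%s\n' '# constructed sample' '#SUPL_HOST=supl.example.invalid' \
        'SUPL_HOST=supl.google.com' 'SUPL_PORT=7275' > "$d/system/etc/gps.conf"
    printf '%s\n' 'SUPL_HOST = localhost' 'SUPL_PORT = 7275' > "$d/vendor/etc/gps.conf"
    echo "$d"
}

sample=$(make_sample_tree)
audit_supl "$sample"
rm -rf "$sample"
```

On a device, calling audit_supl with no argument from a root shell reads the real files; commented-out SUPL_HOST lines are ignored, so only the active setting is reported.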
⚠️Update AGPS mediatek devices⚠️

The following method is now proven to work (on the note 8 pro).

1. Download QuickEdit and grant root access.
2. Go to /vendor/etc/gnss/agps_profiles_conf2.XML
3. Edit all the supl.google.com servers as shown in the pictures below. Do not edit or remove ANYTHING else; if you do so the file will be ignored by the GPS app.
4. If you set a server that does not work, it will ping a mediatek server.
5. Reboot and enjoy.

I have included an instruction video on how to do so.

PS
Do not use the vodafone server as in the video!

All servers can be used:

#location #agps #gps

https://t.me/NoGoolag/64
https://t.me/NoGoolag/11136
https://t.me/NoGoolag/11293
⚠️Update AGPS mediatek devices⚠️

The following method is now proven to work (on the note 8 pro).

1. Download QuickEdit, or any root text editor, and grant root access.
2. Go to /vendor/etc/gnss/agps_profiles_conf2.XML
3. Edit all the supl.google.com servers as shown in the pictures below. Do not edit or remove ANYTHING else, like the name or port; if you do so the file will be ignored by the GPS app.
4. If you set a server that does not work, it will ping a mediatek server.
5. If you have set your NTP_SERVER to pool.ntp.org your new supl server might not work.
6. Reboot and enjoy

If you still want to use the supl.google.com server you can remove your IMSI from the message by disabling this option (set imsi_enable=false)

I have included an instruction video on how to do so.

PS
Do not use the vodafone server as in the video! This redirects to supl.google.com

https://t.me/NoGoolag/64
Qualcomm https://t.me/NoGoolag/11136
Mediatek https://t.me/NoGoolag/11308

#location #agps #gps #mediatek
New documents reveal ‘huge’ scale of US government’s cell phone location data tracking

The Department of Homeland Security (DHS) used mobile location data to track people’s movements on a much larger scale than previously known, according to new documents unearthed by the American Civil Liberties Union (ACLU).

It’s no secret that U.S. government agencies have been obtaining and using location data collected by Americans’ smartphones. In early 2020, a Wall Street Journal report revealed that both Immigration and Customs Enforcement (ICE) and Customs and Border Protection (CBP) bought access to millions of smartphone users’ location data to track undocumented immigrants and suspected tax dodgers.

However, new documents obtained by the ACLU through an ongoing Freedom of Information Act (FOIA) lawsuit now reveal the extent of this warrantless data collection. The 6,000-plus records reviewed by the civil rights organization contained approximately 336,000 location points across North America obtained from people’s phones. They also reveal that in just three days in 2018, CBP obtained records containing around 113,654 location points in the southwestern United States — more than 26 location points per minute.

https://techcrunch.com/2022/07/18/homeland-security-cell-phone-tracking
#dhs #location #tracking
Blocking xtrapath1.izatcloud.net, xtrapath2.izatcloud.net & xtrapath3.izatcloud.net is great for privacy, #Qualcomm gathers a huge amount of user data.

https://github.com/jerryn70/GoodbyeAds/issues/160

Issue
Requests from these domains are needed for people that use their #GPS. I had many GPS issues and didn't find how to get rid of these... After noticing that these domains were making requests each 5 min, I found why I experienced these issues : A-GPS data was not updated at all.

What data is really collected ? Qualcomm official's website answers:
XTRA uploads the following data types: a randomly generated unique ID, the chipset name and serial number, XTRA software version, the mobile country code and network code (allowing identification of country and wireless operator), the type of operating system and version, device make and model, the time since the last boot of the application processor and modem, and a list of our software on the device

They just forgot to mention that this data is sent with no encryption (except in the xtra3grc.bin format, hope that they're exclusively using that now...). Of course it should be blocked. But it's necessary to allow one of those 3 domains in order to make the GPS work properly.

So I whitelisted one of those domains for 5 min and once the request was done I blacklisted it again, GPS is now working as intended. But I know the issue will come back in about 7 days. (I think that I'm still moderately protected from Qualcomm's threat of privacy, because after less than 3 hours these domains were making requests again.)

I tested with Google maps, Waze, TomTom and Mappy, every time all of these apps were unable to refresh my position in real time, and after more than 3-4 months it was just not working at all.

Solution
Like for graph.facebook.com, add a notice to warn users about these GPS issues.

Sources :
https://wwws.nightwatchcybersecurity.com/tag/gps/
https://www.qualcomm.com/site/privacy/services
Also see https://en.wikipedia.org/wiki/Assisted_GPS

#agps #location #android
Is This the End of Geofence Warrants?

Google announced this week that it will be making several important changes to the way it handles users’ “Location History” data. These changes would appear to make it much more difficult—if not impossible—for Google to provide mass #location data in response to a geofence warrant, a change we’ve been asking #Google to implement for years.

https://www.eff.org/deeplinks/2023/12/end-geofence-warrants