I've never heard anybody think setting "location services" to "off" prevented your cell service from detecting your location and presence, which can then of course be shared with law enforcement.
The toggle is for not sharing your location with installed applications.
I think everybody knows that if it's important not to be tracked by law enforcement (e.g. attending an illegal protest), you don't take your phone in the first place. (And certainly everyone on HN already knows.)
I think amongst the technically literate here on HN, probably 99% know what the switch does. But amongst the public at large there are ABSOLUTELY people that think the location button is magic. Non-technically literate people need protection just as much as us, and this the way this button is labelled fails them.
Easy to do on a laptop running linux -- network manager even has built-in GUI functions to randomize your MAC -- but a little more challenging on a locked down cellphone that's tied to a SIM card
Have you done a survey? I’d be surprised if a sizable percentage of the population wasn’t aware of that distinction after multiple decades of watching actors trace people using cell towers. They even talk about the difference as a plot point since it means the actors have to search around looking heroic instead of just watching someone use a computer map.
And watching other actors pop batteries in and out of burner phones. "The network knows where your phone is" is a well established part of pop tech assumptions.
Despite all this, if it came to overthrow a surprise dictatorship tomorrow qI'd still expect almost everybody, myself included as well as a majority of hn readers almost as big as that amongst the general population, to naively show up at the street riots with their devices happily logged into the network. But not a single one of them would do so because they believed that toggling the GPS feature to off somehow protected them.
> I'd still expect almost everybody, myself included as well as a majority of hn readers almost as big as that amongst the general population, to naively show up at the street riots with their devices happily logged into the network
I agree this would be common but lower percentages after the George Floyd protests got a LOT of widely-circulated warnings on social media, and then a bit later a ton of right-wingers were getting rounded up for January 6th. I think those were eye opening for a lot of the people for whom this is likely to be relevant.
I think you’re massively underestimating people. Anyone who’s watched a cop tv show in the last 20 years knows you can get a persons location via their carrier by seeing which cell towers they were near.
Every day somebody is born who hasn’t heard somebody say “triangulate the signal” on some procedural.
Meanwhile the intersection of “hasn’t heard this” and “is intentionally turning off location services on phones” is, I imagine, an extremely small cohort of the phone using population. But this would be a good sort of public poll to do!
there were 4.97bn mobile internet users in 2022 accounting for almost 60% of total web traffic.
yeah. most people don't know they're supposed to care about the amount of just how little to no privacy they really don't have anymore. general awareness to the function of a tap-on tap-off feature like this, something that's, with a staunch juxtaposition, not currently infringing nor bearing any matter to whatever social-media-esque consumption they're filling their eyes-on-screen time with as they go about living a naive inspired blissful existence, their attention no doubt occupied by and kept busy with literally any and every other thing.
You're not wrong but who is going to read a software devs blog? If this was some major news outlet writing a tech piece then the public at large may actually be reached with this info
It does hide your home IP address if you are on your home WIFI. That works for web traffic and sites you visit if you don't leave other fingerprints. Of course that is only one of the location indicators.
Article author here. This is exactly my point. This could be so much clearer.
Think about when you open a private window in Chrome. There's a clear warning that your ISP or school or employer may know what websites you visit anyway. But there's no such warning for smartphones. It just says "Location: Off" and people don't know.
I think you'd have to be sending and receiving to stay connected to the towers at all. I haven't tried it, but if it's true that you can still call 911 while in airplane mode then you're certainly sending and receiving. What we need is a "No really, all radios off" switch, preferably a hardware switch, but if we had one maybe people would opt of being tracked all the time.
True, but none of them are going to stumble on the boutique article about it. If that's the audience, this should meet the technically illiterate where they are; twitter, youtube, facebook, etc.
I wrote the article to notify an audience a little bit broader than Hacker News. There are many people who seem to think that it's only Google or Apple or Facebook they need to worry about; or that if they get GrapheneOS they are now really-secure and really-private (which they are, from Google, but not really overall). The very idea that their cellphone carrier may have their location, even without their phone cooperating, is often a foreign idea they never thought of.
This is, of course, a very long rabbit trail that never ends. Your license plate could get scanned. You could get picked up on cameras and run through facial recognition. But it's still important to call out areas that people may not have considered. Imagine a journalist - if nobody calls this out because "everyone knows," she might have installed GrapheneOS, signed up for ProtonMail, paid with cash for a SIM card, and gone off to cover some story without realizing this blind spot.
> I think everybody knows that if it's important not to be tracked by law enforcement (e.g. attending an illegal protest), you don't take your phone in the first place.
My home state would not have almost every police department armed to the teeth with IMSI Catchers if everybody just knew they weren't supposed to do that.
How is this a click bait title? Hacker News commenters often have a bad perspective on how non-tech people ought to see the world, and this is a great example. I'm not in tech, so I find it entirely reasonable to expect that if my phone has a "location tracking off" switch, it will disable location tracking. I honestly can't comprehend why you think this isn't a reasonable point of view.
There's been a bizarre shift in discourse about privacy in the last 15 years. When most of these posters were young, they actually cared about keeping their personal information private. The idea that you would carry around a device with a location tracker that could only be turned off by deactivating the device, would have been horrifying.
Now, at least on HN, these same people are saying This is Fine. Maybe their companies depend on exploiting the ignorant.
Cell phones 15 years ago still leaked location information via the cell tower they connected to, didn’t they? This doesn’t seem like a development from the past 15 years like you’re saying.
So if you were privacy conscious to that extent 15 years ago, you didn’t carry a cell phone. That didn’t change.
It is only private on your side, it changes nothing for the sites you visit or their partners, they can still track you, and your IP address is still visible. It is not a blocker like uBlock, though in the case of Firefox, turning on private mode also enables a builtin blocker.
It is explained clearly when you open Incognito mode in Chrome, and people complained that it doesn't do what it says it doesn't.
On the original iPhone the location switch was basically real. Location services burned a ton of battery and law enforcement's ping capability was rudimentary.
Back then turning the switch off made a smartphone as difficult to locate as a dumbphone. The phone had to exert a lot of energy to know where it was even within a city block.
I'm not convinced this has changed much. Obviously if the Eye of Sauron chooses to focus on your location there's no way to avoid it but I would bet that mundane cell phone location logs are sharply limited by tower storage, CPU limits, and probably by software licensing.
I'd be interested to hear from a cell tower software engineer.
Yet the toggle is automatically on for a number of applications even when it says its turned off.
That still makes its existence a misleading coercive lie giving you the illusion of control; for those that don't already know better. These dark patterns should be illegal (and in fact are if you take a strict constructional meaning from deceptive and unfair business practices already codified in law).
Its just effective enforcement of antitrust, and FTC violations simply isn't occurring at these monoliths.
I'm guessing there's a big overlap in the population that thinks "locations services" set to "off" protects their location also thinks that "incognito" hides their identify even when they log in to a site.
Yes there is no way to avoid Apple knowing where you are at all times. It is possible to turn off Google's location knowledge on an Android with a little tinkering, but that can break some things.
As someone (like many of us) who had phones pre-smartphone, it's pretty obvious to me that switching location services off was only to prevent apps from doing so.
Your carrier has in my mind, always been able to determine your location. We had movies doing triangulation based on phone calls to catch criminals.
The guy who wrote the article was 21, so it's not a stretch to think they only grew up in the smartphone world and didn't have that base understanding.
This just isn't the case with modern phones. 5G and 4G use active beam forming. It usually only takes a single tower to figure out bearing and signal strength can indicate range. With just one tower, a carrier knows where a 5G phone is within 10m. Combining multiple towers shrinks that rapidly.
I know of a few occasions [0] when missing persons were found stranded in the mountains due to the assistance of cell tower triangulation. That said, it's a pain to get any element of accuracy and in the US, it takes a lengthy legal process for law enforcement to obtain that data.
>> if it's important not to be tracked by law enforcement (e.g. attending an illegal protest), you don't take your phone in the first place
These days it won't help, thanks to our friends from the AI department. Anyone's identity is easily found from the cameras filming the illegal protest.
"I think everybody knows that if it's important not to be tracked by law enforcement (e.g. attending an illegal protest), you don't take your phone in the first place."
This is because they know that the "location off" switch is a lie.
No, I fully expect GPS to be off even though cell provider can still triangulate my location. On airplane mode I expect both things to be off. Now, I would like to know what is stopping a class action suit on this subject.
No state requires permission to protest. States do require permission to block the streets. However, the courts force such permitting decisions to be neutral to the political message.
That's just factually wrong in the US. ACLU: "If marchers stay on the sidewalks and obey traffic and pedestrian signals, their activity is constitutionally protected even without a permit." There are a few other things to avoid (blocking other pedestrians, using sound amplification devices) without a permit. And of course, private property owners can set their own rules.
>I've never heard anybody think setting "location services" to "off" prevented your cell service from detecting your location and presence, which can then of course be shared with law enforcement.
Notice the article authors' age.
Unlike most of us, they likely never used a pre-internet-capable cellphone.
Agreed. The article talks about going to politically unpopular protests. Anyone who attends those is educated on not taking their phones with them when the stakes are that high.
The second para starts: "Well, that would be the case if we lived in an ideal world, but that switch is more of a polite “please don’t” than an actual deterrent."
>Please don't comment on whether someone read an article. "Did you even read the article? It mentions that" can be shortened to "The article mentions that".
I think it is important that a discussion about something should actually involve the original something. Informed discussion should be ... informed. I think it is facile to appear to actively encourage discussion that is demonstrably uninformed of the OP.
1) you violated the house rules, thats a complete thought, looking for 'what did I do wrong' after that misses the point
2) because that sort of thing tends to lower the level of the conversation. Sniping at each other is easier than substantive conversation and tends to crowd it
I think dang also has an explanation of moderating style and intent floating somewhere that is persuasive and interesting. If you are interested I can try to find it for you, although you might be able to find stuff using the search or reviewing his comment history
Presumably you're commenting to rectify the misinformation, and you can get to the meat of it one sentence sooner if you skip the personal attack. You already know the person you're replying to doesn't read everything in front of them. Why give them more to read? Why open with a personal attack? It never makes people like you.
A couple of months ago, I speculated on this very forum that there must be companies that actively hoover up all of you app and cookie data to build an on-demand profile of you. Someone pointed me to "acxiom", which grudgingly, over the course of two months gave me a dump of what they knew about me. A lot of it was wrong, but they knew what stores I shopped at, my diet, and what cars I was considering buying. Disturbingly, they had a list of third parties who had purchased information about me, and one was an unnamed healthcare provider who had bought my location data. So, that's where we are as a society now. Sleep tight.
They just had a button for it. The SLA was 45 days, but they slipped that by another week or two. And based on what I got it actually took them about 50 nanoseconds.
Well, and then there’s the problem of your carrier sharing your location with a parade of location data companies, some of whom will hand that data to just about anyone [1,2].
Important reason to never use mobile carrier internet without a VPN. Otherwise they can see all your hostnames via SNI, and the services all get your carrier IP for linking.
This is what I have done for years:
Cellular is always off anywhere near my house. I only turn on cellular when needed. I use Graphene which allows WIFI to be used without cellular for my VOIP calls on voip.ms or jmp.chat. I have been using prepaid cash purchased SIMs but might switch to silent.link. The only way for the carrier to know where I am is if they do something funny on the proprietary baseband modem.
I gotta ask... why? It's your house, anyone who could get your info from a teleco and wants to know your location almost certainly knows your home address, so this is just to protect from know when you're at your house? If you're still turning on cellular around town too, a decently useful map of your location history would exist anyway?
I'm not trying to be snarky or anything, I'm genuinely curious here what the benefit is to you.
I don't have a link handy but the last time I interacted with the user you're replying to, it was also about cell phones, and they were doing dumb things like swapping SIMs with their wife, thinking it would make things more private....somehow.
Guess what a SIM card does when it's put into a new phone? Includes the last IMSI it was installed into when it joins the carrier's network.
They're not very well educated on digital privacy and engaging in a lot of cargo-cult privacy stuff that is almost certainly making them stand out like a giant red thumb. Very few people do things like switch SIM cards on a regular basis, at least ones who aren't engaged in criminal enterprises.
Their behavior reminds me of a former partner's ex, who was [paranoid-delusional | obsessed with] cell phone tracking.
I really have no idea why they're so concerned about their cell phone carrier "knowing" their home address.
I simply don't like people following me around wherever I go and keeping a record of it. I am pretty boring in that way and most others. Rotating SIM cards and devices does not create privacy, but it does create confusion on network maps if someone tried to identify the owner of a SIM or device by analyzing travel patterns.
It would certainly make you stand out on that network map compared to others who are even more boring than you are (read: just about everyone, sans criminal enterprises as noted above).
It would be hilarious and sad if some spooks focused on me or my wife and wasted hours on traffic analysis just to figure out we are average law abiding people of zero interest.
The point is to keep my SIM and phone anonymous. As explained in the article, if they can see where your phone sleeps at night, they can figure out who is associated to the SIM card and the IMSI sent.
You and your SIM card is associated by law in most European countries. You can get a prepaid SIM card, but you still have to hand your data over. I have a prepaid SIM card and I have a contract for it. I also have one without a contract, but I do have to verify the data once a year. It renders all instant messaging applications that use a phone number insecure, by default.
silent.link appears available in most of EU. I do not know which VOIP providers are available to your country, but VOIP.MS expanded to EU recently. It is cheap and friendly for consumer users if you can deal with a little technical setup. It requires KYC, but if that is a problem, check kycnot.me.
Even then, your house would be the location you spend most of your time. You'd have to be really vigilant to switch off your cell functions when you go near your house most of the time, and not always at the same place (otherwise a clean gap in the map will reveal where you live).
If you want to be untraceable you don't use cellphones, simple as that. Of course modern life is ridiculously difficult that way so it's pretty impossible.
Right, but surely he had to prove identity when buying/renting the house? Maybe the telco doesn't know - but if someone could've gone through them to get his home address, they could also have gotten it through other means?
Doesn't your phone ping off the tower regularely anyway? I've always understood that without a physical switch to the antenna there's no way to actually know
Yes that was my caveat about the proprietary baseband modem that we cannot totally control. If I was in a different threat model category, I would use a phone with physical switch to the baseband. Those devices like Pinephone and Librem that only run Linux are not quite mature enough to fit my needs. They may be my next choice.
I looked into it a little bit, a good option depending on your threat model is to simply leave it in a faraday container (read: aluminum foil envelope - or the more sophisticated stuff) when you don't want it to be visible. But then, you kind of have to let go of having that phone usable at home at all, and end up having a "dirty" and a "clean" phone. Then again, just useful depending on your threat model.
While I don't think an ordinary user would possess the knowledge that their cellular function relies on their respective telco knowing their approximate location at all times, I also don't think an ordinary user would be misled by this toggle, especially as further information is readily available, particularly so on iOS, with the first line of the click through directly underneath it reading:
"Location Services allows Apple and third-party apps and websites to gather and use information based on the current location of your iPhone..." Before delving into further lengthly, but transparent, detail.
Anyone who was concerned about their location being revealed this way would certainly be more careful than to just flick a singular toggle and call it a day.
Interesting. It's weird to see the generation of people who only ever used smartphones start to think about this stuff.
In the past, at least in crime shows, the police could track your location for even "dumbphones" using the method in this article; therefore the common wisdom has been "use a burner/take the battery out/dont take your phone". But now that phones have GPS + location switch, the "legacy" method is no longer front of mind.
The EFF has had privacy guidelines for decades that cover this. Click on the menu for a list of sites and videos to help improve your privacy hygiene: https://www.eff.org/
There are a lot of "lies" when it comes to location based ecosystem and permissioning on modern smart phones.
1. The fact is that some applications require any access to the physical location(lat long) to function is a lie. For example many app just needs to know if you are at "home/work/fav place" without knowing the lat long of it e.g. function for Assistant based Reminders to be triggered. yet google or ios just make access to location a creepy sounding binary permission with a less creepy variation on preciseness of location access. In reality these should be two permissions.
2. The fact that some apps need background location access to function is a lie. Locations can remain on the phone only for many apps and this can be enforced as a permission or the OS. For example Navigation can be done by rendering the blue dot on a screen and that is technically doable at a privileged OS level service without exposing the lat long info to apps. The apps just need to provide tiles and relevant styles to render. Garmin like navigators have been doing it for years with hardware older than smartphones. Google lies to you when it says it needs your lat long to function. In reality its just needed to target you with ads. "Nearby" functionality could be enforced by sharing location in an encrypted fashion through P2P networks, though apple in fairness is doing better at privacy of location sharing; Google has none of this AFAIK and at worst they both retain the data(or atleast we have no confidence if they do or not). In reality background location access could be almost exclusively be made more private by being on device only for many apps.
3. The fact that Google/Apple are doing public good by providing location permission is a lie. Try turning off precise location in a Google supported Android, the experience is horrible.
4. Non PlayStore installations on AOSP by other providers could be somehow better for Location Privacy is a lie. I will never buy a samsung phone because they are very likely to install various Location, Wifi, BLE Service Providers for serving up data for Location or Location Inference which is lucrative to closed ecosystems of Apps by Big Tech(FAANG et. al). These services are more of black and back room deals that don't show up conspicuously in public discussions and undermine privacy.
Better and more nuanced permissioning can really help a lot of location based apps to thrive. But Google and Apple have made anyone but their own apps have to choose between being creepy or not.
Your cell provider can always determine the location of your cellular device. They always have. Now with 4G and 5G it is easier for trusted services to get extremely precise details about the location of your device [1][2].
The example in the second link shows the details that the cellular network provider may have, and this includes the Cell tower ID, the enodeBID (4G), tracking area (TA) ID, geolocation, information about whether the device is moving (its velocity), the mobile country code (MCC), mobile network code (MNC), and a whole lot more.
This data is already with your cellular network provider, so it makes no difference if you have "switched off" location services on your phone.
I think it's reasonable to guess that not all HN readers - there are very, very many people who read HN - are experts on a technology as complex as modern wireless communications.
Everything is a lie. From the moment you pick up your phone (literally) everything you do is tracked. Every touch, every gesture, every tap, every app, even the temporal data of what you didn't do. It's all tracked by someone, somewhere, for something. And it's all discoverable under subpoena. The only solution is to return to monke. Live a completely analog or air-gapped lifestyle outside of what is required from you for work.
I'm so sick of it. Fuck everything about participating in the surveillance state.
I'm actually not sure what exactly is accomplished by toggling Location Services off. For example, I have Android 11, and AIUI, several methods are used to get a fix on location.
Does the LS button turn off the GPS/GNSS radios only? What about WiFi location services? Are those disabled by the button too? Bluetooth, is that a thing?
The main code that executes when you turn off the location setting for a user that stops apps from getting your location is LocationManagerService.refreshAppOpsRestrictions
This function removes the coarse and fine permissions from all apps except those who are on the Emergency Bypass Allowlist or the ADAS Bypass Allowlist.
It just means the system location APIs won't return a location. There's no attempt to detect if an app is using e.g. inertial guidance or a database of SSIDs to estimate locatiom.
Scanning ssids requires the location permission on Android. Turning location off temporarily revokes the location permission for all apps (system included)
It depends on the settings on your phone. There's the location toggle, which will limit almost all location API access to apps on your phone. There's a toggle for WiFi/Bluetooth scanning in the background, which is used to quickly connect to devices that come into range and to help get a quicker fix on your location once you do enable it. This type of scanning will continue even if you disable location services through the default button, though apps on your phone won't be able to use them. I'm not entirely sure how the Bluetooth thing is supposed to work, I'm guessing some places have Bluetooth beacons?
Disabling location services should also disable the GPS/GLONASS/etc. chip because it's not useful. In theory the Android system could activate the chip of course, but in any clean ROM it won't. If you're trying to protect your location from the apps on your phone, you'll most likely be fine just disabling location services. Pay attention: some phones have a location toggle that actually only disables GPS, you may need to long press the toggle to get it to turn off all location services.
IP geolocation is also easy to implement, so consider using a VPN to make it hard to track you through your internet connection.
If you try to protect yourself from external factors, you're in for a challenge. Overrides may exist, for example when you call the emergency services; location services and GPS will turn on and send a GPS fix to the emergency services. Furthermore, if your phone has even a semblance of a cellular connection, triangulation from the ISP side becomes an option. With LTE, and especially mmWave, tracking from a cell tower becomes painfully accurate.
If you're on some large WiFi network, for example a building with tens or hundreds of WiFi access points, an active WiFi connection can be tracked very easily as well (down to the centimeter with the right firmware on the APs).
If you want to protect yourself from passive scanners that respond to your phone's WiFi scanning signal, be sure to keep MAC address randomisation enabled. Also consider making your phone use random MAC addresses when connecting to WiFi access points in case someone fakes an access point to get your phone to reveal its real MAC address. This isn't foolproof, there are ways to determine your phone's brand, model, and even the firmware version through WiFi probes if your adversary has enough information on it, simply based on the extra options set in the WiFi packet header and the order of them.
Using any Bluetooh devices also makes it easy to track you as you can't use random MAC addresses with Bluetooth peripherals.
If you want safety from external tracking, disable all communication systems unless absolutely necessary. If you just want to disable app tracking, retract location permissions or disable location services.
One final note: some apps have been caught going through photos in your gallery, extracting the time and date of the picture together with the GPS tag in them. This allows apps with media permissions to build up a location history if you've been taking pictures. Be wary of unnecessary full media permissions; apps generally don't need them as there are APIs that allow apps to select a single file or folder.
Airplane mode should do that though. Of course with the negative that you're not able to do anything online, but well... You can't have your cake and eat it :)
In the old days we had pagers to be still reachable and yet anonymous. But those networks have died out pretty much everywhere, sadly.
> The phone's accelerometers will still run in aeroplane mode which can infer a surprising amount about your location.
I've heard of most of these but this one is new. How does this work? Are the accelerometers used to basically track direction and distance from a last known location?
I would think if the phones are doing this, there's no telling what else we don't know about them. I've decided now that it's pretty much "Game Over" when it comes to any privacy on a phone.
There is a reason why "leave your phone at home" is well-worn advice and a common refrain in opsec communities. You can never really know for sure what is being tracked.
Even before e911 was implemented on all the phones I could ping phones and give the FBI the approximate location and direction based on cell site handoffs. I had to use RF engineering maps that were overlaid on street maps but it worked. This was in 1997 on a GSM network.
I believe it. Even on AMPS and D-AMPS one could still get approximate location. It just wouldn't be quite as accurate but if all you need is a neighborhood it could suffice.
I guess the question is - is there an open source software that forces the cellular modem to communicate only to one tower (of your choice)? this way, the exact location will never be known?
There is no FOSS in GSM/CDMA world, these technologies are closed as hell and there is no open information about the sim-card computers. Almost any old GSM phone (at least Siemens and Nokia) can chose towers voluntary - but in too developed countries having too small size on the globus everything pre-3G is disabled.
Find My iPhone still works when the iPhone is turned off. On new iPhones, it even says it on the screen that the iPhone is still findable when powered off.
What might be interesting, you turn location services off in the settings while the iPhone is turned on. Then power off iPhone and effectively turn location services back on via Find My iPhone.
I've never heard anybody think setting "location services" to "off" prevented your cell service from detecting your location and presence, which can then of course be shared with law enforcement.
The toggle is for not sharing your location with installed applications.
I think everybody knows that if it's important not to be tracked by law enforcement (e.g. attending an illegal protest), you don't take your phone in the first place. (And certainly everyone on HN already knows.)
So no, the location switch is not a lie.