Are geolocation services spying on you?

Learn how geolocation services work, and who learns of your location when your smartphone pins it down.

How the A-GPS in your smartphone works, and whether Qualcomm is tracking you

News that Qualcomm, a leading vendor of smartphone chips, tracked users with its geolocation service caused a minor stir in the tech press recently. In this post we’ll separate the truth from the nonsense in that story, and discuss how you can actually minimize undesired geolocation tracking. First things first, let’s look at how geopositioning actually works.

How mobile devices determine your location

The traditional geolocation method is to receive a satellite signal from GPS, GLONASS, Galileo, or Beidou systems. Using this data, the receiver (the chip in the smartphone or navigation device) performs calculations and pins down its location. This is a fairly accurate method that doesn’t involve the transmission of any information by the device — only reception. But there are significant drawbacks to this geolocation method: it doesn’t work indoors, and it takes a long time if the receiver isn’t used daily. This is because the device needs to know the exact location of the satellites to be able to perform the calculation, so it has to download the so-called almanac, which contains information about satellite positions and movement, and this takes between five and ten minutes to retrieve if downloading directly from satellite.

As a much quicker alternative to downloading directly from satellite, devices can download the almanac from the internet within seconds via a technology called A-GPS (Assisted GPS). As per the original specification, only actual satellite data available at the moment is transmitted, but several developers have added a weekly forecast of satellite positions to speed up the calculation of coordinates even if the receiver has no internet connection for days to come. The technology is known as the Predicted Satellite Data Service (PSDS), and the aforementioned Qualcomm service is the most impressive implementation to date. Launched in 2007, the service was named “gpsOne XTRA”, renamed to “IZat XTRA Assistance” in 2013, and in its most recent incarnation rebranded again as the “Qualcomm GNSS Assistance Service”.

How satellite signal reception works indoors and what SUPL is

As mentioned above, another problem with geopositioning using a satellite signal is that it may not be available indoors, so there are other ways of determining the location of a smartphone. The classic method from the nineties is to check which cellular base stations can be received at the current spot and to calculate the approximate location of the device by comparing their signal strength knowing the exact position of the stations.

With minor modifications, this is supported by modern LTE networks as well. Smartphones are also able to check for nearby Wi-Fi hotspots and determine their approximate location. This is typically enabled by centralized databases storing information about Wi-Fi access points and provided by specific services, such as Google Location Service.
All existing geopositioning methods are defined by the SUPL (Secure User Plane Location), a standard supported by mobile operators and smartphone, microchip and operating system developers. Any application that needs to know the user’s location gets it from the mobile operating system using the fastest and most accurate combination of methods currently available.

No privacy guaranteed

Accessing SUPL services doesn’t have to result in a breach of user privacy, but in practice, data does often get leaked. When your phone determines your location using nearby cellular base stations, the mobile operator knows exactly which subscriber sent the request and where they were at that moment. Google monetizes its Location Services by recording the user’s location and identifier; however, technically this is unnecessary.

As for A-GPS, servers can, in theory, provide the required data without collecting subscribers’ identifiers at all or storing any of their data. However, many developers do both. Android’s standard implementation of the SUPL sends the smartphone IMSI (unique SIM number) as part of a SUPL request. The Qualcomm XTRA client on the smartphone transmits subscribers “technical identifiers”, including IP addresses. According to Qualcomm, they “de-identify” the data; that is, they delete records linking subscriber identifiers and IP addresses after 90 days, and then use it exclusively for certain “business purposes”.

One important point: data from an A-GPS request cannot be used for pinning down the user’s location. The almanac available from the server is the same anywhere on Earth — it’s the user’s device that calculates the location. In other words, all that the owners of these services could store is information about a user sending a request to the server at a certain time, but not the user’s location.

The accusations against Qualcomm

Publications criticizing Qualcomm are citing research by a certain someone who goes by the name Paul Privacy published on the Nitrokey website. The paper maintains that smartphones with Qualcomm chips send users’ personal data to the company’s servers via an unencrypted HTTP protocol without their knowledge. This allegedly takes place without anyone controlling it, as the feature is implemented at hardware level.

Despite the aforementioned data privacy issues that the likes of the Qualcomm GNSS Assistance Service suffer from, the research somewhat spooks and misleads users, while it contains a number of inaccuracies:

  • In old smartphones, information indeed could have been transmitted over insecure HTTP, but in 2016 Qualcomm fixed that XTRA vulnerability.
  • According to the license agreement, information such as a list of installed applications can be transmitted via the XTRA services, but practical tests (packet inspection and studying the Android source code) showed no proof of this actually happening.
  • Contrary to the researchers’ initial allegations, the data-sharing function is not embedded in the microchip (baseband) but implemented at OS level, so it certainly can be controlled: by the OS developers and by the modding community as well. Replacing and deactivating specific SUPL services on a smartphone has been a known skill since 2012, but this was done to make GPS work faster rather than for privacy reasons.

Spying protection: for everyone and for the extra cautious

So, Qualcomm (probably) does not track us. That said, tracking via geolocation is possible, but on a whole different level: weather apps and other seemingly harmless programs you use on day-to-day basis do it systematically. What we suggest everyone should do is one simple yet important thing: minimize the number of apps that have access to your location. After all, you can choose a place manually to get a weather forecast, and entering a delivery address when shopping online is not that big a deal.

Those of you who want to prevent their location from being logged anywhere should take several extra protective steps:

  • Disable every geolocation service apart from the good old GPS on your smartphone.
  • Use advanced tools to block your phone from accessing SUPL services. Depending on the smartphone model and operating system type, this can be done by filtering the DNS server, a system firewall, a filtering router, or dedicated smartphone settings.
  • It’s best to avoid using cellphones… altogether! Even if you do all of the above, the mobile operator still knows your approximate location at any time.