Our devices, our internet activity, and our everyday presence in the physical world can all be used to identify our location. In this guide, we’ll walk through some concrete steps you can take to mitigate the risk of your location being tracked or identified by unwanted actors.

Assessing your actual risk

Before we dive into the technical details, it is important to take a step back and think about your specific threat context. Ask yourself: Do I actually have a reason to keep my presence at a given location (or in general) a secret?

While there is a lot of ambient concern around location tracking and no shortage of advice floating around social media about how to limit your likelihood of being identified at, say, a protest, this advice typically assumes that you need to not be connected to a specific location or event in the first place.

As a journalist covering the event in question, you may actually want your presence to be known, or may have little need to hide the fact that you were present. After all, if you plan to publish an article about the protest later that day or week, you will likely make it clear that you were there anyway.

While there are plenty of digital and physical security considerations to keep in mind when covering potentially contentious events like protests, location tracking is less likely to be one of them for a journalist. That said, it is important to keep in mind that your identity may impact your risk assessment. For example, your citizenship status may affect the level of risk you are willing to accept.

Your risk assessment related to location tracking can, however, change dramatically based on the journalistic activity you’re undertaking. Consider a sensitive story in which you are meeting a high-risk, anonymous source in person. Your adversaries could use location data to determine that you and the source were in the same spot at the same time, leading to the possible exposure of the source’s identity.

Or perhaps you need to visit a particular location (e.g., a government building) that could put a given department or agency on notice that you are investigating them, in turn making the reporting process more challenging.

If you find yourself in a situation like this, where it is undoubtedly advisable to limit who has access to your location information, it is important to be aware that there is a wide range of methods through which sophisticated adversaries can track or identify someone’s location. We break these methods down into three buckets: video surveillance, internet-based surveillance, and mobile device-based surveillance.

In the sections below, we’ll highlight the surveillance methods within these categories that you are pretty much guaranteed to encounter in today’s physical and digital worlds.

Video surveillance

If you are concerned about being identified at a specific location, or perhaps you don’t want to be identified when meeting in person with a source, make note of the presence of surveillance cameras in, near, and on your way to that location or meeting. Keep in mind that surveillance cameras are often present in and near private property, and are increasingly common in public spaces as well.

Consider who might have access to a given camera’s footage as part of your risk assessment. If your adversary is a corporate entity (perhaps one you are investigating for a story), then you should probably avoid meeting a whistleblower within view of surveillance cameras on that company’s (or its affiliates’) properties.

If your adversary is law enforcement or a government entity — and you think it likely that they would expend considerable resources to identify where you’ve been, with whom, and when — then your concerns might expand.

Consider the presence of video surveillance systems on street corners, at traffic lights (including license plate readers), and in public places like subways and parks. Such systems are often controlled by local law enforcement and increasingly supported by AI-enabled facial recognition technology. Many law enforcement entities partner with home security camera providers like Ring and successfully request surveillance footage from nearby businesses to expand the data that they have access to as well.

We’ve seen examples of surveillance cameras and other physical surveillance tools (like security badge access records) being used in the U.S. to expose journalistic sources, and the presence of ever-expanding surveillance systems certainly opens the door for abuse and overreach. In this context, it is worth at least being mindful of how video surveillance could be leveraged to expose your location, especially if you have highly resourced adversaries and are working on very sensitive stories.

Being aware of video surveillance systems, and critically considering where and how to conduct certain elements of your journalistic work (like source interviews) is the best way to mitigate this risk. While not foolproof, wearing nondescript clothing and facial coverings, covering tattoos and other unique identifiers, and using vehicles that aren’t connected with your identity can be other ways to lower your risk of being identified through video surveillance.

Internet-based surveillance

One of the most common ways that people expose their location information online is by simply posting about it. Sometimes this comes in the form of tagging a social media post with your location (which can either happen intentionally or by default, based on a given app’s settings). In other situations, your location can be more subtly revealed by the background of a photo you post or the inclusion of other information that might offer clues to your whereabouts. While it may seem obvious, if you are concerned about exposing your location, it’s critical to pay attention to these basics.

A subtler way that information about your (or a source’s) location could be revealed is through the metadata in files, photos, and other documents. Such metadata, if not properly removed from files before they are shared publicly (or stolen by an adversary via a data breach or hack), can expose location information about, for example, where a photo was taken or on what devices a given document was generated. Take a look at our guide on metadata for a deeper description of what metadata is, how it can be a security risk, and some tips on how to remove it from sensitive files.

Also, keep in mind that your device’s internet protocol address, if not obfuscated, can be potentially revealing as well. In addition to exposing your general location, the IP addresses from which you visit certain websites can also reveal your connections and affiliations. For example, if you meet with a sensitive source at their home and use their Wi-Fi network to check your Gmail account, you’ve created a record in Google’s servers that could be used to connect you to the source via the fact that you are using their IP address.

While it would take significant resources for an adversary to make these connections (and legally compel a company like Google to hand over such data in the course of an investigation), it is at least worth being aware of. To understand more about situations in which it may be beneficial to obscure your IP address, take a look at our article on virtual private networks. It walks through how a VPN can, in some circumstances, help mitigate this risk and offers trusted options.

Mobile device-based surveillance

There are three key mechanisms through which your phone can expose your location: cellular tower triangulation, Wi-Fi and Bluetooth signals, and your device’s location services (which often bundle together data from the first two mechanisms alongside GPS).

Our friends at the Electronic Frontier Foundation have an excellent primer that breaks down how these mechanisms work, so we won’t spend too much time on the technical details here, although we strongly recommend you check out that article.

Each of these mechanisms has the potential to expose your location to different adversaries in different ways and, therefore, requires distinct (although at times overlapping) mitigations.

Location services

The source of mobile location information most widely distributed to third parties usually comes from your device’s location services. These location services enable you to share your location with specific applications, operating system services, and websites you visit. This means that your location data can end up in the hands of Apple (for iOS devices), Google (for Android devices), and the owners of websites and third-party applications (e.g., Instagram, TikTok, Lyft, Google Maps).

From here, your location data can be sold to advertisers, data brokers, and government and law enforcement entities. It is also susceptible to a broad range of legal requests. Such requests may include geofence warrants, through which government actors have historically compelled service providers like Google to hand over information about which devices were present in a given geographic area at a given time.

The only way to fully mitigate the risk associated with location services is to turn them off completely and never use them. The latest iPhones make this process simple. Most Android devices will also allow you to turn off location services through system settings. However, turning off location services completely will make it harder for you to conduct some common smartphone tasks, like navigating via Maps or having a ride-sharing service pick you up automatically at the right location.

If losing features like these seems daunting or too disruptive to your daily life, consider only disabling location services leading up to, during, and immediately after particularly sensitive events. While this will significantly reduce your risk, note that it may be possible for apps to collect GPS locations while services are disabled, store them until you’ve turned these services back on, and then transmit them.

Modern iPhones and Androids also give you the option to provide more fine-tuned location access in situations where you want the convenience of these services without giving up all of your data. You can turn location services off for specific third-party apps and services that you don’t trust (see how for Android here and iOS here). You can also limit the precision of location data that individual apps receive.

On Android, if a given app has permission to use your device’s location, it can make use of the device’s precise location, approximate location, or both. In this case, precise location means your exact location, while approximate location means to within three square kilometers (or a little over one square mile). You can turn off precise location for a given app (and therefore grant it approximate location only) by opening up your “Settings” app and then navigating to “Location.” From here, choose a specific app and toggle off “Use precise location.”

iPhones work similarly. Within your Settings app, tap “Privacy & Security” and finally, “Location Services.” From here, you can select a specific app and turn off the “Precise Location” toggle as needed.

For those using Android or Google Apps in general, also be sure to turn off your “Web and App Activity” (see these instructions), as this activity is shared with Google and could potentially include your location. For anyone using Google Maps, it is also a good idea to turn off “Timeline” (also referred to as “Location History”) within the Google Maps app.

While Timeline/Location History in Google Maps is now stored locally on your device instead of on Google’s servers (reducing one historically significant location sharing risk), turning this setting off eliminates a set of data that could be exploited if your device were to ever be stolen or confiscated. To turn off Timeline/Location History, Google Maps users can follow the instructions under “Delete Timeline Data” and “Turn Off Timeline” here.

While Apple deserves credit for applying end-to-end encryption to its “Significant Locations” feature, iPhone users might also want to disable it to reduce the location history being collected and stored on your device. You can turn that feature off here.

Cell tower triangulation

Whenever your phone is powered on and connected to a cell network, your cellular provider can identify your location through a process called triangulation. The data collected through this process can be used to identify the general whereabouts of a specific device, or to identify which devices were in a given area at a given time. Our friends at the EFF describe how triangulation works in detail in this article.

While this category of location data is, by default, only available to your cell service provider, law enforcement can, with a warrant, force providers to share it with them as well. It is also theoretically exposed to anyone who gains access to your cell provider’s systems (including well-resourced, likely state-affiliated hackers). If any of these actors fall into your bucket of adversaries, it’s worth considering ways to mitigate this form of location tracking.

The best technical step you can take to prevent this type of tracking is to turn your device completely off. While airplane mode prevents your device from connecting to cell towers, it does not necessarily block location services. So if you’re concerned about both location services and cell tower tracking, turning your device off is the best bet.

An alternative mitigation is to not take a device with you on sensitive assignments, or to use a secondary device that is not connected with your identity (which is incredibly difficult to do effectively). If you find yourself in a situation where a secondary or “burner” device is the only path forward, we recommend reaching out to our digital security training team or other security experts for a consultation.

Law enforcement entities have also been known to set up portable, fake towers (known as cell site simulators) that attempt to connect to nearby devices to log their physical presence. This tactic, while used very rarely, can be deployed around specific events like protests. This article (also from EFF) breaks down mitigations if you are concerned about cell site simulators in particular.

Wi-Fi and Bluetooth

When you have Wi-Fi and Bluetooth enabled, your device emits signals that expose your MAC addresses, which are unique identifiers associated with your device. These can be collected by networks and devices you connect to, and potentially by others within range of these signals, and used to identify devices in a given area.

Modern iPhones and most Androids running on Android 10 or higher now usually randomize the MAC address included in these signals. This randomization means that the address for your device that is included in the signal is not one that can initially be associated with you. However, this is not very reliable on older devices, and it is default behavior even on modern devices for the randomized MAC address to remain consistent on networks with the same name. In other words, if you frequently connect to the same Wi-Fi network (or a network created by an attacker that shares its same name), the MAC address provided by your phone will, even though randomized, stay consistent over time.

If you’d prefer to randomize your MAC address more frequently for Wi-Fi networks that you routinely use, you have some options.

For iPhones on iOS 18 or higher, you can proactively choose to “forget” a Wi-Fi network. If it has been more than 24 hours since you previously forgot that same network, your device will provide a freshly randomized MAC address the next time it connects to that network. Another option on iOS 18 or higher is to set your “Private Wi-Fi Address” setting for a given network to “Rotating” by following the steps outlined in this article.

For Android devices on Android 11 or higher, you can enable nonpersistent MAC randomization (in other words, a new MAC address even on the same network) by following these steps, which will require you to enable developer options.

These settings will greatly reduce your risk of exposing your device’s identity via MAC address. With that said, despite significant strides in recent years, randomization schemas are still evolving and there is a history of imperfections in their implementation. So if you are facing an adversary with extreme technical sophistication and significant resources, it may be best to simply turn off your device or disable Wi-Fi and Bluetooth when in a location where you don’t want to be tracked.

Note that simply turning off Wi-Fi and Bluetooth by tapping the Bluetooth and Wi-Fi icons in your control center (which you can access on most devices by swiping down from the top of your screen) is an important step, but will not alone stop your devices from sending out these signals.

To actually disable Bluetooth and Wi-Fi on an iOS device, you will need to go into your settings, select “Bluetooth” or “Wi-Fi” respectively, and then toggle the switches to off.

On Android devices, in addition to toggling off Wi-Fi and Bluetooth in your control center, you will need to turn off Wi-Fi and Bluetooth scanning. To do this, open your device’s settings and then tap on “Location.” Within that menu, you can select “Location Services.” From here, you will see options for “Wi-Fi scanning” and “Bluetooth scanning.”

If you want to take no chances whatsoever — and leaving your device behind is not an option — you may also consider placing your device in a Faraday bag designed to fully block these signals.

Wrapping up

If your risk assessment includes a need to tightly protect your location from sophisticated adversaries, be sure to keep in mind all three categories of location surveillance (visual surveillance, internet-based surveillance, and device-based surveillance).

Turning off or not taking your devices with you to a sensitive location is the simplest method to stop mobile location tracking, and other mitigations like disabling Wi-Fi and Bluetooth, limiting location services, and strengthening your MAC randomization settings can also help reduce this piece of your digital footprint.

When it comes to activity on the internet, minding your IP address and the location metadata associated with files and communications can make a big difference.

In the physical world, thinking about surveillance cameras and other infrastructure around you can help inform your decision about how and where to conduct your journalistic work.

Before focusing too much on all these risks and their mitigations, though, remember to ask yourself if, when, and why location tracking is a concern for you, your sources, and your work. Keep in mind that many of the surveillance methods outlined in this guide take a tremendous amount of effort and attention to successfully deploy against individual journalists or sources, and even small steps to reduce your overall risk can make a big difference.

Have additional questions about how to limit exposing your location and mitigate these risks as a journalist? Our digital security training team is always ready to support. Contact us for our training options.