The National Security Agency recently issued a public warning that exposed location data from mobile devices can pose a security risk for government personnel, particularly those in the national security arena.
The guidance explains how mobile devices transmit sensitive location data via GPS signals, wireless access (cellular or WiFi) or Bluetooth. Anytime a user even powers on their device, location data is exposed. Adversaries can utilize this data to track personnel and build profiles of their daily movements and interactions, presenting privacy and security risks. The agency recommends users mitigate location exposure based on their situation and risk tolerance.
As part of the mitigation recommendations, NSA highlights the privacy and security risks posed by web browsers, and recommends users limit browsing activity on mobile devices. This obviously limits use of the mobile device itself, and browsing data on a mobile device is often accessed by other apps, particularly social media, creating additional privacy and operational security risks.
In a key footnote, the guidance cites a 2017 research paper on browser fingerprinting, a critical operational risk of web browsing, whether on a mobile device or desktop. Browser fingerprinting is a “tracking technique that uses device configuration information exposed by the browser through JavaScript APIs (e.g.,Canvas) and HTTP headers (e.g.,User-Agent)." In the research paper NSA cites, researchers utilized a unique browser fingerprinting method to “track users not only within a single browser but also across different browsers on the same machine.”
Traditional “stateful” web tracking methods such as cookies and third-party trackers are well known and many commercial browsers today protect against these by default. Browser fingerprinting is more insidious because traditional countermeasures are ineffective. Unlike cookies, the user cannot easily detect or control fingerprinting.
As discussed in a research paper on the identifiability of web browsing histories presented earlier this year, “Even if traditional stateful tracking is addressed, IP address tracking and fingerprinting are a real concern as ongoing privacy threats that can work in concert with browser history tracking.”
Browser fingerprinting poses obvious privacy and security risks not only to national security personnel but anyone concerned about their exposure online. Just as companies build profiles and target consumers based on browsing habits and other online activity, our adversaries can utilize similar technologies and capabilities to identify and track government personnel via their web browser data. These risks persist across mobile and desktop environments.
Obfuscating online activity from passive or active observers is basic tradecraft for open source intelligence (OSINT) collection. OSINT practitioners must conceal or manage their online identity to avoid mission compromise. But as the NSA guidance and recent research shows, even seemingly benign day-to-day web browsing can put national security personnel and their missions at risk if revealed. Practicing good cyber hygiene and utilizing a remote browser capability can help mitigate the threat and limit exposure.
Secure Browsing is a remote browser that embeds security, identity, and data policies. Most relevant to our discussion here, Secure Browsing enables users to maintain a non-attributable presence on the web. All IP and platform fingerprint data resolves to Authentic8 cloud infrastructure. Cookies, trackers, web beacons, analytics tools, and other web surveillance techniques are neutralized. Users not only isolate their web traffic and malicious activity from the endpoint, but limit their data exposure as well.