Change settings
The degree of adjustment a user selects for their phone depends on their personal objective. There are two broad goals that users may pursue.
First, many people want to cut back on data shared with Google, Apple, or other tech companies that collect information for later advertising. Data collection is performed by the operating system manufacturers (iOS and Android), by device makers, and by developers of most online services.
The second goal is to obscure information that could reveal the user’s location.
To achieve the first aim, reducing data transfer to a tech company, it is often enough to tweak smartphone settings. By default, many devices and apps are arranged to send as much information as possible to servers, from usage data to location details.
On Android devices, for example, turning off voice command recognition can be a prudent step, notes Konstantin Gorbunov, a network threats expert and web developer at Code Security.
“This feature allows the device to listen for voice commands and transmit them to Google servers for processing. That means Google can remotely access the microphone and listen in. To disable the function, go to the settings and turn off the ‘Ok Google’ or ‘Voice’ option”, he explains.
Disabling synchronization with a Google account in the settings is another move. In this case, the company will no longer receive updates from the user’s contacts, calendar entries, or notebook notes.
Next, review which apps have access to the phone’s movement data (found in geolocation settings) and turn off any suspicious programs. Similar options exist on iOS as well.
NTI SafeNet market expert Igor Bederov, Head of the T.Hunter Investigation Department, notes that turning these options off in the settings does not guarantee complete deactivation, since the device can still send various data to Apple, Google, and even other large tech firms in the background.
This can be checked by monitoring outgoing internet traffic, he adds. For Android users seeking extra protection, one option is to use a pure Android Open Source Project (AOSP) build, which excludes many Google services from the system.
“But be prepared for inconvenience”, the expert cautions.
Avoid base station
Bederov explains that there are more intricate steps to reduce digital traces. These measures require careful preparation and can severely limit how the device is used.
First, awareness of IMEI is essential. IMEI is a unique identification number assigned to every device with a cellular network connection.
IMEI encodes information about the phone’s maker, country of origin, and certain features, along with its release date and serial number. The identifier is stored in the device and appears on packaging and technical sheets. With this identifier, one can determine the location of the nearest base station, even if the SIM card is not present. While IMEI can be altered, not all devices support this.
The next step is to stop using the SIM card. Many modern smartphones boot easily without a SIM. Without a SIM card, identifying the device on the GSM network becomes harder, especially if the IMEI is changed. A virtual mobile number can be used for online registrations instead.
A second phase involves installing an alternative operating system. The most common Android alternative is AOSP, but others exist with fewer pre-installed services that transmit data to tech companies. Options include Ubuntu Touch, Kali NetHunter, GrapheneOS, and more.
“Alternative operating systems focus on stronger privacy and security. They store less user data and make querying that data more difficult”, Bederov explains. He highlights projects like GrapheneOS that aim specifically to bolster user privacy.
According to the expert, privacy enhancements also involve internet access management. One approach is to install software that masks the real IP address. Users can also choose a browser that obfuscates traffic routing and provides encryption.
“This combination yields a device that leaves a minimal digital trace. Such a setup would be hard to track on both the GSM network and the internet”, Bederov adds.
Simpler does not mean better
Information security experts interviewed for this piece challenge the belief that push-button phones offer superior protection against surveillance.
“Just because a phone lacks a touchscreen does not mean it has no internet access. Back in the 2010s, many push-button models included browsers and network access, so the same risks apply as with modern smartphones”, says Konstantin Gorbunov from Code Security.
Push-button devices also create digital footprints when connecting to the internet. They have IP addresses and can be identified. In fact, these phones can be more vulnerable since software customization is harder. To protect such devices, external security measures like a pre-configured Wi-Fi access point with an anonymizer can help.
“If a push-button phone has no internet access and only makes calls or sends texts, hiding the digital trace entirely remains impossible. Carriers can still store messages and call data”, Gorbunov notes.
Igor Bederov reminds that SMS and calls travel via radio waves in the GSM network, which is built on base stations. GSM traffic is easier to block and decrypt due to older encryption. That does not mean all conversations are intercepted, though.
Interference with GSM communications by third parties is prohibited, though it can be pursued through formal investigative means using specialized equipment. Security researcher Bederov emphasizes that tampering with GSM networks is both difficult and risky, with penalties.
At the same time, he notes that tools for extra encryption of voice traffic exist but are mostly used by security forces or the military. There are civilian solutions like TopSec Mobile that encrypt traffic before it is sent over the GSM network.
In practice, encrypting voice traffic over the network is often unnecessary. For private conversations, using encrypted internet calls is typically easier, and there are many apps and services for this purpose. Even if attackers intercept traditional calls, they may be concealed by language or other signals, according to Bederov.
letter of law
Aiming for anonymity also means staying within legal boundaries. Legal counsel notes that using additional tools to encrypt voice traffic on the GSM network can be illegal in some jurisdictions. A modified mobile phone may be deemed an uncertified means of communication, which can trigger administrative penalties.
Specific laws may require fines for using uncertified communication devices, with different amounts for citizens, officials, and legal entities. These penalties can vary by country and context.
Experts warn that changing the IMEI of a device can violate laws in several countries. In some places, altering the IMEI is a criminal offense, carrying potential fines or imprisonment. Legal commentators add that creating modified communication tools and using them for illegal activities could lead to additional charges under relevant criminal statutes.
In summary, while privacy goals matter, they must be weighed against compliance with local laws and regulations, which can carry significant consequences.