The cellphone companies have been selling the realtime location of all subscribers since at least 2018. It doesn't depend on whether you have location enabled either, since it figures out your location from the towers! On top of that, one of them had an unauthenticated API, meaning anyone in the world could track the realtime location of any US phone #[0].
If all of this bothers you, contact your state legislators. Most state privacy laws don't protect against ISPs selling your location & browsing info, even though that would be the common expectation. Maine's law is simple and does a good job[1][2].
> It doesn't depend on whether you have location enabled
It's even better: the location can be enabled through a network initiated request. This is because A-GPS works "both ways". See https://en.wikipedia.org/wiki/Assisted_GNSS#SUPL : SUPL Position Calculation Function (SPCF) lets the client or the server ask for the client’s location.
As part of the FCC’s updated 911 requirements, where cell phones (with no set location) are required to be routed to the correct 911 center, aGPS was developed to not only help GPS get a faster TTFF (time to first fix), but to transmit location data to the carrier (and to anyone else who can intercept the data).
> If all of this bothers you, contact your state legislators
If you don't like that and want a quick fix, on Android devices check /data/vendor/agps_supl/agps_profiles_conf2.xml for ni_request="true": this is the Network-Induced Location Request functionality, where the network asks for the GPS position. Change that to false.
Personally, I believe 911 AGPS is of limited use: if I'm unconscious and can't dial, the phone 911 AGPS working won't do me any good. If I'm conscious and I can dial, I can also open a map app.
Still, if you want to keep the 911 stuff, just change reject_non911_nilr_enable="false" to true (because yes, by default, everything goes - 911 or not).
There's also lpp_enable="true" (LTE Positioning Protocol, yet another method by which cellular providers can pinpoint your location via aGPS), imsi_enable="true" (which transmits a unique identifier along with the AGPS request!)
Check also /data/vendor/agps_supl/agps_profiles_conf2_prv.xml
Or even better: don't use a phone. I have a 5G/LTE module in my laptop when I need internet connectivity: it's turned off the rest of the time (rfkill block wwan). You can also disable the power to this M2 port (saving battery if you care about that)
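An added example, not part of the comment above or of the thread: a Python script that audits a copy of agps_profiles_conf2.xml (pulled off the device) for the four attributes the comment names and applies either of the two changes it describes. The element names in the sample and the function names are assumptions; only the attribute names and their default values come from the comment.

```python
import sys
import xml.etree.ElementTree as ET

# Attributes named in the comment above.
WATCHED = ("ni_request", "reject_non911_nilr_enable", "lpp_enable", "imsi_enable")

# Constructed sample: element names are assumptions, only the attribute
# names and default values come from the comment.
SAMPLE = """<agps_profiles>
  <agps_setting ni_request="true" reject_non911_nilr_enable="false"/>
  <up_setting lpp_enable="true" imsi_enable="true"/>
</agps_profiles>"""


def audit(xml_text):
    """Map each watched attribute to [(element tag, value), ...] wherever it occurs."""
    found = {}
    for elem in ET.fromstring(xml_text).iter():
        for name in WATCHED:
            if name in elem.attrib:
                found.setdefault(name, []).append((elem.tag, elem.attrib[name]))
    return found


def apply_changes(xml_text, keep_911=True):
    """Return (new_xml, changed_count).

    keep_911=True  -> reject_non911_nilr_enable="true" (the "keep the 911 stuff" option)
    keep_911=False -> ni_request="false" (no network-initiated requests at all)
    """
    name, wanted = (("reject_non911_nilr_enable", "true") if keep_911
                    else ("ni_request", "false"))
    root = ET.fromstring(xml_text)
    changed = 0
    for elem in root.iter():
        if name in elem.attrib and elem.attrib[name] != wanted:
            elem.set(name, wanted)
            changed += 1
    # ElementTree drops XML comments and the declaration; diff before pushing back.
    return ET.tostring(root, encoding="unicode"), changed


if __name__ == "__main__":
    text = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for attr, hits in audit(text).items():
        for tag, value in hits:
            print(f"{attr}={value!r} on <{tag}>")
    new_xml, n = apply_changes(text, keep_911=True)
    print(f"{n} attribute(s) would change with keep_911=True")
```

Run the audit again after an OS update or carrier profile change, and run it against agps_profiles_conf2_prv.xml as well.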
> Personally, I believe 911 AGPS is of limited use: if I'm unconscious and can't dial, the phone 911 AGPS working won't do me any good. If I'm conscious and I can dial, I can also open a map app.
For what it's worth, new phones can detect car crashes and initiate a 911 call if you don't actively stop that.
What if you're not unconscious, but badly concussed or otherwise dazed? You can't count on having a clear and level mind in the aftermath of an unspecified emergency.
Because 911 is relatively simple and has been drilled into people since they were kids? I don't know man, I think being able to dial 911 is a lot simpler than being able to read your location off a map. Trying to find street names on Google Maps can be hard enough when my brain is working correctly.
> Any other related references - the tech that enables this sort of tracking?
It's everywhere in mobile devices. It's better not to use them.
If you must use one, you must at least have root to disable AGPS + add stringent iptables rules to disable any outgoing communication by default: you should only enable connections per app, or per IP/domain for what you need.
Still, that'll be of a limited help since the baseband manages connections (3GPP profiles etc) and does the equivalent of NAT to your device.
For all I know, the baseband could tell android "location disabled? sure thing!" while still getting GPS fixes + sending the position by UDP packets processed by the baseband OS: Android won't even see it! Yet by virtue of sharing the same IP (or being "enriched" with your IMSI as you can see above), you will be totally trackable.
If you want, you can also recover the stock firmware (https://github.com/Biktorgj/quectel_eg25_recovery), but the ability to audit from top to bottom to disable data exfiltration requires a 100% free software solution.
But now that CVEs form the basis of a very lucrative ~$16b/year industry[0], wouldn't it make sense to let those companies take over?
Privatizing the Internet enabled much more innovation than if it had stayed govt-funded.
0: https://www.grandviewresearch.com/industry-analysis/security...