The TLDR
Your phone broadcasts your location through at least five independent systems simultaneously: GPS, cell tower connections, WiFi network scanning, Bluetooth beacons, and your IP address. Turning off GPS stops one of them. The other four keep working. Every app with location permission is recording this data. Your carrier sells it. The advertising ecosystem trades it. And the government buys it on the open market instead of getting a warrant.
The Reality
Here’s what a single day of location data looks like from a typical smartphone:
6:30 AM: Your phone connects to your home WiFi. Google (Android) or Apple (iOS) logs your home address via the WiFi SSID. Your carrier logs your connection to the nearest cell tower — confirming your approximate location within a few hundred meters.
7:15 AM: You drive to work. Your phone pings cell towers along your route. Each handoff between towers is logged. GPS is off, but your carrier has your entire commute route from tower connections alone.
8:00 AM: You walk into the office. Your phone scans for WiFi networks and finds your workplace AP. Apps with background location access — weather, maps, fitness, social media — record your arrival. Bluetooth beacons in the building detect your phone’s Bluetooth MAC address.
12:30 PM: You open Instagram and post a lunch photo. Even if you don’t tag your location, the EXIF data in the original photo contains GPS coordinates. Instagram strips EXIF before publishing, but Instagram has it. And Instagram’s parent company, Meta, adds it to your advertising profile.
6:00 PM: You hit the gym. Your fitness app records your route via GPS. Strava publishes it to the heatmap. Your insurance company’s wellness program notes your activity.
That’s one day. Multiply by 365. Multiply by years. That’s the picture.
How It Works
GPS — Satellite Triangulation
GPS (Global Positioning System) uses a constellation of 31 satellites. Your phone receives timing signals from at least four of them simultaneously and calculates your position by measuring the nanosecond differences in signal arrival time. Accuracy: 3–5 meters outdoors.
What most folks don’t realize: GPS is receive-only. Your phone isn’t transmitting to satellites. But every app that reads your GPS position is transmitting that data to its servers.
Cell Tower Triangulation
Your phone maintains a constant connection to the nearest cell tower. When you move, it hands off to the next tower. Your carrier logs every connection.
With two or three towers in range, your position can be triangulated using signal timing (Timing Advance in GSM, Round Trip Time in LTE). Accuracy: 50–300 meters in urban areas, up to several kilometers in rural areas.
This works even when GPS is off. It works even when WiFi is off. It works any time your phone has cellular service. The only way to stop it is airplane mode — or removing the SIM.
WiFi Positioning
Your phone constantly scans for WiFi networks, even when not connected to any. Each network has a BSSID (the router’s MAC address) that’s been mapped to a physical location by Google’s Street View cars, Apple’s devices, and Microsoft’s data collection.
When your phone sees three or more known BSSIDs, it can calculate your position to within 15–40 meters — often better than GPS indoors.
Google built this database by wardriving. Street View cars collected WiFi BSSIDs and their GPS coordinates from 2007 to 2010. Apple’s devices continuously update the database from every iPhone’s WiFi scans. You helped build the surveillance map.
Bluetooth Beacons
Bluetooth Low Energy (BLE) beacons are everywhere — in retail stores (tracking your movement through aisles), in airports (measuring foot traffic), in Apple AirTags and Tile trackers. Your phone’s Bluetooth radio is constantly broadcasting and receiving beacon signals.
Accuracy: 1–3 meters. Indoor tracking that GPS can’t touch.
IP Geolocation
Every internet connection exposes your IP address. IP geolocation databases (MaxMind, IP2Location) map IP ranges to physical locations. Accuracy varies: typically city-level (25–50 km), sometimes neighborhood-level for residential ISPs.
A VPN changes your visible IP. It does not change any of the other four tracking methods.
How It Gets Exploited
The Strava Heatmap
In January 2018, Strava published a global heatmap of all user activity. The problem: military personnel at classified bases had been using Strava while jogging. The heatmap revealed the locations and layouts of military installations in Afghanistan, Syria, and Somalia — including patrol routes.
One fitness app. Millions of people not thinking about what “sharing my runs” actually meant.
Geofence Warrants
Law enforcement uses geofence warrants to demand that Google hand over data on every device that was in a specific area during a specific time window. Google’s Sensorvault database contains location history for hundreds of millions of devices.
In 2020, the government issued over 11,000 geofence warrants to Google alone. You don’t have to be a suspect — you just have to have been nearby.
Government Purchase of Commercial Data
Why get a warrant when you can just buy the data? The EFF documented how federal agencies — including the IRS, CBP, ICE, and the military — purchase commercial location data from data brokers like X-Mode (now Outlogic), Venntel, and Babel Street.
This data comes from ordinary apps that collect location through their advertising SDKs. Your weather app’s location data flows through the ad tech stack to a data broker to a government agency — no warrant required.
Stalking via Location Sharing
Snap Map (Snapchat), Find My Friends (Apple), and location-sharing features on Instagram and WhatsApp are designed for consensual sharing. They’re routinely used for surveillance in abusive relationships. The National Network to End Domestic Violence has documented widespread misuse of these features for stalking and control.
AirTags and Tile trackers have been placed in victims’ belongings for physical tracking. Apple added anti-stalking measures in 2022 after widespread reports, but third-party trackers remain harder to detect.
What You Can Do
Platform Controls
- iOS: Settings → Privacy & Security → Location Services. Review every app. Set to “Never” or “While Using” — very few apps need “Always.”
- Android: Settings → Location → App permissions. Same drill. Revoke background location from everything that doesn’t absolutely need it.
- Google: myactivity.google.com → Location History → turn it off and delete existing data
- Social media: Turn off location tagging on every platform. Disable Snap Map (Ghost Mode). Turn off Instagram location stories.
The Limits of “Turn Off Location”
Turning off GPS stops GPS. It does not stop:
- Cell tower tracking (requires airplane mode)
- WiFi positioning (requires turning off WiFi scanning — buried in Android’s advanced settings)
- Bluetooth beacons (requires turning off Bluetooth)
- IP geolocation (requires a VPN)
To meaningfully reduce location tracking, you need to address all five methods. For most folks, the practical approach is: review app permissions ruthlessly, disable background location for everything except navigation, and accept that your carrier and OS vendor will always have some location data.
Privacy Zones
Some fitness apps (Strava, Garmin) offer privacy zones that hide the start and end of your activities. Use them. Set one around your home and your workplace. A privacy zone won’t stop the app from collecting the data — but it stops other people from seeing where you live.
Sources & Further Reading
- EFF: The Atlas of Surveillance — mapping surveillance technology across the US
- EFF: Geofence Warrants — legal analysis of location data warrants
- Strava Heatmap Military Base Exposure (2018) — the fitness tracking incident that exposed classified installations
- FTC Location Data Report — federal analysis of commercial location data practices
- ACLU Cell Phone Tracking — documentation of law enforcement cell tower tracking
- CISA Mobile Security Best Practices — federal mobile device guidance