The National Security Agency has told phone users to disable Wi-Fi, Bluetooth, and NFC whenever those radios are not actively needed, warning that location data can be extracted from these connections with or without a user’s consent. The guidance, issued across two separate NSA advisories, spells out a risk that most people never think about: the same wireless features that pair earbuds and auto-connect to coffee-shop hotspots also broadcast signals that third parties can harvest to track movements. For anyone carrying a smartphone in public, the agency’s advice amounts to a short checklist of settings to switch off before walking out the door.
How wireless radios expose your location without GPS
Most people assume location tracking requires GPS. The NSA’s own cybersecurity guidance dismantles that assumption. According to the agency’s advisory on limiting location data, a device’s position can be derived from GPS, Wi-Fi, and Bluetooth connections alike. That means a phone with GPS turned off can still betray its owner’s whereabouts through the other radios it keeps active.
The mechanism is straightforward. When Wi-Fi is enabled, a phone continuously scans for nearby access points and broadcasts probe requests that contain identifiers. Bluetooth behaves similarly, pinging for discoverable devices. NFC operates at shorter range but still creates a detectable handshake. Each of these signals can be logged by receivers positioned in stores, transit hubs, or public spaces, building a breadcrumb trail of where a device has been. The NSA’s analysis notes that this location data may be obtained with or without user or provider consent, a detail that strips away the comfort of assuming an app permission prompt is the only gate between a phone and a tracker.
The practical takeaway is that disabling these radios outside of trusted environments, such as a home or office network, removes the signals that enable passive location inference. Calls and text messages still work over cellular, so switching off Wi-Fi, Bluetooth, and NFC does not cut a user off from communication. It simply closes the side channels that feed location data to parties the user never agreed to share with.
What the NSA specifically recommends turning off
The agency’s public-settings advisory is direct. The NSA urges users in public to disable Wi-Fi, Bluetooth, and NFC when those features are not in use. That single instruction covers three of the seven settings referenced in the headline, and each one addresses a distinct attack surface.
- Wi-Fi: Turning it off prevents the phone from connecting to rogue hotspots and stops it from broadcasting probe requests that reveal its MAC address and, by extension, its location history. It also reduces the risk that a device will automatically join a spoofed network designed to intercept traffic.
- Bluetooth: Disabling Bluetooth blocks opportunistic pairing attempts and eliminates the beacon-like signals that retail trackers and surveillance tools can pick up from several dozen feet away. It also narrows the window for exploits that target flaws in Bluetooth stacks.
- NFC: Switching off NFC closes the near-field channel used for contactless payments and data transfers, reducing the chance of relay attacks in crowded spaces where an attacker might try to skim or relay a tap-to-pay transaction.
Beyond those three radios, the same logic extends to related settings that amplify exposure. Location services, which aggregate data from all available sensors, should be restricted to apps that genuinely need real-time positioning, such as navigation or ride-hailing. Auto-join for Wi-Fi networks should be disabled so the phone does not latch onto unfamiliar access points without explicit approval. Hotspot and tethering functions, when left on, turn a device into a visible network node that nearby devices can probe. And ad tracking identifiers, which tie browsing and app behavior to a single profile, can be reset or limited through both iOS and Android privacy menus.
Each of these settings ships enabled by default on many devices. Manufacturers optimize for convenience, not for minimizing data leakage. The result is that a brand-new phone, fresh out of the box, is configured to share the maximum amount of wireless information with its surroundings. The NSA’s recommendations effectively ask users to reverse that default and treat connectivity as something to be deliberately enabled, not passively left on.
Why default-on radios create a measurable tracking gap
The core tension behind the NSA’s guidance is a design conflict baked into every smartphone. Wireless radios exist to make connectivity seamless, but that seamlessness depends on constant broadcasting. A phone that automatically reconnects to a saved Wi-Fi network at a train station is also a phone that announces its presence to every receiver within range. The same is true for Bluetooth accessories: the convenience of earbuds that connect the moment they are powered on relies on the phone advertising itself in the background.
The hypothesis that users who systematically disable Wi-Fi, Bluetooth, and NFC outside trusted locations would show measurably lower rates of passive location inference is consistent with the physics involved. Fewer active radios mean fewer signals to intercept. The NSA’s own framing supports this reasoning: if location can be derived from these connections, then eliminating the connections removes the derivation path. No public dataset yet quantifies the exact reduction in tracking events for users who adopt this habit versus those who do not, but the directional logic is grounded in how wireless protocols function and how receivers collect identifiers over time.
Third-party apps compound the problem. Many apps request Bluetooth or Wi-Fi scanning permissions not because they need to connect to a device, but because scanning nearby signals can reveal information about a user’s environment. An app that knows which Wi-Fi networks are visible can infer where a user is, even without direct GPS access. When multiple apps collect and share this kind of data with analytics or advertising partners, a single device’s movements can be reconstructed across days or weeks.
Default-on radios also create what might be called a “tracking gap” between users who change their settings and those who do not. In a crowd where most phones are broadcasting, a small number of devices that remain silent will be harder to single out or follow. The NSA’s advice effectively encourages people to move into that quieter cohort. While this does not make a device invisible-cellular networks, for instance, still need to know roughly where a phone is to deliver service-it does remove several of the easiest, most precise signals that non-carrier entities can exploit.
Practical steps for everyday users
Translating the NSA’s technical guidance into daily habits comes down to a few repeatable steps. Before leaving home, users can turn off Wi-Fi, Bluetooth, and NFC, then selectively enable them only when needed-for example, to connect to a known hotspot or pair with a specific accessory. Inside settings menus, they can disable automatic Wi-Fi joining, review app permissions that involve location or nearby devices, and turn off or limit advertising identifiers.
In public spaces such as airports, hotels, and cafes, the safest approach is to treat all networks as untrusted by default. That means avoiding automatic connections, declining prompts to join unfamiliar hotspots, and resisting the urge to leave Bluetooth on simply for convenience. When contactless payments are necessary, NFC can be toggled on for the duration of the transaction and turned off immediately afterward.
The NSA’s advisories do not promise perfect anonymity, and they do not suggest that users can fully opt out of all forms of tracking while still carrying a modern smartphone. Instead, they outline a set of straightforward configuration changes that meaningfully narrow the attack surface. For people who carry their phones everywhere, that shift-from broadcasting constantly to broadcasting only when necessary-can be the difference between a device that silently reports its owner’s movements and one that shares only what is required to stay connected.
More from Morning Overview
*This article was researched with the help of AI, with human editors creating the final content.
