Your phone is almost certainly scanning for Wi-Fi networks and Bluetooth devices right now, even if you think both radios are off. That background scanning feeds a quiet stream of location data to apps, advertisers, and data brokers, and the National Security Agency wants you to shut it off.
The NSA’s guidance document titled “Limiting Location Data Exposure,” most recently updated in 2026, repeats a warning the agency has issued for years: disable Wi-Fi and Bluetooth scanning whenever those connections are not actively in use. The setting ships turned on by default on both Android and iOS devices, and because most people never dig into their location sub-menus, the scanning runs indefinitely in the background.
Why the NSA treats this as a real threat
The agency’s concern is grounded in peer-reviewed research it cites directly. A study titled “PinMe: Tracking a Smartphone User around the World,” archived on arXiv, demonstrated that a phone’s built-in accelerometers, gyroscopes, and barometers can reconstruct a user’s path across cities and countries without ever accessing GPS. The researchers showed that even when explicit location permissions are denied, the sensor data alone can reveal where someone has been.
A second paper the NSA references, “Next Place Prediction Based on Spatiotemporal Pattern Mining of Mobile Device Logs,” available through PubMed Central at the U.S. National Library of Medicine, tackled the next step: once movement data is collected, algorithms can predict where a person will go in the future. Together, the two studies form a straightforward chain. Passive sensors build a travel history, and pattern-mining techniques turn that history into a forecast.
Intelligence professionals call this “pattern-of-life” exposure. Aggregated location points can map daily routines, frequented addresses, social contacts, and habitual travel routes. In practice, that means the data can reveal not just where someone sleeps and works, but when they are likely to be away from home, which medical facilities they visit, and which religious or political gatherings they attend.
The data broker problem makes it worse
The NSA’s warning does not exist in a vacuum. Over the past several years, a series of enforcement actions and investigations has shown how commercially harvested location data ends up in unexpected hands. In 2023, the Federal Trade Commission banned data broker X-Mode Social (now Outlogic) from selling sensitive location data after finding the company had sold raw GPS and Wi-Fi-derived coordinates that could track individuals to reproductive health clinics, places of worship, and domestic violence shelters. Investigative reporting has also documented how a surveillance tool called Fog Reveal, built by Fog Data Science, allowed local law enforcement agencies to purchase location trails drawn from ordinary smartphone apps without a warrant.
These cases illustrate the pipeline the NSA is trying to interrupt at its source. When Wi-Fi and Bluetooth scanning run in the background, they generate the raw signals that apps and SDKs harvest, bundle, and sell downstream. Disabling the scanning does not make a phone invisible, but it removes one of the easiest, most passive collection channels.
What the research does and does not prove
The PinMe preprint was first posted in 2018, and the next-place-prediction study was published earlier still. Both remain scientifically relevant because the underlying sensor hardware has not fundamentally changed: phones still carry the same accelerometers, gyroscopes, and barometers that can be read without obvious user interaction. However, neither paper accounts for privacy controls introduced in more recent operating-system updates. Apple’s App Tracking Transparency framework, introduced in iOS 14.5, requires apps to ask permission before tracking users across other apps and websites. Google added approximate-location options and more prominent background-activity indicators starting with Android 12. Whether those newer controls fully close the gaps the researchers identified has not been tested in a comparable peer-reviewed study.
There is also no single public case study, in the sources the NSA cites, tying a specific harm directly to Wi-Fi or Bluetooth scanning as the sole collection vector. The warning is preventive. It rests on demonstrated technical capability and on the broader, well-documented reality of commercial location-data abuse, rather than on a single disclosed incident. Readers should weigh it that way: the technical risk is well-supported, but the precise frequency of exploitation through this particular channel remains unquantified in public literature.
How to actually turn it off
On most Android phones: Open Settings, tap Location, then look for Wi-Fi scanning and Bluetooth scanning (on some devices this is under Location > Advanced or Location services). Toggle both off. The exact menu path varies by manufacturer and Android version, but the labels are usually explicit.
On iPhones: Go to Settings > Privacy & Security > Location Services. Review which apps have background location access and set them to “While Using” or “Never” unless you have a specific reason to allow continuous tracking. iOS does not expose a separate “Wi-Fi scanning” toggle the way Android does, but restricting per-app location permissions and disabling “Precise Location” for apps that do not need it accomplishes much of the same goal.
In both cases, the NSA’s broader point is simple: visit these menus at least once rather than accepting whatever the manufacturer shipped as the default.
Why this keeps coming back
The NSA first published its location-data guidance in 2020 and has continued to update and re-promote it through June 2026. That persistence signals something important: the agency does not consider the problem solved by any single OS update or regulatory action. New apps appear, new SDKs get embedded, and default settings reset after major software updates. The scanning toggles are a small, repeatable step that any user can take in under a minute, and the intelligence community’s own signals-intelligence authority is telling the public it is worth doing.
The research underpinning the warning is freely available because platforms like arXiv, backed by an institutional membership network, maintain open-access archives over many years. When a federal agency cites a 2018 preprint in a 2026 guidance document, it is relying on that infrastructure to keep the evidence accessible to anyone who wants to verify the claim. That transparency is part of what makes the recommendation credible: the technical basis is not classified, and anyone with a browser can read the same papers the NSA read.
*This article was researched with the help of AI, with human editors creating the final content.