Privacy myths busted: Protecting your mobile privacy is even harder than you think

This story is part of The Year Ahead, CNET’s look at how the world will continue to evolve starting in 2022 and beyond.

With increasingly invasive digital surveillance from advertisers and law enforcement over the past few years, securing your mobile phone from privacy threats in 2022 should be a key resolution. But don’t stop short. Changing a few settings in your phone and apps isn’t enough. To get the most privacy, the key ingredient to add is a suite of encrypted apps. 

Securing your phone’s privacy from groups like your internet service provider and law enforcement is a three-part process. First, you need to change several settings in your operating system — that reduces your device’s compliance with your apps’ requests for your data. Next, you manage all of your apps by deleting them, disabling them or changing their privacy settings — that reduces your apps’ collection of the data you produce. 

Dozens of settings in your phone’s operating system and within your apps would need to be changed before you could say you’d completed the first two steps. That’s why the final step — installing privacy-focused apps like a VPN, Signal Messenger, Brave Browser, DuckDuckGo and the BitWarden password manager — is crucial. Installing this suite of encryption and privacy apps makes most of the data you produce useless to your ISP and any local law enforcement surveilling you. 

On their own, these steps do create some minor inconveniences for an unknown portion of the advertisers that collect your data — but once you combine them with the five apps listed below, their effectiveness skyrockets, creating an impressive foundation for your mobile privacy. 

Use a PIN code to lock your phone — not fingerprints or facial recognition

In most circumstances, police are supposed to have a warrant before they can take your phone from you and search it. Police are also supposed to be barred from forcing you to unlock your phone with biometric data like fingerprints and facial recognition. They’re also supposed to have a warrant before they can request your internet history, texts and phone call logs from websites or your ISP or phone company. Supposed to. 

Fact: Sometimes humans simply forget the PIN code to their phone’s main lock screen and then other people like police officers, for example, have a very difficult time accessing the phone’s contents without extended effort. Happens all the time. Another fact: You can’t say you forgot your fingerprint or face at home. 

Remember, however, that a PIN code only buys you more time until police crack your phone. In some cases, just an hour or so. 

Disable location tracking

Without a virtual private network, disabling your phone’s geolocation services is pretty much useless as a way to protect your geolocation privacy from your ISP and law enforcement. Unless you’re using a VPN, every single piece of data that leaves your phone will appear to be coming from the nearest cell tower or Wi-Fi router you’re connected to. End of story. 

Toggling off your GPS doesn’t do much. If you share a billing or service account with another person, that other person can likely track you. Some services like AT&T FamilyMap and Apple’s Find My app may need to be manually disabled or uninstalled. Review the Disabling GPS tracking section of this guide for a walk-through on doing both. 

Both Android and iOS devices still have to contend with the geo-tracking of Google Sensorvault. Disabling Sensorvault stops Google from tracking your every movement across its Maps and Location History apps.

Read more: How to turn off location services on your iPhone

Turn off your mobile ad ID

If you’ve noticed interest-specific ads suddenly appearing in your browser or social news feeds, your mobile ad ID may be responsible. Your mobile ad ID is a type of tracking technology that follows you during your browsing and includes location information — a privacy vulnerability. 

iPhone users can turn this off by enabling Apple’s setting to limit any new apps’ ability to track you. Go to Settings, then Privacy, then Advertising, and toggle off Personalized Ads. This may not cover all the apps on your phone, however, so I also recommend limiting app tracking for other apps that you’ve previously downloaded. 

Check your apps and accounts 

Read CNET’s guide to keeping your information private online. Our guide to disappearing online is also helpful if you need Google to remove you from search results. 

Sign out of all other devices

In the privacy settings of nearly every one of your online accounts — from your email and social media accounts to your streaming services and cross-device synced services — you’ll find an option to sign your account out of all other devices. 

While it would be impossible to walk through every possible service with you in one article, this is a vital step to securing your accounts if you suspect any other person may be able to access your location and search history from a device you can’t control. Take the time to check the settings pages of your apps.

If you’re a Gmail user, check out our walk-through on signing out across other devices. 

Lock down your social media 

It should go without saying, but turn off all location tagging features for all of your social media accounts, one by one. And in each of your social media accounts — whether it’s Instagram, TikTok, Twitter, or Facebook — go through your privacy settings and disable your account being displayed in search results when people look for you. 

For help securing your Facebook account, check out our guide, or for help permanently deleting your account while still saving your photos. 

Enable 2FA

In most cases, two-factor authentication, or 2FA, will not protect your accounts if the person breaking into your accounts has your phone in their hands. That’s because 2FA normally works by sending you a text message or voice call with a passcode for the account you’re trying to log into. Some 2FA protections are customizable, however, and you can receive an email with a temporary passcode instead of a text message. 

Every account and service has its own process for enabling 2FA, most of which will be located in the settings menu of whichever app or account you’re securing, and are often under submenus labelled account, security, privacy or advanced options. 

Google users, you can set up 2FA by going to your Google account security page and clicking 2-Step Verification. Follow the prompts until you reach a screen titled “Use your phone as a second sign-in step.” 

As CNET’s Jason Cipriani notes, using alerts in the Gmail app is easier, but it means you have to have your phone nearby at all times and you’ll need a connection to approve the alert. So, if you’re somewhere where you have no bars — or if someone cuts off your phone service — you’ll need to be connected to Wi-Fi. 

Read more: How to enable 2FA for LinkedIn, Twitter, Microsoft, Apple and Google

Check for leaky apps

If you’re using the latest version of Android, there are new privacy features aimed at making it easier to find and restrict any apps with aggressive permissions. Check our guide to Android 12 privacy features for instructions on how you can see which apps have access to your microphone and camera.

If you suspect someone may have installed malicious apps on your phone, like stalkerware, it’s worth reviewing HackBlossom’s DIY guide to domestic violence cybersecurity for useful ways to secure your privacy. It covers methods of disabling certain privacy vulnerabilities in ways that recognize the need to be careful when distancing yourself from an abuser.

CNET’s Laura Hautala has written extensively on stalkerware and offers reliable instructions on checking your phone for tell-tale signs of malware that might be lurking in the background.

Fail-safe: Nuke your phone remotely

Many Android devices may have fewer out-of-the-box privacy and security benefits than iPhones, but if you’ve got an Android device you have one final kill switch. You can set up your phone so that you’re able to remotely wipe its entire contents if it falls into the wrong hands. 

In our Android settings guide, scroll down to the Be prepared to lose your phone section and read the walk-through for help getting it rigged. Important: Before taking even the first step toward wiping your device, back up your phone’s stored data on another device like a USB or removable hard drive. 

One final tool that may be useful to some of you is a digital dead man’s switch. If your phone is taken from you and you’re arrested, you could arrange a dead man’s switch to email a trusted ally with login information and instructions for remotely wiping your phone.

One option is the Dead Man Tracker app, which can notify certain people in the event you don’t respond. A second option that isn’t an app is the Dead Man’s Switch site. It sends an email to previously selected recipients. Note: I haven’t personally tested these two, so read the terms and privacy policies carefully before using, and test in advance. 

The real key to privacy: Add these five apps

While changing these settings is a great start toward improving your privacy in the year ahead, they’re only a half measure. To better protect yourself, install the following privacy-focused apps to protect your data from your ISP. 

Signal Private Messenger App

• Protection: Voice calls, along with multimedia text messages
• Cost: Free and open-source
• Estimated time: Under 3 minutes to install and start using

Make sure you download the app directly from its verified developer and not a copycat. Signal’s desktop app is also a more private replacement for instant messaging platforms like Slack, or Facebook’s Messenger and WhatsApp. Martin Shelton, of the Freedom of the Press Foundation, also has a 5-minute primer newcomers should read on getting the most out of the app. 

Surfshark VPN

• Effectiveness: Widely recommended
• Cost: From $13 per month, with a 30-day refund policy. 
• Estimated Time: Approximately 10 minutes to subscribe, install, and begin using, depending on your payment type. 

Without a VPN, your ISP and mobile carrier can usually see your Google searches. Police regularly get customer records from AT&T, T-Mobile, Verizon, or any other cell provider. Police also regularly get their hands on records from Google, Bing, Yahoo and other search websites — all of which can let police trace your searches to your phone. Surfshark is the cheapest VPN I trust (for now). You can get one month of service for $12.95 with a 30-day money-back guarantee.

Brave Browser and DuckDuckGo

• Cost: Free
• Bonus: Switch your Brave settings to the most aggressively protective 

A browser that leaks information can cancel out your VPN’s ability to cover your tracks, leaving your traffic exposed to your ISP, law enforcement and any sites you visit. Switch to the privacy-focused Brave Browser. Brave isn’t owned by Google, but any extension you can install in Chrome — like the extensions for Surfshark VPN, BitWarden, and DuckDuckGo — you can install in Brave Browser. Avoid using Google as your search engine and instead switch to DuckDuckGo — the privacy-focused search engine that keeps little to no information about the searches you use it for. 

BitWarden password manager

• Protection: Browsing and app logins
• Price: Free
• Time: Less than 2 minutes to install, but the time it takes you to add your passwords to the manager depends on how many accounts you have.

After installing BitWarden via the App Store or Google Play, also consider installing the app on any laptops you have and install BitWarden’s extension in your browser.