Meshtastic clamps position precision to protect shared location data

Meshtastic just closed one of the easiest ways for a node to overshare where it is. A June 14 firmware commit in meshtastic/firmware, titled “Clamp position precision on public / known-keys,” pushed location handling toward a stricter privacy boundary for channels that are public or broadly shared.

Meshtastic’s channel docs make the tradeoff clear. position_precision is a per-channel value from 0 to 32, where 0 means location data is never sent on that channel and 32 means full precision is sent. The PRIMARY channel is the default path for periodic broadcasts like position and telemetry, and the default PRIMARY channel is LongFast with PSK “AQ==”. Leave that unchanged, and location is shared with every node in range that is also using the default channel.

That is why the new firmware clamp matters. The commit notes pointed to an information privacy audit for CCPA compliance, along with fixes for bounds checking, all-channel precision clamping, and a disabled-channel guard. The practical effect is to move more of the privacy rule enforcement into firmware, instead of depending on every client or interface to write the same value correctly every time.

Meshtastic has already shown how brittle this area can be. One 2024 issue said position was not sent because precision was 0 and the Android app had no field for precision. Another said location was not precise even though precise location had been selected in channel settings. The project’s docs also say sharing location on a private secondary channel is a newer feature that only works on firmware 2.7.1+, which shows how recently Meshtastic has been pushing location controls beyond the default PRIMARY channel.

The privacy surface is larger than one setting. Meshtastic’s MQTT map reporting can publish an unencrypted map report that includes node position with configurable precision, altitude, hardware model and role, firmware version, LoRa region, modem preset, primary channel name, whether the node can be reached on the default channel with known key, and nearby-node counts. In a mesh, that is enough to sketch not just where a node is, but how it is configured and how reachable it might be.

The June 14 clamp also lands after a June 18, 2025 GitHub security advisory warned about repeated public/private keypairs and possible low-entropy key generation, which could let direct messages be captured and decrypted and could affect remote administration. Later firmware notes added more explicit protections, including a fix to honor channel settings and prevent location leaks, plus a separate clamp for direct position packets.

For family hiking groups, community meshes, and emergency coordination, the payoff is simple: enough location awareness to be useful, without turning every broadcast into a precise breadcrumb trail. Meshtastic is drawing that line more firmly in firmware now, and that makes the shared map a little less exposed.