Apple needs to work with Google, Samsung, Tile and other rivals to find a fix, privacy experts say.
Apple’s AirTags are meant to be a high-tech solution to an age-old problem: finding misplaced keys, wallets and other personal items. But since Apple launched the diminutive Bluetooth trackers last April, they’ve also been used for nefarious acts – particularly stalking.
“It was the scariest, scariest moment ever, and I just want everyone to be aware that this exists,” Sports Illustrated model Brooks Nader said in a January Instagram post. She was describing an iPhone alert she received one night while walking home from a bar saying that a device had been tracking her location. Nader’s husband discovered an AirTag hidden in her coat pocket after she arrived home, she said in an interview on the Tamron Hall Show.
Experts I spoke with say it’s incumbent on tech companies to come together and find better ways to prevent Bluetooth trackers from compromising personal privacy. That includes not just Apple, but also Samsung, Tile and other companies making similar products with fewer safeguards. They could start by providing information to each other and to the public about how Bluetooth trackers are being exploited. Sharing findings on how their respective products are being used maliciously is critical for creating privacy protections that work equally well across all smartphones. It would ensure that all companies are operating on the same data when developing tools for preventing or mitigating abuse.
“I think that there are going to be limitations as long as the solutions remain with individual companies,” said Erica Olsen, director for the National Network to End Domestic Violence’s Safety Net Project.
Apple has made efforts to prevent misuse by encrypting the communication between AirTags and its Find My network. The company announced on Feb. 10 that it’s adding new privacy warnings to AirTags during the setup process. It’s also further reducing the amount of time it takes to notify an iPhone owner that an unknown AirTag may be traveling with them.
The company said in a press release that it’s “committed to listening to feedback and innovating to make improvements that continue to guard against unwanted tracking.” But when approached by CNET, Apple declined to say whether it would collaborate with other tech companies on a fix.
Whatever the answers, a solution is overdue. The companies may not be encouraging abusers to exploit their technology, but what they have done is made it far cheaper and more convenient to do so. Now it’s up to them to make it more difficult – or ideally impossible – to misuse their technologies.
In the meantime, though, there are ways you can protect yourself.
How AirTags work, and why they’re being linked to stalking
AirTags are button-sized, Bluetooth-enabled trackers designed to help iPhone owners keep track of personal items. Place one in anything from a wallet to a bicycle, and its location appears on a map within Apple’s Find My app for iPhones, iPads and Mac computers – a useful feature if an item goes missing. When an AirTag is out of the owner’s Bluetooth range, other Apple devices in the Find My network can detect it via Bluetooth and relay its location to the cloud.
But that amount of precision carries some risks. A wave of reports have shown AirTags being used for stalking and theft attempts, prompting the New York and Pennsylvania attorneys general to issue public safety alerts on Feb. 16. A Connecticut man was arrested for allegedly using an AirTag to stalk his ex-girlfriend by hiding an AirTag in her car, according to a Feb. 2 report from Fox 61. CBS News spoke last month with two Atlanta women who discovered they were being tracked by AirTags hidden in their cars. One of the women said she found an AirTag in her vehicle’s gas tank. And then in December, The New York Times spoke with seven women who believe they were being stalked via AirTags after receiving alerts on their iPhones. Two never managed to find the AirTag that may have caused the alert.
AirTags are getting so much attention in part because Apple’s network is so widespread. The company said in an April press release that its Find My Network is approaching 1 billion Apple devices. There are more than 1.8 billion active Apple gadgets in use around the world, Apple said in its January quarterly earnings call, so there’s plenty of room for the network to grow. (Participation in Apple’s Find My network is optional and can be disabled, so not every active product is in the network.)
Other Bluetooth trackers have far less reach. Tile, for example, has sold more than 40 million devices worldwide to date. Tile’s network is slightly larger than that since it also encompasses compatible products from other companies, like Amazon’s Sidewalk-enabled Echo devices. But it’s still no Apple. “You might go all day without coming within Bluetooth distance of a person who has the Tile app installed on their phone,” said Eva Galperin, director of cybersecurity for the Electronic Frontier Foundation. “But good luck going all day without getting within Bluetooth distance of another iPhone.”
What Apple is doing to prevent unwanted tracking
Apple has put safeguards in place to prevent unwanted tracking, and it says it’s working with law enforcement on AirTags-related requests.
One of its most crucial protections is a notification that alerts iPhone owners when an unknown AirTag has been moving with them over a period of time. Nader, the model, said the only “silver lining” of her situation was that her iPhone was able to notify her that she may have been tracked. She contacted the police, who couldn’t do much since she didn’t have any information about who planted the device, Nader also said on the Tamron Hall Show.
Apple sends the unknown AirTag notification only when the recipient arrives home or at a significant location, like the gym or other frequently visited destinations, or by the end of the day. But it’s making an update later this year that will send that alert even sooner, although Apple didn’t share further specifics on timing.
The company has also announced a slew of other changes meant to thwart unwanted tracking. Later this year, those with compatible iPhone models (iPhone 11 and later) will be able to use Apple’s Precision Finding feature to see the distance and direction to an unknown AirTag that’s within Bluetooth range of an iPhone (about 33 feet). The company is adjusting the sound that plays when someone is looking for an unknown AirTag to use “more of the loudest tones” so that it’s easier to find. And AirTag buyers will now see a privacy warning when setting up their device reiterating that tracking people without consent is a crime in many regions.
That’s not all. When an AirTag is separated from its owner for a period of time, it will play a sound when it’s moved to make it easier to find. Apple decreased the amount of time it takes to play this sound from three days to a randomized time window of between eight and 24 hours. The company also launched a free Tracker Detect app for Android phones in December that can scan for any nearby AirTags that have been separated from their owner.
In a statement to CNET, Apple said it takes customer safety seriously. “AirTag is designed with a set of proactive features to discourage unwanted tracking – a first in the industry – that both inform users if an unknown AirTag might be with them, and deter bad actors from using an AirTag for nefarious purposes. If users ever feel their safety is at risk, they are encouraged to contact local law enforcement who can work with Apple to provide any available information about the unknown AirTag.”
Other trackers don’t have as many privacy protections
Apple’s privacy protocols exceed those of its competitors. Samsung’s SmartThings Find app allows users to scan for nearby unknown Galaxy SmartTags, but it doesn’t alert them proactively. Samsung declined to discuss whether it would add this functionality in the future. The company also said it’s “committed to providing secure mobile experiences to users.”
That said, Samsung has some privacy protections in place. Similar to Apple, its tags routinely change their device IDs to prevent the Bluetooth signal from being tracked over longer periods of time. And all user data is encrypted.
Tile’s products don’t allow people to scan for nearby tags that don’t belong to them, but that’s changing soon. The company is launching a feature in early 2022 called Scan and Secure, which makes it possible to search for nearby Tile tags from the Tile app, even if the person doesn’t have an account. Tile said it worked with advocacy organizations to develop the feature.
But like Samsung, Tile requires a button to be pushed in the app to find nearby tags – it doesn’t scan for them unprompted. Tile also said it will continue to consult with experts and build on this feature.
What it might take to prevent Bluetooth trackers from being misused
Although Apple and Tile are making progress, privacy experts believe much more needs to happen. The first order of business should be working with Google to make sure Android owners have the same protections as iPhone users, says Galperin.
Apple’s Tracker Detect has the same shortcoming as Samsung’s and Tile’s systems: It doesn’t proactively warn people if an AirTag is found nearby (a feature iPhone owners enjoy). The company declined to comment on whether it intends to add this feature to the app in the future.
Alexander Heinrich, a researcher and Ph.D. student at Germany’s Technical University of Darmstadt’s Secure Mobile Networking Lab, is one of the creators behind another app for detecting AirTags, called AirGuard. The free Android app launched in September, long before Apple launched its Tracker Detect.
AirGuard offers a few features Apple doesn’t, including the ability to scan for AirTags in the background without needing to press a specific button within the app. (Before that, though, you must give the app the necessary permissions to do so.) The app has more than 100,000 installs so far, according to its Google Play Store listing, but user reviews about its accuracy have been mixed.
“On day one, I felt like OK, I have to do something for Android because also people were calling that out immediately,” said Heinrich. “Because they saw, OK, on iOS they have integrated it, but there’s nothing for Android.”
Developing more comprehensive protections for Android users is a good start. But to reach a real answer, Olsen says companies need to cooperate by sharing information about how their products are being misused. She points to the Coalition Against Stalkerware, an organization formed in 2019 to provide education and resources for combatting stalkerware. It counts the cybersecurity firms Malwarebytes, Kaspersky and Avast as partners – an example of how competing companies can work together to overcome privacy issues.
“People are unfortunately very clever with misusing products, and they’ll continue to find ways,” said Olsen. “So I think it’s going to be a constant kind of battle to continually evolve the product.”
Tile says it’s started discussions “both internally and externally” about working with competing companies to develop industrywide privacy practices.
“We can’t share more details at this time, but we look forward to seeing forward progress and welcome the opportunity to partner with other companies in the industry in the name of consumer safety,” Tile said in a statement to CNET.
Apple and Samsung declined to comment on their respective future plans.
Understanding the scope of the problem
Part of the challenge is that it’s unclear how often AirTags or other similar Bluetooth trackers are being used for stalking or theft, says Jen King, privacy and data policy fellow at the Stanford Institute for Human-Centered Artificial Intelligence.
“At this point, I feel like it’s all anecdotal,” she said.
Heinrich and his colleagues are trying to help answer that question, too. The Technical University of Darmstadt is using the AirGuard app to conduct a study that could potentially reveal how often AirTags are being exploited for stalking.
AirGuard users can opt into the study, which would enable Heinrich and his colleagues to collect anonymized data untraceable to individuals. Information collected includes the signal strength of discovered AirTags, the number of notifications sent to the user and the dates and times pegged to those alerts.
Still, using data like Bluetooth signal strength and notification frequency to get an idea of how often AirTags are being used for stalking is tricky. Heinrich and his colleagues can see when AirGuard sends notifications, but they don’t have the context behind these alerts. Many users could simply be trying out the app to see if it works, for example. That’s why the team is planning to conduct a second study that includes a questionnaire to add more context. In the meantime, data like Bluetooth signal strength may help Heinrich and his colleagues understand how close the AirTag in question might be to the user.
“We try to use this information to see if, for example, that might have been an actual tracking attempt,” Heinrich said. “Because then the device is probably closer than if you have gotten a false alarm by someone who was sitting next to you on the bus, or something like that.”
What users can do to protect themselves today
Right now, Android owners can download an app like Apple’s Tracker Detect or AirGuard to check for rogue AirTags. Meanwhile, iPhone owners will receive an alert that says “AirTag Found Moving With You” without having to download an app. If it’s a different Find My-enabled product, iPhone owners will receive a similar alert showing the product’s name.
Manually searching areas that could make for good AirTag hiding spots, such as inside pockets or underneath car cushions, is also a good idea. We have an article with advice about how to prevent unwanted AirTags tracking, and Apple has a support page dedicated to the topic.
There’s another factor at play that makes it difficult to circumvent threats that may emerge from new tech products. We simply don’t have the same instincts for avoiding potentially dangerous virtual scenarios as we do in real life, says Petros Efstathopoulos, the global head of NortonLifeLock Research Group, the security software provider’s research arm.
“If you’re sitting in your living room, and you see somebody looking through the window, you have a very kind of instinctive reaction to that,” he said. “And you’re like, ‘Who are you? Why are you looking at me?’ So that kind of trust or lack thereof, that sense of safety and trust doesn’t map very well to the digital world.”