Apple AirTags Are a Privacy Nightmare

[Obligatory: we do not practice law. This is not legal advice or a legal opinion. Seek legal counsel if you have questions about the lawsuit we mention.]

We’ve been very vocal about the privacy nightmare that is Apple AirTags. Apple gets a lot of stuff right when it comes to protecting privacy. They dropped the ball with AirTags.

For the uninitiated, Apple markets the AirTag as an easy way to keep track of your stuff like your car keys, backpacks, luggage, wallets, and anything else you can conceivably attach them to. Apple released the product on April 30th, 2021.

The AirTag itself is about the size of a US half dollar.

How the AirTag works

Without getting super technical, AirTags use a protocol called Ultra-Wideband (UWB). It’s like Bluetooth where the signal travels short distances, but UWB is able to transmit more data faster, in near real time, and there’s no interference with other wireless technologies because it’s compatible with them. [Source: PC Mag]

Like Bluetooth, UWB has a range of around 30 feet (9.1m), but, because of how Apple engineered its products, AirTags really don’t have a limit in range. This is due to the fact that AirTags are trackable so long as they are within range of other Apple devices that have UWB built into them. [Source: PC Mag]

UWB is great for locating objects and this leads us to talking about privacy concerns.

Car theft and stalking incidents

The earliest reporting we could find on AirTag-related car thefts was from MacRumors on December 3rd, 2021. Since September 2021, York Region Police in Canada had investigated five incidents in which AirTags were used in high-end car thefts. [Source: MacRumors]

Then news started rolling in about people, the majority women, being stalked with Apple AirTags. You can read articles about this issue here, here, and here.

Lawsuit against Apple

On, or around, December 6th, 2022, news broke of two women filing a lawsuit against Apple, which is the basis of the class action against the tech giant.

What the two plaintiffs, Lauren Hughes and Jane Doe, allege is harrowing, given the level of stalking their abusers carried out with just an Apple AirTag.

The class action suit is broken down into iPhone and Android users, and we’re only going to highlight two of the claims for each because there’s just so much meat to this filing that we won’t do it justice. The summary of the lawsuit comes down to this, as reported by Digital Trends:

“Among the 12 claims Apple faces, the plaintiffs allege Apple of breaching their privacy by geolocating them, violating state privacy laws, and fraudulent marketing to deceive the public that AirTags were safe. The lawsuit makes it clear that “each Plaintiff continues to be at risk of unwanted and unlawful tracking via an AirTag device.”” [Source: Digital Trends]

An iPhone claim

One of the several claims pertaining to the Apple side of things concerns alerting someone that an AirTag they don’t own is nearby. The court filing states:

“This alert, however, is not immediate. Originally, Apple’s algorithm would wait 72 hours before notifying an individual that they had been in the proximity of an unknown AirTag. Put another way, a victim could have been stalked for three days before Apple alerted them of the potential danger. Recently, Apple reduced the time period for the notification, but individuals still report not receiving an alert after as much as a day of being tracked— “[a]ccording to Apple, the timing of the alerts can vary depending on the iPhone’s operating system and location settings,” but users have no control over this. As a report by an industry expert noted, “Apple estimates it takes between four and eight hours to send an alert, which could be a potentially fatal span of time.”” [Source: LAUREN HUGHES and JANE DOE, v Apple Inc. Pages 16-17]

An Android claim

Tracker Detect, Apple’s app on the Google Play Store and its remedy to help Android users find AirTags, doesn’t run in the background constantly looking for devices, nor does it send the user notifications. The lawsuit claims that:

“This limitation is critical and, potentially, deadly: unlike the “always-on” scan that Apple provides for iPhone, iPad, or iPod Touch owners (meaning that these devices constantly conduct background scans for unwanted AirTags), an Android owner must selectively, and intentionally, engage Tracker Detect to conduct a scan. Once that scan concludes, the app will not scan for AirTags again until the Android device owner once more engages the app. Put another way, any Android owner who downloads Tracker Detect must decide when and where to scan for AirTags—something a person being unknowingly tracked would be unlikely to do.” [Source: LAUREN HUGHES and JANE DOE, v Apple Inc. Page 18]

While we’re only highlighting a claim each from the iPhone and Android side of things, there are several more that show some pretty severe oversights. There’s also a section in the suit that discusses issues law enforcement has when someone reports being stalked by AirTags and the challenges of preserving these devices as evidence.

The lawsuit is well worth the read. There’s a lot at stake for both us as consumers and our privacy.

Our take

Apple isn’t going to sit this out quietly. Their U1 chip that provides the ability for Apple devices to track things is too valuable to them.

Apple can update and re-engineer the AirTag all they want; in its current state, it still won’t be enough to protect someone from being tracked by their abuser. Sure, you can increase the beeping volume of the device and make reporting time shorter. For the victim, if they can’t hear it, can’t get alerts in a timely manner, and can’t find the device, it’s of little help. For non-Apple users, you truly are SOL. The Tracker Detect app sucks. Full stop. We’ve tried it out.

If you’re a privacy-conscious person using the Android app, your day looks like this:

  • Before leaving your home you manually push the scan button on the app to search for AirTags.
  • When you return to your car after leaving a store, for example, you have to manually push the scan button on the app to search for AirTags. If you drive a lot and go to several places during the course of the day, you’ll be repeating this process over and over again. If you’re in a densely populated area, the app is even more useless as it’ll detect every AirTag nearby.
  • Same thing goes for checking to see if your, or your kids’, belongings have an AirTag attached. Having to manually scan all the time is burdensome.

This is anecdotal, but in the articles we’ve read on how AirTags work, and even in some related to stalking, the outlets don’t bring up that these devices can be abused. If it is brought up, it’s phrased as “We’re not sure yet if this will be abused.” We even came across an article about a stalking incident that was turned into a fluff piece on how beneficial AirTags are for finding lost or misplaced items. Our advice to outlets talking about how something works, especially when it comes to tracking devices: if it deals with tracking, you need to address that it will be abused by abusers. This is akin to magazines of the 1930s-1950s placing ads from cigarette companies saying that doctors prefer X brand of cigarette. There needs to be responsibility and accountability somewhere for something that is life-threatening.

In its current state, we feel AirTags should not exist. They are too dangerous to someone’s physical safety. Not to mention the psychological factors that accompany being stalked and harassed. We encourage you to join the class action suit if you were a victim of stalking by Apple AirTags.

That leaves us with questions. Should Apple AirTags and similar tracking devices even exist? While we see the benefit of an AirTag for finding lost keys, a wallet, or luggage, should they be engineered using only Bluetooth, not be part of a “Find My”-like network, and have the device just pair with your phone? This would severely limit the range. If this is the way, what measures do you put in place to prevent it from being abused and tampered with?

What are your thoughts? Let us know in the contact form below. While you’re here, also sign up for our cybersecurity and research newsletter https://bsquaredintel.com/newsletter-signup/. We give you tips, tricks, tools, news, and updates of what we’re up to.
