AirTag stalking ‘frighteningly easy’; multiple problems identified


    A new report today says that AirTag stalking is ‘frighteningly easy’ thanks to a number of weaknesses in Apple’s privacy protections.

    It reveals several ways that an abusive partner could circumvent the measures Apple takes to alert stalking victims …

    Background

    At the time AirTag was launched, Apple was keen to stress the anti-stalker measures it had taken:

    1. If an AirTag you don’t own moves with you (and the owner is not also doing so), an alert pops up on iPhones. This alert appears when you arrive home, or at a frequently-visited location.
    2. If you don’t own an iPhone, an audible alarm will eventually be triggered.
    3. If you find an unknown AirTag on you, you can scan it with either an iPhone or Android phone and it will take you to an Apple webpage which explains how to remove the battery to disable it.
    4. Every AirTag has a serial number, so law enforcement can obtain owner details from Apple by presenting a court order.

    However, groups who work with victims of domestic abuse say that these protections are inadequate in general, and especially so in the case of someone who lives with an abusive partner. (A number of factors, from fear to financial dependence, can make it difficult for a victim of domestic abuse to leave.)

    In particular, three days is a very long time to be tracked without your knowledge if you are an Android user. Additionally, a stranger stalking you would be able to track you to your home address, or to another location you frequently visit, before you are alerted – in other words, after the damage is done.

    AirTag stalking test

    The Washington Post’s Geoffrey Fowler carried out his own test, allowing a colleague to plant an AirTag on him to find out for himself.

    AirTags are a new means of inexpensive, effective stalking. I know because I tested AirTags by letting a Washington Post colleague pretend to stalk me. And Apple’s efforts to stop the misuse of its trackers just aren’t sufficient […]

     To put Apple’s personal security protections to the test, my colleague Jonathan Baran paired an AirTag with his iPhone, slipped his tag in my backpack (with my permission), and then tracked me for a week from across San Francisco Bay […]

    After placing an AirTag in my bag, my colleague was able to find my whereabouts with remarkable precision. Once he associated the AirTag with his iPhone, the tag’s location showed up in an iPhone app called Find My, included free with iPhones. (It started as a way to find lost Apple products and has now expanded to other things.)

    When I was riding a bike around San Francisco, the AirTag updated my location once every few minutes with a range of about half a block. When I was more stationary at home, my colleague’s app reported my exact address.

    The popup alert on his iPhone worked well, he says, as he was alerted multiple times. However, given that alerts only appear at home and other primary locations, that may not protect against an abusive partner.

    An AirTag starts a three-day countdown clock on its alarm as soon as it’s out of the range of the iPhone it’s paired with. Since many victims live with their abusers, the alert countdown could be reset each night when the owner of the AirTag comes back into its range […]

    Also troubling: There’s an option in the Find My app to turn off all of these “item safety alerts” — and adjusting it doesn’t require entering your PIN or password. People in abusive situations don’t always have total control over their phones […]

    In many abuse situations, the alarm might never go off at all.

    The only protection for Android users is the audible alert after three days, and it’s already been shown that the speaker can be disabled. The piece reiterates calls for Apple to work with Google as it did with COVID-19 contact tracing to develop a standard which gives Android users the same pop-up alerts as iPhone owners. It does also seem a no-brainer to require authentication to turn off the privacy alerts.
