Apple was careful to address AirTag stalking concerns when it announced the new tracking tags, but was a little vague on the details of the privacy protections built into the system. It has now revealed a little more, as concerns are expressed about the potential for misuse by abusive partners.
There appears to be a particular loophole if someone wants to track a partner who uses an Android phone …
FastCompany reports concerns expressed by a nonprofit created to tackle the issue of domestic violence.
Technology often comes with unintended consequences, explain representatives from the National Network to End Domestic Violence (NNEDV), a leading nonprofit with the goal of ending violence against women. NNEDV sits on advisory boards for Facebook, Twitter, Snapchat, and Uber and has consulted for both Google and Apple in the past (but not on AirTags). The organization’s representatives say that while Apple AirTags are a cheap, easy-to-use product to find a lost item, they are also a worrisome surveillance tool that could be leveraged by an abuser to discreetly track a partner. An AirTag simply needs to be slipped into someone’s bag or jacket pocket to track exactly where they go.
Apple initially drew attention to three privacy protections.
iOS devices can detect an AirTag that isn’t with its owner, and notify the user if an unknown AirTag is seen to be traveling with them from place to place over time. And even if users don’t have an iOS device, an AirTag separated from its owner for an extended period of time will play a sound when moved to draw attention to it. If a user detects an unknown AirTag, they can tap it with their iPhone or NFC-capable device and instructions will guide them to disable the unknown AirTag.
However, the company didn’t get into the specifics of when and where it would alert people. In response to questions, Apple did give two specifics.
First, arriving at your home address with an unknown tag will trigger an alert on your iPhone. The address used is the one you have in your “Me” contact. Second, an alert will also be triggered if there’s an unknown tag with you when you arrive at one of your frequently visited locations, such as a work address.
These alerts only work if you have an iPhone, however. If you’re an Android user, the only protection is the fallback one of sounding an alert from the AirTag after three days. Domestic abuse campaigners say there are two problems with this.
Three days is a long time to be tracked without your knowledge. And the three-day alarm is only triggered when the AirTag doesn’t come within range of its paired iPhone.
So abusers who live with partners using Android can constantly pair and re-pair an AirTag so that it won’t set off an alert, a problem so core to the design of AirTags I’m skeptical it can be fixed with a software tweak.
“Three days won’t work if you’re going home every day to the same person tracking you. . . . That’s a learning space [that] hopefully Apple will consider and work to build in protections with that threat model,” says Corbin Streett, technology safety specialist at NNEDV. “[Apple] is thinking about the threat model where it’s a stalker who is walking by someone on the street they don’t know—that stranger danger model—but what about when it is the person you come home to every day?”
Streett suggests Apple should have partnered with Google to create a cross-platform safeguard, the same way it did with COVID-19 contact tracing. In that way, Android users would get the same level of AirTag stalking protection as iPhone owners.