Apple AirTag and Privacy

Apple introduced AirTag at its Spring Loaded event last month. In recent weeks, however, more and more people have begun expressing concerns over AirTag and privacy. In this article, we’ll take a look at the issue, covering:

• What is AirTag?
• AirTag privacy protections
• AirTag privacy issues
• How to check if an AirTag is tracking you

What is AirTag?

AirTag is a small tracking device for your stuff. 

You set it up by pairing it to an iPhone, and attaching it to an object. You can slip AirTag into a bag, attach it to your keyring, or tape it to the back of your TV remote!

If you misplace something, and you’re in close physical proximity to the lost item, you can get AirTag to play a sound so that you can find it. If you have an iPhone 11 or iPhone 12 model, you can also use AirTag’s Precision Finding feature. Precision Finding makes use of AirTag’s built-in U1 chip, which emits radio signals that allow your iPhone to pinpoint a device. It’s much more precise than GPS or Bluetooth. 

But what if you’re not close to your device? What if you lose your bag in an airport, or drop your keys on a walk? If that happens, you can use Find My to find your missing item. AirTag uses Bluetooth beacons to signal to nearby Apple devices on the Find My network. These devices relay location information back to Apple, allowing you to locate your AirTag on the map. You can also put an AirTag into Lost Mode. Lost Mode notifies you when another device has detected your AirTag. It also lets you provide your contact details to the person who finds your lost item.

AirTag and privacy protections

If a concealable tracker that can be followed with an iPhone seems like a major privacy issue to you, you’re not alone. As soon as AirTag was announced, people began asking questions about AirTag and privacy. How can Apple keep everyone’s location data safe when AirTag is sending that information back to its servers? Can someone else track me with their AirTag?

Apple has thought about these issues, and tried to build privacy into AirTag’s design. Here are some of AirTag’s key privacy features:

• Apple only keeps location data for lost AirTag items on its servers for 24 hours. It encrypts all of the data.
• If you need to locate a lost AirTag with Find My, Apple uses end-to-end encryption to protect everyone’s privacy. Apple doesn’t know the identity of the device that detected your AirTag, and they don’t know where your AirTag is.
• Apple rotates the Bluetooth identifiers emitted by AirTag in order to prevent third-party tracking.
• If an AirTag is separated from its paired iOS device, but is in close proximity to your iOS device, your device will let you know with a special notification.
• If an AirTag is apart from its main device for an extended period of time, it will play an alert sound to let non-iOS users know that it’s there.
• Every AirTag has a serial number. That serial number is paired to an Apple ID and a specific iPhone during setup. In theory, this should discourage stalkers from using AirTag as a tracking device, because the authorities could trace the AirTag back to them.

AirTag and privacy concerns

Despite AirTag’s built-in privacy features, some observers point out that AirTag still has some pretty significant privacy issues — and say that Apple hasn’t gone far enough to protect people from unwanted tracking.

One Washington Post reporter allowed a colleague to track him with an AirTag for a week. What he found was disconcerting. For one thing, the journalist noted that although he received notifications about the AirTag on his iPhone, an Android user wouldn’t have seen any such warnings. The AirTag audio alert eventually went off, but this only happened after three days — and even then it was only “15 seconds of light chirping”. 

Apparently, these are the default settings for AirTag. In other words, if you don’t have an iPhone, someone could track you without your knowledge for several days before you found out about it. In addition, domestic violence experts note that victims of stalking often live with their stalkers … and the AirTag resets its three-day countdown every time it’s close to its paired device. As the Post journo points out: 

[T]he alert countdown could be reset each night when the owner of the AirTag comes back into its range … In many abuse situations, the alarm might never go off at all.

Beyond the privacy concerns, there’s also the possibility that bad actors could alter an AirTag for malicious purposes. Last week, a security researcher managed to modify an AirTag’s microcontroller firmware — essentially “jailbreaking” the AirTag in the same way that people jailbreak iPhones. In theory, a hacker could leave a jailbroken AirTag in a public place hoping that some unlucky person would find it and try to return it to its owner. The modified AirTag could be used to redirect the finder to a malicious website instead of the Find My website.

How to check if an AirTag is tracking you

So how can you see if an AirTag is tracking you?

For iPhone users, it’s fairly straightforward. If have an iPhone 6S or newer and you’re running iOS 14.5 or later, you will get a notification that says AirTag Found Moving With You. Tap the message to see more options. You can get help finding the AirTag by having it play a sound, get information about the AirTag to see if has been marked as lost by its owner, or disable the AirTag altogether.

But what if you don’t have an iPhone? Unfortunately, for the time being you’ll have to rely on the AirTag audio alert. The alert plays for 15 seconds by default before going silent again for several hours. If you find someone else’s AirTag, you can use an NFC-capable Android device to view the AirTag’s Lost Mode message.

AirTag is a useful technology, but the privacy issues are somewhat worrying (especially for non-iOS users). The good news, however, is that Apple has indicated that it’s open to changing the AirTag defaults based on community feedback. Here’s hoping that Apple will move quickly to address the privacy concerns around AirTag.