Real-World Test Shows It’s ‘Frighteningly Easy’ to Use an AirTag for Stalking

AirTag and iPhone Credit: Starry Sky Visual / Shutterstock

We’ve been hearing about how Apple’s AirTag will help to discourage unauthorized tracking since before the highly anticipated new tracking tag was even released last month. However, now that AirTags are landing in people’s hands, it’s becoming apparent that Apple may not have done enough to prevent them from being used for nefarious purposes.

While domestic violence advocates already sounded the alarm on this last week, it was still unclear whether their concerns were merely theoretical — perhaps based on a misunderstanding of how the features work. However, it seems that at least one real-world test has shown these fears to be mostly valid.

The Washington Post’s Geoffrey A. Fowler decided to put a new AirTag to the test to determine whether he would actually know if somebody planted a tag on him without his knowledge, and after trying it out for himself, he was forced to conclude that “AirTags are a new means of inexpensive, effective stalking.”

I know because I tested AirTags by letting a Washington Post colleague pretend to stalk me. And Apple’s efforts to stop the misuse of its trackers just aren’t sufficient.

Geoffrey A. Fowler, The Washington Post

Apple has emphasized the anti-stalking features built into the AirTag, designed to warn potential victims if one of the trackers ends up being placed surreptitiously on their person, but sadly despite Apple’s best efforts so far, it looks like they don’t do enough to protect people from being stalked by an AirTag.

Fowler conducted an experiment where he asked a colleague to plant their AirTag in his backpack, and then try to use it to track him for a week “from across San Francisco Bay.”

To be clear, Fowler did acknowledge that Apple’s alerts worked mostly as designed. He received multiple alerts on his iPhone that an unknown AirTag had been found moving with him. After three days, he was also alerted by the hidden AirTag itself.

Audible Alarms

However, these alerts were woefully inadequate, Fowler explains. Firstly, the audible alarm that was emitted by the AirTag didn’t happen for three days, and when it did come up, it was “just 15 seconds of light chirping” that would have been easy to miss.

The sound measured at most about 60 decibels from three feet away — not much louder than the birds singing outside my window. And it lasted only about 15 seconds, after which the AirTag went silent for several hours and then started chirping for another 15 seconds.

Geoffrey A. Fowler, The Washington Post

In essence, this means that an AirTag could be planted on a victim for up to three days before they would be aware of it. Further, as Corbin Streett, a technology safety specialist with the National Network to End Domestic Violence (NNEDV) explained last week — and reiterated to Fowler — the real risk is that a victim of domestic abuse may very likely be returning to their abuser/stalker regularly enough that the three-day alarm would never actually go off.

The intimate partner threat model is unique. Generally, companies are thinking about external threats, not the person who knows your favorite color and your password and who sleeps next to you at night.

Corbin Streett, NNEDV technology safety specialist

Now, to be fair, it is somewhat more complicated to stalk somebody with an AirTag if they’re not carrying an iPhone with them. The AirTag doesn’t report its location on its own, but instead relies on nearby iPhones, iPads, and Macs to pick it up. When those devices happen to “notice” a nearby AirTag, they will report their location, which is not necessarily the exact location of the AirTag.

For instance, if somebody in a neighbouring apartment notices a nearby AirTag, the tracking is going to report the location of that person’s apartment, which could be down the hall from the actual location.

That said, this doesn’t mean that there isn’t a very real risk for non-iPhone users, but that risk is largely dependent on how many Apple devices are in proximity to them at any given time.

For instance, in our testing, an AirTag carried by a person without an iPhone reported a far less precise location, and it did so very sporadically, especially outdoors. However, locations reported in shopping malls and grocery stores were both more accurate and more frequent, likely due to a higher concentration of iPhones being used by other customers and staff in those locations.

So, we’d say that Fowler’s contention that the AirTag doesn’t do enough to notify non-iPhone users of its presence is definitely a very valid argument.

It’s also worth keeping in mind that iOS 14.5 only came out a couple of weeks ago, and it’s only devices that are running iOS 14.5 that can report the location of a nearby AirTag. So, it’s almost certain the accuracy — and risk to stalking victims — will increase significantly as more users upgrade their iPhones. By the time iOS 15 drops later this year, the silent network of AirTag tracking devices will have easily grown several times over.

Fortunately, the three-day notification is something that Apple can change, and Apple’s VP of iPhone marketing told Fowler that the company expects it’s going to need to tweak it as time goes by.

These are an industry-first, strong set of proactive deterrents. It’s a smart and tunable system, and we can continue improving the logic and timing so that we can improve the set of deterrents.

Kaiann Drance, Apple VP of iPhone Marketing

Despite this, however, Apple continues to be somewhat evasive regarding whether it actually consulted domestic abuse experts when it designed the AirTag. Drance simply said she didn’t have “any more details to share about the process,” but added that they’re “open to hearing anything from those organizations,” of course.

iPhone Notifications

For Apple’s own customers, the anti-stalking features are considerably more useful, but they’re still far from foolproof. More importantly, however, Fowler echoes comments made by others like Streett that Apple needs to work with Google to find a way to provide similar notifications to Android users, in much the same way that the two companies partnered on COVID-19 contact tracing last year.

While an iPhone alerted me that an unknown AirTag was moving with me, similar warnings aren’t available for the roughly half of Americans who use Android phones.

Geoffrey A. Fowler, The Washington Post

It’s fair to say the stalking risk to iPhone users who have an AirTag planted on their person is considerably higher than it is for non-iPhone users. A stalker can basically benefit from near-real-time tracking, as the victim’s iPhone would almost continually be reporting the location of the AirTag as it moved with them.

By contrast, an AirTag being carried by somebody who doesn’t have an iPhone with them would only report its location based on other nearby iPhones or other connected Apple devices like iPads and Macs. An AirTag also has to spend at least a minute or two in proximity of those devices before its location gets reported — driving by other iPhone users on the freeway or even walking past them on the street isn’t enough to update the AirTag’s location.

All of that having been said, Fowler did acknowledge that the safety alert on the iPhone was “harder to miss,” but it may also come too late to really be useful.

Apple’s other major anti-stalking protection was harder to miss: an alert on my iPhone that read, “AirTag Found Moving With You.” It popped up after I returned home from meeting my colleague.

Geoffrey A. Fowler, The Washington Post

The catch here is that these notifications don’t come quickly enough. For example, Apple told Fast Company last week that a user will be notified of a potentially unwanted AirTag as soon as they arrive at home, or at other locations they frequent, but by then a stalker will have already been able to determine their home address or their favourite hangouts.

As Streett told Fowler, the notification should really come “as soon as a tag that doesn’t belong to you begins to move with you.” Instead, Apple seems to wait until the tag has been detected moving with you for a longer amount of time or distance. While Apple is obviously trying to strike a balance between false positives and useful alerts, Fowler’s experiment suggests that it’s not erring enough on the side of safety.

When I was riding a bike around San Francisco, the AirTag updated my location once every few minutes with a range of about half a block. When I was more stationary at home, my colleague’s app reported my exact address.

Geoffrey A. Fowler, The Washington Post

Room for Improvement

Once you are notified that an AirTag is moving with you, the Find My app still doesn’t do enough to help you locate it, Fowler explains. The options are limited to playing an alert — something that didn’t even work consistently for Fowler — but there’s no option to engage the U1-powered Precision Finding feature for an AirTag that doesn’t belong to you.

Fowler also notes that the app lacks a function that lets people proactively scan their vicinity for any nearby AirTags, just to make sure they’re safe.

Eva Galperin, director of cybersecurity at the Electronic Frontier Foundation (EFF) and a prominent advocate for fighting stalkerware, added that she doesn’t think Apple “thought through all the real-world scenarios,” for how an AirTag might be used for stalking. For example, if an abuser swapped their AirTag with their partner’s, it might not pop up an alert at all when the victim came home, as it would connect to the original iPhone quickly enough. In this case, it would likely still pop up alerts in other frequently visited locations, although that really depends on how consistently the victim follows a normal routine.

I don’t expect products to be perfect the moment they hit the market, but I don’t think they would have made the choices that they did if they had consulted even a single expert in intimate partner abuse.

Eva Galperin, director of cybersecurity at the Electronic Frontier Foundation (EFF)

Galperin also adds that Apple should provide more sophisticated algorithms for these alerts. For example, it would be useful if an iPhone could detect an AirTag in a person’s car by determining that it moves with them frequently but then stays where they’ve parked. This is all information that the iPhone is well aware of, since Apple Maps already notes your parked car location, but there doesn’t seem to be any indication that this is tied into AirTag alerts.
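The trade-off between alert speed and false positives described above can be made concrete with a small sketch. This is an added example, not Apple's logic (which the company has not detailed); it assumes a phone logs each tag it hears under a stable, hypothetical tag ID together with the phone's own position, and the thresholds, names, and sample data are all constructed for illustration.

```python
import math
from datetime import datetime, timedelta

def haversine_m(a, b):
    """Great-circle distance in metres between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371000 * math.asin(math.sqrt(h))

def first_alerts(sightings, own_tags, min_distance_m, min_duration):
    """Map each unknown tag to the time it first crosses both thresholds.

    sightings: time-ordered (timestamp, tag_id, (lat, lon)) tuples, where the
    position is the phone's own location when it heard the tag.
    """
    first_seen, alerts = {}, {}
    for ts, tag, pos in sightings:
        if tag in own_tags or tag in alerts:
            continue  # ignore the user's own tags and tags already alerted on
        t0, p0 = first_seen.setdefault(tag, (ts, pos))
        if ts - t0 >= min_duration and haversine_m(p0, pos) >= min_distance_m:
            alerts[tag] = ts
    return alerts

# Constructed sample data: hypothetical stable tag IDs and made-up coordinates.
T0 = datetime(2021, 5, 6, 9, 0)
OWN_TAGS = {"own-keys"}

def at(minutes, tag, lat):
    return (T0 + timedelta(minutes=minutes), tag, (lat, -122.4200))

SIGHTINGS = [
    at(0, "own-keys", 37.7700), at(0, "tag-A", 37.7700),  # tag-A: hidden in the bag
    at(2, "tag-B", 37.7710), at(2, "tag-A", 37.7710),     # tag-B: fellow bus passenger
    at(5, "tag-B", 37.7750), at(5, "tag-A", 37.7750),
    at(20, "tag-A", 37.7800), at(20, "own-keys", 37.7800),
]

def compare_thresholds():
    """Return (eager, cautious) alert maps for the same sightings."""
    eager = first_alerts(SIGHTINGS, OWN_TAGS, 100, timedelta(minutes=1))
    cautious = first_alerts(SIGHTINGS, OWN_TAGS, 1000, timedelta(minutes=15))
    return eager, cautious

if __name__ == "__main__":
    for name, result in zip(("eager", "cautious"), compare_thresholds()):
        print(name, {tag: ts.strftime("%H:%M") for tag, ts in result.items()})
```

With the eager thresholds the hidden tag is flagged two minutes in, but so is the other passenger's tag; the cautious thresholds avoid that false positive at the cost of an 18-minute later warning.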

It also doesn’t help that Apple isn’t offering up too many details on when and how these alerts are triggered. So far, company executives have only shared that they’ll be triggered when a user arrives at home or another frequented location, like their workplace, school, or gym. However, it’s likely there’s a lot more to this that Apple isn’t talking about. We’ve observed that these alerts do come up in other scenarios, but we do know they’re far from immediate, and it’s been hard to pin down exactly how long it takes, or how far you have to travel with an AirTag before you see one.

There’s also the fact that these alerts can be disabled too easily in the Find My app. “People in abusive situations don’t always have total control over their phones,” Fowler notes, which means that a domestic abuser could simply disable the alerts entirely behind their victim’s back. At the very least, the option should require authentication before you can switch it off, in much the same way as turning Find My off globally.

Ultimately, however, Fowler concedes that Apple really is leading the way in these kinds of privacy and safety features, especially considering that its competitors have basically done nothing at all.

Apple has done more to combat stalking than small tracking-device competitors like Tile, which so far has done nothing. But AirTags show how even Apple, a company known for emphasizing security and privacy, can struggle to understand all the risks involved in creating tech that puts everyday things online.

Geoffrey A. Fowler, The Washington Post

The fact that there are still risks just goes to show how complicated the issue is, but fortunately the entire system is designed in such a way that Apple can tweak it as it learns how to make improvements, and gets more feedback from stalkerware and domestic violence experts such as Galperin and Streett.

I’m really wary of security problems that have to be fixed by buying an iPhone.

Eva Galperin, director of cybersecurity at the Electronic Frontier Foundation (EFF)

More importantly, however, safety advocates say that what really needs to happen is for Apple to work with Google and others to fix the “biggest hole of all in the alerts system.” In an ideal world, this would involve not only allowing Android devices to alert users of nearby AirTags, but also getting makers of other popular item tracking tags like Tile on board.

Wouldn’t it be great if these companies partnered in a way where scanning for Bluetooth tracking devices is built into all phones?

Corbin Streett, NNEDV technology safety specialist

With so much on the line, however, consumer safety groups are firm that Apple has to do much better. Experts say that not only is digital stalking “remarkably common,” but it’s also “strongly linked to physical abuse, including murder.”
