I, too, found the anti-stalking features might hinder the use of AirTags for locating intentionally stolen items: (1) it has a removable battery, and also (2) "someone can tap [the tag] with their iPhone or NFC-capable device and instructions will guide them to disable the unknown AirTag".
The anti-stalking feature also seems to contradict its privacy features:
> Bluetooth signal identifiers transmitted by AirTag rotate frequently to prevent unwanted location tracking.
But also, in the next sentence:
> iOS devices can also detect an AirTag that isn’t with its owner, and notify the user if an unknown AirTag is seen to be traveling with them from place to place over time.
If an AirTag is supposed to be "anonymous", then how can a user be informed that this tag has been seen with them over an extended period? This would mean that there is a way to identify a particular AirTag in the first place.
My guess would be that you, as the tag owner, locally store the master beacon key and can use it to derive the key required to decrypt received beacon payloads for your own tags. You can then filter out your own and approximate how many others (which you cannot link over time) you permanently see. If it is more than one most of the time, you’re probably tagged without your consent.
This seems like a problematic situation. In a vacuum I can see how they want to mitigate the stalking risks, but as of right now, unless you have a recently updated Apple device, then you're completely ignored by the stalking mitigations. There's nothing official from Apple on the Google Play store that would mitigate that situation as well. This just seems like a low barrier to entry stalking tool on the extreme side of use cases for people Apple doesn't have business interests with.
I thought I read that the tag itself will start beeping if it's not near its owner for too long, and the tag has been moving around? Not sure what "too long" means, but if it's short enough, that should foil stalking attempts if the potential stalkee doesn't have an iDevice.
Edit: looks like it doesn't start beeping for three days (though Apple can change this server-side if they decide three days was a bad choice), which seems like way too long. A stalker could probably make good use of this in just a few hours, let alone three days.
I presume the location info is only collected if it's marked as "lost" - at which point if the tag connects to Apple's network via someone's phone, it'll prompt them. If it's marked "lost" and sending location with no iPhone nearby and is moved, it beeps.
The stalking potential is greatly reduced if the victim has an Android, as the location will only be sent when it's detected by an iPhone.
The location information is updated whenever it is seen by an iDevice. The iDevice participates in this without its user's explicit permission or knowledge.
If the stalkee has an Android they will never know. Their position will be snitched by every iDevice they come near.
"Lost devices. Devices that determine to be in a lost state start sending out BLE advertisements with a public key to be discovered by finder devices. Devices are considered to be lost when they lose Internet connectivity.
Third-party accessories [6] are small battery-powered devices that can be attached to a personal item and are set up through an owner device.
Accessories are determined to be lost when they lose their BLE connection to the owner device.
Finder devices.
Finder devices form the core of the OF network. As of 2020, only iPhones and iPads with a GPS module are offering finder capabilities. Finder devices can discover lost devices and accessories by scanning for BLE advertisements. Upon receiving an OF advertisement, a finder creates an end-to-end encrypted location report that includes its current location and sends it to Apple’s servers."
Elsewhere, it is clear that this operates even when flight mode is enabled.
If you can't stand criticism of Apple, please fuck off back to reddit and fanboi there.
But you don't permanently see them, because the ID rolls over quite often to prevent tracking the beacon.
Conceivably the beacons co-operate in preventing tracking by conversing with iPhones nearby to store a random code supplied by the phone for a period of time, and allowing any iDevice to ask for the list. If your iDevice sees the same random code it transmitted to a stranger beacon appear in multiple time periods it knows it is colocated.
I would guess that the colocation feature would allow you to track devices actively (tailing someone).
Spies will have to be alert to the potential for both exposure and tracking. Hopefully Apple commissions Spy Vs Spy ad campaigns!
My guess was simpler. If the phone sees a random tag for 30 minutes, then coincidentally that tag disappears but a new one shows up--for 30 minutes--and this keeps happening, then it's probably the same tag that's following you around. Especially if it's always about X meters away, or whatever.
Random tags passing by wouldn't maintain the same distance or RSSI, and they wouldn't be spaced perfectly apart in time either.
Of course I'm making assumptions here about the key rotation frequency, or even if it's at regular intervals. I guess if you're spending a lot of time in crowds, the rotating beacon that's with you would be hard to pick out of the myriad other beacons coming within range all the time. ("Was that a key rotation, or another person?")
I can see how that might work, but signal reception is always noisy. I doubt RSSI would be a reliable measure. You could partially wrap the AirTag in a scrunch of alfoil and it would mean every movement of the phone would massively change the reception, it would look like a variable distance.
Also, I wonder if it is a fixed time with no overlap? Because you could certainly track someone, eg through a shopping centre, by seeing when a beacon turns off and then listening to new beacons. Correlation would be trivial. And if the e.g. 30m clock is accurate then you could reidentify hours later by just listening to the rollover time, so they would have to vary the rollover at least.
I wonder about false alarms, because you can easily sit on a commuter train for an hour and have someone next to you, even more so for long distance travel.
A local device like an iPhone has to know what AirTags are yours, since they have to guide you back to the beacon. If your iPhone notices beacons that appear at multiple locations, that aren't yours, it can detect that.
Apple knows who you are. Apple knows which AirTag you're near. You don't know which AirTag you're near. It seems pretty clear that Apple can use this information to tell if an AirTag was placed in your car unbeknownst to you. Not sure what the mystery is.
When the ID changes on the tag, a nearby device can link the two id's together since they're in the same 'position' (i.e. id x was at y position and now id z is there, so id x = id y). However, someone who is not there wouldn't be able to link those ID's together. This gets you the privacy feature and the anti-stalking feature. (The anti-stalking feature likely wouldn't need a perfect series of matches; if you have a good chain of them, you'd have good confidence.)
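The rotation-chaining idea guessed at in the comments above (a new identifier showing up just as the previous one goes silent, repeated across several places), written out as an added sketch from the point of view of a phone checking its own scan log; it is not code from the thread or from Apple. The 900-second rotation, the 120-second gap window, the thresholds and every sighting are constructed assumptions.

```python
from collections import namedtuple

# t: seconds since the scan log began; ident: rotating identifier heard over BLE;
# place: coarse label for where the scanning phone was at that moment.
Sighting = namedtuple("Sighting", "t ident place")

def spans(sightings):
    """Map identifier -> (first_seen, last_seen, places)."""
    out = {}
    for s in sorted(sightings, key=lambda s: s.t):
        first, _, places = out.get(s.ident, (s.t, s.t, frozenset()))
        out[s.ident] = (first, s.t, places | {s.place})
    return out

def chain_identifiers(sightings, max_gap=120):
    """Link B after A when B first appears within max_gap s of A's last sighting."""
    sp = spans(sightings)
    order = sorted(sp, key=lambda i: sp[i][0])
    chains, used = [], set()
    for ident in order:
        if ident in used:
            continue
        chain = [ident]
        used.add(ident)
        while True:
            last = sp[chain[-1]][1]
            nxt = [c for c in order if c not in used and 0 < sp[c][0] - last <= max_gap]
            if len(nxt) != 1:  # no successor, or a crowd makes the link ambiguous
                break
            chain.append(nxt[0])
            used.add(nxt[0])
        chains.append(chain)
    return chains

def suspicious_chains(sightings, min_duration=3600, min_places=2, max_gap=120):
    """Chains that stayed in range for min_duration across min_places places."""
    sp = spans(sightings)
    hits = []
    for chain in chain_identifiers(sightings, max_gap):
        duration = sp[chain[-1]][1] - sp[chain[0]][0]
        places = frozenset().union(*(sp[i][2] for i in chain))
        if duration >= min_duration and len(places) >= min_places:
            hits.append(chain)
    return hits

def constructed_log():
    """Constructed data: one tag rotating every 900 s, plus two passers-by."""
    place = lambda t: "home" if t < 1800 else "street" if t < 2700 else "office"
    log = [Sighting(t, f"f{t // 900}", place(t)) for t in range(0, 4500, 60)]
    return log + [Sighting(400, "p1", "home"), Sighting(2000, "p2", "street")]
```

A single extra identifier first heard at the moment of a rotation is enough to break the chain, which is the crowd problem raised in the thread ("Was that a key rotation, or another person?").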
"AirTag is designed from the ground up to keep location data private and secure. No location data or location history is physically stored inside AirTag. Communication with the Find My network is end-to-end encrypted so that only the owner of a device has access to its location data, and no one, including Apple, knows the identity or location of any device that helped find it."
That is not true. All locations are encrypted with a public key before being uploaded to Apple's servers, and only the user's devices (which contain the private key) can decrypt the location.
> Even more cynically, you can say it's private from their competitors.
I've heard this from a few people recently, but I don't understand the implied criticism. What should Apple do here? Keep my data mostly private but also slip a copy of it to Google and Microsoft?
Obviously not. Through the high purchase price of their products, I'm paying (and trusting) Apple to manage my privacy and keep it private from everyone else. The fact that "everyone" necessarily includes all of Apple's competitors isn't just irrelevant, it's a red herring.
Wherever possible, they've done exactly that—so how is that a criticism? Case in point is the end-to-end encryption of iMessage. Or the at-rest encryption of iOS devices.
In other instances where Apple does have access to your data, there is a plausible justification for that access and no evidence shown where Apple has ever abused that access for commercial gain.
iCloud backup is on by default, which includes the contents of your iMessage conversations. Even if you do turn off this default, your conversations with most other normal people are uploaded in a form where Apple has the keys. Apple had plans to make all of iCloud backups E2E encrypted but backed out after pressure from the FBI. https://www.forbes.com/sites/kateoflahertyuk/2020/01/21/appl...
That is one example of many where Apple could do it, but doesn't. To do many things on your Apple device requires an Apple ID, which requires a phone number which is linked to identity. Location services uploads your location to Apple constantly via close by wifi APs + GPS location, there is no option to do GPS only location w/ no network activity. All of this info is one secret subpoena away to be uploaded to violent people with guns. YOU may trust your nice government, but many do not have the luxury of living in such a nice place.
Over and over again, you see the pattern of Apple doing 'private from everyone, except us'. And not mentioning the 'but us' part.
I think it's a pretty reasonable response given malls and other places were scooping up bluetooth and wifi MAC addresses and using them to identify patrons. Sure, only Apple knows so it might possibly have some benefit to Apple and even less possibly a detriment to competitors, but it definitely increases privacy and I find that very compelling. Your iPhone/Android already knows where you are with location services enabled. I'd rather Apple keep everything as private as possible and it's not like they're getting a huge data gain.
Yep, Apple hasn't exactly hidden that's how they do privacy. They give you an identifier that makes sense to their systems, but won't make sense to other observers. They still track you, they just don't tie it to PII (I'm assuming there are ways to associate your "anonymous" ID to you though, since it's probably wrapped up with iCloud stuff somewhere - it would just take an arcane query of some sort).
"Your AirTag sends out a secure Bluetooth signal that can be detected by nearby devices in the Find My network. These devices send the location of your AirTag to iCloud — then you can go to the Find My app and see it on a map. The whole process is anonymous and encrypted to protect your privacy. And itʼs efficient, so thereʼs no need to worry about battery life or data usage."
"Only you can see where your AirTag is. Your location data and history are never stored on the AirTag itself. Devices that relay the location of your AirTag also stay anonymous, and that location data is encrypted every step of the way. So not even Apple knows the location of your AirTag or the identity of the device that helps find it."
So no, Apple actively doesn't want to know anything. I'd wager a guess that the AirTag query system is using the same kind of method as the COVID tracker API.
"Whether attached to a handbag, keys, backpack, or other items, AirTag taps into the vast, global Find My network and can help locate a lost item, all while keeping location data private and anonymous with end-to-end encryption."
Even with E2EE it makes sense that it is still possible to differentiate "registered, known" tags from "unknown" tags. Unknown tags won't reveal any information about who owns them, but they will still transmit on the same frequencies and with the same protocol as your air tags.
They aren't. The tag generates and broadcasts a public key that is rotated every 15 minutes. A nearby "finder" device receives a broadcast, encrypts its location with the received key and sends it with a hash of the public key to Apple's anonymous location directory. The owner (who keeps the same key pair rotation algorithm running from the same seed key) can look up a bunch of key hashes for a range of 15-minute intervals and then fetch and decrypt location payloads. No device or account IDs are transmitted in the process.