AirTags: Hidden Stalking Menace or Latest Overblown Urban Myth?
The plural of anecdote is not statistics. In the absence of hard data, however, anecdotes often stand in. That seems to be the case with the risk of unwanted tracking associated with Apple’s AirTags, cited in several recent news stories and some police reports as a vector for stalking and car theft.
If we take all reported incidents at face value, the total known incidents number no more than a couple dozen across the United States and Canada. Why the outrage and heavy coverage? The fear of what’s known is just the tip of the iceberg. That’s normal anxiety in regular times and accentuated in a pandemic era, in which our calibration is so far off it can be hard to understand how to judge risk and reaction.
Tracking the Unknown
Let’s review how an AirTag and the similar Chipolo ONE Spot work (see “Apple’s AirTag Promises to Help You Find Your Keys,” 20 April 2021, and “Chipolo Ahoy! The ONE Spot Find My Network Tracker Arrives,” 24 August 2021). These small, low-power Bluetooth-based items continuously broadcast an encrypted Bluetooth identifier that can be picked up within a range of up to hundreds of feet by Apple devices running recent operating systems. The Bluetooth ID changes at regular intervals to avoid reverse tracking: a static ID would allow someone to track the broadcasting item. (Apple adapted this approach for the system that it and Google provide for COVID-19 exposure tracking.)
Any Mac, iPhone, or iPad with an Internet connection and the Find My network enabled combines its currently known location with any Bluetooth network identifier that fits the pattern for a Find My item. This pairing of location data and Bluetooth ID is uploaded to Apple. Apple can’t use those location pings to determine the identity of any given device because the Bluetooth ID encryption allows only a native Find My app that’s part of an iCloud-linked account to request and decrypt the data. All AirTags and Find My items are paired using a single iPhone or iPad, and their encryption keys are shared among that user’s other devices.
Because of its compact size, intermittent Bluetooth transmission, regular ID change, automatic signal relaying, and long battery life, an AirTag would seem to be an ideal device to track someone without their knowledge. And it would be, except for the safeguards Apple has put in place to alert people who have an AirTag near them. I wrote an article that describes all the cases in which someone is alerted—see “When You’re Told an AirTag Is Moving with You” (4 June 2021). In brief:
- If an AirTag or other item relays consistently through your iPhone or iPad as you move across locations, you should receive an alert. That alert provides a lot of advice to the device owner about how to proceed.
- An Android user with Apple’s new Tracker Detect app installed can manually scan to detect AirTags and Find My items near them, but only on demand—not in the background as with iOS and iPadOS.
- After a random interval between 8 and 24 hours apart from an owner’s devices, a Find My item will produce a loud noise at regular intervals.
Those safeguards leave a fair amount of room to squeeze around the edges of notification. As I described in “13 AirTag Tracking Scenarios” (15 May 2021), a malicious person could put a tracker in a vehicle or bag owned by a partner and ensure that partner’s iPhone had the Find My network disabled. As long as the vehicle or bag was back near the stalker within about 8 hours, its alarm might never go off.
The issue of unwanted tracking is exacerbated by the squishiness around nearly every aspect of AirTags. We don’t know how many AirTags and similar Chipolo ONE Spot Find My trackers have been sold. We don’t know the number of alerts people receive daily about trackers traveling with them. Of that number, we don’t know how many are false positives: the times that a tracker incidentally near someone provokes an alert that has nothing to do with them.
Most important, we don’t know what number of Find My trackers are being used to attempt to track adults or non-custodial children without their knowledge and consent. (The issue of tracking your children or those you have guardianship over gets into more complicated legal issues that vary by state.)
What do we know?
- It’s feasible to use AirTags to track someone without their knowledge. It’s cheap and easy, but fraught with the chance of discovery and tracing it back to the AirTags’ owner.
- Police and individuals have found AirTags hidden in vehicles a few times.
- Police don’t quite know how to deal with reports by individuals who suspect they are being tracked.
- A fair number of media reports and some police announcements make a lot of assertions; the worst start to verge on common urban myths that play on deep-seated fears.
Let’s look into the media and police reporting.
A Roundup Reveals We Should Round Down
I’ve assembled several stories from the last few weeks, as seemingly credible accounts appeared of people believing that someone was either actively tracking them or had done so at one time. (Simultaneously, I’ve started seeing more people sharing first-hand experiences of using AirTags to recover lost and sometimes stolen stuff.)
The biggest flurry of stories and subsequent reporting emerged from the York Regional Police in Ontario, Canada, who said that, in what they believed were five different incidents, car thieves hid an AirTag on an expensive vehicle in a public parking lot in order to find it later at an owner’s home and steal it at their leisure.
The department posted this video to Twitter and a media release on their website (Internet Archive link) with a more detailed description and photos. (The release is no longer available, but this isn’t a retraction: the tweet is still up, and the York police appear to remove their posts consistently within four weeks, likely automatically.)
That was 2 December 2021, and several stories followed with specific incidents:
- A swimsuit model found one in her coat pocket: Brooks Nader explained on her Instagram account that she had received a warning about an AirTag traveling with her as she moved among bars one night and then headed home.
- Man finds Apple AirTag tracker on his Dodge Charger (Detroit, MI): This TV station has a single first-hand account. It also quotes local police anonymously with a story that’s suspiciously like the York release: “Thieves track the target vehicle and pick the most opportune time to steal—found mostly on Dodge products, parked in mall parking lots.”
- West Seneca Police warn of Apple AirTags being hidden on cars and Apple’s AirTags used to follow 2 women in West Seneca (West Seneca, NY): The West Seneca Police cite two cases and found a hidden AirTag in one of them.
- Crowley Police: Apple AirTag facilitating crime (Lafayette, LA): A local police chief asserts two cases with “a notification” but provides no details.
- Burlington Police give warning about Apple AirTags (Burlington, IA): “Police say they are getting calls from people who have received notifications on their phones that they have been air tagged and it will show them their route of travel.”
- Are Apple AirTags Being Used to Track People and Steal Cars?: This prominent end-of-year story in the New York Times had more smoke than fire, asking a question instead of making a statement. The story features several first-hand accounts but includes Mary Ford, “a 17-year-old high school student from Cary, N.C.…[who] realized it wasn’t a threat when her mother revealed she had put the tracker in the vehicle about two weeks earlier to follow her daughter’s whereabouts.” But “[Ashley] Estrada, who got the notification while in Los Angeles, eventually found the quarter-sized tracker lodged in a space behind the license plate of her 2020 Dodge Charger.”
I also found more general pieces that combined raising awareness and promoting general anxiety:
- Police warn of AirTags used to track people instead of items(Jacksonville, FL): Despite stating the police warning, this story doesn’t quote any police officers or leaders.
- Is it legal to track people using AirTags in Alabama? (Huntsville, AL): “The Huntsville Police Department says they have not had any cases of AirTag stalking yet.”
- Some Atlanta residents being tracked with Apple AirTags: “We uncovered eight police reports in our area, most within the last month…” the news station said, which could include people receiving false positives. But one person was definitely tracked via her vehicle across a long drive.
The most sensible accounting came from the University of Wisconsin’s police department in its post, Apple AirTags and Your Safety. The blog reports that “UWPD has had three reports of individuals reporting they’ve received an AirTag warning message in the past few weeks on the UW-Madison campus.” But it continues with a very important proviso: “In every instance, the AirTag could not be located… it’s very likely the AirTag signal was being picked up from a nearby apartment or residence hall room rather than the individual being maliciously tracked.”
Are people overreacting? No: the message is absolutely disturbing. If I were in a situation where I suspected someone might have followed me from a bar, from my place of work, or from school, I would absolutely call the police. And I’m a straight man—if you identify as a gender other than male and an orientation other than straight, I expect the sense of concern would be vastly higher due to the well-documented heightened risk of stranger, domestic, and ex-partner stalking and violence among the 70% or so of the population that covers.
But wait. If these incidents were happening regularly, I would expect to see an explosion of news stories. The AirTag offers a specific alert; finding one provides an actionable element for police, who are accustomed to GPS trackers being hidden on cars for stalking purposes. Reporting an alert might not get an officer excited, but finding an AirTag would certainly warrant a report. In some of the stories above, police even began or completed the process to obtain the registered information associated with the AirTag. In theory, that should lead to a culprit, and the news media should be following up on these stories.
Remember, AirTags are locked to an iCloud account, are associated with a phone number, and have an immutable serial number inside. To read the serial number, someone finding an AirTag only needs an NFC-capable Apple or other device; with other Find My items, an iPhone or iPad is required. All this would seemingly add up to making an AirTag a high-risk way for a perpetrator to track someone unless they had the foresight to create a burner Apple ID and potentially use a burner iPhone that could otherwise be tracked by its unique cellular ID. Apple may promise privacy for iMessage and a lot of other data, but the company will reveal via warrant things like to whom an iCloud account belongs.
Some of the reporting and the police statements smack of past panics and recurring urban myths. In the 1980s, law enforcement across the United States was convinced Satanism was rampant with human sacrifice, including the murder of infants. No matter that no adults or babies were missing—Satanist! From the Chicago Tribune in 1987:
But to a growing number of police investigators around the nation, stories of ritual mutilation, blood-letting and sometimes murder are all too real. In seminars and conferences, they have begun to train others to see signs of satanic motives behind otherwise bizarre and inexplicable crimes.”
Similarly, police alerts appear every year around Halloween about razor blades in apples or poison in candy, even though only four cases were reported between 2008 and 2019 in the US and almost none before that. A prominent 1974 candy poisoning story wasn’t random: a father murdered his child. There’s also the ongoing hoax of LSD-coated stickersintended for children. And the one about how flashing your brights at someone with their headlights off at night will lead them to follow you and kill you as part of a gang initiation despite no deaths ever reported this way. (Road rage is something else.)
It’s human to tell stories. It’s human to manifest fears within the modern world as expressions of distrust of technology. And there’s definitely a risk with Find My trackers that you could be tracked in a way vastly easier than with any previous device. Being aware can help, and Apple could do more.
Keep Alert for Trackers
If you’re worried, what reasonable efforts can you take to protect yourself and your loved ones against unwanted tracking?
- Leave Find My enabled: If you disable the Find My network, you won’t receive warnings that an AirTag is moving with you. (Conversely, disabling it prevents your device from relaying, but the value in receiving warnings is very high.)
- Pay attention to alerts: Apple’s alerts and explanatory details are clear and informative—read them and follow the provided links. No specialized knowledge is necessary to understand Apple’s instructions for finding and disabling Find My items.
- Listen for odd alarm sounds: Find My separation alarms are designed to alert people to the tracker’s presence—if you hear something odd, listen carefully and look for it. The alarm may be faint if someone has tried to muffle the sound.
- Explain the basics of Find My to others: Help those who know little or nothing about technology or the tech industry to learn what an AirTag is and what to do if they receive an alert or hear a sound.
- Contact authorities, if it makes sense: Upon finding an AirTag, if you have any doubts about your safety and you trust that law enforcement could improve on that, file a police report so the authorities can investigate further with Apple.
One thing that’s out of our control? Active scanning for nearby Find My items. It’s quirky that you can force a scan of your vicinity for Find My devices from an Android phone, but you can’t do the same from a piece of Apple hardware. In the iOS 15.2 beta, an item in the Find My app’s Items view read Items That Can Track Me, appearing to offer Tracker Detect capabilities. It didn’t ship in the production release of 15.2, but Apple should make sure it’s in an upcoming release. This would allow iPhone and iPad users to check their car, bags, or home if they’re concerned. (And Tracker Detect for Android should work automatically, as the Find My app does in iOS.)
Fundamentally, we can’t keep people from engaging in bad behavior. Before wireless technology, someone could have attached a can of flour to the back of your car, punctured it with a small hole, and followed the trail of white powder through the streets. Relatively expensive GPS trackers that are more powerful and don’t require relaying abound. An abusive or mistrustful partner might simply use Find My via Family Sharing to see your iPhone or MacBook’s whereabouts.
AirTags don’t offer a new kind of risk. They’re just a new and ill-understood entry in an old game that might encourage some people to go farther than is sensible or legal with regard to tracking other people. Apple should continue to refine parameters around the AirTags to favor safety while still making them useful for finding a lost backpack or keys.