Apple markets AirTags exclusively for finding things that you’ve misplaced, not for things that have been stolen. That’s an important distinction that has privacy implications.
AirTags are meant to compensate for your scatterbrainedness
So AirTags are primarily meant to compensate for your own scatterbrainedness: The “Find Me” network helps you find your things again. Apple clearly distinguishes this from a theft, because this results in the following situation: You then know where the stolen device is located and therefore possibly also the person who stole it. If you now want to track someone’s whereabouts (which is illegal without prior agreement), then it would be the same scenario as with a theft, except that the person in question does not know that an AirTag is in the vicinity. But Apple can’t turn off the AirTag immediately, because then you wouldn’t be able to find your stuff in a legal scenario – and the AirTags would be useless. In addition, third-party manufacturers might also use the Find Me network. The bicycle manufacturer VanMoof is one of them – and here the application purpose “forgetting where my bike is” and “stolen bike” overlap again.
So Apple weighs AirTag’s function against privacy and has come up with the following two solutions:
- A foreign AirTag will report to your iPhone when the owner is no longer around
- A foreign AirTag beeps after three days when the owner is no longer around
So finding foreign AirTags that someone has put in your coat pocket is easy for Apple users: anyone with an iPhone running at least iOS 14.5 will get a notification that a foreign AirTag is nearby. Of course, this only happens when the real owner is no longer around – on a train, for example, this would otherwise degenerate into chaos. But this situation is only about the tags that are no longer in the range of the original owner. With the help of the iPhone you can now locate the AirTag and make it unusable – by simply removing the battery.
The AirTags report when they have moved away from the original user. At the latest after three days.
If a person is not in possession of an iPhone, the AirTags can not draw attention to themselves and warn of their existence with a notice on an Android smartphone. Therefore, Apple has made it so that the small tags start beeping after three days so that you can find them without further help.
Furthermore, Apple points out that you should contact the police if you suspect illegal surveillance: With the help of the AirTag’s serial number, the original owner can then be tracked down, because Apple knows exactly which Apple ID belongs to the AirTag.
Possible misuse of AirTags
These regulations sound quite well thought out for a practical use of AirTags, but still offer several loopholes that can undermine the system. We explicitly point out here that this is illegal. It is only meant to make you aware that surveillance is possible with the AirTags and that you should exercise caution if your iPhone is tipped off. The following scenarios for misusing AirTags are possible (Forbes came up with three before we did):
- Non-Apple users are easy to monitor
- Turn off the AirTag speaker
- Contact the AirTag with the owner iPhone at regular intervals
- Use an anonymous Apple ID
Android users are easy to monitor
So users who don’t have a current iPhone that can display AirTags notices – and that’s about 75-80% of all smartphone owners, depending on the country – can be tracked for three days before the AirTags start beeping. Since an Android device or even an old iPhone with iOS 12.5 cannot issue a warning of the AirTags, they send under the radar. Of course, other iPhones are needed to send the AirTag’s location to Apple, but that can happen in passing in a busy street. So with Apple’s current default setting, you can monitor someone who doesn’t use Apple stuff for three days.
Hardware manipulation of the speaker provides silence
Everyone who wants to keep this up longer will probably manipulate the AirTag and disable the internal speaker. Corresponding hacks should appear on the net after a few days. This will also disable the audible warning of the AirTag. Apple will probably disable the AirTag at some point anyway, but chances are good that the tag will not be found in the first place.
Regular contact resets the alarm time window
It’s almost trivial to keep bringing your own surveillance AirTag within range of your own iPhone: namely, this resets the three-day window and lets you use the tag as it comes out of the box. This is possible for example if you want to track a colleague. Since every day the backpack is near your iPhone again, because he or she is sitting at the desk next door, the tag does not send any alerts. Only when the colleague goes home, where there are no Apple devices, the tag would send an alert – but there are no Apple devices to catch the message. And the next day, after all, your iPhone is around again.
Anonymous Apple ID makes tracking down the stalker difficult
Furthermore, Apple gives the tip to contact the police in case of abuse with an AirTag: Based on the serial number, Apple then wants to give out all information about an Apple ID. In practice, this has two disadvantages: on the one hand, the police hardly ever investigate thefts of MacBooks, for example, where this information could easily be provided by Apple. The capacities are simply not there. Secondly, it is simply possible to create an anonymous Apple ID. You can simply log in with any email address. So the AirTags are not traceable anyway.
Good idea, but enjoy it with caution
To make it clear again: these procedures are of course also feasible with other technical solutions, this is not a special feature of the Apple solution. However, the Apple solution should be widely used and tracking should also be very possible due to the high number of Apple Devices.
We would just like to point out the vulnerabilities of the system if it were to be abused. Currently, the only way to ensure that no unwanted AirTags are foisted on you is to own a current iPhone.