Bluetooth-enabled location trackers such as Tiles and AirTags aren’t just a helpful way to find missing luggage or a misplaced wallet—they can also be easily slipped surreptitiously into a bag or car, allowing stalkers and abusers unprecedented access to a person’s location without their knowledge. At EFF, we have been sounding the alarm about this threat to people, especially survivors of domestic abuse, for a long time.
Now, there’s finally an industry discussion happening about the best methods of preventing unwanted trackers. The most effective way to prevent physical trackers from being used as stalking devices against most people is through tracking alerts. If a physical tracker is out of range of the phone that it is paired to, and it’s moving with you, you should get an alert about it.
Apple rolled out AirTags with some rudimentary anti-stalking mitigations: a tracking alert that worked for iPhone users and a beep from the AirTag that was worryingly easy to muffle or disable and which did not go off until the AirTag had been out of range of the phone it was paired to for three days. Since then, Apple has improved its mitigations by cutting down the time until the beep goes off and by putting out an Android app that can be used to scan for unwanted AirTags in the vicinity. In the meantime, Tile took one step forward by adding tracker detection to its app, and then one step back by creating an “anti-theft mode” that turned that detection off. As of right now, none of the other physical trackers on the market have any anti-stalking mitigations at all.
Recently, Google announced that it was rolling out Bluetooth tracking detection for Android. The new capability only detects AirTags at the moment, but it’s still a major step forward for people who may be followed by physical trackers. Android users will no longer have to download an app and run a scan to detect unwanted AirTags—it will all happen in the background.
Detecting AirTags is just the beginning. What about every other Bluetooth-enabled physical tracker on the market? Google and Apple have proposed a solution: a standard for all physical tracker manufacturers to agree on which would make them detectable by default on iOS and Android phones. This standard could be great news, resulting in increased safety for an untold number of vulnerable people. But the details matter. There are some hard questions and a need to refine the companies’ new joint industry specification that dictates how a Bluetooth tracker detection can remain consistent. That is the purpose of the Internet Engineering Task Force (IETF) Draft on Detection of Unwanted Location Trackers (DULT).
IETF Event
The Internet Engineering Task Force (IETF) is a body that discusses, drafts, and publishes protocols that largely dictate how the internet functions. In July, the IETF convened for a week and among the many discussions was the creation of the “Detection of Unwanted Location Trackers” or the DULT draft. The event brought together phone and device manufacturers, EFF, and other technologists who had weighed in on the IETF mailing list.
You can get the full meeting transcript here. There are a few points that we think are particularly important to keep in mind for the future of this proposed standard:
Privacy & Protection of People over Property
It is impossible to make an anti-theft device that does not alert the thief that they are being tracked without also making a perfect tool for stalking. Apple is careful not to advertise the AirTag as an anti-theft device for this reason, but other makers of physical trackers such as Tile explicitly bring up anti-theft as a use case for their product. If physical trackers are going to have effective anti-stalking mitigations, then manufacturers need to give up on the anti-theft use case predicated on unknowingly tracking the thief and sneaking up on them. You cannot have both. EFF believes that people are more important than property, and we hope that the companies will come to agree. In any use cases that get defined in the specification, the security of those who do not want to be unknowingly tracked should be prioritized over the ability to track the location of stolen items.
Additionally, unwanted physical trackers should be accountable. Manufacturers should store the bare minimum of information about the phone or account that the tracker is paired to, and they should store it for a time and in a manner consistent with their data retention policies. The information should be made available to others only in response to a valid court order.
Any standard should also protect the privacy of the owners of physical trackers. We are concerned that having physical trackers rotate their identifiers only once a day will provide insufficient defense against a sophisticated tracking network. Weak privacy protections for a device that is frequently attached to keys and wallets could be used for location tracking by unscrupulous governments, law enforcement, and private actors.
Fair Doesn’t Mean Free
Apple has listed several patent disclosures that the company claims apply to this specification. That’s a way of notifying competitors, and the public, that Apple believes it owns patents that cover the use of this technology. That means Apple could, in the future, choose to charge patent royalties to anyone using this technology, or file a patent infringement lawsuit against them.
The decision to assert patents over this specification is unnecessary and unfortunate. The public will suffer a significant loss if Apple asserts that it has patent rights to what should be an open, free repository of information meant to help companies and everyday people prevent stalking and malicious tracking. Apple could threaten or sue people who use agreed-upon technology to prevent unwanted tracking.
Apple stands alone in its insistence that it may use intellectual property rights to threaten people with patent lawsuits, or demand fees, for using privacy-protecting technology. The IETF convening included Samsung, Google, Mozilla, and many other patent-owning entities, all of whom chose not to engage in this type of threatening behavior.
Apple’s decision to bring patent rights into this conversation is disappointing. The company should withdraw its patent disclosures and make a public statement that it won’t make intellectual property claims against companies or users who don’t want to be surreptitiously tracked.
The technology required for Detecting Unwanted Location Trackers can, and should, be free to all.
Encryption in the Light
One of the most curious parts of the specification is the portion that addresses the “proprietary payload.” Since this involves Bluetooth, a short-range wireless technology, the draft addresses methods of communication between the Bluetooth location trackers and the networks they are attached to. Communication and interoperability of location trackers are left to individual company implementation in the proprietary payload. For example, both Apple and Google have proprietary ways to accomplish secure, encrypted communication between their network and location trackers. However, we would like to see a more open consensus on how this is accomplished and avoid industry fracture on something like secure communication for location trackers.
As we participate in the shaping of this draft into a standard, we hope to see more thoughtful discussions like this occur before new products get introduced that could endanger people. While we can’t turn back time, everyone involved in the location tracker industry business has the responsibility to create a safeguard for people; and not just their lost keys.