Apple, Google propose anti-stalking spec for Bluetooth tracker tags
We moved fast and broke things, people got harassed and murdered, so let's revisit privacy
Apple and Google have come together to develop an industry specification to prevent "unwanted tracking," otherwise known as stalking, via Bluetooth location tracking tags.
Though Tile has been selling Bluetooth Low Energy (BLE) wireless tracking tags for a decade, it wasn't until 2021, when Samsung introduced its Galaxy SmartTag and Apple introduced its AirTag, that reports of abuse of the devices became commonplace.
Last year, in an attempt to address privacy concerns, Apple announced product changes to alert people when they're in the presence of someone else's AirTag, among other adjustments to the system. Samsung implemented a similar anti-stalking measure called Unknown Tag Search.
It was too little, too late. People got killed, allegedly after being stalked with wireless trackers. And Apple was sued for allegedly facilitating stalking and violating privacy with its AirTags. That case – which aspires to be a potentially very expensive class action – is ongoing. The plaintiffs met with Apple representatives last week, to attempt to resolve the dispute via mediation.
According to wh Law, one of the law firms representing the plaintiffs, "AirTags are a new means of inexpensive, effective stalking, and they have become the weapon of choice for people who want to harm or harass you"
On Tuesday, Apple and Google called for the adoption of a proposed specification to standardize unwanted tracking alerts across different vendors' devices.
“We built AirTag and the Find My network with a set of proactive features to discourage unwanted tracking – a first in the industry – and we continue to make improvements to help ensure the technology is being used as intended," said Ron Huang, Apple’s vice president of sensing and connectivity, in a statement.
"This new industry specification builds upon the AirTag protections, and through collaboration with Google results in a critical step forward to help combat unwanted tracking across iOS and Android."
Samsung, Tile, Chipolo, eufy Security, and Pebblebee – makers of rival tracking widgets – have all endorsed the spec. Whether other manufacturers will remains to be seen.
- Apple tweaks AirTags to be less useful for stalkers, thieves
- What's called Grogu but isn't that cute? Google's leaked answer to Apple AirTags
- Amazon opens its ad-hoc Wi-Fi-sipping Sidewalk mesh to all manner of gadgets
- How to reprogram Apple AirTags, play custom sounds
Dave Burke, Google’s vice president of engineering for Android, offered similar sentiment. “Bluetooth trackers have created tremendous user benefits but also bring the potential of unwanted tracking, which requires industry-wide action to solve,” he said in a statement.
"Android has an unwavering commitment to protecting users and will continue to develop strong safeguards and collaborate with the industry to help combat the misuse of Bluetooth tracking devices."
Apple and Google hope to have a production-ready version of the specification by the end of the year.
The two tech titans' call for industry cooperation to standardize stalking warnings has met with approval from groups like the National Network to End Domestic Violence and the Center for Democracy & Technology, both of which hailed the planned tracking mitigation as a step in the right direction.
Ensuring that mobile trackers meet privacy expectations, however, will also require better mobile device security.
Last May, researchers with the Secure Mobile Networking Lab at TU Darmstadt, in Germany, published a paper [PDF] that describes how Bluetooth, Near Field Communication (NFC), and Ultra-wideband (UWB) remain active in Low-Power Mode (LPM) in iPhones even when the device is turned off.
The authors – Jiska Classen, Robert Reith, Alexander Heinrich, and Matthias Hollick – say that means it's possible to load malware onto an iPhone when it's powered down.
"Design of LPM features seems to be mostly driven by functionality, without considering threats outside of the intended applications," the authors state. "Find My after power off turns shutdown iPhones into tracking devices by design, and the implementation within the Bluetooth firmware is not secured against manipulation. Tracking properties could stealthily be changed by attackers with system-level access."
"We responsibly disclosed all issues to Apple," the authors report. "They read the paper prior to publication but had no feedback on the paper’s contents."
In an email, Nishant Bhaskar, a University of California San Diego doctoral candidate who co-authored another research paper on Bluetooth Low Energy tracking attacks, told The Register, "I believe this alliance between Apple and Google is a step in the right direction. Bluetooth location trackers being misused for stalking represent an immediate danger and a major chunk of today's overall BLE tracking threat; this universal standard does provide a mechanism to address this issue across mobile system vendors."
"Today all of our personal devices are constantly sending Bluetooth beacons, and so there are other BLE tracking threats also such as physical layer tracking (as we discussed in our paper) that also should be looked into. That said, I do believe that such industry partnerships sets us up well for investigating and addressing other Bluetooth tracking threats also." ®