Apple AirTags' anti-stalking features come with a dangerous loophole


Apple's AirTags are finally on sale, and these $29 trackers promise to ensure that you never lose your keys ever again. However, as some reviewers have discovered, there are a couple of big loopholes in the AirTag's privacy features.

During its announcement, Apple spoke of a few features to discourage its AirTags from being used to track people surreptitiously. These AirTag privacy protections sound impressive: an AirTag will sound an alert if it's been separated from its paired iPhone for a certain amount of time, and iPhone users will get on-screen notifications if a rogue AirTag is accompanying them.

But it appears that these protections may not go far enough. 

For one, that lost-AirTag sound doesn't go off until three days have passed, and only iPhones that have updated to iOS 14.5 will get the on-screen notifications, which come after a couple of hours.

Similar to many of the best keyfinders, Apple's AirTags use Bluetooth to help your phone locate its fob. However, the AirTags also use ultra wideband to more precisely lead you to their location. 

On an iPhone with a U1 chip (currently, the iPhone 11 and iPhone 12), you'll get a directional arrow that points you directly to an AirTag's location. 

On Apple's AirTags page, the company notes: "Only you can see where your AirTag is. Your location data and history are never stored on the AirTag itself. 

"Devices that relay the location of your AirTag also stay anonymous, and that location data is encrypted every step of the way. So not even Apple knows the location of your AirTag or the identity of the device that helps find it.

"If someone else’s AirTag finds its way into your stuff, your iPhone will notice it’s traveling with you and send you an alert. After a while, if you still haven’t found it, the AirTag will start playing a sound to let you know it’s there." 

Sounds nice, but...

However, as Caitlin McGarry noted in her AirTags review on Gizmodo, your iPhone needs to be running iOS 14.5 in order to receive on-screen alerts. 

If you're using an iPhone with an older version of iOS, or an Android device, or have no smartphone at all, you'll have to wait for the stalking AirTag to play that sound. (Android phones can interact with AirTags only when locating AirTags that have been marked as lost by their owners.)

Even if your phone has the latest version of iOS, you won't receive an alert right away. Over at Mashable, Brenda Stolyar discovered that the iOS 14.5 alert pops up after an unpaired AirTag has been following you for two hours away from home. You'll also receive an alert when you've arrived home.

It gets worse: Android users, and anyone with an iPhone that hasn't yet been updated to iOS 14.5, won't hear that this-AirTag-isn't-yours sound for as long as three days. 

Troubling findings

Last Thursday, before iOS 14.5 was released, Mashable's Stolyar gave an AirTag to each of her roommates, both of whom had iPhones. She was able to track their movements around New York City for the next two days.

During this entire time, neither of her roommates received any alerts that Stolyar was tracking their movements, other than when she texted them to make sure the location tracking was accurate. (It was.)

Meanwhile, Stolyar tried to replicate the experiment using Tile trackers, and found that she couldn't track anyone who strayed more than 400 feet (Bluetooth range) from her phone.

"Apple is fast approaching one billion active iPhone devices, making it the largest finder network in the world," Stolyar wrote. "That's not something to brag about when you're releasing Bluetooth trackers that can also be used to track people."

Apple is putting Android users in physical jeopardy

Let's face it: A little less than half the smartphones in the United States are iPhones. Worldwide, it's about one in eight phones. That means there are billions of people who can be tracked using AirTags for up to three days without them knowing it. 

"Given how many Android users are out in the world," wrote Gizmodo's McGarry, "it seems almost guaranteed that an iPhone owner could exploit this to use against their Android-using partner."

A suspicious spouse using an iPhone or iPad could slip an AirTag into their partner's purse, clothing or car and be able to see what they're up to for up to 72 hours. 

That alert will sound only if the stalked person is away from home. If the stalkee comes home every night, resetting the away-from-home countdown, then the stalker might be able to track their daily movements indefinitely. 

McGarry was able to track her husband's car (with his consent) moving around Los Angeles for an entire day, and he never got any alerts, even after he updated his iPhone to iOS 14.5.

"Some publications have even gone so far as to claim AirTags are 'stalker-proof,'" Stolyar wrote. "But, I can assure you, they are not."

Can this be fixed? Apple responds

The silver lining is that these privacy warnings are not hard-coded into the AirTags. They can be changed by Apple with a simple over-the-air software update. 

McGarry expressed her concerns to Apple, which told her that it "may adjust the logic and timing of these features, which are tunable over the air, to continue improving our deterrents."

In the meantime, if you're purchasing AirTags, make sure all your iPhones are updated to iOS 14.5. And if you're an Android user, smile grimly at the fact that as with iMessages, Apple is once again making you feel like a second-class citizen.


Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.

  • varase
    I don't get it ... at its worst, how's this any different than any other tracker (like Tile)?

    Sounds like much ado about nothing ...
  • Paul Reading
    Seriously we do not want tougher anti-stalking measures or it will render the product useless for legitimate things.

    I want to tag my outboard motor, an item that is often stolen from boats. I want to tag my lawn mower for the same reason. These devices have a much better use than finding a lost key or a handbag, seriously. The market for these products is far greater than trivial stuff, like keys. Tag your property against theft.