AirTag Stalking: Murder, Fear and Litigation

December 21, 2022

This article was originally published by Security Boulevard (https://securityboulevard.com/).

At the end of January 2022, Akron, Ohio resident Heidi Moon was staying in a hotel in Kent, Ohio when her ex-boyfriend texted her, indicating that he knew where she was. Four hours later, Moon was shot and killed by her ex-boyfriend, who then turned the gun on himself. In the back of Moon’s car, wedged into the pocket behind the front passenger seat, was a $29 Apple AirTag—a device that tracked Moon’s location. In another case, Indianapolis, Indiana resident Andre Smith broke up with his girlfriend, Gaylyn Morris. When Morris suspected Smith of cheating on her, Morris used an Apple AirTag to stalk him, tracking his car to a local bar where she deliberately ran him over three times.

On December 5, 2022, a class action lawsuit against Apple was filed in federal court in San Francisco. The suit claimed Apple was selling a device that contributed to electronic surveillance, stalking, fear and, ultimately, death: Hughes v. Apple, Dkt. No. 5:22-cv-07668-NC (N.D. Cal., December 5, 2022). The suit alleged that Apple was negligent in designing and manufacturing the AirTag, that the AirTag was defectively designed, that the product facilitated the tort of “intrusion into seclusion”, that the collection of location data was false, deceptive, unfair and fraudulent under California and New York consumer protection laws, that the device constituted a prohibited “electronic tracking device” under the California penal code, and that Apple violated consumers’ California-constitutional right to privacy. The named plaintiffs include Travis County, Texas resident Lauren Hughes, whose ex-boyfriend used an AirTag to tell him where she was. When Hughes moved out of her house to a hotel room to avoid her stalker, she received a notification on her iPhone that an unknown AirTag was traveling with her. She found the device in a plastic baggie colored with a Sharpie marker in the wheel well of the rear passenger tire of her car. Another named plaintiff, described as ‘Jane Doe’ from Brooklyn, New York, was stalked by her ex-spouse, who put the AirTag in their child’s backpack.

How AirTags Work

An Apple AirTag, like Life360’s Tile device, is a small device that can be put into a purse, backpack, bike, wallet or on a keychain to tell the owner where these items are. It’s particularly useful for figuring out where you parked your car, where you left your wallet, where your stolen bike is and even (during the holiday season) where the airline has put your lost luggage.

They work by establishing a Bluetooth connection to any nearby Apple device, using that device’s GPS to determine the tracker’s location and the device’s internet connection to transmit that location to Apple—and then to the consumer. Of course, if anyone has the user ID and password to the owner’s “FindMyIPhone” app (or to the cell phone itself) they can track the AirTags just as easily as the AirTag owner does (particularly if they can SIM-swap the phone and receive the authentication text messages).

So, even for authorized users, there are significant data privacy concerns. The information collected by the AirTag in my car or wallet is subject to search warrant and/or subpoena (it’s not clear which) by police, prosecutors, regulators or others any time my current or historical location is relevant to some case or investigation. Even if Apple doesn’t have to produce the data for some reason, you might be compelled to produce the data or to provide access to the historical “FindMy…” data in litigation. It’s like a dash camera; great protection if a drunk driver hits you, but also evidence if you were speeding or failed to fully stop at a stop sign. FindMy location data—like Google Maps location data—can track every place you are and have been for years. Pretty nifty in an infidelity/divorce case! But unlike Google Maps data, you don’t even have to have a cell phone for the AirTag to track you. The data stream is collected if you have your keys, a tracked wallet or a tracked backpack. All of this is done with your knowledge and consent, even if you don’t fully appreciate how it can impact you. Your boss thinks you came to work late or took off early? AirTag to the rescue (if they can lawfully get access to the data).

The California class action case demonstrates a nefarious (and somewhat ubiquitous) use of location trackers like the AirTag. They are particularly useful for stalking—especially when the stalker has (even brief) physical access to something belonging to the victim—a handbag, a car, a backpack, etc. The stalker uses their own AirTag to send the victim’s location to the stalker.

Unknown AirTag Traveling With You

As the lawsuit noted, Apple has made some efforts to limit this problem—mostly after introducing the product. When an Apple phone is “traveling with” an unknown AirTag for some period of time, the Apple phone displays a message indicating that there’s an unknown AirTag nearby. But this notice is only delivered (a) if the victim has an Apple device; (b) if that Apple device is powered up and connected; and (c) if its operating system is up to date. Even then, there can be delays of hours or days until the “suspicious device traveling with you” message is displayed, and that assumes that you check your messages. It’s better than nothing at alerting users that there’s a tracker, but it’s not perfect.

Battle of the Droids

If the victim is using an Android phone, they don’t get the Apple messages. They can download an app to their phone that allows them to scan for unknown AirTags, but that presupposes that they have reason to believe they are being stalked and that they live in an area where such a scan would produce meaningful information. If they are in Brooklyn or downtown San Francisco, they would be hard pressed to find a location where there was not someone’s AirTag nearby.

Ding Ding Ding Goes the Bell

The AirTag is also designed to “beep” if it is away from the “owner” for an extended period of time—but it’s not clear how long that time is. As the lawsuit noted, lots of things in our homes, cars and lives beep, boop, clang, ring or ding. We become inured to it. Moreover, it’s often difficult to find the source of the ding when we have no reason to look for a small metallic AirTag. Clever stalkers simply disable the tiny speaker, or install the device in a wheel well of a car where road noise would overwhelm the tinny chirp of the AirTag. Again, good against remotes, but good against the living? In fact, some months ago, my son was traveling to the Netherlands for a wedding and, to protect himself from lost luggage, I put an AirTag in his suitcase (yes, with his knowledge). Naturally, he lost it. Not the luggage, mind you; just the AirTag. To this day, that same AirTag still pings me that it is at Leif Erickson Terminal, Gate 23B in Keflavik, Iceland, near the Kvikk cafe, if you find yourself in the neighborhood.

Competing Values

One problem, though, is that the AirTag is supposed to help its owners find things that are either lost or stolen. I have one hidden in the stem of my bike in a place that’s hard to find. The point is to be stealthy. If (well, when) my bike is stolen, I don’t want the thief to know there’s a tracking device in the bike (hopefully, thieves don’t read this publication). If the AirTag gave an audible warning—‘Hey, thief! This bike has Lojack, and here’s where it is!’—that would limit the AirTag’s usefulness as a tool to help find the stolen bike. The bike wrangler would simply listen for the AirTag beep and remove or disable it. The AirTag is either stealthy or it’s not.

Legal Basis

The lawsuit essentially alleges that AirTags negligently facilitate harmful stalking and are not properly designed to prevent them from being used in that way. The plaintiffs will have to show that Apple had a duty to the stalking victims (not purchasers of the AirTags) to prevent the devices from being misused against them. For example, I could throw an active cell phone into someone’s car to track them (in fact, I have an old flip phone in the trunk of my car, plugged in, for just this purpose).

Overall, however, the lawsuit reflects a concern that companies should consider (and abate) the privacy considerations for products they produce. Just as the beaters to a mixer can be misused (important safety tip—turn the mixer off before you let the kids lick the beaters!), all kinds of tech can be misused. The question to be addressed by the court is who is liable when the tech is misused—in this case, the stalker or Apple? I’ll keep tracking the case. Legally.
