AirTags: Update

Last year we reviewed Apple’s new AirTags and some of the concerns that had been raised with respect to personal location tracking. The consensus then was although these new devices were easy to use and worked well, there wasn’t enough detailed information available describing how AirTags worked or sufficient transparency in how personal location information could be used.

Fast forward to January 2022 and Apple have now released The Personal User Safety Guide, which includes a section on how to stay safe with AirTags. Providing the device with the Find My application (phone or iPad) is running iOS or iPadOS 14.5 or later, the device will notify the owner if another device has been detected moving in sync.

Apple AirTag detected alert

Apple have also published an additional set of instructions describing what to do if you get such as an alert and, if necessary, how to disable the locations services on the various supported devices. A new tracker detect app for Android phones has also been released.

Although the additional information and device identification resources available now are good to see, some concerns remain as to whether devices such as AirTags should still be available in their current form if there is still the possibility of unwanted tracking. Instead of unknown devices being allowed to follow by default, why not turn that around and block all unknown devices unless permission is granted?

AirTags: Who’s watching who?

When I saw the announcement about Apple’s new AirTags, my first thought was to forget tracking the location of my personal possessions, I could use one of these to track my elderly, and occasionally forgetful, Mother. Attach an AirTag to her bag, subject to her consent, and I’d be able to keep an eye on her whereabouts when she heads out to walk her dog.

However, not long after the initial release and reassurances that location privacy was an integral part of the design, a software update for AirTags was made available to counter unintended or surreptitious tracking by other suitably enabled devices in the vicinity. The initial configuration for sending safety alerts for an AirTag separated from its paired iPhone or the presence of AirTag not owned by you but in some way tied to your location (nearby or slipped into a pocket?) and tracked by others, meant alerts were not triggered for three days if you didn’t have an iPhone with IOS 14.5 or had an Android phone. Given the number of iPhones in circulation and the extent of Apple’s Find My network, millions of people could be tracked unwittingly through AirTags and be none the wiser for three days. Even after an upgrade to iOS 14.5 and the AirTags software update, it could still take a couple of hours to alert an iPhone owner to the presence of a so-called stalker AirTag. Chances are nothing would happen but is broadcasting your location like this worth the risk?

In this day and age of heightened awareness of creepy apps, issues related to location tracking and so on, it seems odd this particular scenario hadn’t been considered as a potential security threat. As Brenda Stoylar noted in her Mashable article …

‘AirTags are easy to use and effective, but their extensive location tracking and ability to go beyond Bluetooth range is also what makes them dangerous for the rest of us.‘

What makes AirTags potentially dangerous to use is the lack of detailed information describing how they work and a lack of transparency in how location information is, or could be, collected.

Personal Geofences, Bluetooth and Covid-19

Continuing on the themes highlighted by Joseph in his recent post COVID-19 and Privacy Concerns, Apple and Google have announced a joint plan to develop a phone tracking solution, as opposed to an application, that will use Bluetooth signals to identify people a phone’s owner had been in close enough proximity with to represent a potential risk of infection. Phones within a certain range would exchange an anonymous, encrypted code and if one of the phone owners subsequently tests positive for and declared themselves to be infected with the virus, their code would be shared with a central database. Other phones would download and scan the database for potential code matches. If a match is found, the phone’s owner is alerted.

Both companies have been quick to stress neither location data or any personal information would be captured and their focus will be on ‘privacy,  transparency and consent’. Although still subject to approval, the proposal has already had a fairly positive initial response from the European Data Protection Supervisor (EDPS) on Twitter who indicated it met one of their main criteria by incorporating data protection by design.

With health services and governments in many countries facing urgent requirements to implement rigorous and effective tracking solutions, necessity is once again proving to be the mother of invention.

 

Company ethics versus technical reputation

Over the last two years we have written a number of posts on some of the issues surrounding personal information and data privacy; from UAVs (drones) to the secret lives of phones, the collection and reuse that information continue to challenge end users and customers. How much of our personal information are we willing to trade for access to products and services?

A recent ZDNet article by Jack Schofield reported the results of a Harris poll into corporate reputation and the responses from 18,000 American adults to six categories: emotional appeal, financial performance, products and services, social responsibility, vision and leadership and workplace environment. The survey indicated that 76% of those surveyed were concerned about the amount of personal information captured by large companies, including technology giants Apple, Google, Samsung, Microsoft and Amazon, and less than half (44%) reported that they trusted companies to act responsibly with that information. In the category Social Responsibility, the only technology company to appear in the top five was Microsoft, ahead of both Google and Apple.

How much of that mistrust materialises as lost sales or changing preferences? According to the poll company business practices are an increasingly important factor for customers, with 60% of those surveyed reporting that they researched companies before they considered engaging with them. It seems that technical reputation is not the only measure by which companies are judged and company ethics, in particular personal information policies and practices, now play a major role in influencing our choices.

 

 

 

3D imagery and aerial photography: Public access versus public safety and security

One of the recurring themes in The GIS Guide to Public Domain Data is that of open access: How and when spatial data is made publicly available. A recent report from BBC reporter Zoe Lleinman, highlighted the continuing problem of balancing the public interest in access to detailed mapping data for towns and cites versus concerns from government organisations with respect to security and public safety. Officials from Norway’s National Security Authority have refused permission for Apple to take aerial photographs of the capital city Oslo to create a 3D imagery layer that would include government buildings and restricted areas. Although the data Apple require can be sourced elsewhere (for example, from the Norwegian Mapping Authority), the authorities felt they would have no control over how data would be used if Apple were to acquire the data themselves. Other map companies have used 2D satellite imagery, which is not protected, for their mapping services.

Maintaining public safety, and national security, has long since ceased to be simply a matter of security barriers and guard dogs patrolling the perimeters of restricted areas; with increasingly easy to use web mapping services, access to detailed spatial information no longer requires a physical presence at the site. Terrorist events in Norway, and the targeting of government buildings, triggered a major debate about security and public access to such information. We discussed a similar problem with attempts to ban access to Google Earth data in India following the attacks in Mumbai in 2008. As the Norwegian and Indian authorities themselves acknowledge, there are many benefits to be gained from having access to detailed imagery, but developing effective data access policies, where information use is monitored, is an on-going challenge.