UPDATE--Apple and Google have developed a draft framework to enable product manufacturers to detect and alert users when small devices such as AirTags are tracking their movements surreptitiously. The specification, which is in the hands of the IETF, is the first industry-led effort to address the problem of unwanted Bluetooth trackers.
Small location-enabled Bluetooth devices such as AirTags, Tile, Pebblebee, and others offer users the ability to track items such as keys, wallets, luggage, or pretty much anything they want. The trackers are usually quite small and relatively inexpensive, so they have become very popular among both legitimate users and bad actors who want to track people or physical objects for malicious purposes. Privacy advocates and groups that work with domestic abuse victims have warned about the ways in which criminals can abuse these trackers to surveil people without their knowledge.
"This is where we start. Getting two companies like this to publish a draft specification is a good start. I actually have a great deal of optimism about this," said Eva Galperin, director of cybersecurity at the Electronic Frontier Foundation, who has done extensive work with survivors of domestic abuse on digital privacy and security issues.
The new specification defines a set of recommendations and requirements for the ways that manufacturers should design their devices to behave both when they’re in proximity to their owner and when they’re separated from the owner. The key requirement is for trackers to have the ability to determine when they’ve been separated from the owner’s device for a set period of time and then play a sound to alert non-owners that the tracker is moving with them. The trackers also must have a mechanism to allow non-owners to find them.
“Bluetooth trackers have created tremendous user benefits but also bring the potential of unwanted tracking, which requires industry-wide action to solve,” said Dave Burke, vice president of engineering for Android at Google.
Among the other components of the draft specification is a pairing registry that would store information about the owner of a specific accessory at the time that it’s paired with a device. That data would include the email address and phone number of the owner, and obfuscated data would be available to the platform provider, for example Apple.
The companies submitted the draft specification to the Internet Engineering Task Force on Tuesday and it will now work its way through the process of potentially becoming an IETF Internet standard. That process can take years, but manufacturers can adopt any of the best practices and recommendations they want at any point.
“Formalizing a set of best practices for manufacturers will allow for scalable compatibility with unwanted tracking detection technologies on various smartphone platforms and improve privacy and security for individuals,” the draft says.
“Unwanted tracking detection can both detect and alert individuals that a location tracker separated from the owner's device is traveling with them, as well as provide means to find and disable the tracker.”
Lawmakers have held many hearings about online tracking and surveillance in the last few years, but those have focused almost exclusively on the ways that platform providers and ad tech companies track people across the web. The individualized, targeted surveillance that small Bluetooth-enabled trackers can allow is a different story altogether and not one that’s easily addressed by regulations or legislation, which is why industry initiatives such as this draft specification are vital.
“A key element to reducing misuse is a universal, OS-level solution that is able to detect trackers made by different companies on the variety of smartphones that people use every day,” said Alexandra Reeve Givens, president and CEO of the Center for Democracy and Technology.
This story was updated on May 4 to add comments from Galperin.