Edgar Cervantes / Android Authority
For some people, the rise of Bluetooth and ultra-wideband (UWB) tracking devices and accessories is probably not just welcome, but necessary. It’s easy enough for a phone to become lost or stolen, never mind keys, or wireless earbuds that pop out at the literal drop of a hat. Gear is also getting prohibitively expensive to replace — high-end earbuds can top $250, and the Galaxy Z Fold 3 costs as much as a gaming PC. If you’re prone to misplacing things, tracking tech can save you thousands of dollars.
Amidst the rush to adopt it, however, it’s important to be aware of the serious privacy issues involved. It’s well-known that governments often use every tool available to track suspects, whether or not those targets are legitimate. Consider the NSA metadata collection exposed by Edward Snowden, or the Pegasus spyware used by countries like Saudi Arabia and the UAE. Stingray cell tower simulators are employed by many agencies, including US law enforcement.
The private sector is hardly immune from such worries, either. We already share a wealth of location data with app-based businesses like Google and Facebook. There are firms specializing in enhancing, analyzing, and/or reselling that data, like Foursquare, and a subset of them aren’t too picky about their clients or methods. Some individuals will ignore the law entirely.
Broadly speaking, the risks of device tracking can be broken into two categories: stalking and general surveillance.
Stalking is perhaps the biggest and most obvious threat. A Tile-like Bluetooth tracker slipped into someone’s bag, vehicle, or clothing can potentially be used to follow someone wherever they go, especially now that the only major size restriction is batteries. Bluetooth’s range is (realistically) limited to a few hundred feet — yet companies like Tile and Apple have gotten around that, using networks that anonymously “echo” the location of trackers as customers pass by. If you hid a Tile in an e-bike before it was stolen, for example, its location should refresh whenever another user of the Tile app is in the area.
The threat of stalking isn’t hypothetical. In 2018, for example, a Houston woman told ABC 13 that she discovered a Tile planted inside the console of her car, which her ex had been using to follow her to homes, restaurants, and out-of-town locations. The ex in that case was charged with a misdemeanor, but it’s not hard to envision an alternate scenario in which the woman was assaulted or killed.
Short of criminal activity, there’s room for parents and partners to engage in controlling behavior. An abusive husband could use trackers to follow their spouse to a shelter or the police. An overprotective mother could prevent their child from going anywhere but home or school.
Due credit goes to Apple for making anti-stalking integral to AirTags — iPhones automatically tell their owners if an unpaired AirTag is following them, and after eight to 24 hours, the tag will start beeping. This still doesn’t apply to Android phones, though, and even when such support comes online, Android users will have to download an app to protect themselves. That hardly helps unsuspecting victims, as the wait time before an AirTag suspected of “person tracking” starts to beep for non-iPhone users is currently a full three days.
Samsung’s SmartTags follow a similar model but require users to scan for stalkers manually. Thankfully, people also need the correct Samsung app on their phones for location data to be broadcast, so SmartTags aren’t easy to weaponize. Tile, however, offers no such anti-stalking features at all.
As tracking device technology evolves and networks grow, the tug of war between stalkers and tech companies is bound to escalate, with the former exploiting any loopholes they can find. Sadly, they don’t have to personally plant a Bluetooth tracker to hunt someone down — hacking into mobile platforms is another option, which brings us to the topic of general surveillance.
Hacking can actually be more effective than planting a tracker, since people tend to carry their phones everywhere, and attackers can obtain a lot more than just location info — assuming they overcome the hurdles of encryption and detection. The combination of this and state-of-the-art tracking devices stands to amplify surveillance possibilities.
The problem here isn’t so much hardware as the apps people use for tracking. Tools like Google Find My Device and Apple Find My are baked into their respective platforms, and if they’re infiltrated, they can potentially map out every connected gadget a person has. These do require breaking into heavily protected accounts at least, so as long as a person has a strong password and two-factor authentication (2FA), the threat is low.
Lax security practices have always been a problem, however, and things begin to get dicey with third-party apps. Most companies don’t have the same security resources as giants like Apple and Google, meaning their servers and accounts don’t always have as many safeguards. Brands like Tile are generally trustworthy, but even they don’t use 2FA at the time of writing.
The more items a person tracks through first- or third-party apps, the more comprehensive surveillance can theoretically become. Let’s say you have a tracker on your backpack or laptop. If your phone and the tracker leave for a specific place every morning, it’s not hard to guess that the origin is your home, and the destination is an office or worksite. Placing another tracker on a TV remote immediately confirms your home location, and if you’re monitoring headphones or a personal electric vehicle, hackers can pick out some of your favorite haunts, like parks or the gym.
Things are even more complicated in 2021 due to the widespread availability of UWB-equipped trackers like the AirTag and SmartTag Plus, not to mention larger products with UWB built-in. Though a phone may have to be within 30 feet of a tracked item to switch from Bluetooth to UWB, the latter can narrow location down to just a few inches. Hacking into a phone surrounded by UWB items could let an attacker figure out where in a building devices are kept, or even where a specific person sits and sleeps. In the wrong hands, this data could be used to plan burglaries or even murders.
Mercifully there are several limiting factors, beginning with online security layers. Consumer UWB tracking is also relatively new, and only devices with the right radios can relay that data, such as the S21 Plus or iPhone 12. In other words, a target requires a state-of-the-art UWB ecosystem to generate precision info, and they then have to fall victim to device or server hacks. As UWB becomes ubiquitous, the ecosystem barrier will fall away, hopefully without creating new vulnerabilities.
The future and what can be done
There could be tough times ahead. Ransomware attacks are on the upswing, as NPR notes, and it’s entirely possible that tracking apps will become a lucrative target. Hitting them could leverage users’ most private information while threatening the businesses that most depend on holding a reputation for safety. Stalkers, meanwhile, may become more tech-savvy and exploit Bluetooth/UWB tracking devices and tech to the fullest. If in 20 years everything from shoes to cars has built-in tracking, you might not be able to tell how someone is following you.
Even if criminal attacks stay at a minimum, there’s still the issue of government intrusion, particularly in authoritarian nations like China. Chinese law requires that local user data remains on local servers. This isn’t a bad idea in principle, but under an authoritarian regime, the result is that if police or intelligence agencies want access to someone’s location data, they can get it without much pushback. More trackers translate into more data points for surveillance and suppressing dissent.
Both China and Russia regularly launch cyber espionage against the US, Canada, and Europe. There’s an obvious incentive for them to gather as much location data about targets as possible — imagine knowing the daily habits of a politician or general, or simply someone with classified data access. This type of spying could also be used to gauge vulnerabilities for future hacks, flagging devices that spies weren’t necessarily aware of.
With all that said, worst-case scenarios rarely come true, and both public and private organizations are finally stepping up their cybersecurity efforts, if mostly to avoid paying out millions in ransom demands. We just need that to apply to Bluetooth and UWB tracking as much as it does to banks and hospitals.
There are things app, device, and accessory makers can do. First, anti-stalking measures like those for AirTags and SmartTags will have to become widespread, and toggled on by default. 2FA should probably be an option for all tracking apps in the Play Store or App Store, and mandatory for people using first-party Android and iOS tracking.
If you have any fears, there are personal steps you can take that are beyond 2FA and short of disabling location data completely. You can, for instance, manage location sharing on an app-by-app or device-by-device basis, and regularly scrub location histories when it’s allowed. Virtual private networks (VPNs) can help mask IPs and add extra network security.
It’s also good to be broadly aware in social spaces. By keeping a close eye on who’s around you and where your things are, you can reduce the risk of threats like mugging and pickpocketing, not just stalking. Finally, be judicious about using Bluetooth/UWB trackers — while the idea of never losing anything is nice, ask yourself how often you actually lose a given object, and whether you need that much more tracking in your life.