Stop Pretending Apple and Amazon’s Bluetooth Networks Can’t Be Abused

Stop Pretending Apple and Amazon’s Bluetooth Networks Can’t Be Abused
Photo: Tile

Hot on the heels of Apple’s AirTags launch, Amazon announced that it’s expanding its Footpath network with Tile, smart lock company Level, and elder care smartwatch maker CareBand. The news is the biggest expansion of Amazon Footpath since it was announced last year, and offers a glimpse into how the company envisions this device-to-device network will work to help people find lost items or extend connectivity beyond wifi. And while we can all agree networks like Amazon Footpath and Apple’s Find My, which enables AirTag’s tracking abilities, might make losing things a lot less annoying, we’re not talking seriously enough about how to prevent them from being abused.

At this point, the average person is still probably fuzzy on what exactly Amazon Footpath is. It’s a sort of secondary mesh network in which Echo and Ring customers’ devices act as bridges to extend connectivity. It works by “borrowing” a small amount of your bandwidth and adding it to other participating Echo and Ring devices in your vicinity. Likewise, if you turn on Apple’s Find My, your Apple devices act as Bluetooth beacons to help locate other Apple devices — even if they’re offline — and relay that to the owner of the device.

The fact that close to 1 billion Apple devices are part of the Find My network is a big reason why Apple’s AirTags are incredibly precise at finding lost objects. By that logic, Amazon adding Tile, Level’s smart locks, and the CareBand stand will Footpath a more effective network to track items, too. Starting June 8, Amazon will flip the switch on Footpath, and Tile integration starts June 14. This sounds neat. You get to extend the range of Tile trackers, while also improving device location within your home — Alexa will reportedly be able to tell you which Echo device your misplaced item is closest to.

Tile has had its own mesh network for a while, but it wasn’t very extensive, and partnering with Amazon will give it a massive boost. For the Level smart locks, joining Footpath is supposed to enable your smart home gadgets to continue communicating with each other regardless of where your phone is. The CareBand will let you keep track of where older relatives with dementia are without needing to be connected to wifi.

What’s wrong with that? Well, nothing if these are used in the way they’re intended, with the best intentions. It’s what happens when they’re not. Apple and Amazon both claim to care about privacy and both enable encryption for security. In the case of the AirTags, Apple has implemented features to prevent unwanted tracking. Amazon has likewise released a white paper on how it treats privacy and security with Amazon Footpath. The problem is we don’t know how rigorously these precautions have been tested and vetted in real-use testing for the worst-case scenario: abusers using these networks to stalk people without their consent. Just because companies encrypt your data, doesn’t mean these products can’t be used in creatively awful ways to violate your privacy.

In both Gizmodo and Mashable’s reviews of the AirTags, the trackers were found to be scarily accurate at tracking people without their knowledge or consent. Users who haven’t updated to iOS 14.5 will not receive alerts that an unwanted tracker is near them, and even if you have updated, you may not see a notification if the AirTag isn’t tracking you for some unspecified length of time. Android users are also at a disadvantage.

If they’re being tracked via an AirTag, they won’t be notified until they’ve been physically out of range from their stalker for three days. In many abusive situations, you may never reach that particular threshold. This isn’t tech reviewer paranoia either. The National Network to End Domestic Violence told Fast Company it feared that AirTags could be abused as surveillance tools to discreetly track a partner, and that it is standard practice for halfway houses to thoroughly search through a survivor’s devices for these kinds of surveillance devices.

There’s the temptation to engage in whataboutism. There have been GPS child and pet trackers for years. Tile has been around for ages. It’s not like AirTags were a well-kept secret. Hell, smartphones can be easily be abused this way too. Why make a stink now? The reason why this moment is the exact time to raise the alarm is both Apple’s Find My and Amazon Footpath have the potential to make these devices easy to use, affordable, accessible, and extremely accurate, without the need for wifi or GPS.

And you don’t even need to opt into these networks to be vulnerable to their tracking functionality. There are 1.65 billion Apple devices in active use as of January 2021. According to Statista, there are 46.5 million Amazon Echo devices in the U.S. Both Find My and Amazon Footpath depend on as many people as possible participating to be effective, so all of those devices are pinging each other in the background with accurate locations, but that scale also means that it doesn’t matter if you as an individual choose not to participate (which in both cases, you can).

What matters is that everyone around you has opted in, most likely, and there’s nothing you can do about it. So long as there’s an Apple or Amazon Echo device around, you can be tracked by a small, easily hidden Bluetooth device that doesn’t need to be connected to the internet or a cellular network or a GPS satellite to report on where you are.

The myth is these abusive situations are rare; things that happen to other people, in rarefied circumstances. That couldn’t be further from the truth. Abuse and stalking are depressingly ordinary and commonplace. Domestic violence numbers have surged during the pandemic, and the CDC also says one in four women and one in seven men will experience physical violence from a partner in their lifetime. In the U.S., one in six women and one in 17 men, or roughly 19.3 million women and 5.1 million men, will experience stalking in their lifetime.

It’s a given that some abusers will use the accuracy and convenience of Find My and Amazon Footpath to their advantage — and that they will test the boundaries of whatever protections Apple and Amazon have put in place. It’s for that reason we need to have this conversation now because frankly, opting out is an illusion. If ensuring safety for everyone means you can’t track your items, maybe that’s a sacrifice we should collectively make.