Amazon Tile Trackers and Apple AirTags are so convenient. Amazon Sidewalk and Apple Find My “crowdsourced” networks help users find lost objects that the Tiles or AirTags devices are attached to. This technology makes finding lost things extremely easy. Apple AirTags only cost $29 each and Amazon Tiles range in cost between $24 and $59 in several styles. The user attaches the Tile or Airtag to cellphones, laptops, keys, wallets, dog collars, or places them inside objects. What kind of crazy person would recommend that a customer disable this technology? Well, there are hundreds of articles on the Internet on why and how to opt-out of Amazon Sidewalk, and a significant number of articles on the dangers of the Apple Find My network. Yet most articles promote the benefits of the “lost and found” technology and downplay or ignore its major security and privacy problems.
AirTags and Tiles are active RFID tags with a battery inside. Most RFID tags are used in retail stores or warehouses to track inventory and sales of items and are passive, having no internal power source. Some companies also use RFID tags for ID badges and even insert them under the skin of employees to allow access to buildings, access computers, or purchase items. The different types of Amazon Tile RFID tags are detected from a 150-to-400-foot range. Apple AirTags may have a range between 200 and 400 feet, according to some experts.
These RFID tags require a huge number of Internet devices in an interconnected network to be effective. Amazon and Apple already have private networks in place to achieve this. As Victoria Song of Gizmodo.com pointed out, these are called mesh networks where related devices work together to “extend connectivity.” Promoters incorrectly call these networks “crowdsourced” even though many people unknowingly participate.
How do these mesh networks operate? For Amazon, their Ring Video Doorbell home security systems and Echo speakers connect to Alexa voice-based virtual assistant. A small portion of a customer’s home bandwidth is used and combines with the bandwidth of other Echo and Ring devices in the local area. This is called parasitic bandwidth sharing. The mesh network fills in the empty spaces of your network’s internet connection and devices by utilizing low-power wireless connections, surrounding your home. The range of its radio frequency is estimated to be one-half mile. Users set up the Amazon Tile App on Android, Windows, or iOS to make Tiles ring or view the Tile’s most recent location when users want to find a lost item.
For Apple, the user sets up the Find My app on an iPhone, iPad, or iPod touch, or Android. When a specific item is lost the person enters it on the Find My app. If the user chooses to Play a Sound and the item is near, the user will hear the device ring. If there is no sound the user enters View Location to view exactly where the device is on the planet.
The Apple Find My network has approximately 1.65 billion connected devices and so this network is extremely effective in locating lost items. The Sidewalk network of millions of Amazon Ring and Echo devices is probably just as effective. According to cybersecurity expert Rob Brahman, most major US cities are probably fully within the Sidewalk mesh network.
Here are the Amazon devices that extend connectivity through Sidewalk: Echo (3rd gen +), Echo Dot (3rd gen +), Echo Dot for Kids (3rd gen +), Echo Dot with Clock (3rd gen +), Echo Input, Echo Flex, Echo Plus (all gens), Echo Show (all models and gens), Echo Spot, Echo Studio, Ring Floodlight Cam (2019), Ring Spotlight Cam Mount (2019), and Ring Spotlight Cam Wired (2019).
All this still sounds great. What is the big problem for consumers? Cybercriminals are increasingly gathering people’s data and monitoring people’s internet devices to steal assets and commit violence. Bad people can use Sidewalk and AirTags to commit crimes against people, regardless of the assurances by Amazon and Apple that they use encryption and have taken measures to protect user privacy and security.
Businesses will also need to increase their security. Fabian Braunlein of Positive Security commented that although the Apple Airtag bandwidth is low, it still would allow hackers an effective and inexpensive way to secretly remove data from corporations. Johannes Ullrich, dean of research at the SANS Technology Institute, warned that mesh networks and parasitic bandwidth sharing could be used by hackers to send data. “As far as risks go, you don’t know who actually uses your device or what they are using it for. You have no control over who is using your device or how they are using it.”
The National Network to End Domestic Violence told Fast Company Magazine that it is the normal procedure of halfway houses to inspect a client’s devices for surveillance technology. Jon Callas, of the Electronic Frontier Foundation, worried about the Amazon Tile. “What happens if somebody drops one of these in my bag?” Callas ponders. “That is what the real privacy issue that we see is, and it is something that they don’t address at all. The open, scary question is: What happens when somebody wants to use this as a stalking system?”
The US Centers for Disease Control and Prevention statistics reveal one in seven men and one in four women suffer from physical violence by their partners. In the US, one in seventeen men and one in six women are stalked.
Apple states on its web pages if one attempts to secretly track another person, the foreign Air Tag’s alarm will ring to warn the person that he may be being stalked since Apple devices know when an AirTag is not with its correct owner.
Yet, Victoria Song reported that Gizmodo and Mashable both reviewed Apple AirTags and discovered the AirTags were incredibly accurate in secretly tracking people without their permission. Song also wrote that Gizmodo.com found Apple users running a previous version of iOS 14.5 will not be notified when an unwanted AirTag tracker is near them. She also wrote that Android Find My app users are unfortunately not informed if an AirTag is tracking them until they are “physically out of range from their stalker for three days.”
As for Amazon Tile, it has already been implicated in a possible stalking incident. Sheridan Ellis posted a warning on TikTok on June 1st that she found someone’s Tile in her purse after coming home from an evening with friends. She immediately removed the battery to disable the device. Her TikTok post on the danger of location trackers had 1.2 million views by June 15th.
Despite the hundreds of articles on the privacy and security problems of the Amazon Sidewalk and Apple AirTag mesh networks, most people probably will not opt-out. Here is where the law and customer personal data expectations lag years behind the technology. For quite a few years it has been standard practice online for websites to ask you to opt in to receive their promotions and such. However, because only a small percentage of people voluntarily opt-in to be monitored when given the choice, Amazon and Apple automatically add your devices into their mesh networks when you start using their services. And opting out is not a simple flip of a switch. It is a 4-step process.
Robert Lemos of darkreading.com reported Apple Airtag was hacked just two weeks after its release. The article, “Apple AirTag Teardown & Test Point Mapping”, on colinoflynn.com, shows pictures and a component map of the AirTag. Lemos disclosed another hacker used the Apple Air Tag Teardown article to change an AirTag to direct an Apple device to a hacker-operated URL. This shows the inherent cybersecurity problems for the Apple AirTag user.
Amazon and Apple have not created a secure enough network to protect against stalkers, cybercriminals, and security problems that will inevitably arise from third-party applications using their mesh networks. Johannes Ullrich thinks it would benefit consumers more if the Amazon and Apple mesh networks had open-source protocols. That way, other software developers could find defects and improve upon networks and not rely solely upon the assurances of Apple and Amazon that their mesh networks are as secure and private as they could be. From this point of view, he does not see the need for multiple networks. So far, Ullrich finds Amazon documentation inadequate, with few specifics on how the rules work for formatting and processing data.
Internet service providers will probably be upset about Amazon Sidewalk. “The Wirecutter” column in the New York Times story by Jon Chase quoted an unnamed ISP source declaring, “Amazon does not have the right to do this……. it is not Amazon’s network to be sharing—they are putting their customers in violation of their agreements with their providers, and it is straight-up theft.” This refers to the Terms and Agreements that customers agree to when they subscribe to an ISP’s services. An ISP contract provides bandwidth to that subscriber alone and cannot be shared with others outside of that contact. Amazon says that Sidewalk will only use 80 kbps at a time and 500 MB per month maximum bandwidth of each user’s home system, but many ISPs may see it violates their terms of service allowing Amazon to mooch off their networks and eventually build an Amazon ISP to compete with them.
Eric Griffith of PC Magazine points out that people need to decide if they trust Amazon and Apple with their personal data and then determine if they should opt-out of the mesh networks. Amazon currently says the Sidewalk server only authenticates and sends data but does not read it. Griffith brings up a point that few other tech journalists mention that Amazon Sidewalk’s Terms of Service could change anytime in the future permitting less privacy and less secure use of personal data.
As mentioned in my previous articles on personal data and data companies, industry analysts increasingly see data as the world’s most valuable asset, even more than the oil and energy industry. This helps explain why Amazon and Apple are so keen on developing mesh or smart networks. The cost of the network is paid for by the consumers who buy the Apple and Amazon devices that create the AirTag and Sidewalk networks, but the consumer’s personal data is not owned by the user of the devices. For now, Amazon and Apple say they do not read or keep the data from Tiles and AirTags.
However, it is well known that Amazon collects data about user conversations with Echo devices. Experts have revealed Amazon’s Ring surveillance devices have compromised user privacy and security from employee snooping to sharing of detailed location data. In addition, the Electronic Frontier Foundation found the Android version of the Ring app was sending a large amount of personal data about users without user knowledge or consent.
Apple’s web pages state that “AirTag does not store location data or history.” However, Manik Berry of fossbytes.com wrote that Apple does collect personal data on its users. It does not sell the data to third parties like Google and Facebook sell their user’s personal data. However, Apple gets paid by advertisers for ads it places for them in the Apple App Store, on News app, and the Stocks app. Apple policy states ads are targeted to groupings of people with similar tastes, not to specific individuals. Killian Bell of cultofmac.com stated Apple generated $2 billion ad revenue in 2019 and may generate up to $11 billion in ad revenue by 2025.
Most people think of Amazon only as an online store and services company. Yet, AWS or Amazon Web Services generated 50 percent of Amazon’s total operating profit in the first quarter of 2019 alone, while generating only 13 percent of Amazon’s net sales. AWS is a direct competitor to Google, IBM, and Microsoft in selling cloud services and machine learning tools. AWS customers range from NASA to the NFL. The profit margins are far greater in the AWS data and tech division of Amazon than its online store of consumer products and services. If corporations go where the money is, it only makes sense that Amazon will maximize the ways AWS can profit off data, including that transmitted through the Sidewalk network.
Eric Griffith indicated Sidewalk will know who is walking by the home, who is knocking on the door, who is unlocking the door, etc. This is different than the data packets that are sent to locate an item with a Tile attached to it. This will be useful in targeting people for advertising. It will also increase spying and cybercrime by those who steal this data. Amazon has not proven itself a friend to privacy advocates. It owns a facial recognition software that it has sold to many US police departments. Amazon also owns Ring, which has agreements with over 400 US police departments so law enforcement agencies can effortlessly obtain the doorbell video recordings.
How to opt-out of Amazon Sidewalk on a tablet or mobile phone:
- On the Alexa app: Open More > select Settings > Account Settings > Amazon Sidewalk and toggle it to Disabled.
- On the Ring app: Tap the “three-lined” menu > Control Center > Sidewalk and tap the slider button.
How to opt-out of the Apple Find My network:
Go to Settings > tap your Apple ID > tap Find My > tap Find my iPhone > toggle it to Find My Network off.
So, it comes down to convenience versus privacy and security. If people opt out, they cannot use the mesh network to locate lost keys, lost dogs, wallets, or any item the Tile or AirTag was attached to. However, people survived quite well without the Amazon Sidewalk or Apple Find Me network before, so they could do just as well now. For the people who think, “this technology will never be used in any way to harm me”, the decision is easy, leave the network on. But for those who see the mesh network as another huge technological intrusion into personal privacy and undermining personal security, the choice is clear: opt-out!
