Apple and Google Join Forces to Stop Unauthorized Tracking Alert System
3.5.23 Security The Hacker News
Apple and Google have teamed up to work on a draft industry-wide specification that's designed to tackle safety risks and alert users when they are being tracked without their knowledge or permission using devices like AirTags.
"The first-of-its-kind specification will allow Bluetooth location-tracking devices to be compatible with unauthorized tracking detection and alerts across Android and iOS platforms," the companies said in a joint statement.
While these trackers are primarily designed to keep tabs on personal belongings like keys, wallets, luggage, and other items, such devices have also been abused by bad actors for criminal or nefarious purposes, including instances of stalking, harassment, and theft.
The goal is to standardize the alerting mechanisms and minimize opportunities for misuse across Bluetooth location-tracking devices from different vendors. To that end, Samsung, Tile, Chipolo, eufy Security, and Pebblebee have all come on board.
In doing so, tracking devices manufactured by the companies are required to adhere to a set of instructions and recommendations as well as notify users of any unauthorized tracking on iOS and Android devices.
"Formalizing a set of best practices for manufacturers will allow for scalable compatibility with unwanted tracking detection technologies on various smartphone platforms and improve privacy and security for individuals," according to the spec.
"Unwanted tracking detection can both detect and alert individuals that a location tracker separated from the owner's device is traveling with them, as well as provide means to find and disable the tracker."
A crucial aspect of the proposed specification is the use of a pairing registry, which contains verifiable (but obfuscated) identity information of the owner of an accessory (e.g., phone number or email address) along with the serial number of the accessory.
The data is retained for a minimum of 25 days after the device has been unpaired (at which point it's deleted), and the pairing registry is made available to law enforcement upon submission of a valid request.
In addition, the specification mandates that trackers transition from a "near-owner" mode to a "separated" mode once they have not been near an owner's paired device for more than 30 minutes.
The companies are soliciting feedback from interested parties, following which a production implementation of the specification for unwanted tracking alerts is expected to be released sometime by the end of the year on both mobile ecosystems.
The last time Apple and Google came together, it was to devise a system-level platform that utilizes Bluetooth low energy (BLE) beacons to allow for contact tracing during the COVID-19 pandemic without using location data.