It's interesting to see that Google takes this so seriously they're backporting it to Android 6. I guess they probably have metrics on what Android versions are still in active use, but I'm a little surprised that Android 6.0 would still be used heavily enough to warrant the backport. Regardless, it's good to see this sort of industry cooperation from companies who would normally be at each other's throats.
Google made a deliberate decision long ago to detach library and feature support from the operating system due to manufacturer fragmentation. So most of their new stuff automatically works with old versions of android
Google Play System updates provide very few security patches and this only applies to devices with Android 10 and higher and most APEX modules are only updatable in later versions.
And the annoying thing is that on some phones (like Samsung phones recently, twice), the Play System updates get blocked for months on end. Worse, people who buy a new device are often stuck on ancient versions.
I recently tried an Android phone again for a few months, and the update/security situation is still a mess. E.g. Samsung does monthly updates on more premium phones. But a former flagship like the S22 would sometimes only get the update near the end of the month, even before the S24 is out. Having a phone with known CVEs for the better part of a month is… meh.
For some vendors, like Samsung, things are much better than a decade ago, but it’s still a far cry from Apple rolling out updates to all models simultaneously.
> Samsung does monthly updates on more premium phones. But a former flagship like the S22 would sometimes only get the update near the end of the month, even before the S24 is out.
This is complicated by their rolling updates per country, it can be few weeks between the first CSC (3 letter identifier for country and carrier variant) to receive an update and it being rolled out to the final one.
I was towards the end of that update cycle, so the Android security patch level could become quite detached from the actual month.
>Having a phone with known CVEs for the better part of a month is… meh.
Out of curiosity , have you ever encountered any malware that exploits said CVEs? If a month delay would be so dangerous, Android users, even of new devices would be getting pwned left and right, let alone Android users of device no longer getting patches.
Source: Android user of old phone who hasn't been hacked yet so I'm not sure where exactly the dangers are, as the attack surface is mostly the web browser and the apps, both of which are scanned and covered by up-to-date patches from Google Play Store/Services even on my ageing phone. So as long as you don't browse extremely dodgy websites, and don't download shady apps you should be good as nothing else can't get to the Kernel CVEs on your unpatched phone.
Yeah, I'm sure some crafty malware dev can whip out a targeted virus that can exploit the chain of open CVEs on my particular phone through a MMS message or something, but I'm not sure targeting the 100 or so users left still using this old OnePlus model that's worth less than 20 Euros used (pointing to a user without much income), is a good use of their skills and time, when they could be frying much bigger fish with that know-how like going after Microsoft's Azure or something.
Nor am I being targeted by state actors who have these means. And if you are being targeted by state actors, they have access Zero-Days that even Apple or Google haven't patched yet so you're not safe anyway no matter what phone you have.
> If a month delay would be so dangerous, Android users, even of new devices would be getting pwned left and right, let alone Android users of device no longer getting patches...Android user of old phone who hasn't been hacked yet so I'm not sure where exactly the dangers are
What are the odds that you'd ever know if you were hacked? If you have root access on your device your odds of being able to see something amiss are probably somewhat better than if you don't, but even then I wouldn't count on it. How many people detected Predator/Pegasus? It isn't just state actors taking advantage of zero days. A zero day gets that malware on your system, but once it's infected how would you know? There have been reports that millions of android phones are infected at the factory. (https://www.theregister.com/2023/05/11/bh_asia_mobile_phones...)
I don't know how you could possibly be confident that your device isn't infected with something. The devices are designed to keep you from having the ability to poke around too much at their internals and the radios make it difficult to monitor exactly what's being sent/received to the device.
>What are the odds that you'd ever know if you were hacked?
Would you know?
>I don't know how you could possibly be confident that your device isn't infected with something.
Easy, my bank account is still full.
How are you confident your phone isn't infected? Being up to date is no guarantee. Until you can poke around with root access to inspect everything it's still Schrodinger's cat in a black box you trust to not be dead inside.
Because how would malware ever make it into my phone? It doesn't just magic itself onto your device once it stops received updates. It needs an entry point off the attack surface. And what's my attack surface since all your examples don't apply to me?
I never download shady Apps from the likes of Huawei AppGallery lol or even off the PlayStore and I don't use Android 5. All apps I use are whatsapp and Google chrome, and I also don't browse shady websites on my phone.
That assumes the malware is intended to take your money instead of your data, or even just your internet connection. Malware can be used to attack/infect other devices or even just click ads. What kind of harm could someone who had full access to your device, including access to your internet activity, texts, location, camera, and microphone do to you without telling you about it (blackmail).
> Because how would malware ever make it into my phone?
Maybe it was installed at the factory. Maybe it came from literally any one of the many many vulnerabilities that made it possible to infect your device without any indication. Android phones have been compromised via text message, via Bluetooth, via QR code, and via apps.
It's great that you aren't doing anything obviously risky, but that isn't a requirement to get infected and the problem is you just can't know. You aren't the admin of the device. You don't have the authority to control what it does. You aren't allowed to see what it's doing. You can't see who it's communicating with or when.
I've also used phones which haven't received any updates for years without any obvious problems. Just maintaining basic digital hygiene like you do. In theory, one could use a zero-day in a web browser (like the recent libwebp vulnerability), then exploit one of the numerous CVEs in one of the system libraries or the kernel, and own the phone that way even without you doing anything worse than visiting a random website. For example, that's how one of the the first methods of jailbreaking PlayStation 4 operated.
Your average Joe six-pack like myself probably shouldn't really worry about it though, it seems more likely to be used against really high value targets.
You might want to try out another web browser that has aggressive ad blocking (Firefox, Brave, or Vivaldi should do it) since ads are one of the major methods of spreading malware.
>You might want to try out another web browser that has aggressive ad blocking (Firefox, Brave, or Vivaldi should do it) since ads are one of the major methods of spreading malware.
Under rated advise. Too bad said Joe six-pack donesn't follow it because it thinks other browsers "have viruses"
Are you suggesting we've got a statistically valid sample of Android users here to suggest that drive-by RCE exploits that have been published and patched on modern Android devices are essentially just a fantasy and aren't actually concerns at all for unpatched devices? And that the people in this sample would always clearly know their device was compromised?
FWIW, while I don't think I personally had an Android device hacked, I do think I've had family members with devices potentially hacked. One family member running an older version of Android continued to have lots of accounts constantly getting stolen despite using a password manager and unique complicated passwords. Pretty much any time they'd be logged in to an app there would begin to be fraudulent orders or other mischief on that service. They never installed shady apps. Rotate the password on another device, no problems for a while. Log in on the phone again and within a day or two have the mischief start again. All that stopped after replacing the device.
Another family member started getting popover ads on their device despite not having any odd apps installed that would be the cause. Even after a "factory reset" the popover ads continued to plague the device, as if it was embedded in the ROM.
My bank app is sht, The 2FA is EMBEDED in the app; in the beggining it was a separate app. It also needs Google Play Services. And I live in a third world country with little accountabilty. On top of all that, most people use very cheap chinese phones which never get any update.
Still, bank accounts have never been depleted through hacking of phones.
To be fair, it's non-trivial to convert hacked bank credentials to actual cash, due to anti-fraud measures, KYC rules, and reversibility built into the finance system. A better indicator would be $1000 worth of BTC on an unencrypted wallet not being hacked.
True, given that the average android phone probably needs 100s of CVEs patching, it's kinda weird that there's not obvious epidemic of phones being hacked
If something is actively exploited they definitely don't wait to months end. Also a Google update is not urgent if the vulnerability is not really exploitable on Samsung (they have some additional security) or a fix is already backported.
>Is this the reason that my old mid/low end android devices become unusable even through they no longer get updates?
More recent versions of apps (like whatsapp, which requires to be updated regularly) are unnecessarily more demanding. Try disabling Play services, all Bloatware, all quasi-bloatware (calendar, contacts), all the way to the default keyboard. (pm disable-user --user 0)
Install FOS replacements with no internet connectivity, e.g. from f-droid and such (not affiliated)
It is easier to buy a new device, but I get attached to my pal ;)
Has Android gotten that bad? I last used it in 2018, and haven't exactly missed it since, but even back then I didn't think of Calendar or Contacts as quasi-bloatware.
Most of the memory in a phone is flash. All flash memory has limited write cycles and there's a speed/lifetime tradeoff, also. Flash devices normally actually have more memory than stated, writes go to empty pages that then replace the original, which is then wiped. Every cycle the cell grows slightly weaker until one day it's too weak.
In the best case when a page write fails the memory controller discards the page from the pool, when the pool becomes exactly equal to the official size the device goes into permanent read-only mode. (Which would brick any device it's built into. A PC you could pop in another drive, a phone you can't.) Many devices have failure modes worse than this.
The better the quality of the memory the more margin it has, and how much you write to a drive has little to do with how big it is--from a practical standpoint life expectancy is roughly linear with size.
>from a practical standpoint life expectancy is roughly linear with size.
For the flash itself (the giant mass of NAND or NOR gates making up the cells), in terms of TBW it's straight up linear with size. 2 TB flash storage has twice as many cells as a 1 TB (of the same make) therefore can eat twice as many write cycles (unless the manufacturer does something on the sly like change overprovision ratio based on capacity, change from TLC to QLC on higher capacity units and "forget" to mention it, etc., but those are factors beyond the basic logic gate arrays).
However I don't think size effects MTBF as that looks at factors unrelated to write cycles; things like catastrophic failure of a chip or a short that catches fire and burns down the server farm.
Realistically speaking, MTBF has little bearing when considering flash storage lifetime. TBW is where it's at. If the specs only give MTBF, I tend to assume the TBW is bad enough it's worth hiding and I'll avoid those . If not that, then it's either straight incompetence, recycled flash scam, or the manufacturer just doesn't give a shit (all of which are way worse than choosing to omit a low TBW rating).
It may seem like i'm nitpicking the word 'roughly' but i don't disagree with the sentiment. Depending on how you want to measure lifetime (jfc don't use MTBF), it isn't exactly linear, but it's not the flash's fault.
> Supporting Android 6 would be like supporting iOS 9.
1. Your point still stands, but this is because this update is probably shipping as a Google Play Framework update, which works on >= 6.0. Google is not (to my knowledge) releasing a new firmware.
Apple would do well to decouple certain software components from iOS, IMHO.
2. In case others are curious about iOS version market share, statcounter's stats for April 2024:
As a developer, that long tail of folks on the previous major version really sucks with fast-moving frameworks like SwiftUI. There's no way my company (a banking app) would drop 10% of customers, so we typically do N-1 for iOS support.
Our Android app shipped almost 3 years ago with minSdk=24 (Android 6.0) and we haven't had to update it.
The web browser is a big issue with this, too. A Safari release broke IndexedDB and they didn’t release a fix for over two months because browser updates are tied to the OS.
If there's a critical security update they can release an update within days. So it's got nothing to do with the complexity of releasing a new OS, it's just that they found IndexedDB not important enough to warrant an out of cycle update.
I mostly work on Windows apps. People still complain when software drops support of Windows 7 released in 2009, or Windows 8 released in 2012. Despite none of them are supported by Microsoft.
It'd be a more fair comparison to take into account Windows 7's EOL which was just a year ago IIRC if you coughed up Extended Support money, its broad install base, and it being the last actually truly decent Windows that had a consistent UI across the place and no ads.
> Apple would do well to decouple certain software components from iOS
I'm not really convinced of this. When you control the entire hardware and software stack, and already provide updates for 7+(?) years per model, would doing this really change much? Google needed to do that because some cheapo manufacturers weren't really providing any updates to speak of, and Google has limited ability to force manufacturers to provide updates on any particular schedule.
It's funny, because to me this is really just the Linux model vs. BSD model, in a way. Linux base systems are cobbled together from various bits of software maintained by different people and groups. Many of those components can be updated independently of one another, including the kernel. The BSD model is to ship the entire base system as a versioned unit, and only update the entire thing monolithically. Android does the Linux model, iOS does the BSD model. Both models work just fine, depending on what your goals are and your distribution model.
I think the one thing I'd argue Apple should decouple from the OS is Safari. A web browser (and the underlying OS web view) should be independently updateable, even after a device stops getting OS-level security updates.
So this has the downside of not being supported for Androids that don’t use Google Play services right? Like the Amazon tablets?
Still a big win overall I’m just curious what number of devices basically don’t get important upgrades due to this method. (Surely a tiny amount compared to what you’d have if you relied on device manufacturers to update the OS.)
Google and Apple have fairly different platform software update strategies so I was curious how the support windows line up. Android 6 was the last supported release on devices like the Nexus 5 and Xperia Z3 from 2013 and 2014. iOS 9 was the last version supported for devices like the iPhone 4s and 3rd gen iPad that shipped in 2011 or 2012. Going forward to 2013 iPhones you have the 5s which was last supported in iOS 12. It sounds like Google is able to ship this directly rather than as an OS update that would need to go through manufacturers, while Apple typically deploys these type of fixes by pushing an OS update. I'm curious how far back they'll go, they rarely ship security fixes more than two major versions behind the current release (so maybe down to iOS 15, supporting devices released in 2015).
> they rarely ship security fixes more than two major versions
Every flagship iPhone since 2011 has gotten at least five years of OS updates, with additional years of security updates after that.
For instance, the original version of the iPhone SE is currently in its eighth year of support, and just got another security update a couple of weeks ago.
One issue with iOS vs Android is that iOS has the browser tied to the OS ala Internet Explorer. Once iOS is no longer supported, you're now using an unsupported insecure browser. And all other iOS browsers sit atop the unsupported insecure browser in iOS.
On Android, the browser is separate and you can install alternative browsers. The current release of Chrome for Android works with Android 8 which was released in August 21, 2017 and dropped January 2021. Android System Webview (the browser engine that other apps can use so they don't have to ship their own) works the same way and is independently updated from the OS.
Updating an app doesn't fix an issue that requires a security update, or a replacement driver.
> Virtually any Android, Linux, or Windows device that hasn't been recently patched and has Bluetooth turned on can be compromised by an attacking device within 32 feet. It doesn't require device users to click on any links, connect to a rogue Bluetooth device, or take any other action, short of leaving Bluetooth on. The exploit process is generally very fast, requiring no more than 10 seconds to complete
A browser update doesn't fix that and that and Blueborne was disclosed during the era when an Android device only had a support window of two of three years.
iPhones from over a decade ago were getting security updates, including for the browser, for seven or eight years.
Every month or so someone (usually a security company that wants to sell something) find a domesday exploit for android that is unpatchable, and then it gets patched or turns out to be a non issue.
> the browser tied to the OS ala Internet Explorer.
Internet Explorer was usually only loosely tied to the OS. Yes, many versions of Windows came with some version of IE, but you could usually install a newer version if you wanted. Every once in a while, a newer version of IE required a newer version of Windows, but that wasn't typical.
As I understand it, on Apple systems, Safari comes with the OS and is updated together --- Safari updates come in OS updates. Mobile IE was very similar though, at least on Windows Phone 7 and newer.
> Safari comes with the OS and is updated together --- Safari updates come in OS updates.
That’s true on iOS but not exactly true on macOS. Upgrading macOS also upgrades Safari, but you can also install newer versions of Safari on older versions of macOS. You just can’t have older versions of Safari on newer versions of macOS.
Two different things, Apple provides a pretty long window of OS updates for each device but doesn't ship updates for older OS versions. For example the 1st gen SE shipped with iOS 9 which has not been getting updates for a few years, but it can run iOS 15 which still seems to be getting security updates.
It probably seems odd when you're coming from a history of devices with a very short support window, but you don't need to worry about years when you only get a security update until you run out of years when you get the OS AND security updates first.
For instance, that original iPhone SE came out in 2016, the same year as the original Pixel phone. The iPhone is still supported by Apple today, while the Pixel phone was dropped from support by Google five years ago.
Google had to come up with a way to backport features to older unsupported versions of the OS because their support window was so abysmally short.
Hopefully, this won't be an issue going forward, with Google promising a comparable support window in the future.
FWIW, WhatsApp claims support back to Android 5.0, and if they haven't changed their support decisions since I left, that means there's a significant amount of users in the wild on Android 5.0. I'm not surprised Google only goes back to Android 6, they were always dropping versions from support before WA did; their threshold must be higher.
WhatsApp majority userbase sits outside of the US, and it's deeply embedded in many 3rd world countries. I'm not sure how their European userbase compares with the African/Asian userbase.
I reckon the WhatsApp userbase OS distribution skews much more to older android versions compared to an app that mostly enjoys US/1st world country userbase.
Certainly, the WhatsApp userbase is skewed. But most of WhatsApp Android users are also Google Play Android users (certainly not all, WhatsApp publishes the apk directly), so if WhatsApp doesn't want to cut off X million users on Android 5, but Google is ok with not supporting it, Google almost certainly has a higher threshold value required to keep support. I'd guess the Android 5 users with Google Play and not WhatsApp outnumbers the Android 5 users with WhatsApp and not Google Play, but none of those statistics are public.
With the number of Android devices out there, it really makes more sense to think about it in actual user/device count rather than percentages.
Unless I missed a memo, Linux LTS is 2 years of support these days. Many distributions offer 10 year LTS releases, but I’m not sure of any off the top of my head that currently offer more.
I feel like a couple things were mixed that aren't the same. The commenter upthread said 10 years for Windows OS versions. I took that to mean e.g. "Windows 11 will be supported for 10 years from initial release".
Sure, you can often install a modern Linux distro on a 20-year-old device (though just as often, you cannot), but that's not the same thing as a single version of Windows being supported for 10 years. The analogous situation is indeed LTS versions of Linux distros, which certainly don't have 10-year support lifetimes, let alone 20.
But the support lifetimes make sense for the various vendors. Apple doesn't need to support a particular major version of macOS or iOS for all that long, because they make sure new versions of their OSes will run on fairly old devices (all of which are devices they've built, and have full control over), and they aggressively push people to upgrade to new major versions as they come out.
Microsoft has a lot of customers who value stability and consistency above all else, and on top of that, they have to support a wide variety of hardware that they don't and can't control. Supporting a major version of Windows for many years makes sense for them.
As for Linux, there's no one single source, so a rolling-release distro can decide to only support the bleeding edge, whereas a cloud provider might roll their own distro for server use and decide to support that for a decade, if they think that's what their customers want.
I just recently pulled out an old phone that originally ran Android 6 for a project, hardware wise it still runs perfectly. The only thing wrong with it is that I can't upgrade it to a newer Android version.
From what I understand, backporting won't make a difference, unless vendors integrate it into their custom OS installs, and, from what I hear, they aren't really giving legacy support much love.
They are taking it seriously because of the legal liability issues. Their lawyers are clearly worried about the legal implications of their devices being used to track people and things for illegal purposes and want to make sure they have a level of protection against lawsuits from consequences of tracking devices used for illegal purposes. There are already cases of women being stalked using these devices.
> Their lawyers are clearly worried about the legal implications of their devices being used to track people and things for illegal purposes
Just that Android devices are not involved in tracking of AirTags, as of today only iOS devices actually share the location of AirTags back to Apple.
They maybe want to change that, but considering the huge amount of volume disparity between AirTags and Google's tags, I assume Apple would have to pay Google for the service of extending their tracking-network...
> It’s possible the tracker is attached to an item the user is borrowing, but if not, iPhone can view the tracker’s identifier, have the tracker play a sound to help locate it, and access instructions to disable it.
That means someone can steal your stuff, and then disable the tracker so you can't find it. Most people and myself included were sticking these cheap tags on everything we own, and it was genuinely useful during travel or in scenarios where theft was a consideration.
> That means someone can steal your stuff, and then disable the tracker so you can't find it.
This is by design. AirTags were never marketed as an anti-theft device. They had anti-stalking features from day one which were/are at odds with anti-theft.
It was marketed as helping you find things that are lost, nothing more.
> iPhones share the location of nearby AirTags with apple. Good for the owner of those AirTags, but the owner of the iPhone may not want this.
You can turn this off. Though, doing so is bidirectional: it also prevents your phone from sending out its own Bluetooth beacons when it’s not connected to the Internet, for other phones to pick up. Which might not be what you want. But if you’re worried about privacy impact, it probably is what you want.
Also keep in mind that the protocol already minimizes privacy impact by, among other things, encrypting the location coordinates with a key Apple doesn’t have.
You're right of course, but this represents a huge shift in the way we think about our computers now, and speaking only for myself I don't think I like it.
It used to be that when you bought a computer, it was yours. It did your bidding, nobody elses. Security features it had were about keeping other people out, not keeping you out of your own device.
Now, mostly IMHO thanks to Apple, the idea has really shifted. The owner of the device is a "threat" just like anybody else is. The device protects itself against unauthorized actions from the owner, and it does what the mother company wants it to do, regardless of the owner's desires. If the owner is trying to stalk somebody, then that's a better outcome than having the stalker enabled, but we don't get to pick and choose which things the device follows it's owners desires or the mother company's. If the mother company wants you using their chosen DNS servers, or exfiltrating user data for analytics, or showing you ads (Amazon especially), that's what will happen. Now that we've made it acceptable for companies to behave like this, they are going to (ab)use it to the max. I think this is a tragedy of the commons personally. People optimizing for individual use cases at the expense of the collective, leading to disastrous results for the collective.
One can debate whether anti-theft is a worthwhile trade-off for stalking, but because it's implemented as a peer-to-peer network, the consent of the owners of the other peers is relevant.
The huge shift here is that this feature exists in the first place - it's an on-by-default peer-to-peer network that runs on almost all phones, very few people know about and almost nobody would have consented to if they understood it could be used for stalking.
Isn't this a success of the commons? Apple decided on behalf of everyone else to use THEIR phones to find YOUR missing thing. That's a win for you as the owner of the AirPod. In order to make that decision palatable to the crowd, they tried to make sure your ability to use their phones without asking had minimal opportunity for abuse (they don't want you to be able to track them with their own phone).
I've not heard that term before and can't find it, but I think I know what you mean. If it seems like I've gotten it wrong, then please let me know :-) Thanks that is a very interesting question. To some extent it may depend on perspective.
I don't think so, because this isn't the commons doing anything, it's just a dictator with all the power forcing people to make the right choices. At least in the case of government enforcement, there's (ostensibly at least) some rights you have and limits/restraints on the government, including democracy which keeps it in check against abuse.
When it's a private corporation like Apple or Amazon just making these decisions, you have little to no recourse (except maybe switch brands, but there aren't many viable options out there for most of these devices. It's not reasonable to point most people to the Pine Phone for example).
To be the opposite of Tragedy of the Commons, I would think it would need to be people self-organizing or self-regulating to prevent the tragedy. If a powerful overlord forces it, I think it's something else.
> It used to be that when you bought a computer, it was yours. It did your bidding, nobody elses. Security features it had were about keeping other people out, not keeping you out of your own device.
Yeah, but when your device can infringe on others, it's ok to curtail those features. No one has unlimited rights.
Cameras (including iPhones with cameras) are allowed to be sold, even though you can point them at someone's bedroom window and infringe on their right to privacy. That's just one example. Another example is my right to peace and quiet in the quiet area of a train. Yet iPhones will happily blast noise out of their speakers there, and I have experienced many iPhone users doing so. When can I expect the phones to ship with a volume limiter?
> but you can't point them up skirts, or walk up to their bedroom window (you have to be at the public sidewalk/street).
What? iPhones will prevent you from doing that? How?
> Cell phones already have volume limiters, too
I wonder if you've missed GP's point... Your volume limiting link looks like a feature that the user can control. That means that Apple isn't preventing iPhone users from violating other people's right to quiet in quiet areas.
What are you even talking about? There's nothing about a camera that prevents someone from putting it in a tree.
And that link about the volume limit? Come on, dude. That's a volume limit which the user can configure to protect themselves from hearing damage. Not even close to what this discussion is about. It doesn't even apply to the speaker! Completely irrelevant.
There can be legal consequences to some speech, but our voice boxes haven't been flashed with firmware that limits our ability to use certain words. This is not at all analogous to what Apple is doing with iPhones. To be the same, it would have to listen/parse everything you say and filter out the offensive parts so other people don't hear them. It would also need strong technical measures to prevent you from flashing your own voice box firmware that allows you to bypass Apple's restrictions. If you can point to an implementation like that, then you may have a point, but I'm entirely unaware of the existence of such a thing.
I don't know where you live but that isn't at all true anywhere I've lived.
I've had two reasons to need to "find" things with AirTags where I specifically didn't know where they were:
- airline bungle, so luggage was left at a transit airport.
- forgetting where something had been put down.
But the most common usage is the opposite, positive confirmation: we've just left for the airport, check if everything says "with you" once you're a few hundred meters down the road.
If the most likely reason for something to be "lost" is that it was stolen, maybe you should move somewhere with a less than apocalyptic level of petty crime.
Perhaps zarzavat just isn't prone to losing things.
Personally, I'm careful enough with my keys etc (and lucky enough) that I don't lose them - I lived for several decades before the invention of the airtag, and developed habits not to lose things.
On the other hand, bicycles getting stolen? That happens.
There's a big difference between "theft isn't a concern" and "theft is the main reason things are lost". A place where you're more likely to get your things stolen than you are to misplace them is definitely a place with above-average crime rates.
And while I don't know where you've been and what your tolerance level for "worrying about" theft is, I've never worried about theft anywhere but very touristy places in huge cities.
It sounds silly, but I understand where he's coming from. I used to live in Philadelphia. You couldn't leave your bag down on the subway without someone running off with it right before the doors closed.
Wild. a family member of mine has paranoid schizophrenia and if something isn't where she thinks it should be she immediately jumps to "it was stolen." Even if the glasses are on her head or the phone is literally in her hand, she'll declare it was stolen and get upset.
It makes me wonder if she lived in one of those places earlier in her life (before I knew her) and might be more justified than it seems... ?
I know lots of people think that when they can't find something; it doesn't mean it is schizophrenic behavior in and of itself. I remember as kids discovering that other friends of mine also jumped to that conclusion. To my knowledge, none of us then or are now schizophrenic.
Sure. I also live in a place where you can't leave your belongings unattended even for a short time without a high risk of them getting stolen. But there's a simple solution to that: don't leave your belongings unattended, ever. Everyone I know who lives where I live knows that, and the incidence -- at least among my friends -- losing things to theft is super low.
I don't think this is a good situation, mind you, but I think people in my circle still misplace things orders of magnitude more often than their stuff gets stolen.
Uhh, I don't know about that. Since getting airtags I've misplaced my car keys multiple times, left my wallet on an airplane, and had multiple airlines misplace my luggage. In that same time I've not had anything stolen.
It is when it's countering other anecdata. If anyone has actual data then by all means show it and that will trump the anecdata, but without that, anecdata is all we have.
They weren't marketed but it was implied. If you forgot, they had to patch them a while after release due to stalking concerns so that "day one" point is moot.
> To discourage what it calls “unwanted tracking,” Apple built technology into AirTags to warn potential victims, including audible alarms and messages about suspicious AirTags that pop up on iPhones. To put Apple’s personal security protections to the test, my colleague Jonathan Baran paired an AirTag with his iPhone, slipped his tag in my backpack (with my permission), and then tracked me for a week from across San Francisco Bay.
> I got multiple alerts: from the hidden AirTag and on my iPhone.
Design doesn't matter after a point - you have to meet your users on their turf. Most people were using it for other reasons - and if Apple's stance is, fine - don't buy it, then so be it.
The device, from the beginning, was not designed as an anti-theft tracker. It’s always had features that made it unsuitable for this use case. At every point Apple has made it very clear they’re not interested in meeting users on that turf.
Users can say they’re not interested in it because it doesn’t suit their needs - that’s completely fine.
Source? I just use them to find my keys and remote, didn't know it was popular to try and recover stolen property given the alerts when you're near not-your-airtag for any length of time.
Police department recommendations are often wrong, and often based on either poor information about the domain the advice is being given in or actively-promoted (by police leadership) disinformation.
Police agencies aren't systematic domain experts except in the application of force to obtain compliance, as well as not having an interest in accurate advice.
There have been news articles since practically the day of release. I tracked stolen keys to a house a few miles away, but didn't feel like risking my life for them.
There are any number of products allowing you to mount them inconspicuously.
The killer use case here, as I think most people have figured out, is figuring out where your stuff is when it's in a system you don't have visibility into. Like if UPS says it's "on the way" from NYC to LA or something, and especially if the airline isn't sure where your luggage is. It's just spectacular for that.
And of course where did I leave my keys and is my backpack in the car or at work stuff, but that's the obvious/advertised use.
> For any product, users should be free to use it for any (legal) use they see fit.
None of these companies ever agreed to be bound by that value, and aren’t under any obligation to adhere to the tenets of Hacker culture. Hackers as a group have failed to convince the public that these things matter, so as far as these businesses are concerned, they don’t.
Like, I agree, it sucks when companies restrict what I can do with a device. But when that happens I don’t talk about it like they betrayed me, I knew what I was buying and decided to buy it anyway.
> Hackers as a group have failed to convince the public that these things matter
I distinctly remember friends at Apple being surprised, in the aftermath of San Bernadino, at the backlash they received for refusing to break the encryption on the shooter’s phone for the FBI [1].
You’re free to use the purchased device. You’re not free to demand changes. It’s not like you’re unlocking functionality that should be built in. Changing this would require patching the firmware of every iPhone
The reason apple designed it this way is so that someone can know if they are being tracked. If an air tag not associated with your phone is close by for a certain period of time, then it notifies you that you are being tracked.
This is a safety feature and its been there since day one.
Every phone is already being being tracked and logged. What youre really saying is that people often tolerate some tracking if done by CIA/phone company/Apple/Google/FB. We're just playing with semantics here. Tracking is either acceptable or not. The only real solution is to go off-grid.
It's reasonable for a person to have a threat model that's more concerned about their violent narcissist ex attaching an AirTag to their car than about the CIA.
If the FBI wants to obliterate me, they can get a warrant and send goons to my house. The costs of preparing for that threat model are excessive, so I don't.
If some scumbag ad company wants to track me, they can eat shit on my adblocker and not track me. The cost of preparing for that threat model is trivial, so I do.
CIA/phone company/Apple/Google/FB/some rando are all different, independent, situations; as a reasonable adult I have decided that some of them are acceptable, some of them are not.
>> helping you find things that are lost, nothing more.
So it is now on me to know whether my object is lost or stolen? Even if I magically knew all the details, that isn't a bright line rule. One person's "lost" luggage is another's stolen electronics. Clearly, more people are using these things to track down stuff that has been taken rather than find the remote control lost somewhere in their living room.
Will apple allow people to disable the tracking of other people's iPhones too in the name of privacy? What if my wife leaves her phone in my car? Can I get tracking disabled on that phone so she cannot track my location?
> So it is now on me to know whether my object is lost or stolen?
No. AirTags let you track your objects whether they are lost or stolen. It's just that they also alert potential thieves to their presence, so any reasonably competent thief will be able to disable them.
> Clearly, more people are using these things to track down stuff that has been taken rather than find the remote control lost somewhere in their living room.
My use cases are to (a) find items that I misplaced or lost somewhere on my own. (b) track the whereabouts of luggage that got lost by an airline.
These cases are not particularly hindered by anti-stalking mechanisms.
CR2032 batteries are lithium batteries, so they do fall under the rules for "Spares" (no to checked baggage). They are permitted "In Equipment" for checked baggage. They are on the "Lithium Metal" row as one of the three example photos.
At some point, airlines were raising concerns, but the rules have changed.
When I recently pointed out to the lost luggage department at an airport that I knew for a fact that the luggage (or at least the tracker) was right at the airport, they did not appear to be surprised or concerned at all.
> That means someone can steal your stuff, and then disable the tracker so you can't find it
This has always been the case with AirTags. They've had anti-stalking notifications since day one, and disabling one is as easy as a quarter test of the case to remove the battery.
It's possible to build your own tracker atop the Find My network without these anti-stalking features. The Find My network can even be abused for low bandwidth data transfer from any point in the world with an occasionally nearby iPhone.
The biggest anti-stalking feature is that the tracker will beep when it's notified when it's moving in proximity with a phone or other device. So obviously it's trivial to create a tracker that doesn't beep.
Your phone can also refuse to send notifications about the location of a nearby tracker if it thinks it's being tracked, but if there are a bunch of other phones nearby that can relay that information there is nothing to stop them from doing so.
That’s because Apple themselves limit access to authenticated (but supposedly anonymous - aka doesn’t matter whose) Apple IDs before allowing access to the geodatabase
Not for long, since cross compatibility with android is apparently coming.
IIRC, they need you running macos to get the data via a plugin for apple mail. If you only needed an appleID, it could likely be done in a web browser.
The cross compatibility is only for anti-stalking features, and is probably implemented in such a way that you couldn't use it to implement a tracker that works in both systems.
What I don't get is why nobody seems to have done the work to reverse engineer the onboarding workflow, and why Apple doesn't allow onboarding on Mac devices. I had to buy a (used) iPhone just to onboard AirTags, despite onboarding Mac devices works without one.
If I were to do this on a certain chip and put it in a random person's car, wouldn't they get a message showing 'X found moving with you'? Or is that only implemented for AirTags themselves?
Yes, they would, it tracks all BT devices, not just Airtags.
But even with an unmodified tracker, it's quite hard to locate one in a car, because there is a lot of hiding spaces (especially if you put one in some hard-to-reach space such as under the carpet in the cabin etc...).
Using randomized or rolling addresses avoids detection to an extent, depending on how many randomized addresses one uses and how often they're rotated.
However, it's also trivial to detect randomized (or rolling) addresses due to the address being utilized for more than a single locality. Although, I'm not sure that either Apple or Google is actually doing the randomized detection even with this new patch.
Yeah, I think the point of these devices is for locating lost items, not stolen items. Trying to handle the stolen use case but not allowing nefarious tracking seems to be at odds with each other.
Depends on what you're trying to track if it's stolen. A compartment in something like a car or an eBike that allows removal only by using an actually high-security key (i.e. something that LockPickingLawyer can't pick) or power tools that would seriously compromise the structural integrity of the thing in question would be something I'd pay serious money for... but no manufacturer of anything I'm aware of has actually gone that far.
VanMoof bikes connected to the Find My network if I remember correctly. I thought you can pay for access.
But to disincentivize theft, any device would have to be built in such a way that swapping the electronics or discarding that tracking module makes the device you were protecting worthless. Lots of secure handshakes between paired components, very secure software kept up to date, etc. which sounds unrealistic in most cases.
Together with that network access fee probably makes such solutions economically infeasible today.
> But to disincentivize theft, any device would have to be built in such a way that swapping the electronics or discarding that tracking module makes the device you were protecting worthless.
Not really. It just needs to be so difficult to remove without a key that thieves physically cannot remove / disable the tag without threatening the stability of the bike, car or whatever.
Doesn't need to be perfect, all it needs to do is provide sufficient survival time against your average crackhead.
An AirTag is a lost item tracker. What I was mentioning is a stolen item tracker. Very different propositions.
You’re proposing something that may be a paradox. The only way to make something physically hard to remove is to integrate it. Locks are proven to be ineffective for this purpose. When this ideal lock is invented you will simply lock your bike with it directly and achieve the goal of theft deterrence to begin with. No need for tracking if stealing the bike destroys it.
Getting an AirTag into a mechanically locked compartment of your bike is useless. You even mentioned LPL so you know any such lock will be bypassed in a matter of seconds, maybe even less time than it takes you to put the AirTag you just bought in there. So your theoretical protection model hinges on something that doesn’t exist yet: a lock that you can easily open to put an AirTag in and service it but that nobody else can unlock.
Car or e-bike manufacturers paying for access to any “find my” network means they can heavily integrate the expensive electronics in a way that makes removing the “tracker” part truly impossible (it’s on a main controller chip) or severely devalues the object if you do (the chip/board is prohibitively expensive and impossible to find on the open market). It’s more expensive and kills self repair but reliable anti theft might be worth it to you. Think of the iPhone model here.
At the end of the day the Find My network exists to be used by different manufacturers [0]. The unpickable lock doesn’t.
> An AirTag is a lost item tracker. What I was mentioning is a stolen item tracker. Very different propositions.
There's two different types of "stolen items"... you got organized theft, stuff like people stealing cars that are then parted out in Eastern Europe [1]. And then you got stuff like people going for joyrides - this is something that can be solved by even a decently hidden AirTag.
No I get that. For cars it’s actually a lot harder because they have a lot of valuable parts that can’t be meaningfully secured.
And joy rides are the worst of all because the perpetrators aren’t around by the time you locate your car of bike. Locating it is actually the least of the worries, it’s usually crashed somewhere or thrown in the river.
But a phone, e-bike, or expensive camera, etc. are better served by integrated “Find My”. If it gets to Shenzen it’s lost anyway but otherwise removing the activation locks or location mechanism in practice will destroy the core of the device.
Locking an AirTag behind a mechanical lock cannot achieve the same. It takes a minute to pick or drill the lock and ditch the AirTag in an envelope to Shenzen. Think of LPL and what lock can prevent that. The lock is still the weakest link and if it can’t protect the bike directly, adding layers of complication directly relying on the same weak link seems pointless.
Can you please describe what scenario you imagine an airtag would be useful in tracking down a stolen item in an airport?
I ask because I'm at a loss. BLE from these little devices has ~40ft of range on a good day, and even if a mesh network were involved, I fail to see what the airtag could do that would help you recover your item. Sound an alarm? Great, the thief knows where it is now, and they can just yank it out and throw it in the trash. Give you GPS coordinates? Great, that'll really help after you find security, tell them what happened, convince them it's urgent, and explain to them what they're looking at when you show them the app. Of course that all assumes the airtag (or a nearby mesh device) has a useful GPS fix, and the thief hasn't already found the tag and thrown it in a trash can or something.
Imagine you put an AirTag somewhere deep into your suitcase, and someone malicious steals it and then drives off with it. With the current model, the thief will get notified there’s an AirTag traveling with them, and they can play a sound, find it and remove it / disable it.
Imo without these features it would be rather unlikely for a thief to find AirTags quickly or even realize it’s there.
The ~40ft range is more than enough, the global mesh network of all iPhones is the whole point of the AirTags, there’s no “gps fix”.
So we're in agreement about the technical situation at hand - rely on nearby devices' location data. This should work fine in most airports, sure.
I'm still stuck on all of the friction involved in actually using airtags as a theft recovery device. Neither the tag or Apple's service can contact police or airport security on its own, so you're spending who-knows-how-long flagging down security, explaining the situation, and waiting for them to relay that message back to an appropriate authority who will go find the thief.
Alternatively, you skip the "talk to security" part entirely and go find the thief yourself (assuming you're comfortable with that sort of confrontation). You're still dealing with a moving target - one that can very easily leave the airport entirely, forcing you to choose between sacrificing your bag and potentially missing your flight, a cab, etc.
You also run into a proliferation issue. The more popular airtags become as a theft-recovery device, the more thieves will know to look for them and remove them from stolen items.
Google Maps generally shows my location inside of airport terminals pretty accurately, so it stands to reason that the network of iPhones in a terminal could plot a tracker's position pretty well. If someone has your bag and you know which direction they're moving, you could possibly catch up and get close enough to either spot it or (assuming you have an iPhone 11+) get a Ultra Wide Band fix to finish pinpointing it.
Bury the tracker somewhere too inconvenient to locate and remove quickly, and they'll count on not removing it until later (or they'll just ditch it once it starts beeping).
> Most people and myself included were sticking these cheap tags on everything we own, and it was genuinely useful during travel or in scenarios where theft was a consideration.
Yep. That ruins half the value of AirTags. It's a limitation that their competitors, like Tile, didn't have until very recently.
Every time this comes up, someone butts in with "they're for lost items, not stolen ones!", which is technically accurate but pedantic beyond reason. "Stolen" is a special case of "lost" for most people. In both cases the object is out of the owner's possession. "Stolen" just means it's deliberately missing and not accidentally so.
I understand, sympathize, and support the idea of making life harder for would-be stalkers. My gut instinct says non-notifying AirTags would make life harder for many more thieves than the self-tattling AirTags does stalkers. Apple and Google agree with each other that inconveniencing those losers outweighs abetting thieves. That's their decision to make. I'd still be irritated if I couldn't find my lost-with-the-help-of-a-thief bike because my AirTag told the thief I was looking for it.
I think the idea is that thieves that have already been successful at removing the item from your possession are much less of a threat to your life than someone who is actively tracking where you are. It's a debate worth having, which one should be the priority, but I can appreciate the logic of doing it this way.
I can, too. I can also think of counterexamples: if a person is broke, they use their bike to get to work, and someone steels it, that's going to give them a very, very bad week. There's some hard calculus there I'm glad I'm not in charge of. Blocking 1 stalker is clearly more important than blocking one sunglasses thief. I suspect that blocking 1,000 bike thieves would have a bigger societal benefit than blocking 1 stalker.
These are hard questions. I can appreciate the challenges. And yet I'd still be highly peeved if I could my AirTag laying on the ground because it alerted a thief who then removed and discarded it.
Stalking is way more common than successfully recovering items with a tracker like this. It’s usually a bad idea to even try. I followed a tracker into someone’s yard only to discover that the thief had thrown the tracker over the fence and I was just trespassing.
Even if the tracker didn’t alert the thief, how hard is it for a thief to find a tracker on the bike on their own? I don’t think an AirTag is going to save too many bicycles.
Seems like the calculus would only make sense when you are talking about big expensive items - cars, boats, RVs. But for those you probably want a non-bluetooth solution.
The bikes getting stolen here are people's "cars". Electric cargo bikes with room for two children is what people use to get around. Getting that stolen ruins daily logistics for people. They cost up to $10k, which is a significant amount of money. People should really rethink the societal cost of bike thieving, they are both more expensive and more integral in how people move around. Not just children's toys.
I only want AirTags or similar to guard against thieves. So if that is not going to work it's quite useless for me. Luckily for bikes, there is https://bikefinder.com/
So I've got the tools to cut that thick bike chain but I somehow can't pull device inside the handlebars out or destroy it? It looks like their special tool is just a star security bit.
And also, would it really hold up to just being cut with whatever tools the thief used to cut your bike chain?
I think we can agree that victims of domestic abuse and stalking have a risk of physical harm and that physical harm trumps property rights / being peeved right?
This is a 0-sum choice & erring on the side of not letting this product be used for stalking seems like a sane choice. There are stalking products you can go buy that are more expensive that can give you the theft protection you want. Apple's and Google's monitoring network is unfathomably large and can passively monitor any device anywhere in the world. The threat vectors they have to balance against abuse is completely different.
You say that right after I give an example of where property crimes can seriously mess up someone’s life. Yes, 1 person’s personal safety is more important than 1 person losing a convenience item. If it were a choice between 1 person’s safety and 1,000,000 persons’ transportation, I’d pick the latter every time.
The choice Apple faced clearly isn’t 1 stalking victim against 1,000,000 people unable to get to work. I use that example to show that it’s not as simple as “safety vs annoyance”. Apple and Google ran the numbers and erred on the side of safety. That doesn’t make it an automatic or simple choice.
Think about it this way - without AirTags and with AirTags + anti-stalking, your bike theft scenario is unchanged. Without airtags and with AirTags without anti-stalking, your personal safety scenario is worse. Those are the discussions I remember when I worked on CoreLocation at Apple. It had nothing to do with running the numbers, at least pre-development. I would be slightly surprised if someone tried to put numbers to that - Apple is pretty values-based when it comes to those kinds of decisions.
The stalking issues go well beyond personal safety. Police officers, judges, politicians and cops who now have to worry about someone chucking a $25 airtag in their car which is much easier to do innocuously and those people have power to craft regulations and laws. Abortion rights are even more contentious now & stalking comes up there.
There just isn't a scenario where opting in the entire world-wide smartphone community into enabling mass stalking at a never before price point is a net positive - there just aren't enough poor people with stolen bikes to shift that equation. There's a reason AirTags destroyed Tile - Tile's network is laughably small & would always be that way compared with the reach you get at the OS level. That drastically shifts the threat model.
We'll never know. The personal safety issues are important and I'd never argue otherwise. Having cheap, effective crime deterrence seems like it could be a nice thing if you could wave a magic wand and remove the stalking angle. Apple keeps adding features to those ends, like the new Stolen Device Protection updates, that shift the risk-reward math for device thieves. I could still buy a cheap used phone and stick a SIM in it, hide it in a victim's car, and use that to track them without alerting them to it. And still, we get nice tools like Find My because more people are likely to lose their phone or have it stolen than to stalk their exes with it.
I understand the personal safety issues. They're important. I get it. That doesn't stop part of me from wishing I could use these cheap, convenient lost item devices to help me track down stuff that wasn't exactly accidentally lost.
Buying an old phone or watch and using FindMy is a compelling counter argument. The problem is that the cost of that is meaningfully higher - it’s a $25 one time purchase vs ~$50-100 + a recurring ~$30/month. The size of the device is another one - the phone or watch is substantially bigger than an AirTag (or how small an AirTag could become over time). Finally, a phone or watch has a much shorter battery life to support tracking. You could trade off accuracy for a much longer battery life, but you’re still capped to maybe a couple of days or even a week if you really know what you’re doing. That’s compared with ~1 year of unattended AirTag use.
As for crime prevention, I think you’re overestimating how much of a benefit that would have. Stolen device protections remove the value from the stolen device. That’s not the case for your stolen bike - thieves don’t actually care if you can track the device because a) knowing where your stolen property is doesn’t actually aide in it getting recovered b) as long as they can move the stolen product along quickly enough the information becomes too stale to action on it (remember - police usually need a search warrant). My cousin’s car got stolen with AirTags in it but he got lucky in that the police did something about it - plenty of news stories of AirTags in cars with people trying to get the police to do something and the police not being able to for a variety of reasons. And that’s cars which are orders of magnitude more expensive than bikes that police won’t bother with. Look up VanMoof theft stories to convince yourself that tracking is useless: https://www.reddit.com/r/vanmoofbicycle/comments/zbexyr/upda...
Smart watches are not meaningfully larger than airtags if you take the wristband off, and a cheap prepaid plan for $5 or $10 would be more than sufficient. You also don't need FindMy because the cell network itself can triangulate.
There is a genuine need for anti-theft technology. Apple doesn't have to address that market, likely because they're afraid of brand damage, but stalkers already have plenty of options available.
As I said, the battery model is drastically different for active trackers. 7 days of surreptitious monitoring vs 1 year changes the risk profile of noticing these trackers / how many you can have before the logistics of recharging all of them wears on you. And if you’re unlikely to recharge each of these every single day, your protection drops on average to 3.5 days.
It’s not just brand damage - passive tracking using every single smartphone opted into the tracking vs active tracking where you have to expend more battery AND pay for an ongoing cellular connection each month is a tangibly different use-case with different threat models.
I'm assuming you're waiting until the end of the 7 day battery life to recharge it (e.g. you recharge every Sunday) and I'm assuming the probability of a theft is uniformly random throughout the week. Thus, on average, you'd expect stolen devices to only have half the battery left because there's equally many stolen on the first day (7 days of battery left) as on the last day (0 days), equally many stolen on the second day (6 days left) vs penultimate day (1 day left) etc etc. At scale, that would average out to stolen property having attached devices having half the advertised battery life.
You can argue that you'd be more dilligent about recharging but I'd counter that at scale you'd be the outlier. On average I'd actually expect an average battery life when stolen closer to 0 because people wouldn't be diligently recharging them & reattaching them (i.e. either the battery life would be 0 or the device wouldn't be attached to the desired property).
I don't think people would only charge when the battery runs out. More likely people would charge weekly, say on a weekend night or during their weekly WFH day or something like that.
A 14-day battery life would then mean an average of 10.5 days of protection, which isn't too bad.
> You can argue that you'd be more dilligent about recharging but I'd counter that at scale you'd be the outlier.
I don't know about this. For bicycle users, charging their rechargeable headlights and taillights regularly (typically once weekly) is very much a habit already. This is just another thing to charge at the same time, which is a time they aren't riding their bicycle.
Thanks for sharing your experience at Apple. It's really valuable to understand exactly how decisions are made at big tech companies, especially for sensitive issues like this.
That said, I'm saddened that the approach seems shortsighted, since it doesn't sound like it considered a holistic picture, but rather was based on a specific value judgement. This seems to put other issues, like the whiplash around the approach to CSAM into perspective.
That isn‘t enough reason to make these things useless. A knife can be used to kill someone and to cut meat. And we still haven’t removed the sharp edge, have we?
There is a big liability issue for these companies if they say its for tracking stolen items. Anecdotally according to reddit threads, police don't care if you have the tracker showing its at the thiefs house, thats not enough evidence to do anything and its not an active crime with people in danger worth being prompt about. law enforcement also don't want you to confront the thief due to the risk of that situation escalating. If these companies start advertising for stolen items they are effectively encouraging vigilanteism and you can imagine how much of a legal headache that will be as soon as the first airtag user is shot dead.
Airtag pinging a location that may not even be accurate is not a reasonable cause for search nor even enough information to know where to search in some cases. Imagine the airtag says it is in an apartment complex. Which of the hundreds of units in that building do you decide to barge through and search? All you have is a 2d map and 35ft resolution on a good day.
Not sure what I'm missing here, as Airtags have long worked like this - that as long as you had an iPhone or an Android phone with the anti-tracking app installed, you'd be notified of being stalked.
So if your bike thief had an iPhone, they'd be able to find the tag anyway?
AFAIK the only major difference is that it's now being baked into the Android OS so people don't need to actively download the app.
Yes, I think the PR backlash for such features is too great that it spoils them for the rest of us.
When people "misuse" any technology, it seems the consensus nowadays is that the responsibility is shared between the technology creator/owner and law enforcement. Personally, I'm not fully sold as this is mainly a sociopolitical question.
It would 100% be used for stalking & be directly contributing to easier violence against victims. Not sure I buy the argument it's purely because of image PR reasons vs there being a genuine well-founded harm-minimization strategy for why it's designed this way.
You can call anything you do as a "genuine well-founded harm-minimization strategy", but nobody is out there banning knives and gardening shears and shovels and baseball bats and other tools that can contribute towards "easier violence" because of the cost to society. You either have an absolutist/ideological view on this, or you're willing to compromise. Ultimately its a matter of perception, and then too, some people are easier to convince than others.
I really don't understand your argument here. No one is banning you from building stalking devices. Apple and Google have chosen by themselves not to do that & are working to standardize their particular implementation (which you can also see in this thread there's a lot of support for). That's very different from banning knives and gardening shears.
And I think you are taking a very US-centric view. For example, switchblades & similar quick-open knives aren't legal in many jurisdictions. So yes, many countries recognize that tools have a trade-off and are willing to legislate their usage depending on problems being observed.
It's very rare to find a true absolutist on any idealogy unless they're completely blinded - it's just that they draw the line further away than someone else / need a stronger argument to convince them. For example, I'm going to guess that you're not in favor of laissez faire with respect to nuclear weapons & tech - cause that shit is actually really easy and cheap to build these days & the sole difficulty is the regulations that surround it.
>I really don't understand your argument here. No one is banning you from building stalking devices
I use airtags to not just locate lost stuff, but also as a potential means to find stuff when stolen. Its not about me wanting a way to stalk someone, what a bizarre thing to say!
>It's very rare to find a true absolutist on any idealogy unless they're completely blinded - it's just that they draw the line further away than someone else / need a stronger argument to convince them.
Oh, I'm not a libertarian, I'm firmly pro-government. I'm just not pro-nanny state. I'm willing to compromise if the other side is too. However am I not allowed to complain, even a little?
> Its not about me wanting a way to stalk someone, what a bizarre thing to say!
Please describe how what you’re asking for is different than stalking the people who stole your stuff? More importantly, how would Apple/Google know how to differentiate between the two use-cases?
> However am I not allowed to complain, even a little?
You can always complain but your complaint is pretty non-sensical because this is private corporations making a decision and government isn’t involved, so it’s unclear how this is a nanny state. Go build your own tracker that meets your specifications?
And yet tiles have been out for something like a decade and I've never seen a news story about them being used for stalking.
100% indeed...
Stop your screeching that is feeding the asinine moral panic that has resulted in these things becoming worthless for tracking packages and stolen items.
1. You need to go compare the reach of how good Tile’s tracking is vs literally nearly every smartphone being opted-in transparently into tracking these tags. This is drastically different.
2. Tile is a smaller target, so “I’ve never seen a news story” just means the reach of any such story is smaller.
3. Maybe Tile already has similar protections? It’s against their TOS [1]
4. Tile has been sued for stalking [2]
5. Tile is offering an anti-theft feature provided you have to use biometrics & give them a government ID and you have to agree that they’ll sue you if you use it for stalking [3]. So Tile too is clearly concerned about the stalking problem, they’re already being sued around it, & they’re a drastically smaller target than Apple and Google (no one is going to craft legislation around what Tile is doing). Apple is 3x the size of Tile by itself.
You can disregard it as moral panic but how would you distinguish that from a genuine concern of the potential for an abuse for a technology? Strict liability isn’t popular these days but it has ebbed and flowed as a doctrine. Failure to try to try to do a good faith attempt to prevent this problem would certainly land Apple and Google into hot water when a case of stalking inevitably happens using these devices.
3. Tile doesn't (or at least didn't as of when I replaced my last one with an AirTag). I don't put much weight in the TOS bit; I'm sure it's against Apple's, too.
5. If Apple launched an AirTag Pro at twice the price with these controls but otherwise identical hardware, I'd be all over it. They're leaving money on the table.
So which is it? Is it unjustified moral panic with 0 evidence of harm & Tile isn't doing anything or are you just upset that these big companies aren't building the product you want to buy?
With 5 you're now shifting goal posts by introducing a non-sequiter to my point 5. I've clearly highlighted that Apple always balances money-making opportunities against their values around privacy & public safety. No one is forcing you to buy this product. You should also fully expect to see Tile utilize this standard so that they can leverage the reach of having every smartphone in the world scanning for these instead of just other Tile customers.
I think you're right. I get the push toward that consensus. There are plenty of makers (cough cough Purdue Pharmaceuticals) who make awful, abusable things and then say, hey, it's not our fault people are misusing them! It still sucks getting caught in the middle.
Thinking system-wide changes through is what public policy is all about, and the same should probably be true of shipping devices in the tens of millions.
(That doesn’t mean it’s easy. Doing pilot studies is a good idea.)
It's a fundamental tradeoff. And who's affected in each case?
The anti-stalking bias degrades the product for people who've bought an AirTag and become victims of theft. It's a limited population. People are unaffected by default.
The anti-theft bias means everybody is a potential victim of stalking. If I have no interest in AirTags, anybody else can still tape one to the bottom of my car and track me wherever I go. Everybody is potentially affected.
Even if theft is far more common than stalking, an anti-theft bias would be a tough position for Apple to defend if it means they're potentially facilitating stalking for the entire population. It may not be ideal, but I can understand it.
You also have the situation where if air tags did not have the anti-stalking features, there would be far more stalkers in the world. I'm sure there's many people who would not buy a GPS logger and connected to someone's car, but they might "forget" an airtag in someone's car, were it not for the anti-stalking alerts.
I suspect if Apple went the Anti-Theft route, thieves would not stop thieving, they would just start searching large stolen items for air tags before bringing it to wherever they may.
I believe you’ll find that tracking your stolen items is just a recipe for frustration when you tell the police where your shit is and they act like you’re the asshole when you expect them to do anything about it.
(And no, this isn’t connected to current politics—I’ve not known cops to care about tracking down stolen good no matter how much evidence you can hand them, since at least the 90s)
This so much. Confronting thieves is always a bad idea. I prefer to view it in a positive light. The thief probably needed the stolen item more than I did. The thief is happy, I am happy for the thief. The overall happiness in the world has increased!
> inconveniencing those losers outweighs abetting thieves
This feels incredibly minimizing for people who have been stalked. Or people fleeing domestic abuse, human trafficking, or other forms of abuse where controlling a person’s movement is a large part of the harm being inflicted.
Stalking covers a wide range of activity that impacts people who are usually in a vulnerable or dangerous situation. The people who would use tags to track people aren’t just “losers”, they’re pimps, rapists, murderers, abusive spouses, and so many other awful things.
Inconveniencing them far outweighs someone stealing your luggage.
They are already pretty worthless as far as air travel goes in my experience. Airtag indicated my bag was on the tarmac at the first airport pretty much until it dropped in front of me in the baggage carriage at the last airport. Effectively it gives me zero information I didn't have already from the old analog method of using ones eyes and following up with airline staff.
Their utility is directly tied to how many Apple devices with gps and data are in close proximity to them.
I get significantly better responsiveness from them at an Australian airport or Singapore airport than I do at Bangkok airport. That doesn't mean they don't work, it just means it's unrealistic to expect minimum wage baggage handlers in Thailand to have an iPhone in their pocket.
What about baggage handlers at two major US hubs where this bag flew? Plus presumably an entire plane of iphones and that plane is certainly not a faraday cage.
Its crazy, but sometimes people have non-Apple devices. There's a decent chance none of the baggage handlers had an Apple device on them when they were handling the bag, or they were only around the bag so briefly it was between the airtag's chirps.
There's a good bit of separation between the cabin and the cargo hold. I imagine it could be pretty difficult to get a read from a low power tag deep in a bag in a pile of other luggage with several other big metal plates between.
That was a case where Lufthansa was confused about the difference between (volatile) Li-ion rechargeable batteries and the (benign) Lithium single-use coin cells in the AirTags. They retracted their stance on them after a day or so. It was a fire hazard thing, not a "we don't want you tracking items" thing.
Lufthanasa, like other airlines, was pissed that customers were routinely catching their employees claiming their luggage was "lost" when it was sometimes even sitting a few dozen feet from the person who was claiming the luggage was lost, so they made up some obvious nonsense about them being hazardous.
Unless you think a huge, high-end airline "got confused"? It wouldn't have been against regs even if ti was a lithium ion battery because it's so tiny. What do you think they do about the millions of electric toothbrushes and shavers people travel with that have much larger lithium ion batteries?
They retracted it because it ended up causing a Striesand Effect, putting a lot of sunlight on how airlines do a very brisk business selling "lost" luggage.
> Unless you think a huge, high-end airline "got confused"?
Having dealt with battery regulations with airlines, couriers and postal services many times, yes, yes I do. They routinely fuck it up, even claiming that AA Alkaline batteries are too dangerous to ship.
> They retracted it because it ended up causing a Striesand Effect, putting a lot of sunlight on how airlines do a very brisk business selling "lost" luggage.
... and lots of cases of "lost" luggage being due to the fact that decades after implementing paper tags, neither airlines nor bag/trolley manufacturers have gotten their asses together and worked on a standardized way to reduce instances of tags simply getting ripped off during handling.
Like, it wouldn't even be that hard. Place a long, wide recess maybe 2mm deep along the entire trolley, where the tag can be stuck in and is guarded that way against conveyor belts or other bags ripping off the tag.
And maybe invent a system where you have to scan your boarding pass and the tag barcode to leave the baggage claim area to reduce the amount of cases where people have taken the wrong bag.
Aren't there third-party devices like Tile that you could use? Sure, it can't be tracked by every iOS and Android device, but it's not like there aren't trackers that you and your wife could both use.
CEO of Tile/Life360 here - I made a meta comment but I'll call out that because all Life360 users now scan for Tiles, and we are on 1 in 8 phones in the US, our network is actually huge. The small network thing is a misperception. We bought Tile knowing we could supercharge their previously small network.
I was in the location data space. These guys got out completely. It was a big loss to the industry since they had great coverage. They definitely weren’t lying about that.
I'm a Tile owner (soon to be ex-owner), and I think your response is a little disingenuous. When Google announced recently they'd open up their Find My Device network to bluetooth trackers, I assumed for sure Tile would be on board. I was dismayed to discover Tile specifically has no plans to join the Android Find My Device network, unlike Chipolo and Pebblebee. So I switched to Pebblebee.
The Life360 network may be sizable but it's going to me nowhere close to the iOS or Android networks, and it's going to get a lot smaller with folks like me leaving. If Tile supported the Android Find My Device network I would have stayed.
I disagree. There's a clear disclaimer of who they are, and they're responding to a specific criticism.
Their comment at the top level also has that disclaimer and while it's written in a bit of a marketing tone, it adds substantive value to the discussion.
One major value of HN is that we get people who are actively involved in building various pieces of technology directly engaging with the community. When there's a strong disclosure of who they are, that's almost always a good thing. (Of course, some organisations don't encourage that disclosure and that's a little more ambiguous).
I think it's pretty fair to make this clarification and I don't fault a company for wanting to squash misinformation about their product. I found it to be a useful comment because I had no sense of the scale of the Tile network, and I did have an intuition that it was much smaller.
I have zero affiliation with Tile and I have never bought any device like this of any sort, but this is useful information to me as someone who has been the target of frequent bicycle theft.
The criticism I will agree with is that it does feel worded a with a bit of a corporate polished tone that does give that vibe. edit: I think it's largely the "supercharge" descriptor.
Like @RobertRies, I found this comment useful. I've never bought a Tile but now that I know they have this much penetration I'm somewhat more likely to. I also had not seen the other posts by GP, so don't find it redundant.
These trackers work by connecting to nearby phones, with the phone supplying GPS information and uploading it via its cell connection. So a Tile tracker will only get its location updated if someone with the Tile app is nearby, and since Tile users are relatively rare the tracking is only reliable in very busy places.
Apple and now Google trackers on the other hand build this functionality into the OS (or Google's near-OS bundle for Android), so if basically any phone comes within range of the tracker it will provide a location update.
> How does the tracking network size affect functionality?
Ability to actually find lost items. AirTags are so successful (in the US) because of the ubiquity of iPhones which are, effectively, constantly reporting on the location of detected devices. A smaller network of listening/reporting devices will not be as effective unless it happens to be very popular right in the area the device was lost.
The devices don't have any GPS. Instead, they have a unique ID that phones see, and report their location to Apple/Google/Tile. If the network is bigger/denser, then your devices is more likely to be detected, and detected more often.
Tile is essentially useless, especially compared to airtags, annoyingly.
I had a tile, however I fianlly got rid of it when I was unable to locate my keys in my house. It sent me on a wild goose chase saying that it had been last seen near my bins.
I was in the same room as them for the first 15 minute of it beaconing.
Airtags seem to acutally work reliably, and because you don't need the app running, has a good network to find them outside of my house
