F

AirTag

Fail
Apple · 🇺🇸 United States · Bluetooth
Technical details
Manufacturer: Apple

⚠️ The bottom line

Lauren Hughes and dozens of other women went to court to tell Apple what it already knew: a $29 device small enough to slip into a purse had become the stalker's tool of choice. The class action survived Apple's attempt to throw it out. The judge said if the product's design caused the harm, Apple has to prove its benefits outweigh the risk of enabling round-the-clock surveillance of domestic violence victims. Apple still hasn't settled. Apple launched AirTag in April 2021 knowing nearly three-quarters of the world's smartphone users had zero way to detect one hidden in their bag. For two full years, every Android user was invisible to Apple's "safeguards." A woman with an Android phone being stalked would hear nothing, see nothing — unless the AirTag's speaker chirped after three days, which stalkers quickly learned to disable by ripping out the speaker. Apple called this "privacy by design."

Legal jurisdiction
🇺🇸 United States (headquarters)
CLOUD Act
US govt can demand your data from this company even if stored overseas
FISA §702 / PRISM
NSA collects stored emails, photos, messages without individual warrants
Geofence warrants
Police can demand location data for everyone near a crime scene
Spying
3/4 HIGH
Is someone spying on me?
Data Sharing
2/4 MODERATE
Who gets my data?
Kids at risk
Security
0/4 N/A
Is it actually secure?
Honesty
2/4 MODERATE
Can I trust what they say?
CONFIGURE: High-risk areas that can be partially mitigated with settings changes.
5 Contradictions
2 Critical
2 High
1 Medium
6 Sources
Findings by concern
Spying 3/4 HIGH 2 findings
⚠️ critical · policy claims vs regulatory findings
Lauren Hughes and dozens of other women went to court to tell Apple what it already knew: a $29 device small enough to slip into a purse had become the stalker's tool of choice. The class action survived Apple's attempt to throw it out. The judge said if the product's design caused the harm, Apple has to prove its benefits outweigh the risk of enabling round-the-clock surveillance of domestic violence victims. Apple still hasn't settled.

What they claim: Apple markets AirTag with built-in anti-stalking protections including alerts and sound notifications.

What we found: The class action Hughes v. Apple (Case 3:22-cv-07668) survived Apple's motion to dismiss, representing dozens of stalking victims. The suit alleges AirTags revolutionized stalking due to their $29 price, tiny size, and precision accuracy.

⚡ high · policy claims vs firmware analysis
Every iPhone in the world is conscripted into Apple's tracking network whether its owner knows it or not. Your phone silently relays the location of every AirTag it passes — there's no opt-out. Researchers at TU Darmstadt proved the network could be hijacked to transmit any data, turning a billion phones into a global surveillance mesh. You didn't sign up for this. You weren't asked. Your phone is doing it right now.

What they claim: AirTag works through the Find My network where devices anonymously relay locations.

What we found: Over a billion Apple devices relay AirTag locations with no opt-out. Researchers at TU Darmstadt demonstrated the network could transmit arbitrary data, turning every nearby iPhone into an unwitting surveillance relay.

Data Sharing 2/4 MODERATE 2 findings
⚡ high · policy claims vs regulatory findings
The same feature that helps you find keys in a couch cushion helps a stalker find their victim in a parking lot — down to the centimeter. Police saw tracking-device reports explode after AirTag launched. London's Metropolitan Police logged a 70% increase. Domestic violence shelters started teaching women how to sweep their cars for tiny white discs. Apple built the world's most precise consumer tracking network and acted surprised when abusers used it for precisely that.

What they claim: AirTag's Precision Finding uses UWB to help locate items with directional guidance.

What we found: Police departments reported a surge in AirTag stalking. London Metropolitan Police documented a 70% increase in tracking device reports in 2022. DV organizations reported clients finding AirTags in cars, children's backpacks, and personal belongings. Precision Finding gives stalkers centimeter-level accuracy.

⚫ medium · policy claims vs regulatory findings
Apple's answer to stalking: every AirTag is tied to an Apple ID, so police can subpoena it. In practice, stalkers buy an AirTag for $29 cash, create a throwaway Apple ID with a burner email in two minutes, and they're invisible. By the time a detective gets a subpoena and waits weeks for Apple's response, it leads to a dead ProtonMail address. The safety measure supposed to catch stalkers catches almost nobody.

What they claim: Apple requires that each AirTag be linked to an Apple ID, enabling law enforcement to identify stalkers.

What we found: Stalkers purchase AirTags with cash and register them with burner Apple IDs using disposable emails. By the time law enforcement obtains a subpoena and Apple responds, the stalker has disposed of the Apple ID. The safety measure catches almost nobody.

Honesty 2/4 MODERATE 1 finding
⚠️ critical · policy claims vs app permissions
Apple launched AirTag in April 2021 knowing nearly three-quarters of the world's smartphone users had zero way to detect one hidden in their bag. For two full years, every Android user was invisible to Apple's "safeguards." A woman with an Android phone being stalked would hear nothing, see nothing — unless the AirTag's speaker chirped after three days, which stalkers quickly learned to disable by ripping out the speaker. Apple called this "privacy by design."

What they claim: AirTag includes safeguards to alert people if an unknown AirTag is traveling with them.

What we found: For nearly two years after the April 2021 launch, Android users — 72% of global smartphones — had zero detection capability. Apple didn't release an Android app until December 2022, and it required manual scanning. Automatic cross-platform detection didn't arrive until May 2024, three years after launch.

What happened to real people
Documented incidents involving Apple products and user data.
PRISM participant since 2012. Apple dropped full iCloud E2EE plans (codenamed Plesio/KeyDrop) after FBI objections (Reuters 2020). Advanced Data Protection released 2022 as opt-in with deliberate friction. [source]
Apple handed over iCloud backups in 1,568 cases covering ~6,000 accounts. 90% compliance rate. Surveillance firm: 'If you did something bad, I bet I could find it on that backup.' [source]
Government requests for push notification metadata rose from 158 (H1 2023) to 277 (H1 2024). Push tokens can identify devices and link to accounts. [source]
What your data is worth to governments
Apple complied with 12,043 government data requests in H1 2024. That's +621% over 10 years. Apple has been a confirmed PRISM participant since 2012. Under this programme, the NSA collects stored communications. The company is legally prohibited from telling you. Jurisdiction: US (CLOUD Act, FISA Section 702).
Sources