DEA Using AirTags to Track Packages (and Drug Manufacturers)

It was recently reported in Forbes that the U.S. Drug Enforcement Administration (DEA) was using Apple’s AirTags to help track drug manufacturers. According to the March 23 article by Thomas Brewster,

“[B]order agents intercepted two packages from Shanghai, China. Inside one was a pill press, a machine used to compress powders into tablets; in the other, some pill dyes. Believing that they were destined for an illegal narcotics manufacturer, the Drug Enforcement Agency was called in. DEA investigators inspected the devices but rather than cancel the shipment or pay a visit to the intended recipient, they tried something they’d never been known to try before: they hid an Apple AirTag inside the pill press so they could track its movements.”

The article indicated that the DEA obtained a warrant permitting them to slip the quarter-sized device into the package and—presumably—to track it.

Most of the legal debate in the area of location tracking has centered around the question of whether or not judicial approval—in the form of a warrant—was necessary in order to track someone’s—or something’s—movement. In 1983, in a case called United States v. Knotts, the U.S. Supreme Court ruled that no warrant was necessary to permit DEA agents to drop a tracking device into a bottle of “precursor chemicals”—chemicals used to make unlawful narcotics—and then to track that beeper. In Knotts, the beeper was a short-range radio device that permitted DEA agents to follow the bottle from their car using a radio receiver. Because the beeper merely enhanced the agents’ ability to do what they could do otherwise (follow a car) for which they did not need a warrant, the court opined that no warrant was necessary to put the beeper in the bottle or to track it.

Fast forward to 2012, and federal agents put a GPS device (a large one with a battery) concealed under the bumper of a suspect’s car and tracked the movements of that car for about six months. In that case, United States v. Jones, the Supreme Court ruled that a warrant was necessary to install the device on the suspects’ car since the act of installing the device was trespassory in nature and invaded the subjects’ property rights.

Taking these cases together, it is likely (but not inevitable) that a court would rule that a warrant would be necessary to install the AirTag. The question is whether the AirTag is closer to the beeper in Knotts or the GPS transmitter in Jones. It’s a floor wax and a dessert topping.

But in the case of the AirTag and the DEA, it appears that the DEA did get a warrant. Good for them.

But (and there’s always a ‘but’) does this put the lie to Apple’s argument that the AirTags are safe from use by stalkers and creeps who want to slip them into unsuspecting womens’ purses and backpacks to cyberstalk them? If the DEA can defeat Apple’s “DANGER, WILL ROBINSON! YOU ARE BEING TRACKED” warning system, then can’t your average cyberstalker do the same?

The short answer is probably yes. Apple’s warning about cyberstalking consists of alerting a person (well, a person with an Apple device like an iPhone, iPad or similar) that “an AirTag is traveling with you.” Apple will also send an audible “beep” to the AirTag to tell the subject where the offending surveillance device can be located. Now, the beep can be easily defeated with a pair of needle-nosed pliers. Snip, snip and the speaker is “disconnected.”

So, one of a few scenarios is possible with respect to the DEA and the AirTag. First, the DEA found a workaround to prevent the “an AirTag is traveling with you” warning from being sent, received or noticed. Second, the warrant from the court authorizing the installation of the AirTag also directed Apple to disable the warning. Third, that the DEA knew that these particular drug dealers were Android users and that the Apple alerts would not work (but then, neither would the AirTag—as they have to ping some Apple device). Finally, the DEA might have figured out what everyone else knows: Nobody actually listens to these pings and warnings. Users have been desensitized to alerts.

Hard to know what happened here. Suffice it to say that the next generation of government surveillance devices won’t be coming from a secret lab in Langley, Virginia, or be developed by some secret codenamed MI6 agent (I think the term “Q” may be passé.) Rather, the next generation of government surveillance will come from Apple, Amazon, Google or Meta—and will be “consumer friendly.” And it will be delivered to your house in 24 hours or less!

Avatar photo

Mark Rasch

Mark Rasch is a lawyer and computer security and privacy expert in Bethesda, Maryland. where he helps develop strategy and messaging for the Information Security team. Rasch’s career spans more than 35 years of corporate and government cybersecurity, computer privacy, regulatory compliance, computer forensics and incident response. He is trained as a lawyer and was the Chief Security Evangelist for Verizon Enterprise Solutions (VES). He is recognized author of numerous security- and privacy-related articles. Prior to joining Verizon, he taught courses in cybersecurity, law, policy and technology at various colleges and Universities including the University of Maryland, George Mason University, Georgetown University, and the American University School of law and was active with the American Bar Association’s Privacy and Cybersecurity Committees and the Computers, Freedom and Privacy Conference. Rasch had worked as cyberlaw editor for, as Chief Privacy Officer for SAIC, and as Director or Managing Director at various information security consulting companies, including CSC, FTI Consulting, Solutionary, Predictive Systems, and Global Integrity Corp. Earlier in his career, Rasch was with the U.S. Department of Justice where he led the department’s efforts to investigate and prosecute cyber and high-technology crime, starting the computer crime unit within the Criminal Division’s Fraud Section, efforts which eventually led to the creation of the Computer Crime and Intellectual Property Section of the Criminal Division. He was responsible for various high-profile computer crime prosecutions, including Kevin Mitnick, Kevin Poulsen and Robert Tappan Morris. Prior to joining Verizon, Mark was a frequent commentator in the media on issues related to information security, appearing on BBC, CBC, Fox News, CNN, NBC News, ABC News, the New York Times, the Wall Street Journal and many other outlets.

mark has 203 posts and counting.See all posts by mark