When you update an iPhone or iPad to Apple’s iOS 13, you might notice a lot of apps asking for Bluetooth access without clearly explaining why.
This might seem like an annoyance, but it’s actually a new feature whose purpose is to protect your privacy. Prior to iOS 13, apps could use Bluetooth to collect detailed location data from users without explicit permission, using tracking beacons in retail stores and other public locations. Even if users had denied an app access their location data, Bluetooth could have provided a workaround.
At Apple’s Worldwide Developers Conference in June, senior vice president of software engineering Craig Federighi referred to this kind of tracking as “abuse,” and said Apple was “shutting the door” on it. In iOS 13, any use of Bluetooth that doesn’t involve transmitting audio will require a permission prompt, similar to the ones that already appear when app wants to access cameras, microphones, and location.
But while the goal of shutting down sneaky location tracking is noble, the new Bluetooth permission could also cause confusion when iOS 13 launches this fall. While trying the public beta version of the new software, I’ve had dozens of popular apps ask for Bluetooth access, raising the possibility of previously-undisclosed data collection. But when I contacted the app makers in question, most of them insisted that they’re using Bluetooth for benign purposes. Without clearer disclosures from Apple and app makers, the privacy benefits of blocking Bluetooth in iOS 13 might be lost upon users.
How apps use Bluetooth to track you
Patrick Jackson, the chief technology officer for the anti-tracking app Disconnect, says Bluetooth tracking often comes into play at retail stores. By setting up beacons that passively sniff out nearby Bluetooth devices, retailers can tell exactly where shoppers are inside a store based on the beacons’ proximity to users’ smartphones.
These kinds of beacons aren’t always used to spy on you. Target, for instance, says it uses beacons to help shoppers navigate through its stores and locate items using the retailer’s mobile app, and Macy’s has used beacons to tell app users about promotions and contests when they visit a store. Apple itself uses beacons to let you pay for items in its stores by scanning bar codes with the iPhone’s Apple Store app.
But as with so much other data collection, these tracking beacons also enable a hidden exchange of information. A survey from 2016 by eMarketer found that retailers were far more interested in using beacons for data collection and targeted marketing than they were in making their stores easier to navigate. Jackson believes that with iOS 13, Apple is specifically taking on this kind of behavior from retailers and tracking firms such as Footmarks.
“It’s clear Apple’s targeting them directly with changes to iOS 13, because it’s not clear to a user that it’s going on in the background,” he says. A marketer wants “to know if a user’s looking at shoes on the phone, then they eventually go to Nordstrom’s, and not only do they go to Nordstrom’s, but they also look in the shoe department.”
Google also acknowledged that it uses Bluetooth beacons to gather more precise location data in apps such as Google Maps. Still, a spokesperson says Google won’t track users via Bluetooth if they’ve disabled Location History through a Google account, and granting Bluetooth permission in iOS 13 will not change users’ Location History settings.
Not necessarily nefarious
If apps were only using Bluetooth to infer location, the solution would be straightforward: Just deny permission for any app that shouldn’t have that information. But even when app makers aren’t using Bluetooth to track your whereabouts, they still have to get the same permission in iOS 13 to talk to other sorts of Bluetooth devices. This can lead to more confusion, as it’s not always clear why each app wants to use Bluetooth in the first place.
Amazon, for instance, asks for Bluetooth permission in both its main shopping app and Alexa, suggesting that the company might be using those apps to follow users around. But an Amazon representative insists otherwise, saying the shopping app uses Bluetooth for reordering items through the (soon-to-be-dead) Dash Button and the Dash Replenishment Service. As for Alexa, it uses Bluetooth to connect with accessories like the Echo Auto, which lets you talk to Alexa in your car.
None of this, however, becomes clear to users when the Bluetooth prompt appears. As of this writing, all apps show the same generic message when an app requests Bluetooth access in iOS 13: “This will allow [the app] to find and connect to Bluetooth accessories, and allow your [iPhone or iPad] to be found over Bluetooth.”
Meanwhile, a wide range of media apps including Netflix, Hulu, and HBO Go are using Bluetooth for Google’s Chromecast streaming devices, which offer a “Guest Mode” so users can connect even when they’re not on the same Wi-Fi network as a Chromecast. While this feature might be useful, Google seems to recognize that it could sow distrust. In preparation for iOS 13, developers can now remove Guest Mode support to avoid having the Bluetooth prompt appear in their apps.
A messy situation
According to an Apple spokesperson, it will be up to individual apps to make the case for Bluetooth permission, and up to users to decide whether to grant it. With other types of permissions, it’s common for apps to explain what they’ll do with access right before Apple’s prompt appears.
The problem is that unlike with other permission prompts, app makers don’t have any control over when the Bluetooth prompt appears. As of this writing, the Bluetooth request pops up immediately when you first launch the app, so there’s no opportunity for the developer to explain why Bluetooth access is necessary.
Bluetooth also doesn’t have the same granular access controls that Apple now offers for broader location tracking. There’s no option for you to only enable Bluetooth while the app is in use, and no way to track when an app has accessed Bluetooth in the background. Once you grant permission, you’re in the dark.
On top of all that, Bluetooth is an inherently messier permission than something like location or camera access. You might raise an eyebrow at a weather app that asks to access photos, or a mobile game that wants to record through the microphone. But what does it mean when Netflix or the Amazon app ask for Bluetooth access? In many cases, it will be tough to say.
Apple does deserve credit for giving users more control over a potential source of privacy violations, and things could certainly change before the final version of iOS 13 arrives, or in a later update. But without giving app makers a way to clearly explain what they’re using Bluetooth for–and giving users more ways to monitor that behavior–it’s not hard to imagine users ignoring the new Bluetooth controls. And if people end up blindly allowing Bluetooth access without understanding the implications, the backdoor to location tracking will remain open for abuse.