Question about Google's Find My Device network with the new trackers
Hi everyone,
Have a quick question if you have the time. I want to buy some of the new Android Find My Device trackers, have wanted to ever since destroying my Tiles when they were bought by that scummy data-retailer.
My question is: if I buy, for example, a Pebblebee device, does Pebblebee get my location data? Google already has that; that's the deal with the devil you have to decide whether or not you want to take. But I don't want to give this information to another third party.
I've done some Googling on this but of course search is useless these days. I tried to read Pebblebee's privacy policy but gave up pretty quickly:
➜ ~ cat pebblebee | wc -w
17391
Does anyone have an authoritative answer on this? Would love to know.
TIA and thanks for your time!
ETA: I have seen where Pebblebee claims they don't sell user data; I'm not even questioning that with this post (although I do question every company's trustworthiness). This is more a question about the architecture of the Find My Device network itself.
Edit 2: I'm already carrying around a personal spy that reports everything I do to Google, I don't think it matters whether they can get my location from the trackers lol. I just wondered if I was exposing that to Pebblebee (just as an example) as well.
I recently described how Apple's Find My network works, but the TL;DR is: lost devices send out bluetooth beacons with a rolling encryption public key, any Apple devices in earshot will hear that beacon, encrypt their current GPS position with that key, and send it to Apple servers. Any Apple user can download the position reports for any public key, but of course you need the private key to be able to decrypt it. You can read more in the reverse engineering done by the devs of OpenHaystack, which reimplements the protocol and lets you send beacons from any BLE device.
Reading through Google's explanations, I can't find a hard technical explanation like OpenHaystack's RE docs for Apple's network, but it appears to be much the same.
The main difference I'm noticing is:
This doesn't clarify whether Google has some record of who has what devices or not. Apple's network very explicitly doesn't, any valid Apple ID can request locations for any public key. If Google's network requires users to somehow register with them what devices they control, even if Google can't see the actual locations of those devices, that's a big step backwards.
Reading through Pebblebee's help center, they have a FAQ about how you configure a device. The TL;DR is that you can configure a Pebblebee tracker in three ways: as a Google Find My Device tracker, an Apple Find My tracker, or a Pebblebee app tracker. If you set it up in either platform app, the tracker is unusable in the Pebblebee app, and only configurable and usable via the Google/Apple app. This means the data never sees Pebblebee servers or their app, so there's no mechanism for the data to be taken by Pebblebee (the company) and potentially sold.
Actually Google won't have the explicit location data, the Find My network is E2EE.
https://support.google.com/product-documentation/answer/14796936?hl=en
Awesome info, thank you! I think that covers everything.
I'll believe that when pigs fly. (and I feel this about Apple as well) Sure, it might not be uploaded or encrypted as part of the protocol data, but that data exists and somebody is running that left outer join.
"Oh we're not tracking your BLE location. We're tracking your IP location and we just so happen to know your BLE MAC."
But like… how? This seems like a properly technologically secure system. I don’t see how what you are concerned about can physically happen.
All Google knows is that an IP has uploaded a blob of data about something. It doesn’t know the location of the IP, and it doesn’t know who the blob of data belongs to.
Unless its an android device doing the uploading. Then they (almost certainly) have a very precise location for that IP. Of course, thats true for anything you've granted location data to, so it's not just Google that can do that trick.
To find out who owns it, just watch for what devices download said blob. Ignore any known bots (ie Apple and Google syncing data mutually).
I’m not sure how this identifies you to Google. I think you may be misunderstanding what you quoted, actually.
So your IP has uploaded a blob of data that belongs to another person. If that other person downloads their blob, what does that tell Google about your IP’s ownership?
For WiFi at least, mobile devices change IP addresses whenever they change networks. (Unless you have your own VPN exit node or something.) The IP address will show rough location (which is how websites geolocate you), but devices in a coffee shop or airport are pretty anonymous - unless they have some other way to identify you.
That's probably pretty easy with browser fingerprinting because there's so much more information available inside a web browser, so a web page download can combine the browser fingerprint and IP to get a location attached to something.
But an end-to-end encrypted message with only an IP address recorded seems pretty safe? You get the IP and that's it.
What happens when you join by IP with another message? You already had the IP, so not a whole lot. A timestamp. The fact that it has the Find My Device network turned on. Is it worth doing the join?