The make-vs-find line, lawful and unlawful uses, the consent bright line, regional law pointers, data-handling rules for detection sweeps, DIY-beacon ToS boundaries, and the presence-not-proof caveat — the ethical and legal capstone of the series

14.1 About this Volume

This is the ethical and legal capstone of a fifteen-volume series. Vols 2–10 treated item trackers as tools you own and operate. Vols 11–13 treated them as things that might be used against you, and documented how to find them. This volume draws the line between those two halves, explicitly and defensibly, and provides the posture framework that governs every other volume.

The series both makes trackers (Vol 10 documents building a DIY Find My beacon from an ESP32 or nRF board) and finds them (Vols 11–13 cover detection devices, DIY BLE-scan methods, and turning owned Hack Tools gear into tag-finders). That two-edged body of knowledge requires an equally explicit ethical framework. The make-vs-find line is consent and ownership. The lawful uses are: tracking your own property, monitoring a person who has given informed and ongoing consent, research on gear you own, and counter-surveillance sweeps of your own space and vehicle. The unlawful use is covert tracking of a person without their consent — criminal stalking, harassment, or unlawful surveillance in essentially every jurisdiction. There is no gray zone on that last point.

This volume covers: the make-vs-find line and its rationale (§2), the full set of lawful uses with the important nuances (§3), unlawful and unethical uses with a concrete scenario matrix (§4), regional law pointers for the US, EU, UK, and elsewhere (§5), data-handling obligations during detection sweeps (§6), the ToS envelope around DIY Find My beacons (§7), and the ethical constraints on the use of detection tools themselves — including the central caveat that detection gives presence, not proof (§8).

This volume is the AirTags-specific extension of the hub’s legal and ethics charter at _shared/legal_ethics.md. The charter’s standing rules — own hardware or written authorization; distinguish lab from in the wild; no jamming; no unauthorized access — all apply here. This volume adds the tracker-specific rules, the stalking-law landscape, and the posture for what to do when you find a tracker that is not yours. The Hacker Tradecraft/ deep dive’s legal and ethics volume covers the same territory at the level of hacking tradecraft generally; this volume is the narrower, tracker-specific cut.

Not legal advice. This volume is an engineer’s reference on the legal and ethical landscape for item trackers and tracking technology. It is not legal advice, does not establish an attorney-client relationship, and is not a substitute for qualified legal counsel licensed in your jurisdiction. Laws vary by jurisdiction, change frequently, and apply differently depending on facts and circumstances. Every statute, regulation, and legal category named in this volume is a pointer to the right questions and a map of the territory — not settled answers, and not professional legal guidance. Verify anything that matters with a licensed attorney in your jurisdiction before relying on it. Nothing in this volume should be construed as permission to take any specific action.

14.2 The Make-vs-Find Line — The Central Organizing Idea

14.2.1 What this series teaches, and where the line is

This series was framed from the first page of Vol 1 as having “a deliberately two-edged body of knowledge.” The first half teaches how trackers work and how to build one; the second teaches how to find hidden ones. The explicit reason both halves belong together is that you cannot competently detect a hidden tracker without understanding deeply how trackers operate — the separated-state behavior, the MAC rotation, the DULT signal. That claim is true and it is the reason the series is structured the way it is.

The two halves are not morally equivalent in their applications. Making a tracker and placing it on your own gear is lawful and uncontroversial. Making a tracker and placing it on a person without their knowledge is criminal stalking. Finding a tracker hidden on you is protective counter-surveillance. Finding a tracker that someone else placed and then using that information to locate or monitor them is a different thing entirely. The line is not between making and finding — it is between what the technology is aimed at.

   The make-vs-find line — what this series teaches and where it stops
   ════════════════════════════════════════════════════════════════════

   ┌──────────────────────────────────────────────────────────────────┐
   │  HALF 1 — MAKING TRACKERS (Vols 2–10)                           │
   │  Theory / use / varieties / DIY beacon (Vol 10)                  │
   │                                                                  │
   │  Lawful subject matter:           Out-of-scope misuse:           │
   │  • understanding how they work    • placing a tracker on a       │
   │  • using them on YOUR OWN           person covertly              │
   │    property                       • using the DIY beacon to      │
   │  • research on gear you own         track a non-consenting       │
   │  • consenting family tracking       person                       │
   ├──────────────────────────────────────────────────────────────────┤
   │                   ▲  THE LINE  ▲                                 │
   │                                                                  │
   │          CONSENT  ·  OWNERSHIP  ·  AUTHORIZATION                 │
   │                                                                  │
   ├──────────────────────────────────────────────────────────────────┤
   │  HALF 2 — FINDING TRACKERS (Vols 11–14)                         │
   │  Counter-surveillance / detection / posture                      │
   │                                                                  │
   │  Framed as PROTECTIVE:            Not framed as:                 │
   │  • detecting a tracker on you     • offensive surveillance       │
   │  • sweeping your own space        • defeating a tracker you      │
   │  • documenting for law LE           placed yourself              │
   │  • understanding the technology   • investigating others         │
   └──────────────────────────────────────────────────────────────────┘

   Vol 15 — Cheatsheet (bright-lines card synthesizes both halves)

The single most important sentence in this volume:

Consent is the line. Using a tracker on your own property is lawful. Using a tracker to monitor a person who has given informed, ongoing, and uncoerced consent is lawful. Using a tracker to monitor a person without their knowledge or consent — regardless of your reason — is criminal stalking, harassment, or unlawful surveillance in essentially every jurisdiction. The reason (jealousy, concern, suspicion, worry about an adult child’s safety) is a motive, not a legal exemption.

Three conditions jointly determine whether a given use is lawful:

Table 1 — Three conditions jointly determine whether a given use is lawful

Condition	What it means	Why it matters
Ownership	You own the object being tracked, or you have written authorization from the owner with defined scope	Trackers on property you don’t own raise unauthorized-surveillance questions regardless of intent
Consent (where a person is involved)	The person whose movements are affected by the tracking has been informed and has genuinely agreed — not coerced, not merely told, not assumed	Tracking a person’s location without their knowledge is the definition of covert surveillance; most jurisdictions criminalize it specifically
Scope	The tracking stays within the boundary of the purpose disclosed to the person (if applicable)	An employee told “we track company vehicles on company time” has not consented to 24/7 location monitoring of their personal life

All three must be satisfied when a person’s movements are involved. When only property is involved (a bag, a bike, a car, with no person-tracking intent), ownership plus scope are enough.

14.2.3 Lawful-use quick-check

   Lawful-use quick-check — property and person tracking
   ══════════════════════════════════════════════════════

   START: I want to place or use a tracker
                   │
                   ▼
   Is the thing being tracked YOUR OWN property?
                   │
           ┌───────┴────────┐
           YES               NO
           │                  │
           ▼                  ▼
       Proceed             Do you have WRITTEN AUTHORIZATION
       to next              from the owner, with defined scope
       question             and time limit?
                                  │
                          ┌───────┴────────┐
                          YES               NO
                          │                  │
                          ▼                  ▼
                      Proceed            STOP — unauthorized
                      to next            tracking of property
                      question           you don't own is
                                         unlawful in most
                                         jurisdictions
                   │
                   ▼
   Does the tracking involve monitoring a PERSON's movements
   (not just the location of an object)?
                   │
           ┌───────┴────────┐
           NO                YES
           │                  │
           ▼                  ▼
       CLEAR — track      Does that person KNOW about
       your own thing     the tracking and GENUINELY CONSENT?
       (e.g. bike, bag,   (Not coerced, not assumed,
       luggage, keys)     not inferred from silence)
                                  │
                          ┌───────┴────────┐
                          YES               NO
                          │                  │
                          ▼                  ▼
                      Lawful            STOP — covert tracking
                      (document         of a person without
                      consent if        consent = criminal stalking
                      possible)         / unlawful surveillance
                                        in essentially every
                                        jurisdiction

14.3 Lawful Uses

14.3.1 Your own property

The clearest, least disputed category: attaching a tracker to an object you own, for the purpose of locating or recovering that object. This is the primary design purpose of every AirTag, SmartTag, Tile, and Chipolo on the market. The person-tracking problem does not arise when the tracked thing is property, not a person.

Straightforward examples: a CR2032-powered AirTag on your keyring, a Tile on your carry-on luggage, a SmartTag zip-tied inside your bicycle frame, a Find My-enrolled tag zip-locked inside a camera bag. In each case you own the object, the tracker relocates only that object, and the only person whose location is implicitly tracked is you — the owner — because you carry the object. There is no third party whose consent is relevant.

The property category extends to vehicles you own. Attaching a tracker to your own car, truck, or motorcycle — the one whose title is in your name — is lawful. This is a normal use case; car owners tracking their own vehicles for theft recovery is a long-standing and explicitly legal practice. The legal complication arises only when the vehicle is shared or when tracking the vehicle is transparently a proxy for tracking a person (see §4.2).

The hub’s charter at _shared/legal_ethics.md applies: “Every test target must either belong to the operator or be covered by explicit, written authorization from the owner.” That rule covers this volume too. If you own it, you can track it. If you don’t own it, you need written authorization with defined scope — no exceptions.

14.3.2 Consenting adults

The second lawful category: tracking a person who is an adult and who has given informed, ongoing, uncoerced consent. The operative word is consent, and it carries legal meaning that differs from social meaning.

Consent for location monitoring, to be legally meaningful and ethically sound, generally requires:

Explicit disclosure: the person knows a tracker exists and roughly how it works (not fine-print buried in an app’s terms).
Specificity: the person knows what is being tracked, when, and for what purpose.
Voluntariness: the person has a genuine ability to refuse without adverse consequence. Consent given under threat, economic coercion, or within a power-imbalanced relationship (an employer telling an employee they must consent or lose their job for a personal-vehicle tracker) is legally questionable.
Ongoing revocability: the person can withdraw consent at any time. Consent to location tracking is not a permanent grant.

The most common form of consented adult location tracking today is a family-sharing location app (Apple’s Find My Family, Google Family Sharing, Life360 as a consensual tool). These are not secret — both parties can see each other’s location, and either can stop sharing. A physical tracker attached to someone else’s personal effects is a fundamentally different arrangement from a mutual location-sharing app, and the consent analysis is correspondingly more demanding. “She knows I worry about her” is not consent. “She signed up for Find My Family and can see my location too” is.

14.3.3 Minor children — the nuance

Parental monitoring of minor children occupies a legal category distinct from monitoring unrelated adults. In most jurisdictions, parents have broad authority over minor children’s activities, and using a tracker to monitor a young child’s location is generally treated as lawful parental supervision. The category is real; the nuance matters.

Table 2 — 3.3 Minor children — the nuance

Age / situation	Tracking posture	Key considerations
Young children (approximately under 10–12)	Lawful parental supervision in essentially all jurisdictions	Parental authority is broad; child does not have full privacy interest; transparent family tracking tools are common and appropriate
Older children / early teens (~12–15)	Lawful parental supervision in most jurisdictions, but privacy interests are growing	Transparency and family discussion reduce conflict and normalize age-appropriate boundaries; covert tracking increases as the child ages becomes more ethically fraught
Older teens (~16–17)	Still lawful in most jurisdictions; legally and ethically murkier in some	Some jurisdictions give older minors more privacy rights; covert tracking of a near-adult may be permitted but is rarely the right approach; honest conversation is the better tool
Child turning 18 (or the age of majority in your jurisdiction)	Adult — parental authority does not automatically extend	At the moment of legal adulthood, covert tracking of an adult child without their consent is criminal stalking in the same way as any other adult; parental concern is not a legal exemption
Minor child in shared custody	Track the child’s movements (with co-parent agreement where possible); never track the child as a proxy for tracking the other parent	Courts in multiple jurisdictions have ruled that using a tracker on a child’s belongings to monitor the other parent’s location is stalking of the co-parent, not child safety
Teen already using a consensual family-location app	Consensual app-based tracking; different arrangement from a covert physical tracker	A teen who agreed to share their phone location with family has not consented to a physical tracker they don’t know about; the consent applies to the agreed arrangement

The overarching point: parental tracking of minor children is generally lawful, but it is not unconditionally so, the limits are jurisdiction-specific, and the moment a child becomes an adult the analysis resets to the adult-consent framework entirely. Do not carry the “I’m the parent” framing across the age-of-majority line.

14.3.4 Research and teardown on gear you own

Research on hardware you own is explicitly lawful. Vol 5 (AirTag hardware teardown) and Vol 10 (DIY OpenHaystack/Macless-Haystack beacon) both document this type of work: buying a commercial tracker, opening it, analyzing the silicon, understanding the protocol, and building compatible implementations. The hub’s charter at _shared/legal_ethics.md is explicit: “Every test target must either belong to the operator or be covered by explicit, written authorization.”

If you bought it, you can tear it down. The relevant limits are on what you do with what you learn: exploiting a vulnerability for unauthorized access, publishing keys that could compromise third-party systems, or using research findings to track non-consenting people would be out of bounds (the hub charter covers this for computer access; the stalking-law analysis of §4 covers the people-tracking angle). But the research itself — protocol analysis, signal capture, comparative testing between the tags on your own bench — is firmly in-bounds.

The OpenHaystack/Macless-Haystack work (Vol 10) involves actually transmitting on the Find My network. That raises the additional ToS question covered in §7; the research aspect is lawful and the transmission aspect is governed by your adherence to Apple’s Terms of Service and FCC Part 15 (or equivalent regional spectrum rules). Neither of those is a stalking or privacy concern; they are covered separately.

14.3.5 Counter-surveillance sweeps of your own space

The detection half of this series is explicitly framed as protective counter-surveillance. Sweeping your own home, your own car, your own office, or your own person for a tracker you did not consent to carry is the most clearly lawful activity in the second half of this series. It is your property; it is your person; you are looking for something that may have been placed there without your authorization.

Vol 11 covers the detection tools (iOS/Android OS-native alerts, AirGuard, commercial BLE scanners). Vol 12 covers DIY BLE-scan detection methods. Vol 13 covers doing the sweep with owned Hack Tools gear (Flipper Zero BLE scan apps, ESP32 Marauder, Nyan Box). All of that detection work is framed from the victim’s perspective, and a sweep of your own property is its most unambiguous application. The data-handling obligations during such a sweep — what to do with information about trackers that belong to other people — are covered in §6.

14.4 Unlawful and Unethical Uses

Covert tracking of a person — placing a tracker on their vehicle, bag, or person without their knowledge, or using a tracker to monitor their location without consent — is the paradigmatic unlawful misuse of item-tracker technology. It does not matter:

whether you own the vehicle (you cannot use a car you own jointly to covertly track your co-owner’s whereabouts without their consent);
whether you have good reasons (concern, jealousy, child safety concerns about an adult child, suspicion of wrongdoing);
whether the relationship is intimate (intimate-partner stalking is a large fraction of the real-world AirTag-enabled stalking caseload);
whether the tracking was brief (a single covert location fix may still be criminal in jurisdictions with specific electronic-tracking statutes — verify your jurisdiction).

The law in this area has converged across most jurisdictions on one point: covert tracking of a person is criminal. The categories of law that reach it are surveyed in §4.3.

14.4.2 The lawful-vs-unlawful use matrix

The required decision matrix. Read this in conjunction with the quick-check tree of §2.3.

Table 3 — 4.2 The lawful-vs-unlawful use matrix

Scenario	Lawful?	Why	What to do
Tracker on your own car (for theft recovery)	Yes	Your property; no person being covertly tracked	Normal use
Tracker on your own bike / luggage / keys	Yes	Your property	Normal use
Tracker on your household pet	Yes	Your property in essentially all jurisdictions	Normal use
Tracker on a young child’s backpack (parental supervision)	Yes, generally	Parental authority over minor; see §3.3	Age-appropriate transparency
Tracker on your teenage child’s bag, child is aware	Yes	Consented minor-child supervision	Family agreement is better than covert
Tracker on your teenager’s bag, child does not know	Legally murky; ethically poor	See §3.3; older minors have growing privacy interests	Discuss and agree instead
Tracker on an adult child (18+) with their consent	Yes	Consenting adult	Document consent; ensure it is ongoing
Tracker on an adult child (18+) without their knowledge	No	Adult; covert tracking = criminal stalking in most jurisdictions	Stop; do not do this
Tracker on company vehicle, employees notified of policy	Yes, in most jurisdictions	Work property; disclosed	Written policy is essential; check local employment law
Tracker on company vehicle, employees NOT notified	Risky to unlawful	Many jurisdictions require employee notice for electronic monitoring	Add a written policy before deploying
Tracker on employee’s personal vehicle	No	Not your property; employee’s private life	This is stalking regardless of employment relationship
Tracker on partner / spouse with genuine mutual consent	Yes	Consenting adult; mutual	Ensure consent is real, specific, and ongoing
Tracker on partner / spouse without their knowledge	No	Covert tracking of a person = criminal stalking	Stop immediately
Tracker on an ex-partner	No	Covert tracking of a person = criminal stalking; also a common domestic-violence pattern	Stop; remove any trackers immediately
Counter-surveillance sweep of your own home	Yes	Your property	Normal protective use
Counter-surveillance sweep of your own vehicle	Yes	Your own vehicle	Normal protective use
Research / teardown on trackers you purchased	Yes	Your own property	Normal research; see §3.4
DIY Find My beacon (OpenHaystack) on your own gear	Yes (with ToS caveats)	Your property; rides Apple network under ToS	See §7 for the ToS boundaries
DIY Find My beacon placed on someone else’s belongings	No	Covert tracking of a person; DIY hardware does not change the analysis	Do not do this
Sweeping someone else’s vehicle for a tracker, on their behalf with consent	Yes	Their vehicle, their consent, you are acting as their agent	Get their explicit, written authorization

14.4.3 Categories of law that reach covert tracking

Covert tracking of a person may be criminal under several overlapping categories of law. What follows is an engineer’s map of the legal territory — categories and pointers to real instruments, hedged where specifics should be verified with a lawyer. This is not an exhaustive analysis and is not legal advice.

Anti-stalking and harassment statutes. Every US state has a criminal anti-stalking statute. Most of them cover conduct that causes a reasonable person to fear for their safety, or that constitutes a “course of conduct” of surveillance and harassment. Many were updated after GPS trackers became common to explicitly include electronic location monitoring. At the federal level, the interstate stalking statute (18 U.S.C. § 2261A — verify current text and applicability) covers stalking that uses interstate means, which includes BLE trackers that report through Apple’s national network. Covert placement of a tracker on a person’s vehicle is exactly the fact pattern most anti-stalking statutes were written to cover.

Electronic surveillance / wiretap law. The Electronic Communications Privacy Act (ECPA), including the Wiretap Act provisions at 18 U.S.C. §§ 2510 et seq. (verify current text), prohibits the unauthorized interception of electronic communications. The application to location data from a passive BLE beacon is fact-specific and contested in some contexts, but covert installation of a device that transmits location information to a third party has been prosecuted under wiretap-analog statutes in multiple jurisdictions. Many US states have broader electronic-surveillance statutes than the federal floor.

GPS-tracking-specific state statutes. Approximately forty US states have enacted statutes that specifically prohibit covert installation of a GPS or electronic tracking device on another person’s vehicle or property without consent. California Penal Code § 637.7 (verify current text) is an example: it prohibits using an electronic tracking device to determine the location or movement of a person without consent. Many analogous statutes were enacted in the 2010s and 2020s, some specifically updated after AirTag-enabled stalking became a documented public concern. The specific elements, defenses, and penalties vary widely — verify the statute applicable in your state or jurisdiction.

Harassment statutes. Short of stalking, harassment criminal statutes often reach a course of conduct that alarms or causes substantial emotional distress. A tracker that does not by itself constitute stalking (because the victim is not in fear for their safety) may still be criminal harassment under a lower-threshold statute.

Civil liability. In many jurisdictions, covert tracking that does not meet the criminal threshold may still give rise to civil liability: invasion of privacy torts, intentional infliction of emotional distress, and — particularly in employment contexts — wrongful conduct claims. Civil liability is separate from criminal exposure.

Data protection law (EU / UK). Outside the US, covert tracking of a person involves the unauthorized processing of personal data (location data is personal data under GDPR and its equivalents), which is independently unlawful under data protection law — separate from any criminal stalking analysis. See §5.3.

14.4.4 “I was worried about them” is not a legal defense

One of the most common justifications offered for covert tracker placement is concern for the tracked person’s safety or fidelity. It is worth stating clearly: in the legal analysis, this is a motive, not a defense.

Anti-stalking statutes do not generally require proof of malicious intent. They typically require proof of conduct (a course of surveillance), combined with the effect on the victim (reasonable fear, or in some formulations a specific type of distress). The actor’s reason for the surveillance is relevant only to sentencing, not to whether the offense occurred. A parent worried about their adult child, a partner worried about infidelity, an employer worried about an employee taking company secrets — in each case the worry is real and the concern may be sincere, and in each case covert placement of a tracker to act on that concern may be criminal.

“I was worried about them” is not a legal defense to stalking. Anti-stalking, electronic-surveillance, and unlawful-tracking statutes in most jurisdictions are conduct-based and effect-based, not intent-based. What matters is whether you covertly monitored a person’s location without their consent, and whether the conduct caused the relevant harm. Good intentions do not eliminate criminal liability. If you have a genuine safety concern about another person, the lawful paths are: talking to them, involving social services, involving law enforcement, or providing support through channels that do not require covert surveillance.

14.4.5 AirTag-enabled stalking and the policy response

Item trackers were immediately recognized as stalking tools when the AirTag launched in April 2021. Domestic-violence advocates filed formal objections with Apple before launch, warning that a cheap, coin-cell BLE beacon with global network coverage would become a stalking tool of choice for intimate-partner abusers. Those warnings were accurate. Within months of launch, widely reported incidents confirmed the pattern: trackers hidden in vehicle wheel wells, under bumpers, in bags, and on other personal effects — used to monitor the locations of current and former intimate partners.

The documented stalking cases prompted regulatory pressure in the United States (Congressional requests and FTC guidance), the EU, and the UK, and were the primary driver behind the Apple+Google DULT joint specification described in Vol 4 §7 and covered as a product in Vol 11 §5. The DULT standard was designed specifically because the regulatory pressure made it politically untenable for each vendor to leave the anti-stalking-detection problem entirely to each other. The technical countermeasures documented throughout the detection half of this series — the separated-state alert behavior, the audible chirp (shortened from ~3 days to ~8–24 hours after criticism), the iOS and Android OS-native alerts, AirGuard — are all direct policy responses to documented harm.

The right takeaway for a reader of this series: this is not a hypothetical concern. AirTag-enabled stalking happens, has been widely documented, has resulted in criminal prosecutions, and was the direct cause of the anti-stalking infrastructure the detection volumes cover. The series teaches detection and framing because real people need it. It does not teach covert placement because that is criminal and harmful — not because the technical knowledge would not transfer.

14.5 Regional Law Pointers

This section is a pointer map, not a legal guide. The applicable law for any specific situation depends on the jurisdiction, the exact facts, and current statute text — all of which change. Verify everything with local legal counsel. The table in §5.6 is the reference summary.

14.5.1 United States — the federal framework

The United States has several overlapping federal instruments potentially relevant to covert location tracking, none of which was originally written specifically for BLE item trackers.

Federal stalking statute. 18 U.S.C. § 2261A (verify current text) covers interstate stalking, including stalking carried out through electronic means. AirTag reports travel through Apple’s national (and international) Find My network, which may satisfy an interstate-means element. The exact application is fact-specific; if you are a victim, mention the interstate network angle when speaking to federal law enforcement.

Electronic Communications Privacy Act (ECPA). The Wiretap Act (18 U.S.C. §§ 2510 et seq. — verify current text) and the Stored Communications Act (18 U.S.C. §§ 2701 et seq. — verify current text) protect against unauthorized interception and access to electronic communications and stored data. The application to passive BLE location trackers (which do not intercept communications in the conventional sense) is contested; courts have handled analogous GPS tracker cases differently, and the law in this area has evolved. It is a potential avenue, not a certainty.

Computer Fraud and Abuse Act (CFAA). 18 U.S.C. § 1030 (verify current text) prohibits unauthorized access to computers and computer networks. The application to a passive BLE beacon is indirect; the more relevant CFAA angle would arise if the tracking involved unauthorized access to the victim’s devices or accounts. The hub’s charter at _shared/legal_ethics.md notes this for general context.

Violence Against Women Act (VAWA) stalking provisions. VAWA (reauthorized most recently in 2022 — verify current text) includes provisions strengthening anti-stalking enforcement at the federal level and funding for victim support services. These provisions are relevant to the intimate-partner abuse fact pattern that dominates real-world AirTag stalking.

14.5.2 United States — the state patchwork

The most practically relevant US law for most covert-tracking situations is state law, because: (1) most stalking is intrastate and therefore state-prosecuted, (2) approximately forty states have enacted specific statutes addressing electronic location tracking beyond the federal floor, and (3) state law varies significantly in threshold, scope, and available remedies.

The variation matters. Some state statutes require “intent to cause fear”; others are conduct-based without an intent element. Some cover only tracking devices installed on vehicles; others cover any electronic tracking of a person. Some require that the victim actually experience fear; others are satisfied by a course of surveillance conduct. California (§ 637.7 in the Penal Code — verify current text) has had a specific prohibition on covert GPS/electronic tracking for longer than most states (note that § 637.7 has been supplemented and affected by later California legislation — verify its current force). Other states enacted statutes in the 2020s specifically after AirTag-facilitated stalking became a documented problem. A few states still rely on general stalking statutes without tracker-specific provisions. Check your state’s criminal code for:

A specific “GPS tracking device” or “electronic tracking device” provision in the criminal code
The state’s stalking statute and whether it covers “course of conduct” surveillance
Whether civil remedies (restraining orders specifically covering tracker removal) are available

In the European Union and the European Economic Area, covert tracking of a person involves unauthorized processing of personal data, which is independently prohibited under the General Data Protection Regulation (GDPR — Regulation (EU) 2016/679, verify current text). The GDPR analysis operates in parallel to any criminal stalking analysis.

Location data is personal data. GDPR Article 4 defines personal data as “any information relating to an identified or identifiable natural person.” Location data that can be linked to a specific individual — which AirTag-derived location data can, since it is encrypted to the owner’s account key (Vol 2) — is unambiguously personal data. The moment a tracker is used to build a record of a person’s location, the resulting data is personal data under GDPR.

Processing requires a lawful basis. GDPR Article 6 requires that personal data be processed on a lawful basis (consent, contract, vital interests, legal obligation, public task, or legitimate interest). Covert tracking of a non-consenting person has no valid lawful basis. The “legitimate interests” basis (Article 6(1)(f)) is a common attempt-at-justification in civil contexts, but the GDPR requires that legitimate interests be balanced against the data subject’s rights, and the Article 29 Working Party (now the European Data Protection Board) has consistently held that covert surveillance of individuals rarely passes that balancing test.

Consent under GDPR. GDPR Article 7 sets the conditions for valid consent, which Article 4(11) defines as a “freely given, specific, informed and unambiguous” indication of the data subject’s wishes. Blanket consent buried in a relationship agreement or assumed from cohabitation does not meet this standard for location tracking. Explicit, revocable, purpose-specific consent is required.

Criminal-law overlaps. GDPR violations are administrative (up to 4% of global annual turnover or €20 million, whichever is higher — verify current thresholds). But most EU member states also have criminal-law provisions covering stalking and harassment that apply independently of GDPR. Both tracks may apply simultaneously.

14.5.4 United Kingdom

The UK has specific instruments covering both the stalking conduct and the data protection angle.

Protection from Harassment Act 1997 (verify current text): creates both a criminal offense of harassment and a civil cause of action. The offense covers a “course of conduct” — more than one act — that amounts to harassment of another and which the defendant knew or ought to have known amounted to harassment. Electronic surveillance, including location tracking, has been prosecuted under this Act.

Stalking Protection Act 2019 (verify current text): introduced Stalking Protection Orders (SPOs), which can be granted on an application basis even before a prosecution, and which can prohibit conduct including electronic surveillance. (The specific criminal stalking offenses themselves — ss 2A and 4A of the Protection from Harassment Act 1997 — were created earlier, by the Protection of Freedoms Act 2012, not by the 2019 Act, whose contribution is the SPO regime.)

UK GDPR. Post-Brexit, the UK retained GDPR as “UK GDPR” (the Data Protection Act 2018 incorporating retained EU law). The analysis for location data as personal data, lawful basis, and consent is functionally identical to the EU analysis (§5.3), applied under UK law.

14.5.5 Other jurisdictions — the honest caveat

The short version: virtually every modern legal system has criminal provisions that reach covert surveillance of a person’s location, and most modern privacy/data-protection frameworks treat location data as personal data requiring a lawful basis for processing. The specific provisions, thresholds, remedies, and enforcement vary.

If you are reading this volume in Canada: the Criminal Code of Canada has criminal-harassment provisions, and provincial privacy legislation (PIPEDA at the federal level — whose proposed successor is the Consumer Privacy Protection Act (CPPA, Bill C-27), distinct from Canada’s existing federal Privacy Act; verify current force — and provincial statutes in Alberta, BC, and Quebec) covers personal information including location data. If you are reading this in Australia: each state and territory has stalking laws, some including specific provisions for tracking devices, and the federal Privacy Act 1988 (verify current text) covers personal information including location data held by relevant entities. For any other jurisdiction: look for (1) a stalking or harassment criminal code provision, (2) any specific electronic-tracking-device statute, and (3) the applicable privacy/data-protection framework. The combination of all three is where covert tracking law lives.

14.5.6 Jurisdiction pointer table

Table 4 — 5.6 Jurisdiction pointer table

Region	Legal framework category	Notes — verify current text
US Federal	Federal anti-stalking statute (18 U.S.C. § 2261A); ECPA Wiretap Act (18 U.S.C. §§ 2510 et seq.); CFAA (18 U.S.C. § 1030); VAWA stalking provisions	Interstate nexus required for federal stalking; ECPA application to passive BLE tracker is contested; CFAA more relevant to device/account access than tracker placement
US States (general)	State stalking / criminal harassment statutes; state electronic-tracking-device statutes (enacted in ~40 states)	Wide variation in elements, thresholds, and available civil remedies; many statutes updated post-2021 in response to AirTag-enabled stalking; check your specific state’s criminal code
California (example)	California Penal Code § 637.7 (electronic tracking device without consent — verify current text); California stalking statute; CPRA (California Privacy Rights Act) for data handling	CA has long had a specific prohibition on covert electronic tracking; CPRA adds data-subject rights relevant to location data
EU / EEA	GDPR (Regulation (EU) 2016/679): location data = personal data; processing requires lawful basis; consent must be freely given, specific, informed, unambiguous (Article 7); plus each member state’s criminal stalking law	GDPR violation track (administrative fines) runs parallel to criminal stalking track; both may apply
UK	UK GDPR / Data Protection Act 2018; Protection from Harassment Act 1997; Stalking Protection Act 2019 (all — verify current text)	UK GDPR functionally mirrors EU GDPR for this analysis; Stalking Protection Orders available pre-prosecution
Canada	Criminal Code of Canada (criminal harassment); PIPEDA / federal successor Privacy Act; provincial privacy statutes (AB, BC, QC)	Criminal harassment covers courses of conduct including surveillance; privacy statutes treat location data as personal information
Australia	State and territory stalking laws (each jurisdiction has its own); federal Privacy Act 1988 and Australian Privacy Principles (verify current text)	Each state may have tracking-device provisions; federal Privacy Act covers personal information handling by covered entities
All other jurisdictions	Look for: (1) stalking / harassment criminal provision; (2) any electronic-tracking-device statute; (3) applicable data-protection law	Essentially every modern legal system reaches covert personal surveillance through one or more of these tracks; specific provisions vary widely — consult local counsel

This table is a pointer map, not legal advice. Every cell says “verify current text” because laws change, and the specific applicability to a given situation depends on facts a table cannot capture. Use this as the first question you ask a local attorney, not as the answer.

14.6 Data Handling During Detection Sweeps

14.6.1 What you learn when you sweep for trackers

When you run a detection sweep — using AirGuard, the OS-native unwanted-tracker alerts, a DIY BLE scan (Vol 12), or owned Hack Tools gear (Vol 13) — you may encounter BLE advertisements from trackers that are not targeted at you at all. A sweep of your own home, vehicle, or person will pick up BLE advertisements from anyone’s device within range: neighbors’ trackers on their property, a tagged bag belonging to a visitor, tags belonging to people walking past. This is normal; BLE advertising is a broadcast medium and any scanner hears everything in range.

The ethical and legal obligation is proportionality. You are sweeping for your own safety; you are not building a surveillance database of your neighbors’ property movements. The data you incidentally collect about other people’s trackers carries obligations of its own.

14.6.2 A found tag’s NFC read — evidence for police, not for you

If you find a tracker that appears to have been placed on your property or person without your consent, the NFC tap (Vol 4 §2) reveals the tag’s serial number and — if the owner put it in Lost Mode — a partially masked phone number or email. This information has specific proper uses and specific improper ones.

Proper uses of the NFC-read data:

Recording the serial number as the key piece of evidence for a law-enforcement report (the serial links to an Apple/Samsung/Tile account via legal process)
Documenting what the found.apple.com page shows, as a screenshot, preserved as evidence
Providing the serial and screenshots to law enforcement for an account-lookup subpoena

Improper uses of the NFC-read data:

Using the last-4-digits of a phone number (displayed in Lost Mode) to try to identify the owner yourself
Publishing the serial number, the owner contact, or any tag data publicly (online, on social media, in a neighborhood group)
Trying to confront the owner based on the tag data
Using the data to investigate the owner privately rather than through law enforcement

The last-4-phone-digits display in Lost Mode is there to help a good Samaritan return a genuinely lost tag to its owner — not to give a stalking victim a partial identifier to investigate on their own. Private investigation of the tag’s owner based on this data carries its own legal risks (harassment, doxxing, privacy violations) and is likely to compromise any criminal case law enforcement might build.

14.6.3 Minimize retention — the data-handling checklist

Table 5 — 6.3 Minimize retention — the data-handling checklist

Data type	Rule	Rationale
Your own sweep logs (AirGuard history, BLE scan exports of your own space)	Keep only as long as serves your safety purpose; delete after the threat has passed or been reported	You are not building a surveillance archive; proportionality applies
Detected trackers not belonging to you (observed incidentally during a sweep)	Do not retain, publish, or act on information about incidentally-observed trackers beyond confirming your own safety	These were observed as a byproduct of protecting yourself; you have no standing to surveil their owners
NFC-read data from a found unknown tag (serial number, owner contact)	Preserve as evidence for law enforcement; do not use it for independent investigation; do not publish it	LE has the legal authority and the database access to link a serial to an account; you do not; publishing it could compromise a prosecution
AirGuard detection history (timestamps and GPS coordinates of detection events)	Export and provide to law enforcement if pursuing a case; otherwise limit retention to the necessary window	The history log is an evidence-chain tool; it is not a diary of where you were and when, for general retention
Owner last-4 phone digits (from an NFC read in Lost Mode)	Pass to law enforcement; do not try to use it to identify the owner yourself; do not publish it	Partial phone data with no other identifier is unlikely to identify anyone without carrier records; attempting to use it yourself inverts the legal process
Photographs and screenshots of a found tag	Preserve as evidence with time/GPS metadata intact; do not post publicly	Evidence integrity; premature public disclosure can compromise a criminal investigation
Location data from your own sweep (where your sweep covered)	Delete when no longer needed	Your sweep path is your personal data; minimize unnecessary location data retention

   Data-handling decision flow for a found tag
   ════════════════════════════════════════════

   Found an unknown tracker during a sweep
                   │
                   ▼
   NFC-tap → screenshot the found.apple.com page
   Note: serial + any contact info (if in Lost Mode)
                   │
                   ▼
   Preserve for law enforcement?
                   │
           ┌───────┴────────┐
           YES               NO (casual sweep, no threat)
           │                  │
           ▼                  ▼
   Keep screenshots        Delete incidental data
   intact; export          promptly; do not retain
   AirGuard history;       other people's tag data
   provide to LE           beyond confirming safety
           │
           ▼
   DO NOT:
   ✗ try to identify the owner yourself
   ✗ publish the serial or contact data
   ✗ confront anyone based on the data
   ✗ investigate using the last-4 digits
   → these are LE's tools, not yours

14.7 DIY-Beacon ToS — The OpenHaystack / Macless-Haystack Envelope

14.7.1 What a DIY Find My beacon does and why the ToS matters

Vol 10 documents building a DIY Find My beacon: flashing an ESP32, nRF51822, or nRF52 board with the OpenHaystack or Macless-Haystack firmware, generating a compatible public/private key pair, broadcasting the Find My advertisement PDU, and reading back the encrypted location reports that Apple’s ~1-billion-device finder network collects. The result is a custom tracker that participates in Apple’s Find My network — a powerful capability that works because the protocol was reverse-engineered by academic researchers (the TU Darmstadt SEEMOO group) and the core cryptography is documented.

That capability comes with two overlapping obligations: Apple’s Terms of Service (ToS) governing use of the Find My network, and the legal posture framework of this volume. They are related but not identical. The ToS governs your relationship with Apple’s service. The law governs your relationship with other people. Both apply simultaneously.

14.7.2 Apple’s Terms of Service and what it means for your beacon

Apple’s Find My Terms and Conditions, and the broader iCloud Terms of Service that govern access to Find My infrastructure, restrict the network to uses consistent with its design: finding Apple devices and authorized third-party accessories. Using the network via an OpenHaystack-derived beacon is not an Apple-authorized accessory arrangement — it uses the protocol without Apple’s approval. The ToS prohibits using Apple’s services in ways not authorized by Apple.

What this means in practice: Apple could, in principle, detect that a non-standard beacon is using its network and terminate access. More concretely, operating a DIY Find My beacon puts you in a ToS-violation posture with Apple — you are riding their network without authorization. The research community treats this as acceptable for academic and personal research purposes, and OpenHaystack explicitly frames itself as a research project. Apple has not (as of this writing) taken enforcement action against individual OpenHaystack users. But using the network at scale, for commercial purposes, or in ways that generate large numbers of reports and impose meaningful costs on Apple’s infrastructure would be a different matter.

Spec-sourced caveat: ToS agreements change. The exact terms applicable to Find My network use at any given time are in Apple’s current Terms and Conditions (icloud.com/legal or similar — verify current text). Review the current terms before undertaking DIY Find My beacon work at any meaningful scale.

14.7.3 In-bounds vs out-of-bounds DIY use

The ToS and legal posture together define a clear in-bounds zone for DIY Find My beacon work:

Table 6 — The ToS and legal posture together define a clear in-bounds zone for DIY Find My beacon work

Use case	In-bounds?	Why
DIY beacon on your own bag / bike / keys, for your own finding	Yes (ToS-permissive for research/personal use)	Own property; small-scale; research-consistent use
DIY beacon for academic research into the Find My protocol	Yes	The OpenHaystack project’s design intent
DIY beacon to locate gear you own (e.g. toolbox, equipment case)	Yes	Own property; personal use
DIY beacon in a fleet of personal devices for location recovery	Marginal — depends on scale	Large-scale Find My network use is further from the research intent; verify Apple ToS
DIY beacon placed on property you don’t own (another person’s vehicle, bag, etc.)	No	Both a ToS violation and criminal covert tracking; the DIY nature does not change the analysis
DIY beacon placed on a person’s belongings to track their location	No	Criminal stalking regardless of how the beacon was made; Apple’s network is being used to commit a crime
DIY beacon configured to deliberately NOT emit the DULT separated signal	Ethically unacceptable	A beacon that evades the anti-stalking detection framework (Vol 4 §7) is designed to be harder for victims to detect; the omission is itself an ethical violation separate from the criminal-use analysis
DIY beacon for commercial product without Apple’s MFi / Works with Find My authorization	No	Requires Apple’s formal accessory-authorization program; OpenHaystack is a research bypass, not a commercial-product path

The DIY beacon constraint in one sentence. Tag your own stuff for your own finding; keep it research-scale; respect the ToS; and never use a DIY beacon — or any tracker — to follow a person without their consent. The DIY construction of a beacon does not exempt it from the stalking-law analysis any more than building a custom listening device would exempt it from wiretap law.

14.8 Detection-Tool Ethics

14.8.1 A detector gives presence, not proof

Vol 11 §6.5 introduced this caveat as a product-landscape point. It belongs in this volume too, stated as an ethical obligation:

A detector gives presence, not proof. Detecting a BLE tracker in DULT/Find My format near your person or vehicle establishes that such a device was physically present in that moment. It does not prove: who placed it; whether placement was intentional; how long it has been following you; whether the presence is coincidental; or what the owner intended. Detection is the start of an inquiry — the NFC serial tap, the AirGuard history log, and the law-enforcement investigation that follows are the next steps. Acting on a detection alone — confronting someone, making accusations, posting information publicly — is premature and potentially harmful.

This caveat flows directly from the technical architecture. An unknown AirTag in separated state, detected by AirGuard, tells you: a BLE beacon matching the Find My service-data signature (Vol 2 §2.4) with a separated-state status byte (Vol 4 §4.2) was within Bluetooth range of you at a given time and location. The beacon is separated from its owner. You did not recognize it as yours. That is the complete evidentiary content of the detection. Who the owner is, and why the tag is near you, requires: the NFC-tap serial (Vol 4 §2.2), an AirGuard correlation log showing repeated co-travel (Vol 11 §3.2), and Apple’s account-lookup process via law enforcement subpoena (Vol 11 §7.2). The detection is a data point; it is not a conclusion.

14.8.2 False positives and the attribution problem

The detection system is designed to produce low false-positive rates — the “sustained co-travel over time and distance” gate (Vol 4 §6.3) filters most incidental proximity. But false positives still occur, and the consequences of acting on a false positive as if it were confirmed stalking can be serious.

Table 7 — 8.2 False positives and the attribution problem

False-positive scenario	What it looks like	Why it happens
A neighbor’s AirTag on their car, parked in a shared lot	AirGuard flags a tag that appears at home, at work, and in transit	The tag belongs to a neighbor who parks in the same locations you do
A ride-share driver’s tracker on their own vehicle	Alert fires during a trip	Separated-state tag in the vehicle; belongs to the driver’s gear
A gym bag stored near yours with a Tile in it	AirGuard sees the Tile across multiple gym visits	The tag belongs to someone who goes to the same gym at the same times
A transit tag on a shared bus or train	Tag correlated across multiple commutes	The tag is on the vehicle itself, not following you
A returned borrowed item with a forgotten tracker	Alert fires days after returning the item	A tracker in the item remained with you during the loan period

In each of these cases, AirGuard or the OS-native alert is doing exactly what it is designed to do — detecting a separated tracker that is moving with you. The tracker is real. The “following you” framing may not be. The response is to use the investigation tools (NFC tap for serial, AirGuard history review) to gather more information before drawing a conclusion or taking action.

14.8.3 Do not confront or investigate alone

The wrong response to a tracker alert is to confront the person you suspect. The right response is to document and report. This is true for several overlapping reasons:

Safety. If the alert is genuine and someone has placed a tracker on you as part of a stalking or abusive pattern, confronting that person directly may escalate the danger. Safety planning — done in coordination with law enforcement or a domestic violence advocate — is the appropriate path.

Evidence integrity. Confronting the suspected tracker owner without involving law enforcement may alert them to destroy evidence, change behavior, or remove the tracker before police can document it. The same goes for disabling the tracker prematurely — a tracker left in place, with a preserved chain of evidence (photos, AirGuard history, serial number), gives law enforcement a much stronger investigative tool than a disabled tracker with no documentation.

Legal risk to you. Confronting someone based on an incorrect attribution — a false positive, or a correctly-detected tag that belongs to someone innocent — could expose you to harassment or defamation liability. The NFC serial is the identifier that LE can trace; it is not one you can independently investigate to a conclusion.

The NFC last-4 problem. If the tracker is in Lost Mode, the NFC read shows the last four digits of the owner’s phone number. These four digits, in isolation, are essentially useless for identification — thousands of accounts might match any four-digit suffix. Attempting to use them to identify the owner is both legally risky (accessing accounts or carrier records without authorization) and practically ineffective. Pass them to law enforcement; they have the legal tools to follow that thread.

14.8.4 The right response: document, preserve, report

   I found a tracker that isn't mine — now what?
   ═════════════════════════════════════════════════════════════════

   Unknown tracker detected (alert / AirGuard / physical find)
                       │
                       ▼
   Are you in IMMEDIATE physical danger?
                       │
               ┌───────┴────────┐
               YES               NO
               │                  │
               ▼                  ▼
           CALL POLICE       DOCUMENT FIRST
           FIRST;            ─────────────
           then disable      1. Photograph the tag in place
           and leave;        2. Note exact location, time, date
           report the        3. Note how long AirGuard
           serial when          has been tracking it
           safe to do so     4. Do NOT touch or move yet
               │
               ▼
           NFC-TAP the tag with any NFC phone (Vol 4 §2)
           ─────────────────────────────────────────────
           • Opens found.apple.com
           • Shows the SERIAL NUMBER (always present)
           • Shows owner contact only if Lost Mode is on
           • Screenshot everything — this is your key evidence
               │
               ▼
           EXPORT AirGuard detection history
           (timestamps, GPS coordinates of sightings)
               │
               ▼
           ASSESS: is this a genuine stalking concern?
                       │
               ┌───────┴────────────────┐
               YES (threat pattern /     NO (likely false positive
               repeat co-travel /         or innocent explanation)
               intimate-partner context)  │
               │                          ▼
               ▼                      Review AirGuard history
           CONTACT LAW ENFORCEMENT    for corroboration;
           ─────────────────────────  if no clear threat
           Provide: serial number,    pattern, no further
           AirGuard export, photos,   action needed
           timeline, circumstances
           → LE can subpoena Apple /
             Samsung / Tile for the
             account linked to serial
               │
               ▼
           DISABLE the tag
           (when LE has documented /
            or when immediately safe
            to do so)
               │
               ▼
           SAFETY RESOURCES if applicable:
           ─────────────────────────────────────────────────
           • US: National Domestic Violence Hotline
             1-800-799-7233 (or text START to 88788)
           • US: National Center for Victims of Crime
             1-855-4-VICTIM (1-855-484-2846)
           • UK: National Domestic Abuse Helpline (Refuge)
             0808 2000 247 (free, 24 hours)
           • Safety planning with LE or an advocate BEFORE
             confronting or alerting the suspected person

   ─────────────────────────────────────────────────────────────────
   WHAT NOT TO DO:
   ✗ Confront the person you suspect based on the detection alone
   ✗ Post the serial number or owner contact data publicly
   ✗ Destroy or discard the tag before documenting it
   ✗ Try to use the last-4 phone digits to identify the owner yourself
   ✗ Disable the tag immediately if law enforcement has not yet been
     involved (in a genuine stalking situation, the intact tag is evidence)
   ─────────────────────────────────────────────────────────────────

14.8.5 Safety resources

Detection is the beginning of a response, not the end. If you believe you are being tracked by an intimate partner, former partner, or any person in a threatening context, technology is only one part of the safety picture. The most important resources are human:

Table 8 — Detection is the beginning of a response, not the end. If you believe you are being tracked by an intimate partner, former partner, or any person in a threatening context, technology is only one part of the safety picture. The most important resources are human

Resource	Contact	Scope
National Domestic Violence Hotline (US)	1-800-799-7233 or text START to 88788	24/7; also chat at thehotline.org; safety planning, shelter referrals
National Center for Victims of Crime (US)	1-855-4-VICTIM (1-855-484-2846)	Stalking, harassment, crime victim resources
Refuge National Domestic Abuse Helpline (UK)	0808 2000 247 (free, 24 hours)	UK domestic abuse and stalking support
Victim Support (UK)	0808 1689 111	Crime victims including stalking
Local law enforcement non-emergency line	Search: “[your city/county] police non-emergency”	For non-immediate concerns; for immediate danger call emergency services
Apple law enforcement process	apple.com/legal/privacy/law-enforcement-guidelines/	For LE to understand how to request account information linked to a tag serial

Safety advocates with experience in intimate-partner abuse can also provide guidance on technology-facilitated stalking that goes beyond what a detection tool can tell you: screening your vehicle, devices, and accounts for additional monitoring; planning safe exits; understanding the legal-process timeline for subpoenaing account records.

14.9 Cheatsheet Updates

This volume’s contributions to the Vol 15 laminate-ready cheatsheet — the posture and legal bright-lines that must be carried without re-reading:

The make-vs-find line. This series teaches both making trackers and finding them. The line is: consent and ownership. Track your own property and consenting adults — lawful. Track a non-consenting person — criminal stalking in essentially every jurisdiction.
Not legal advice. Every legal pointer in this series is a map, not a guide. Laws vary, change, and apply differently to specific facts. Verify with a licensed attorney in your jurisdiction before acting on any legal framing here.
“I was worried” is not a defense. Anti-stalking and electronic-surveillance statutes are conduct-based, not intent-based. Good motives do not eliminate criminal liability for covert tracking of a person without consent.
Lawful uses: own property, consenting adults, minor-child supervision (with age nuance), research on your own gear, counter-surveillance sweeps of your own space. The common thread: you own it, or the person who is affected has consented.
Unlawful uses: covert tracking of any person without consent. Intimate partner, ex, employee’s personal vehicle, adult child, anyone. The relationship does not create permission. The reason does not create permission.
Minor children are not adults. Parental tracking of young children: generally lawful. Parental tracking of a teenager: mostly lawful but age-sensitive. The moment a child reaches the age of majority (typically 18 in most US states): adult analysis applies; covert tracking without consent is stalking.
US law is a patchwork. Federal stalking statute (18 U.S.C. § 2261A — verify), ECPA (18 U.S.C. §§ 2510 et seq. — verify), and ~40 state electronic-tracking statutes. California Penal Code § 637.7 (verify) is an example of a specific state GPS-tracking prohibition. Check your state’s law.
EU/UK: location data is personal data. GDPR / UK GDPR require a lawful basis for processing. Covert tracking has no valid basis. Verify current GDPR text and local member-state criminal stalking law.
Jurisdiction pointer: check (1) the stalking statute, (2) any specific electronic-tracking statute, and (3) the privacy/data-protection framework. Those three tracks cover covert tracking in essentially every modern legal system.
Data handling during sweeps: minimize retention. You are sweeping for your safety, not building a surveillance database. Incidentally-detected tags belonging to others — do not retain, publish, or act on. Found-tag serial and NFC data — preserve for LE, do not investigate independently.
NFC-read data (serial, last-4 of phone) is evidence for law enforcement, not for you. Do not use it to investigate or confront the tag’s owner. Pass it to police with your AirGuard history log.
DIY beacon (Vol 10) in-bounds envelope. Your own property, personal/research scale, ToS-consistent use. Out of bounds: tracking people, commercial-scale use, intentionally omitting the DULT separated signal to evade victim detection.
A detector gives presence, not proof. Detection confirms a DULT/Find My-format BLE beacon was nearby. It does not prove intent, duration, or identity. NFC serial + AirGuard history + LE subpoena = the evidence chain. Detection is the starting point.
When you find a tracker: document first, disable later. Photograph it, NFC-tap for the serial, export AirGuard history, contact LE — then disable. Premature destruction of a found tracker destroys the evidence most useful for LE account-lookup.
Do not confront alone. Safety planning with LE or a domestic-violence advocate comes before any confrontation. National Domestic Violence Hotline (US): 1-800-799-7233. Refuge (UK): 0808 2000 247.
Vol 15 carries this forward as the bright-lines card: consent, ownership, presence-not-proof, document-then-disable, and the “not legal advice” rider that belongs on every legal summary in this series.

This is Volume 14 of a fifteen-volume series — the ethical and legal capstone. Everything in the detection half (Vols 11–13) points here for the posture and legal framework. The make-vs-find line established in this volume is the answer to the question that should be asked before any tracker work: is this aimed at my own property, or at a person? The technology is the same in both cases; the legal and ethical analysis is completely different. Vol 15 synthesizes the bright lines from this volume alongside the technical cheatsheet content of every other volume into a single laminate-ready reference. The hub’s broader legal/ethics charter remains at _shared/legal_ethics.md, and the Hacker Tradecraft/ deep dive covers the legal-ethics landscape of the full Hack Tools lineage — this volume is the AirTags-specific cut of that framework, applied to item trackers and the people they can harm.

AirTags Volume 14 — Operational Posture, Legal & Ethics