How I sold an old Mac and unknowingly had access to its location for over 3 years
So this crazy thing happened recently with an old Mac I sold on Craigslist a few years ago. I noticed it was still showing up in my Find My iPhone app. Well, at first I didn’t realize it was that particular Mac. I just happened to notice there was a computer I didn’t recognize in Find My iPhone called “Michael’s iMac”.
I clicked in and saw a computer that wasn’t mine showing up on a map about 100 miles north of my house.
I vaguely remembered selling an iMac on Craigslist 3 years ago, and figured that was this one. Then I realized that meant for over 3 years, I had access to this person’s exact location. That’s insane to me.
How the hell did that happen?
Before selling, I erased the computer and re-installed a fresh MacOS
I did a hard erase of the computer and reinstalled MacOS factory fresh. The mistake I made was that before erasing the computer, I didn’t sign out of iCloud / Find My Mac. I figured erasing the computer would do that. It didn’t.
I sold the computer and the user didn’t log into iCloud
For whatever reason, this person didn’t need to sign into iCloud. So this meant that Apple still associated the computer hardware with my iCloud account. The computer wasn’t logged into my iCloud account, but was still associated with my account, so I still could track the computer’s location in real time.
For me (the seller), this isn’t much of a security risk
The buyer won’t see or have access to any private iCloud data; the hardware is just associated with it. But the seller can’t disassociate it without the buyer’s help (and I didn’t have any way to contact them), so it’s a pain.
No, logging all devices out of iCloud doesn’t work. And no, this has nothing to do with if the computer is in your Support Profile.
The only options I had were Play Sound, Lock, and Erase.
For the buyer, there are massive privacy concerns
The biggest privacy issue is for the buyer. If they don’t turn on Find My Mac with their own iCloud account, they leave a lot of power in the previous owner’s hands.
The previous owner can track the buyer’s location.
At any time in the past 3 years I could have tracked this computer’s exact location. Not a huge deal with an iMac, but if this was a laptop, I’d basically know where this person was at all times. Terrifying.
The previous owner can erase everything remotely.
With two clicks, at any point, I could shut down this user’s computer and completely wipe it clean. They couldn’t stop it and would have no control. They’d lose everything.
The previous owner can lock the buyer out.
This is what I ended up doing. It was the only way I could get in touch with the owner. So I remotely locked the computer and in the lock message, put my phone number.
The new owner texted and we got it resolved. As mentioned, it wasn’t that they were still logged into my iCloud account, it was that they never signed into their own iCloud account.
Resolving it showed one last nugget of privacy ugh
When Michael finally logged into his own iCloud account and turned on Find My Mac, the computer was nice enough to tell him my full name.
Not a huge deal, but for people who want to remain anonymous when selling a computer, this sucks.
Overall, this seems like a massive privacy / security flaw. Maybe Apple has patched this in a more recent MacOS update. Again, I sold this computer 3 years ago. But just in case, if you sell a computer, turn off Find My Mac BEFORE wiping it. And if you buy a computer, immediately sign into iCloud so there’s no chance the seller can track you.
No, removing it from iCloud Settings doesn’t help
[ADDED 2/27/18]: A few people have commented that I should have just removed it from my iCloud account. In a PCMag article, it said
As Apple notes, you can also remove devices from your iCloud account that you no longer have access to by hitting up Settings on icloud.com, clicking on a device you want to disassociate, and clicking the big “x” delete button next to any devices you no longer have access to. It’s unclear if Mulligan attempted that approach, but his advice still stands for buyers, at least — sign into iCloud yourself to confirm that your seller isn’t keeping tabs on where you are.
I tried this, both from the iOS app, the Find My iPhone web app, and the iCloud settings. Although it seems like you can remove the app, all it does is remove it from the account until the person logs in again: “This device will reappear if it connects to the Internet.” See below.
You might get excited to see a link to “Lost, sold, or gave away this device?”. One would think that would have the answer. But alas, it does not. It tells you to do the above, and caveats:
If you remove a device from iCloud, and the device reconnects to the Internet, it reappears in the My Devices section of Settings.
So, none of this helps. You can’t remove it for good.
[ADDED 2/26/18]: I’ve gotten feedback that this is a feature not a bug, and that this allows an owner to track their computer if a theft occurs. I supposed that’s true, but the only thing a thief has to do to override this feature would be to sign into any iCloud account. Then the tracking would stop. So my opinion is that the benefit of that “feature” is outweighed by the privacy issues it causes.