Don’t Track My MAC!


The latest technology in mobile seems to be identification.  It has nothing to do with credentials.  Instead, it has everything to do with creating a database of who you are and where you are.  Location-based identification is the new holy grail for marketing people.  And the privacy implications are frightening.

Who Are You?

The trend now is to get your device MAC address and store it in a database.  This allows the location tracking systems, like Aruba Meridian or Cisco CMX, to know that they’ve seen you in the past.  They can see where you’ve been in the store with a resolution of a couple of feet (much better than GPS).  They now know which shelf you are standing in front of.  Coupled with new technologies like Apple iBeacon, the retailer can push information to your mobile device like a coupon or a price comparison with competitors.

It’s a fine use of mobile technology.  Provided I wanted that in the first place.  The model should be opt-in.  If I download your store’s app and connect to your wifi then I clicked the little “agree” box that allows you to send me that information.  If I opt-in, feel free to track me and email me coupons.  Or even to pop them up on store displays when my device gets close to a shelf that contains a featured item.  I knew what I was getting into when I opted in.  But what happens when you didn’t?

Wifi, Can You Hear Me?

The problem comes when the tracking system is listening to devices when it shouldn’t be. When my mobile device walks into a store, it will start beaconing for available wifi access points.  It will interrogate them about the SSIDs that they have and whether my device has associated with them.  That’s the way wifi works.  You can’t stop that unless you shut off your wireless.

If the location system is listening to the devices beaconing for wifi, it could be enabled to track those MAC addresses that are beaconing for connectivity even if they don’t connect.  So now, my opt-in is worthless.  If the location system knows about my MAC address even when I don’t connect, they can push information to iBeacon displays without my consent.  I would see a coupon for a camping tent based on the fact that I stood next to the camp stoves last week for five minutes.  It doesn’t matter that I was on a phone call and don’t have the slightest care about camping.  Now the system has started building a profile of me based on erroneous information it gathered when it shouldn’t have been listening.

Think about Minority Report.  When Tom Cruise is walking through the subway, retinal scanners read his print and start showing him very directed advertising.  While we’re still years away from that technology, being able to fingerprint a mobile device when it enters the store is the next best thing.  If I look down to text my wife about which milk to buy, I could get a full screen coupon telling me about a sale on bread.

My (MAC) Generation

This is such a huge issue that Apple has taken a step to “fix” the problem in the beta release for iOS 8.  As reported by The Verge, iOS 8 randomizes the MAC address used when probing for wifi SSIDs.  This means that the MAC used to probe for wifi requests won’t be the same as the one used to connect to the actual AP.  That’s huge for location tracking.  It means that the only way people will know who I am for sure is for me to connect to the wifi network.  Only then will my true MAC address be revealed.  It also means that I have to opt-in to the location tracking.  That’s a great relief for privacy advocates and tin foil hat aficionados everywhere.

It does make iBeacon configuration a bit more time consuming.  But you’ll find that customers will be happier overall knowing their information isn’t being stored without consent.  Because there’s never been a situation where customer data was leaked, right? Not more than once, right?  Oh, who am I kidding.  If you are a retailer, you don’t want that kind of liability on your hands.

Won’t Get Fooled Again

If you’re one of the retailers deploying location based solutions for applications like iBeacon, now is the time to take a look at what you’re doing.  If you’re collecting MAC address information from probing mobile devices you should turn it off now.  Yes, privacy is a concern.  But so is your database.  Assuming iOS randomizes the entire MAC address string including the OUI and not just the 24-bit NIC at the end, your database is going to fill up quickly with bogus entries.  Sure, there may be a duplicate here and there from the random iOS strings, but they will be few and far between.

More likely, your database will overflow from the sheer number of MACs being reported by iOS 8 devices.  And since iOS7 adoption was at 87% of compatible devices just 8 months after release, you can guarantee there will be a large number of iOS devices coming into your environment running with obfuscated MAC addresses.

Tom’s Take

I don’t like the idea of being tracked when I’m not opted in to a program.  Sure, I realize that my usage statistics are being used for research.  I know that clicking those boxes in the EULA gives my data to parties unknown for any purpose they choose.  And I’m okay with it.  Provided that box is checked.

When I find out my data is being collected without my consent, it gives me the creeps.  When I learned about the new trends in data collection for the grand purposes of marketing and sales, I wanted to scream from the rooftops that the vendors needs to put a halt to this right away.  Thankfully, Apple must have heard my silent screams.  We can only hope that other manufacturers start following suit and giving us a method to prevent this from happening.  This tweet from Jan Dawson sums it up nicely:

10 thoughts on “Don’t Track My MAC!

    • I think Apple is to be commended for taking a stand against some of the location tracking based solely on wifi. Now, I’m sure part of this is to get retailers and other users to buy into iBeacon using Apple frameworks and technologies rather than half-assing it with just wifi MAC addresses. Time will tell.

  1. According to the Apple presentation from WWDC’14 on user privacy, the MAC address will be randomly generated from the pool reserved for “Locally Administered Addresses”. Based on this, the “random” MAC address should follow one of the below formats:

  2. The example seems a bit weak – if I enter a store, and my device automatically searches for an access point, should I really have an expectation of privacy that they would not collect the information that my device willingly sent them in the first place?

    • The intent here is the key. If I pull out my device and connect to the WLAN in the store then I am showing intent to have my data collected. That’s a given. However, if the retailer is taking advantage of a protocol behavior to store my data, that’s not good.

      For another technical example, imagine if the “tap to pay” credit card readers stored every card number that got close to them. Do you want the reader only storing the information for the card you used to pay? Or for any card that happens to get within 8 inches of the reader? Who is ultimately responsible for restricting that transfer? Should I be forced to hold my wallet away from the reader (or turn off my wifi in the first example)? Or should the merchant be responsible?

  3. Pingback: Newsletter: June 15, 2014 | Notes from MWhite

  4. Can you explain how advertisers get the MAC? The AP hears my beacon probe, but that doesn’t mean anyone else does. I’m also curious how the fake MAC helps, since eventually I need to connect with a real MAC.

    • If the AP hears your beacon, that information is forwarded to the controller for logging. That’s how controllers can find rogue APs and clients that aren’t associated. If the location system is setup to munge the log files for these non-associated clients, they will have your MAC and consider you a potential customer device. You don’t have to join and no one else has to hear you. It’s a basic function of the way wifi automatically joins networks.

      The fake MAC just keeps these systems from cataloging your MAC address without an association. When you choose to join a specific SSID, the device will complete the join process using the actual MAC address of the radio interface. It will have to do that to ensure proper communication. Again, the fake MAC spoofing is only to prevent cataloging of your MAC in the event you *don’t* join the network. If you do, I’m sure the captive portal page will need to include a legal disclaimer saying that you agree to have your MAC address stored and used for analytics purposes (if it’s not already there).

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s