At this year’s Worldwide Developer Conference, Apple announced that it’s changing how a device’s MAC address is communicated to WiFi access points in iOS 8.
This modification puts a damper in companies’ ability to track brick-and-mortar shoppers who use iPhone’s and iPad’s, forcing developers to crank up their innovation and figure out another way to capitalize on location data. Despite some concerns from others, Apple’s decision is the right thing to do in order to protect consumers and reduce potential privacy risks.
What is a MAC Address?
A MAC address is a hardware-based identification number, provided by any device that connects to a network. Hardware-based identifiers are read-only, meaning they can’t be changed. They’re written to the physical network chip in each device. When a device connects to a Wi-Fi network it’s identified by its MAC address for the duration of its connection. This allows the right traffic to be sent to and from your phone, PC, or TV regardless of how many devices are connected.
We’ll be exploring the importance of mobile privacy at MobileBeat 2014 in San Francisco on July 8-9.
Your device is constantly looking for a known Wi-Fi network to join, which is why when you pull out your phone at home or at work it’s already connected and ready to go. But as your phone searches for Wi-Fi, it’s broadcasting its MAC address to any Wi-Fi access points that are within range. It’s part of the handshake devices engage in to recognize each other.
Recently, a few companies have developed Wi-Fi hubs that remember the MAC addresses they see. They log your device as it scans for a hub, whether or not you join the Wi-Fi access point. These companies have installed these logging hubs in many places, allowing them to compare visitors as they move from place to place, without their knowledge.
Even if people were informed that their devices were being monitored, the only way to prevent this type of tracking is to turn off Wi-Fi completely, which is an extreme step.
Finally, there’s a difficulty with hardware-based identifiers. The mobile advertising industry, including big players like Google and Apple, has worked hard to move away from hardware-based identifiers. Software-based identifiers, like Apple’s IDFA, can be reset by users or blocked entirely. Hardware identifiers won’t change for the life of the device so if there’s a data leak and a malicious source obtains a hardware-based device identifier, the only way to ensure you will not be affected is to buy a new device.
Apple’s Privacy Challenge
So Apple faced a challenge: their users’ devices were being logged without their knowledge and without their consent. Apple’s adherence to standard network practices — broadcasting MAC addresses to WiFi hubs — created an environment where this situation could occur, leading Apple to make a change.
Starting in iOS 8, iPhones, iPads, and iPod Touches will broadcast random MAC addresses. In Apple’s words, “The MAC address for Wi-Fi scans may not always be the device’s (universal) address.” Companies that log MAC addresses won’t be able to connect individual visits to a single device. They’ll know someone is there, but not where else they’ve gone.
Some have suggested that this move is to get more people using Apple’s own iBeacon API. While this may be true, iBeacons are much more user friendly. To see a company’s iBeacons, users must install an associated application and grant it the appropriate location permissions. Applications that use iBeacons are opt-in and users are always able to opt-out by managing their location permissions.
The Right Move
iOS has a history of protecting user privacy and providing access controls. In fact, this isn’t their first big MAC address change. Last year they blocked applications from accessing the MAC address. Their only location privacy update this year called for more explicit background location access controls.
Overall, Apple’s decision to randomize MAC addresses is a win for users and the location data ecosystem. They provide a managed space where developers can innovate without overstepping user expectations.
As a growing number of applications use location in more diverse ways, they can now do so in an environment where users still retain control.
Drew Breunig is PlaceIQ’s vice president of strategy.