Apple adds privacy-protecting MAC spoofing (when Aaron Swartz did it, it was evidence of criminality)

Apple has announced that it will spoof the MAC addresses emitted by its wireless devices as an anti-tracking measure, a change that, while welcome, is "an umbrella in a hurricane" according to a good technical explainer by the Electronic Frontier Foundation's Jeremy Gillula and Seth Schoen.

One notable and sad irony here is that MAC spoofing was held up as evidence of criminality in the indictment of Aaron Swartz: the US prosecutors characterized changing your MAC address as the sort of thing that only criminals do. Either this is proof that "when privacy is criminalized, only criminals will have privacy" or that federal prosecutors are lying assholes. These are not mutually exclusive possibilities.

Unfortunately, in the overall scheme of location-tracking technology, Apple's privacy-protective step is something like opening an umbrella in the middle of a hurricane. Smartphones still transmit cellular signals containing a different hardware identifier called the IMEI (as well as other mobile device identifiers). Cell towers (and specialized surveillance equipment that's becoming increasingly widely available) can still use such information to pinpoint where you are. We don't have a good solution for that today, and it needs to be recognized as a major privacy risk. And other mobile and "Internet of things" technologies, including Apple's new iBeacons, also have important implications and risks for location privacy.

But even when we just focus on Wi-fi, the Wi-fi probe packets sent by your smartphone also contain the names of networks that your phone wants to join (because it's joined them before). Not only does this broadcast a history of where you've been (through the names of these networks), it's also highly distinctive in itself. Just as you're probably the only person who both lives in your home and works in your workplace, you're probably the only person whose phone and laptop have joined both your home network and your work network. That means that, even without a persistent hardware MAC address, carefully watching the network list itself can allow an astute watcher to identify you.

Some retail analytics companies, and, we presume, some government agencies, are already doing just that. That means that, for many users, the benefit of Apple's privacy enhancements is circumscribed by other leaks that might end up giving away almost the same information. Still, Apple's move is extremely welcome and, to our knowledge, makes Apple the first device maker to have protected its users' privacy this way. We hope other vendors will rise to the challenge of protecting their users in the same way, but recognize that this is just the first step down the road of preventing mobile devices from broadcasting information about their users' whereabouts.


An Umbrella in the Hurricane: Apple Limits Mobile Device Location Tracking
[Jeremy Gillula and Seth Schoen/EFF]

(Image: nRF24L01+ Promiscuous Mode, Travis Goodspeed, CC-BY)