One of the most unnerving things about modern communications technology is the way devices constantly leak information about their physical whereabouts—to mobile carriers, network operators, e-mail providers, web sites, governments, even shopping mall owners. Many of these information leakages are simple historical accidents. The designers of technologies never considered that technical standards would let everyone around you notice your device's presence. They never considered that technical choices would let web sites infer when two people are (or aren't) spending the night in the same residence, or let your phone company follow you around virtually from moment to moment.
This spring the Federal Trade Commission took a look at one surprising form of location tracking: the way the retail analytics industry is watching our mobile devices to produce reports about our behavior in retail spaces. (EFF presented at the FTC's workshop and filed comments.) Even our neighbors at Philz Coffee were using a retail analytics technology to track customers, but, following reporting by the San Francisco Appeal, they've agreed to stop. (Thanks, Philz!)
Most of the retail analytics technologies take advantage of a weird combination of technical facts. First, Wi-Fi devices each have a unique hardware serial number, called a MAC address. Second, the MAC address is broadcast whenever the Wi-Fi device sends a signal of any kind. Third, Wi-Fi devices (including smartphones) are constantly transmitting a signal in order to find familiar Wi-Fi networks to join. That means that just by listening to these signals, you can tell whether particular devices are nearby—and retail analytics firms, among others, have done just that.
The inventors of these technologies probably never meant for them to be used to track individuals. The decision to make the MAC address unique and persistent, for example, was made when Ethernet was first invented, way back in the 1970s. But the technology was meant to be used in an office environment on computers that weren't portable at all, and that were laboriously wired into the network. The tradition of unique hardware identifiers was inherited by subsequent generations of Ethernet technology, including Wi-Fi, until the devices with these identifiers ended up in our pockets, broadcasting a permanent and unique identifier wirelessly everywhere we go.
This accident of history could be fixed if MAC addresses were instead temporary and randomly assigned—that way strangers would no longer be able to recognize you or figure out where you are or where you've been.[1] We told the FTC that device makers could help fix this problem this way, but we didn't expect much progress any time soon. That's why we were extremely happy to learn that Apple announced this week that future iPhone and iPad operating systems will use a random MAC address, rather than a fixed one, when probing for Wi-Fi networks. That makes it harder to identify particular devices, and is an important step in limiting the use of this technology to track iPhone and iPad users.
Unfortunately, in the overall scheme of location-tracking technology, Apple's privacy-protective step is something like opening an umbrella in the middle of a hurricane. Smartphones still transmit cellular signals containing a different hardware identifier called the IMEI (as well as other mobile device identifiers). Cell towers (and specialized surveillance equipment that's becoming increasingly widely available) can still use such information to pinpoint where you are. We don't have a good solution for that today, and it needs to be recognized as a major privacy risk. And other mobile and "Internet of things" technologies, including Apple's new iBeacons, also have important implications and risks for location privacy.
But even when we just focus on Wi-Fi, the Wi-Fi probe packets sent by your smartphone also contain the names of networks that your phone wants to join (because it's joined them before). Not only does this broadcast a history of where you've been (through the names of these networks), it's also highly distinctive in itself. Just as you're probably the only person who both lives in your home and works in your workplace, you're probably the only person whose phone and laptop have joined both your home network and your work network. That means that, even without a persistent hardware MAC address, carefully watching the network list itself can allow an astute watcher to identify you.
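To make both leaks concrete (the persistent MAC address described in the retail-analytics paragraph above, and the network names described here), the following is an added Python model, not code from this post or from Apple. The two policy flags, the hardware address and the network names are constructed assumptions; the model shows that a passive listener can still tie two scan bursts from one phone together by their set of network names when only the MAC is randomized, and that the link disappears only when the phone stops naming networks in its probes.

```python
import secrets
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Probe:
    mac: str
    ssid: str  # "" is a broadcast (wildcard) probe that names no network


def random_mac() -> str:
    """Fresh locally administered, unicast MAC: octet 0 has bit 1 set, bit 0 clear."""
    b = bytearray(secrets.token_bytes(6))
    b[0] = (b[0] | 0x02) & 0xFE
    return ":".join(f"{x:02x}" for x in b)


def scan_burst(hw_mac, known_ssids, randomize_mac, directed_probes) -> List[Probe]:
    """One scan cycle as seen over the air; the two policy flags are hypothetical knobs."""
    mac = random_mac() if randomize_mac else hw_mac
    if directed_probes:  # one probe per remembered network, each naming it
        return [Probe(mac, s) for s in known_ssids]
    return [Probe(mac, "")]  # broadcast probe only: no network names leak


def linkable(burst_a, burst_b) -> Optional[str]:
    """How a passive listener could tie two bursts to one device, or None."""
    if {p.mac for p in burst_a} & {p.mac for p in burst_b}:
        return "mac"
    names_a = {p.ssid for p in burst_a if p.ssid}
    names_b = {p.ssid for p in burst_b if p.ssid}
    if names_a and names_a == names_b:
        return "ssid-set"
    return None


def evaluate(randomize_mac, directed_probes) -> Optional[str]:
    """Link two consecutive bursts from one constructed device under a policy."""
    hw_mac = "00:11:22:33:44:55"  # constructed, not a real device
    known = ["HomeNet-Example", "ACME-Corp-Wifi"]  # constructed network names
    a = scan_burst(hw_mac, known, randomize_mac, directed_probes)
    b = scan_burst(hw_mac, known, randomize_mac, directed_probes)
    return linkable(a, b)


if __name__ == "__main__":
    for policy in [(False, True), (True, True), (True, False)]:
        print("randomize_mac=%s directed_probes=%s -> %s" % (policy + (evaluate(*policy),)))
```

Running it prints the three outcomes in order: linked by "mac", linked by "ssid-set", and None.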
Some retail analytics companies, and, we presume, some government agencies, are already doing just that. That means that, for many users, the benefit of Apple's privacy enhancements is circumscribed by other leaks that might end up giving away almost the same information. Still, Apple's move is extremely welcome and, to our knowledge, makes Apple the first device maker to have protected its users' privacy this way. We hope other vendors will rise to the challenge of protecting their users in the same way, but recognize that this is just the first step down the road of preventing mobile devices from broadcasting information about their users' whereabouts.
[1] Using the MAC address to authenticate devices that are allowed to join a network is a common use case, but it is a stop-gap measure; we have much better technologies to accomplish this today.