A tiny technical change in iOS 8 could stop marketers spying on you

Hey, I just met you, and this is crazy, but I’m taking your MAC address, lady.
Hey, I just met you, and this is crazy, but I’m taking your MAC address, lady.
Image: Reuters/Gleb Garanich
We may earn a commission from links on this page.

This item has been corrected.

Whenever you walk around a major Western city with your phone’s Wi-Fi turned on, you are broadcasting your location to government agencies, marketing companies and location analytics firms.

In shopping malls, for instance, a firm called Euclid Analytics collects, in its own words, “the presence of the device, its signal strength, its manufacturer (Apple, Samsung, etc.), and a unique identifier known as its Media Access Control (MAC) address.” In London last year, one start-up installed a dozen recycling bins that sniffed MAC addresses from passers-by, effectively tracking people through the area via their phones. Such companies go to great lengths to explain that such information in not personally identifiable—except that repeated studies have shown that this data can indeed be used to infer a great deal about your life.

At the core of such tracking is the MAC address, a unique identification number tied to each device. Devices looking for a Wi-Fi network send out their MAC address to identify themselves. Wireless routers receive the signals—and addresses—even if a connection is never made. Companies like Euclid or its peer Turnstyle Solutions use the data to track footfall in stores, how people move about in shops, how long they linger in certain sections, and how often they return. Store-owners use the information to target shoppers with offers (paywall) or to move high-value items to highly-trafficked parts of the shop, among other things.

Even though stores may not mine this data to try to identify individuals, there are plenty of legitimate privacy concerns about the data collection, especially since people tend to be unaware that it is happening. Apple’s solution, as discovered by a programmer, is for iOS 8, the new operating system for iPhones which will be out later this year, to generate a random MAC addresses while scanning for networks. That means that companies and agencies that collect such information will not necessarily know when the same device (i.e., person) visits a store twice, or that the same device pops up in stores across the country or the world, suggesting a much-travelled owner.

This is not the first time Apple has fiddled around with the way it administer MAC addresses. The current operating system for iPhones, iOS 7, prevents app developers from using MAC addresses to track how many people have installed their apps or to target ads—again, for privacy reasons. The change in iOS 8 has wider ramifications because it doesn’t just affect developers who build iOS apps, but any company that uses the nature of wireless networking to identify a device.

But while Apple’s move is good for its customers and for their privacy, it is not an invisibility cloak. If there is one thing we have learned from the past year of exposés about government snooping, it is that people are easily gulled into surrendering their online privacy. For example, stores increasingly offer customers free Wi-Fi to convince customers to linger longer, but also to extract valuable data from them, such as name and other basic personal information, browsing patterns, and more. Apple’s change to how MAC addresses are used won’t prevent that. By connecting to a Wi-Fi network, customers willingly give up such data and then some: A survey by Purple Wi-Fi, which provides tracking services for Wi-Fi networks to businesses in the UK, found that some 17% of consumers log on to internet banking from unsecured, public networks.

Correction: This item misstated the nationality of the programmer who tweeted about the change as Swiss. He isn’t.