MAC Addresses, UDIDs, and Privacy

Fri 06 April 2012 by Adam Drake

There has been quite a bit of fuss in the days since Apple started rejecting apps that make use of the UDID. The deprecation was announced months ago, but the rejection started without warning and was a surprise to some. Firms that had been planning for the change typically already had multiple secondary solutions in place, many of which rely on using the Media Access Control (MAC) address from the wireless network interface controller (wireless NIC) on the device. There have since been complaints that this is just as much of a privacy problem as using the UDID that Apple banned access to (keep in mind, Apple itself still has access to it), but these complaints demonstrate a lack of understanding of what a MAC address is, why it exists, and most notably the fact that it is transmitted in a plainly readable form that can be viewed by every other device on any network to which you are connected.

Some background on MAC addresses

As noted before, MAC stands for Media Access Control, and it is a special identifier that is assigned by the manufacturer to every NIC inside electronic devices. In theory, every NIC in every device has a unique MAC address assigned to it. This has been the case for decades, so there is nothing new or revolutionary going on here. If you have a laptop with an Ethernet NIC (where you plug in a cable to get on a network), a wireless NIC (so that you can access wireless networks), and a Bluetooth controller (for keyboards, mice, etc.), then your laptop will have three distinct MAC addresses, one for each NIC. These MAC addresses are used to route the information from your device to other devices or points on the network. The MAC address is somewhat like a return address written on a letter, and due to its importance for network communication, it isn't going anywhere any time soon. Any time you send any information over the network, say to access a web page, check your email, or any other task, this information is broken up into tiny chunks, and each chunk contains information about where it came from and where it's going. Maybe a more concrete example would better illustrate how this works.

Say you want to mail a big book to a friend. If you used the same method to send the book that your electronic device uses to surf the web, then you wouldn't just send one big book in one big box. What your computer/iPhone/whatever does is split the book into stacks of, say, 20 pages. Then it puts each stack of pages into its own envelope and writes your friend's address and the return address (yours), so that your friend knows where the letter came from. It also writes a number on each envelope so that your friend can reassemble the pages inside the envelopes in the correct order and make sure that they received all the envelopes required to reconstruct the complete book. People are not shocked by the fact that anyone who happens to see one of the envelopes will also see the addressing information that you wrote on them.

This process works just the same when electronic devices communicate. The difference is that the addresses of the sender and recipient are not a name, street, city, and country. They are other identifiers, one of which is the MAC address of your NIC. In general these pieces of information can be seen by everyone who is on the same network as you, and in some cases even people outside your network. In other words, if you are surfing the web on your phone using a wireless network in a coffee shop, then everyone else who is connected to that wireless network can see your MAC address, and you can see theirs too. It's 100%, completely, public. It is not encrypted, anonymized, or otherwise abstracted. The MAC address from your device is broadcast as clearly as if you wrote it on a huge piece of paper and held it above your head. Everyone could easily read it, and they'd think you were crazy if you yelled at them for doing so. They would probably already think you were crazy for writing a MAC address on a huge piece of paper and holding it over your head, but you get my point.

The Privacy Problem

So then the question becomes, is making use of information someone has publicized actually a privacy problem? I am guessing that most people who are raising the privacy issue in relation to the use of MAC addresses don't realize that the MAC address is being constantly broadcast by their device any time they are doing anything on any network. User privacy is important, and that's why I fully advocate that companies making use of the MAC address should anonymize it first. By doing so they are voluntarily protecting the user.

From the opposite perspective, there is no way to easily disable or change a MAC address. You can pretend to have a different one, called MAC spoofing, but it isn't always easy or possible to do so. In that sense, anyone who is using a device connected to some network doesn't really have a choice with regard to the visibility of their MAC address. The MAC address exists and has for decades, it's pretty much required in order for most devices to communicate, and there is nothing you can easily do to get rid of it. In that sense, using the MAC address as a device identifier poses the same problems as the UDID.

The big problem here is something that is very common when technology and privacy intersect. People don't understand the details of how the technology works, and for the most part they don't really care. This causes people to use features that probably aren't good for their privacy even though they shouldn't. This ignorance also causes them to freak out about things that don't really have as much of an impact on their privacy, because they don't understand the technology and this lack of understanding results in fear. They will go along happily using their iPhone, checking in with Foursquare, which is cross-posted to their Facebook (or they check in with Facebook directly), and they tweet pictures with Instagram, and they think nothing of doing all of this. In reality, they are giving away an amazing amount of information about who they are, where they are, and what they are doing.

For example, if you are checking in with Facebook or Foursquare then people know where you are and where you aren't. If you have personal photos on your (likely public) Facebook profile then someone can easily just go to wherever you are (since you checked in), wait for you to come out (since they have your photo), and follow you around. They could follow you home, wait until you leave again, see that you have checked in at work, and proceed to steal all your possessions. People are voluntarily sharing all these things, this data that could be formed into a very real threat, and people seem to be perfectly comfortable with that. Why? You could make the argument that people are comfortable sharing so much information because they are choosing to do so, but that's not really a good argument if the choice is not a well-informed one. I would advise people to visit the Electronic Frontier Foundation (EFF), which has a specific page set up for social network privacy and security. As is often the case, the privacy argument all comes down to user education. They never knew anything about MAC addresses, and now they're unhappy that there is some unique token that is tied to their device. They just didn't know that it's been this way all along.

Conclusion

So using UDIDs is not possible anymore, and that isn't a bad thing. Many companies have switched to alternative methods, including using an anonymized version of the MAC address. The MAC address is a necessary part of communication between networked devices and is readable by all devices on the same network (and always has been), so taking the step to anonymize it (which every company should) is actually a step up for user privacy.

You don't get to drive a car without license plates, you don't get to send letters without writing an address on them, and you don't really get to connect electronic devices to a network without a MAC address. You do get to choose if you will drive, write letters, or surf the web, and in these situations the user still does have the choice to opt out. Whether or not they feel the risks outweigh the benefits is something only they can decide, but that decision should be an informed one. In the meantime, companies making use of the MAC address should keep in mind user privacy concerns, should always hash the MAC address so they are not accessing the original, and should take all possible steps to facilitate privacy and transparency for users.
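
One way to carry out the hashing recommended above, as an added example that is not code from the original post: it derives a per-app device token with HMAC-SHA256 rather than a bare hash, since a MAC is only 48 bits and an unkeyed digest of it is identical for every company that computes it. The function names, sample MAC and keys are constructed for illustration.

```python
import hashlib
import hmac
import re

_HEX12 = re.compile(r"[0-9a-f]{12}")


def normalize_mac(mac: str) -> bytes:
    """Accept 02:00:5E:.., 02-00-5e-.. or 0200.5e10.0001; return 6 raw bytes.

    Normalizing first means one device always maps to one token, whatever
    textual form the platform API happened to return.
    """
    digits = re.sub(r"[:\-.\s]", "", mac).lower()
    if not _HEX12.fullmatch(digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return bytes.fromhex(digits)


def unkeyed_hash(mac: str) -> str:
    """Bare SHA-256 of the MAC. Every party gets the same digest, so records
    can be joined across companies, and the 48-bit input space (24 bits once
    the vendor prefix is known) is small enough to enumerate."""
    return hashlib.sha256(normalize_mac(mac)).hexdigest()


def device_token(mac: str, app_key: bytes) -> str:
    """HMAC-SHA256 of the MAC under a secret held by one app or company.

    Stable for a given device and key, different under every other key, and
    not recomputable by someone who only observes the MAC on the network.
    """
    if len(app_key) < 16:
        raise ValueError("app_key should be at least 16 random bytes")
    return hmac.new(app_key, normalize_mac(mac), hashlib.sha256).hexdigest()


# Constructed sample values (locally administered MAC, made-up keys).
SAMPLE_MAC = "02:00:5E:10:00:01"
KEY_APP_A = b"constructed-key-for-app-A-000001"
KEY_APP_B = b"constructed-key-for-app-B-000002"

if __name__ == "__main__":
    print("unkeyed :", unkeyed_hash(SAMPLE_MAC))
    print("app A   :", device_token(SAMPLE_MAC, KEY_APP_A))
    print("app B   :", device_token(SAMPLE_MAC, KEY_APP_B))
```

The raw MAC should be discarded once the token is computed, and the key kept server-side or otherwise out of reach of anyone who can observe the device's traffic.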