W3C home > Mailing lists > Public > public-privacy@w3.org > October to December 2010

Re: MAC addresses and privacy...

From: David Singer <singer@apple.com>
Date: Mon, 4 Oct 2010 16:02:44 -0700
Cc: public-privacy@w3.org
Message-Id: <8232E363-1787-4931-903A-0680FAB0BD0D@apple.com>
To: Richard Barnes <richard.barnes@gmail.com>
Indeed, it's the more general concern I was having an anxiety attack about.  I always imagined it was *infrastructure* Mac addresses that were harvested.  The thought that my *laptop's* Mac address is in the database feels rather different.  And no, I never put my laptop into 'infrastructure mode' at home.

Bluetooth also uses Mac addresses.  Maybe someone is harvesting those as well.  You could probably track a person's movements by following sightings of their WiFi or Bluetooth.  Ugh.  I am effectively broadcasting "It's me, I'm nearby" all the time, to anyone who cares to listen.

Can I have a tin-foil hat, please?

On Oct 4, 2010, at 11:47 , Richard Barnes wrote:

> Worth noting that this attack doesn't even involve any advanced web APIs.  It's a generic XSS against the web-based interfaces that home gateways present.  The more general concern is of course the existence of MAC-to-location databases.
> 
> 
>> On Oct 4, 2010 2:09 PM, "David Singer" <singer@apple.com> wrote:
>> 
>> I was actually quite disturbed when I entered the mac address of my *laptop* on this page:
>> 
>> http://www.samy.pl/mapxss/
>> 
>> and it got my location to within one house (i.e. it attributed it to the house next door).
>> 
>> This means anyone sniffing my mac address when I am traveling will have a pretty good idea of where I am from.  My iPhone's MAC address did not trace....
>> 
>> David Singer
>> Multimedia and Software Standards, Apple Inc.
>> 
>> 
> 

David Singer
Multimedia and Software Standards, Apple Inc.
Received on Monday, 4 October 2010 23:03:52 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Monday, 4 October 2010 23:03:54 GMT