Re: MAC addresses and privacy... from David Singer on 2010-10-04 (public-privacy@w3.org from October to December 2010)

From: David Singer <singer@apple.com>
Date: Mon, 4 Oct 2010 16:42:39 -0700
To: Harry Halpin <hhalpin@ibiblio.org>
Cc: public-privacy@w3.org
Message-Id: <691F79F3-E1FA-4A71-A8EE-51E54FE648F2@apple.com>

I think we have the inverse here.

Skyhook and the like tell *me* where *I* am, based on the Mac addresses that can be seen in the vicinity (as I say, I always assumed it was of infrastructure base stations).

I think this is miles away from it telling *me* where *you* are, based on sightings of your phone/laptop/netbook etc.'s MAC address near other points.  At the moment, the database 'only' says (when you look up my MAC address) "you're seeing an address I'd normally expect to find in San Francisco", so if you see this in (say) Algiers, you might notice.  It's not far to stretch this to "you're seeing a MAC address usually associated with <something that more closely identifies me>". 

Imagine an ISP who supplies integrated WiFi base stations and DSL or Cable termination equipment.  They probably claim that that termination equipment belongs to them, and that they have every right to listen to see what MAC addresses they see in the vicinity of each.  They see this MAC address in this area of the city, then this, then this other, and so on.  They are tracking me because I 'chose' to carry a unique address around with me all the time, and (kinda) broadcast it.  I'm not sure how easy it is to 'see' MAC addresses of WiFi points that are not currently connected to anything, but it is *quite* easy for Bluetooth.

A few years ago there was a fashion for little bluetooth base stations that would look for phones in their vicinity and send them a 'contact' (one of the few things you can send without recipient consent) that actually advertised a local business ("Best gelato in town - right here!" as the 'name' of the contact).  They, at least, were telling me that they had seen my Bluetooth address.  Others may not be so ... courteous?

On Oct 4, 2010, at 16:27 , Harry Halpin wrote:

> Of course Skyhook [1] whose business model is precisely this. I was
> under the impression this was how Apple devices up till April of this
> year) (then Apple apparently switched [2]) as well as Google
> determined location for Apps like Google Maps.
> 
> The only way I can think of stopping these datbases is by changing
> your MAC address using (at least on Linux) using ifconfig. However, is
> that secure?
> 
> Also, the main loss here is that many people (for example, my Uni.)
> use the MAC address when logging in on our internal wifi, something I
> wouldn't like to lose access to.
> 
>             cheers,
>                 harry
> 
> [1]http://en.wikipedia.org/wiki/Skyhook_Wireless
> [2]http://techcrunch.com/2010/07/29/apple-location/
> 
> 

David Singer
Multimedia and Software Standards, Apple Inc.

Received on Monday, 4 October 2010 23:43:13 UTC