Posted by: Jason O'Grady
Date: Saturday, September 27th, 2014, 15:36
Category: iOS, iOS 8, iPhone, privacy
You know that we love, cherish and respect your privacy here at The PowerPage, right?
Privacy bugs will be interested in reading Apple’s new “Privacy built in” microsite, which extols the virtues of some of the new privacy features that are baked into iOS 8. While it’s a huge step in the right direction for the consumer (so much so that the FBI is spreading FUD about it), some industry experts are taking issue with one of the new features.
At issue is what Apple calls Randomized Wi-Fi addresses. In reading that section of Privacy Built In, one could be left to believe that merchants and retailers can no longer track your movements and behavior by scanning your iPhone’s Wi-Fi MAC address. While Apple has taken steps to obscure it in iOS 8, it’s not as simple (or automatic) as Apple leads us to believe.
A new blog post from AirTight Networks’ Bhupinder Misra called “iOS8 MAC Randomization – Analyzed!” (read parts 1 and 2) takes issue with Apple’s claims that iOS 8 uses randomized and locally administered Wi-Fi MAC addresses in the probing state. For his blog posts Misra used sophisticated packet sniffing gear to dig into the inner workings of randomized MAC addresses.
On the iPhone 5s, MAC randomization happens only under the following conditions:
- Phone is in sleep mode (display off, not being used)
- Wi-Fi should be ON but not associated
- Location services should be OFF in privacy settings
Then after reading scandalous reports from The Washington Post and Gizmodo stating that “Apple’s new feature to curb phone tracking won’t work if you’re actually using your phone” he decided to dig a little deeper and discovered that location services should be OFF for random MAC addresses to actually show up.
It has to do with the cellular data connection setting. Basically, if the phone’s cellular data connection is ON, there is no MAC randomization! If you now turn OFF the cellular data connection (Settings -> Cellular -> Cellular Data OFF), random MAC addresses show up.
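To check this kind of behavior on your own device, the following added example (not from Misra's posts or from Apple) classifies probe-request source MACs by the locally administered bit and reports, per capture session, whether only randomized addresses were seen. The session labels and addresses are constructed sample data, not measurements.

```python
import re
from collections import defaultdict

MAC_RE = re.compile(r"(?:[0-9a-fA-F]{2}[:-]){5}[0-9a-fA-F]{2}")

def parse_mac(text):
    """Return the 6 raw bytes of a MAC written with ':' or '-' separators."""
    text = text.strip()
    if not MAC_RE.fullmatch(text):
        raise ValueError(f"not a MAC address: {text!r}")
    return bytes.fromhex(re.sub(r"[:-]", "", text))

def is_locally_administered(mac):
    """True when the U/L bit (0x02 of the first octet) is set.

    Randomized addresses are locally administered; a factory-assigned
    address has this bit clear and begins with the vendor's OUI."""
    return bool(mac[0] & 0x02)

def summarize(observations):
    """Group probe-request source MACs by capture session.

    observations: iterable of (session_label, source_mac_string).
    Returns {label: {"global": set, "local": set, "randomizing": bool}}."""
    seen = defaultdict(lambda: {"global": set(), "local": set()})
    for label, text in observations:
        mac = parse_mac(text)
        if mac[0] & 0x01:  # group bit set: not a valid unicast source, skip
            continue
        kind = "local" if is_locally_administered(mac) else "global"
        seen[label][kind].add(":".join(f"{b:02x}" for b in mac))
    # A session counts as randomizing only if no factory address leaked.
    return {label: {**s, "randomizing": bool(s["local"]) and not s["global"]}
            for label, s in seen.items()}

# Constructed sample data: (capture session, probe-request source MAC).
SAMPLE = [
    ("cellular data on", "00:11:22:33:44:55"),
    ("cellular data on", "00:11:22:33:44:55"),
    ("cellular data off", "5a:3c:91:0e:77:12"),
    ("cellular data off", "ce:08:4f:a2:19:b0"),
]

if __name__ == "__main__":
    for label, info in summarize(SAMPLE).items():
        print(label, "->", "randomized only" if info["randomizing"] else "factory MAC visible")
```

A single factory address appearing in a session is enough to make the device trackable for that session, which is why the summary requires zero globally administered addresses before calling it randomizing.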
So if both Cellular Data and Location Services have to be switched off to randomize MAC addresses, it’s not really much of a privacy feature then, is it? I think that Apple needs to clarify how this feature really works and it should probably remove it completely from the fancy new Privacy Built In page.
Misra says it best:
Bottom line, this further shrinks the population which is covered by MAC address randomization, perhaps to inconsequential levels and maybe even zero. Who turns OFF location services AND turns OFF cellular data connection while using their iPhone? That is why I now call it “iOS8 MAC RandomGate”.
Apple’s done a lot right with respect to user privacy, but this one seems a tad disingenuous to me.