They know where you are

On the (accidental) gathering of MAC addresses

There was a bit of a hubbub today when CNET published an article on Google’s apparent collection of MAC addresses as part of its Street View service. The problem, according to the article, is that these unique numbers were from more than just Wi-Fi access points, they were from laptops, phones and other Wi-Fi devices, and this data was cross-referenced with their locations. Furthermore, all this information could be accessed by any Joe Public through a simple API made available (until recently) by Google. To add to the problem, Google don’t provide you with a way to remove any of the data associated with yourself.

With a bit of mash-up experience one could trace the location and activity of any Wi-Fi user who was not protected by encryption, which apparently is most of us. Privacy is no more.

Mountains and molehills come to mind. Popular networking protocols generally broadcast the unique MAC address as a means of advertising the potential to communicate. It’s how your device makes its initial connection to the network, and your entire Internet connectivity depends on it.

People who dwell in houses or apartments will be familiar with a similar scheme. It’s called your mailing or postal address. It’s the means by which you receive many important paper documents, and most of what fills your recycling basket. And guess what, it can easily be translated into a geo-location.

The MAC address is a little different. Unlike the address of your front door, the MAC address is only advertised within a short radius. A stone’s throw. Think of it like the name plate that some people attach to their houses in addition to the official address. The postal delivery people can sometimes deliver to these addresses, but only because the delivery people happen to have been within visual range of your abode and have taken note of the name. Much like Google taking note of the MAC addresses it “sees”.

OK, so far so good. The MAC addresses were collected during the Street View image collection process as an aid to geo-location, presumably so that suitably equipped devices could guess their location based on seeing the names of the houses nearby. I mean, based on seeing the MAC addresses nearby. Yes, that sounds right.

But would taking the registration numbers of the cars and vans parked and driving nearby also help someone recognise where they were? Unlike a house, these things move. Plus, it’s easy to spot the difference between the immovable address of a house and the movable identification of a car. Similarly, it is easy to spot the difference between an immovable Wi-Fi access point (such as the type present in many homes and businesses) and the movable Wi-Fi of devices like mobile phones and laptops. In that case, why were all the MAC addresses scooped up, regardless of being fixed or movable? Implementation oversight, perhaps. In fact, probably.

Unless you believe the conspiracy theories.

Categorised as: Security

Comment Free Zone

Comments are closed.