Skip to Content

Privacy & Data

iOS 8 Empowers Consumers to Limit Retail Tracking

Last week, Apple revealed iOS 8, the newest version of the operating system that runs on its mobile devices. From a privacy perspective, there were some welcome new features – such as the ability to limit an app’s collection of location data, and the inclusion of DuckDuckGo as a search engine option. But one of the most exciting developments in iOS 8 is the inclusion of randomized MAC addresses. Randomized what, you may be asking? Basically, it means that consumers will be able to avoid persistent, pervasive tracking of their devices in stores and businesses.

Your mobile device sends out an identifier called a MAC address when searching for WiFi networks. Because that identifier is hard to modify and because it is sent out frequently when your WiFi antenna tries to connect, businesses can collect it and use it to track your phone – and presumably you – over time, creating very detailed location profiles of the device’s movements. The recent controversy involving Philz Coffee tracking of its customers’ devices demonstrates people don’t want businesses collecting location data from their phones and tablets without being notified and without being asked to opt-in to such tracking. As a coffee addict, I can understand why Philz customers were concerned about a coffee shop – or any other business that doesn’t seem to need such data – collecting identifying information. To its credit, in the face of consumer backlash Philz announced that it would stop.

Companies that track devices without explaining how or why to their clientele may face the wrath of angry customers and have to backtrack publicly

Like Philz, companies that track devices without explaining how or why to their clientele may face the wrath of angry customers and have to backtrack publicly. The most established companies are beginning to compete on privacy (like Facebook’s anonymous login or Google’s support of end-to-end encryption), and smaller companies should consider doing so as well.

In our March 2014 comments to the FTC on device tracking, we discussed the possibility of using dynamic device identifiers to evade or limit these forms of retail surveillance. While there are definite benefits to this kind of tracking – such as more efficient store layouts and fraud prevention – consumers should fundamentally have control over what their devices collect and transmit, and they should be able to affirmatively choose to receive advertisements or marketing communications based on this covert device tracking. By using dynamic MAC addresses when searching for WiFi networks, iOS 8 allows a phone owner to more effectively control what data gets transmitted, empowering the user rather than allowing third parties to exploit privacy flaws in technical standards.

Hopefully, other mobile operating system providers will introduce the same functionality. And while dynamic MAC addresses won’t eliminate the possibility of tracking by businesses (which can be done by offering WiFi services in exchange for inputting an email address on your phone, for example), it does signal that platform providers are aware of the flaws in the dominant method devices use to scan for WiFi networks. Making dynamic MAC addressing an industry standard at the platform level would engender greater consumer trust, and would allow device owners to exercise ultimate control over what they transmit to the world.