A new report in the Washington Post reveals that new features in iOS 8 intended to limit tracking of iPhones may be more limited than users might expect. According to Apple’s Privacy Page, iOS 8 will protect user’s privacy by “randomizing your device’s MAC address when the device is passively scanning for Wi-Fi networks,” thereby preventing persistent tracking of a device based on the normally-fixed hardware addresses that are common to all Wi-Fi devices.
However, a new post from a principal systems engineer of the WiFi analytics firm AirTight Networks, Bhupinder Misra, reveals that the feature may not be as useful as Apple’s description implies. Misra specifically notes that the privacy feature is limited to the iPhone 5c/5s and likely newer models, and in fact is only operational when the iPhone is in sleep mode and location services are disabled. For example, Misra explains, the device’s actual Wi-Fi hardware address is broadcast whenever a user wakes up their iPhone for just about any reason, such as sending a text message—even if they’re not connecting to a Wi-Fi network but simply relying on their carrier’s cellular data connection.
Although a publicly available iOS Security White Paper from Apple explains some of these limitations, it makes no mention of the requirement that location services be disabled, making it unclear whether this is intentional behaviour or a bug in the feature’s implementation. It is also worth noting, however, that the Wi-Fi hardware address only reveals the identity of a specific device; no personal information about the user of the device is accessible in this manner. In other words, a store could track how often a specific customer had visited their store based on their device’s Wi-Fi address, but would be unable to identify the specific customer with this method unless they connected to the store’s Wi-Fi network and specifically provided personal information in some way, such as signing onto a Wi-Fi hotspot.