Apple adds privacy-protecting MAC spoofing (when Aaron Swartz did it, it was evidence of criminality)

Apple has announced that it will spoof the MAC addresses emitted by its wireless devices as an anti-tracking measure, a change that, while welcome, is "an umbrella in a hurricane" according to a good technical explainer by the Electronic Frontier Foundation's Jeremy Gillula and Seth Schoen.

One notable and sad irony here is that MAC spoofing was held up as evidence of criminality in the indictment of Aaron Swartz: the US prosecutors characterized changing your MAC address as the sort of thing that only criminals do. Either this is proof that "when privacy is criminalized, only criminals will have privacy" or that federal prosecutors are lying assholes. These are not mutually exclusive possibilities.

Unfortunately, in the overall scheme of location-tracking technology, Apple's privacy-protective step is something like opening an umbrella in the middle of a hurricane. Smartphones still transmit cellular signals containing a different hardware identifier called the IMEI (as well as other mobile device identifiers). Cell towers (and specialized surveillance equipment that's becoming increasingly widely available) can still use such information to pinpoint where you are. We don't have a good solution for that today, and it needs to be recognized as a major privacy risk. And other mobile and "Internet of things" technologies, including Apple's new iBeacons, also have important implications and risks for location privacy.

But even when we just focus on Wi-fi, the Wi-fi probe packets sent by your smartphone also contain the names of networks that your phone wants to join (because it's joined them before). Not only does this broadcast a history of where you've been (through the names of these networks), it's also highly distinctive in itself. Just as you're probably the only person who both lives in your home and works in your workplace, you're probably the only person whose phone and laptop have joined both your home network and your work network. That means that, even without a persistent hardware MAC address, carefully watching the network list itself can allow an astute watcher to identify you.

Some retail analytics companies, and, we presume, some government agencies, are already doing just that. That means that, for many users, the benefit of Apple's privacy enhancements is circumscribed by other leaks that might end up giving away almost the same information. Still, Apple's move is extremely welcome and, to our knowledge, makes Apple the first device maker to have protected its users' privacy this way. We hope other vendors will rise to the challenge of protecting their users in the same way, but recognize that this is just the first step down the road of preventing mobile devices from broadcasting information about their users' whereabouts.

An Umbrella in the Hurricane: Apple Limits Mobile Device Location Tracking [Jeremy Gillula and Seth Schoen/EFF]

(Image: nRF24L01+ Promiscuous Mode, Travis Goodspeed, CC-BY)

Notable Replies

  1. You mean when Swartz was illegally entering areas that he wasn't supposed to and trying to hide activity that he admitted that he was trying to hide because he was violating something he knew he wasn't supposed to (regardless if it was illegal or just a violation of an agreement)?

    Just confused, because in Swartz's case, it kinda was, regardless of how raw a deal he may have gotten. Regardless, in Apple's case, once connecting to a network -- not just putting random packets into space to ping if there is a network, it will transmit only the correct address. This is only few cases of searching for networks and nothing more. That said, it isn't like I didn't do the same things Swartz was doing...errr...except I was running an illegitimate FTP at a university that I was actually paying to attend back in '92. I think of some of the things I did and how lucky I was I didn't get in much trouble.

  2. The worst thing Aaron Schwarz did was put his laptop in the wiring closet. If he just sat in the library, or ran it from his office...

    That poor kid. He didn't deserve what was being done to him.

  3. "If he just sat in the library, or ran it from his office..."

    You are absolutely right. He had an office at ANOTHER university that allowed him to be there a short distance away and gave him an office. MIT didn't. They didn't give him permission to be trying to break into network closets. He might not have broken in, but it was most certainly illegal entry. Does illegal entry require someone to go to jail or require a cop to make a judgement call to say You Damn Kid, Get Out Of Here? Well, depends. Sounds like the later to me.

    That doesn't change the very fact that he KNEW he was doing something wrong, he bragged about his civil disobedience, and even if he was trying to do something positive -- he knew the actions he had taken were illegal to some extent.

    The point isn't whether Swartz got a raw deal, or otherwise, it is the conflation and equivocation of the headline that one is evidence of criminality (which is it) so the other should be as well or the world jus' ain't not fairs. Its an argument that works on 14 year olds. I mean, if there was a way to sell this sort of outrage to 14 year olds, a journalist could get mildly rich comfortable.

  4. I've never heard anybody claim Swartz was blameless, just that he was treated unfairly, yet the straw man that is constantly presented, is the same one you're using right now.

    Is MAC spoofing wrong in and of itself? No. Then MACspoofing is no more evidence of criminality than owning a gun. (which is what Cory wrote)
    If you own a gun, you CAN use it for crime, and if you do, you can get charged for it, but owning said gun is not evidence in and of itself that anything you have done has criminal intent.
    There was someone else, not too long ago who was "accused" of using a nefarious tool called wget. this was presented as evidence of hacking the same way that MAC spoofing was used with Swartz.
    The prosecution did not need to charge him with MAC spoofing, and they didn't, they just tried to drum up the charges as much as possible in as unfair a manner as possible.

    To be clear, this is what you are defending right now, aren't you? Your point is to say that he deserved the treatment he got?
    Because nobody here is defending his innocence, its too late for that, Cory wrote "When Aaron Swartz did it, it was evidence of criminality", which is a direct comment on how his trial was grossly unfair.
    His trial wasn't fair, the charges weren't fair, therefore the sentence he was faced with was unfair, The way he was treated ensured that even if he was 100%, without a doubt, guilty of something, he would not be charged with it and justice would not have been served.
    And this is what you are defending with your straw man.

    Go ahead, say he was guilty, and of what, please, but go ahead, here's the link to the wikipedia article:

    Its pretty clear why, and I'll speak for myself here, I believe that the charges were trumped up in order to get an easy conviction, not because they thought they could prove them.


    Whatever you may think of Swartz's actions, MAC spoofing is not a crime, it is not scary "hacking" either which is what was claimed and is in fact something so simple it will be available on iphones soon.
    Coming in here just talking about how Swartz was guilty (You are most definetly not saying he was innocent or wronged in any way) is only serving to derail the conversation.

    Or is your point that MAC spoofing is wrong?

  5. I read it as a reminder that technology is always scary until a corporation allows us to believe it isn't.
    If Apple gives you a way for mainstream users to use wget, you'll forget that it was once presented as an evil hacking tool and nobody challenged it.

Continue the discussion

10 more replies