How Apple iOS MAC address spoofing affects location-based services

Many consumer-facing companies are relying on Wi-Fi location-based services to improve end-user experience and generate revenue. But location-based services also raise questions about wireless privacy, and those concerns could interfere with a company's ability to push out information -- like promotions, coupons or directions -- to its customers.

Apple recently announced a media access control (MAC) address spoofing feature in iOS 8 to enhance a user's wireless privacy. Apple devices will be able to hide their MAC address or present a fake one to Wi-Fi networks. Some experts have speculated that Google will make the same change within its Android operating system for mobile devices.

Wi-Fi networks can use MAC addresses to identify, locate and track devices, even those that aren't connected to the network. Apple's MAC address spoofing feature won't hide a user's presence completely, but it will affect Wi-Fi-based locationing and analytics systems, giving businesses less information about the user.

Wireless privacy is always a concern for end users, but businesses can still take advantage of location-based Wi-Fi services to engage with customers and deliver a better experience, while ensuring information is not used for nefarious purposes.

"Users naturally have questions about privacy, and especially location-based privacy," said Melvin Yuan, director of product marketing for Ruckus Wireless' location services. "We have the ability to see the locations of users -- just like telcos have been able to do for years -- but these user concerns have to be a primary focus for businesses, and they must make sure that [users] are benefiting from the location data being collected."

How much will Apple's MAC address spoofing affect location-based services?

Many Wi-Fi location-based systems can see and use a device's MAC address, even if that device hasn't connected to the network. Apple's wireless privacy feature will present fake MAC addresses only to networks that a user has declined to connect to. When a user does connect to a network, the device will present its true address.

"If users are not choosing to connect, Apple decided that no one necessarily has the right to know who they are," said Craig Mathias, principal at the advisory firm Farpoint Group, based in Ashland, Massachusetts.

Since these devices are not connecting to a network, the fake MAC addresses don't present a significant security problem. A business won't be able identify users or devices, but a powered-on device still transmits pings and can be located.

Some users like to receive relevant content, however. By hiding their MAC address and not joining networks, businesses won't have enough information to push out the right data to these users. Retailers, for example, can use location-based technology to send a recognized user a promotion for shoes while they are in the shoe department if they open the store's smartphone app. If a user enters the store with a masked MAC address however, they may receive no promotions at all, or their app might push out irrelevant information, Ruckus' Yuan said.

If the iOS device does join the network or accesses an enterprise application, however, it will share its real MAC address. If a user has visited a business in the past and joined the network or opened up the application, that business could recognize the user, which is still a concern for some customers, Mathias said.

"A lot of information about your behavior can be inferred based on you MAC address, and users have no control over that, which is still an issue," he said. "We have a long way to go with solving this problem."  

Ensuing wireless privacy and a personalized experience for end users

To avoid a backlash from people who worry about their privacy, Wi-Fi network operators who are using location-based services -- including retail stores and public venues -- must make opting in and out of such services easy for users.

"Some users are absolutely against [joining Wi-Fi networks and position technology], and others want to take advantage of location-based services. Businesses have to respect both," said Rohit Mehra, vice president of network infrastructure research at Framingham, Massachusetts-based IDC.

Some users are well aware that certain applications or networks have access to their data, and welcome a more personalized experience -- especially if they are a repeat visitor. Still, others can just as easily be turned off if spammed with information they don't want, Ruckus' Yuan said.

Businesses can track a user without being intrusive, Mehra said. "Sometimes just knowing that a user or customer is physically there on a device is good enough."

"The same use of data could have very different results, so the onus is on the business to create a good user experience," Yuan said. "Provide users with really compelling promotions if you a retailer, or content if you are a public venue, like a museum. Make it about the end user, not the [business]."

Let us know what you think about the story; email: Gina Narcisi, news writer, and follow @GeeNarcisi on Twitter.