Responding to “What harm can possibly come from a MAC address“, Hal Berenson writes:
“The real problem here is technological not legal. You could ban collecting SSIDs and MAC addresses and why would it matter? Your sexual predator scenario wouldn’t be prevented (as (s)he is already committing a far more heinous crime it just isn’t going to deter them). The real problem is that WIFI (a) still doesn’t encrypt properly and (b) nearly all public hotspots avoid encryption altogether. I’ll almost leave (b) alone because it is so obvious, yet despite that we have companies like AT&T pushing us (by eliminating unlimited data plans) to use hotspots rather than their (better) protected 3G access.
“Sure my iPad connects nicely via WIFI when I’m in the United Red Carpet Club, but it also leaves much of my communications easily intercepted (3G may be vulnerable, but it does take some expertise and special equipment to set up my own cell). But what the *&#$#&*^$ is going on with encrypted WIFI not encrypting the MAC addresses? If something needs to be exposed it should be a locally unique address, not a globally unique one! I seem to recall that when I first looked at cryptography in the early 70s I read articles about how traffic analysis on encrypted data was nearly as useful as being able to decrypt the data itself. There were all kinds of examples of tracking troop movements, launch orders, etc. using traffic analysis. It is almost 40 years later and we still haven’t learned our lesson.”
I assume Hal is using “*&#$#&*^$” as a form of encryption. Anyway, I totally agree with the technical points being made. WIreless networks used the static MAC concept they inherited from wired systems in order to facilitate interoperability with them. Designers didn't think the fact that the MAC addresses would be visible to eavesdroppers would be very important – the payload was all they cared about. As I said in the Fourth Law of Identity:
Bluetooth and other wireless technologies have not so far conformed to the fourth law. They use public beacons for private entities.
I'd love to figure out how we would get agreement on “fixing” the wireless infrastructure. But one thing is for sure: it is really hard and would take a while! I don't think, in the meantime, we should simply allow our private space to be invaded. Just because technology allows theft of the identifiers doesn't mean society should.
Similarly, in reference to the predator scenario, the fact that laws don't prevent crime has never meant there shouldn't be laws. Regulation of “wirelesstapping” would make the emergence of this new kind of crime less likely.