Network engineers say wireless network privacy is misunderstood
by: Gina Narcisi
With high-profile security breaches and NSA snooping in the news, wireless network privacy has never been more misunderstood. Should users be concerned about Wi-Fi location-based services, and should the government get involved?
Wireless network privacy is a touchy subject. With high-profile security breaches and government snooping continuing to make the news, it's no wonder users are wondering what information their mobile devices are revealing about them and how that information is used.
"Privacy is the political end of security," said Craig Mathias, principal at the advisory firm Farpoint Group based in Ashland, Massachusetts. "Except for regulations like [Health Insurance Portability and Accountability Act] HIPAA for healthcare privacy, there are no accepted government standards pertaining to Wi-Fi yet regarding what information about you should be kept private, and this is one of the most difficult and defining issues facing society today."
Wireless network privacy: Should the government get involved?
Many consumer companies use Wi-Fi location-based services to collect information about their customers and to market to them. While most companies do not have nefarious intentions, a lot of information about a user's behavior can be inferred once a Wi-Fi network knows your device'sMedia Access Control (MAC) address, Mathias said. And that data could be used improperly in the event of a data breach.
"There are a lot of people out there getting very paranoid about things like this and it's going to be up to the government to react and set law [regarding] who can collect information about whom," he said.
"If you are out in public with a device that is giving out minimal information for the most part, trying to legislate around what [businesses] are allowed to do with the information can be a bit of a slippery slope -- where would it stop?" said Matthew Norwood, solutions engineer for Bedroc, a Franklin, Tennessee-based systems integrator.
"I think that what you do in public is public. As soon as [the user] is in a private space -- like a home – that's a different story," said Jonathan Davis, a network engineer who works at a global manufacturer.
Wi-Fi location-based services can collect information and metrics about a user's behavior without knowing who the person actually is, such as how often a user comes into a store, or which aisles they linger in, Davis said. The problem is, some businesses can obtain metrics about a user by tracking their MAC address, regardless of whether the user joins the Wi-Fi network. "I think that is the big concern for users -- if a company has this information in a database, who's to say someone else isn't looking at it too?" Davis said.
Are users concerned about Wi-Fi location-based services?
Apple recently announced that its iOS 8 release would include MAC address spoofing, a feature that would allow iPhone and iPad users to present a fake MAC address to Wi-Fi networks that users haven't joined. This option would allow network operators -- like retail stores or public venues --to see Apple devices, but they would not be able to identify or track user behavior and patterns. This privacy feature would disrupt businesses that use Wi-Fi location-based services to market to their end users, but it would offer some protection for users who are not interested in those services.
Apple's MAC address spoofing may protect some users from overzealous retailers, but it might also be a gimmick that appeals to consumer paranoia about network security, Norwood said. "It doesn't help that we've had so much news in the past year -- with the NSA monitoring, etc. -- and people are extra sensitive to that now," he said.
Many users don't realize that, even with Apple's MAC address spoofing feature, an iOS device will share its real MAC address as soon as a user joins a wireless network, Davis said.
Network engineers doubt that many iOS users will even use the spoofing feature. "If the MAC address spoofing feature is an option that users have to turn on manually, you'll see a much lower rate of adoption … because many average smartphone users -- like consumers -- have no idea what a MAC address is and the purpose it serves," Norwood said.
Network engineers also point out that MAC addresses are not a means to collecting personally identifiable information like a user's name. "Since it's hard to understand, there is the potential for panic over who can grab my information and what can be done with it. I [understand] the concern some users have, but I personally don't think it's that big of a deal," he said.
Many users don't mind having their location tracked, as long as their identity remains anonymous. Users must also have the ability to opt out, and wireless vendors and businesses using location-based services need to respect those wishes, said Rohit Mehra, vice president of network infrastructure research at Framingham, Massachusetts-based IDC. "Many users think: 'As long as they don't know me but can still see where I am, that's fine by me,'" he said.
Retail analytics isn't going anywhere. Wi-Fi vendors are still developing their location-based services aimed at improving customer experiences, and businesses are becoming more interested in these products, Norwood said. "You will be marketed to in some way, whether you like it or not, and you won't be able to get around it too much," he said.
"As far as tracking is concerned, I'm apathetic to it," Davis said. "Users are tracked via security camera anyway, so we don't have a dog in the fight. Arguing against this one is not going to solve the overall problem of wireless privacy."