feature article
Subscribe Now

Erasing Your Network Footprint

Startup LEVL Bypasses the Hard-Wired MAC Address

“You wouldn’t worry so much about what others think of you if you realized how seldom they do.” – Eleanor Roosevelt

Like most things about computers and the Internet, MAC addresses were created with the assumption that people aren’t jerks. Sadly, that notion proved incorrect, and we’ve spent the last 40-odd years trying to curb spam, malware, Wi-Fi spoofing, ad tracking, and any number of other modern ills. 

To that list add the many and varied attacks on online privacy. In a pre-digital society, we took it for granted that if your neighbors couldn’t see or hear you, they didn’t know where you’d been or what you’d been doing. (They probably didn’t care, either.) Nowadays, we’ve learned that tech-savvy firms probably do know where you’ve been, what you’re reading, what you’ve purchased, and what kind of music you like. They’re also adept at piecing together a pretty good profile that includes your age, gender, appearance, place of birth, school friends, employment history, and other details that we’d prefer not to think about. 

Our collective response has been varied, from totally unaware, to aware but unconcerned, to vaguely uncomfortable, to obsessively paranoid. We all fall somewhere along that spectrum. We’re grateful for whatever concessions to privacy that vendors care to give us and we learn to accept the rest. 

Hardware MAC addresses are part and parcel of networking, which also makes them a tool for the forces of privacy/antiprivacy. The lowly media access control (MAC) address is every connected device’s unique network ID, an immutable and exclusive identity assigned at birth. MAC addresses sit near the bottom of the seven-layer OSI stack, and, unlike, say, an IP address, MAC addresses don’t change. 

That’s great, because it gives each client on the network a permanent ID that’s guaranteed to be unique. But it’s also a problem because each client on the network has a permanent ID that’s guaranteed to be unique. It’s like a tattoo: a good idea at the time, but a permanent mark that you can never remove. That’s a problem if you’re concerned about network privacy. 

Among the online marketers’ various and nefarious bag of tricks is MAC tracking. Your MAC address follows your device everywhere, so it’s relatively easy to tell that the laptop you carried into Starbucks yesterday is the same one you used in the lobby of the Hilton last year. Same goes for your phone, tablet, e-book reader, smart home appliances, and absolutely everything else that has an Ethernet, Wi-Fi, or Bluetooth interface. It’s possible to track online activity with MAC addresses, and you can locate MAC addresses in physical space, almost like GPS. It’s an online beacon highlighting your peripatetic presence. 

Enter startup company LEVL. The 20-person firm aims to wean network operators off the ubiquitous MAC address and to use an alternative it calls LEVL-ID instead. It’s a different way to assign network identity without necessarily also revealing everything else about your device – or yourself. 

Like a MAC, a LEVL-ID is a 48-bit identifier. It’s unique to your device, so no two devices on the same network will ever have the same LEVL-ID. But, unlike a permanent MAC, a LEVL-ID changes with each network you join. That is, you get one LEVL-ID at home, a different LEVL-ID at the coffee shop, yet another one at the hotel, and so on. There’s no correlation between LEVL-ID addresses from one network to the next, so there’s no way for apps or online vendors to follow your activity. (At least, not by using hardwired network identifiers. Tracking cookies, IDFAs, MAIDs, and other methods still exist.) 

LEVL-IDs are generated using a nonrandom algorithm, so if/when you rejoin a previous network, you’ll get the same LEVL-ID. The company says each ID is generated using information gleaned from all seven levels of your device’s network stack, including subtle physical characteristics like chip voltage, signal response, timing, and other “fingerprints” that uniquely identify the device but that are also repeatable and reliable. Like MACs, LEVL-IDs are tied to an interface, so a laptop will have one LEVL-ID for its Ethernet port, a separate one for Wi-Fi, and a third for Bluetooth. 

The LEVL-ID doesn’t replace the MAC address – how could it? – but rather lives alongside it. MACs are enshrined in global networking standards, so it’s too late to overhaul them. The idea is to get network managers and operators to selectively ignore MAC addresses when they can and to use comparatively anonymous LEVL-IDs instead. 

Which raises an interesting feature of the technology. LEVL-IDs don’t live on the client device at all and are completely transparent to the user. Your laptop or phone doesn’t know – and in fact has no way of knowing – that LEVL-IDs are even in use. It all lives on the network access point or router. That means there’s no software to install, no new settings, and no changes to operating systems or drivers. Your network devices are already LEVL-ID ready, and they don’t even know it. 

It does mean the networking equipment needs to be updated with LEVL’s software, and that’s where the company focuses its business. Hotels, large enterprises, event centers, and municipalities are all target markets – anywhere that someone controls the infrastructure and access to the user data. LEVL’s business model is to license its software technology on a subscription basis, with pricing dependent on the number of client nodes. A large hotel, for example, might pay more per month than a retirement home that has fewer online users. 

The implication is that network operators won’t sell, rent, or otherwise share their users’ data with marketers, although, to be honest, there’s nothing to prevent them from doing so anyway. A LEVL-ID is still a unique identifier, so it’s easy to tell if a certain user regularly returns to your network or how much time they spend online. LEVL-ID provides the tools for anonymization; it doesn’t provide the incentive. 

LEVL is clearly aware of this and the company touts “targeted marketing” as one of its unique selling advantages, as well as its ability to identify the type, manufacturer, and exact model of client devices attached to the network. Worryingly, the company also brags that “LEVL essentially transforms every connected device into a sensor… and offers state-of-the art human presence and motion detection, device motion indication, and device localization to ISPs with best-in-class response time and sensitivity.” 

So… is LEVL a privacy play or not? Or is the company just shifting the responsibility – and the financial rewards – to itself and its customers? It’s a little of both. 

The company points out that LEVL-IDs are more private than any MAC address. A LEVL-ID never reaches the upstream telecom conglomerate, nor does it ever make it down to the client device. There’s no “secret” on the device for apps to steal because LEVL-ID exists only on the network. Your LEVL-ID changes the minute you leave the network, which decreases the incentive to misuse it. But it does allow the local network operator – and only the local network operator – to collect some limited information. 

Tim Colleran, the company’s BizDev VP, says, “Device identity has always been used for marketing and advertising purposes… There is more accountability via the network operator [with LEVL-ID]. We would expect network operators to have opt-in or opt-out clauses. Personally, I prefer to have my information in the hands of a regulated company I trust, and am subscribing to, versus a company that only makes money by selling my information.”

LEVL-ID certainly can be more private than a MAC address, which is tracked without our conscious content. It shifts the responsibility to the local network operator, which may have some incentive to keep its users happy.  MAC tracking is on by default; LEVL-ID makes it optional and more fine-grained.

LEVL’s technology isn’t the only approach to the scourge of MAC address tracking. Plenty of operating systems (Android, iOS, Windows, etc.) have offered MAC randomization since at least 2014. The idea is that your actual hardware MAC address is kept secret, and a new, pseudo-random one is generated in the network driver for public consumption. This technique works, but it also has drawbacks. Some applications complain or get confused when they see the underlying MAC address change. Security apps, in particular, often bind their authentication to a MAC address, either to enable or to deny network access. If the MAC address changes, the apps assume you’re on a different machine. LEVL-ID bypasses those problems, mostly because client apps and operating systems never see the new ID. It’s not a client solution, it’s an infrastructure change. 

It was too much to hope that MAC address tracking could be eliminated at a stroke. MACs will be with us for a long time, but LEVL-ID does a good job of providing an alternative, and it does so in a way that doesn’t inconvenience every user and every networked device. Says Colleran, “User privacy is a multi-headed beast, and it depends on consumer behaviors around opt-ins and license agreements. We are doing what we can with our current technology to let users reclaim their privacy.” Amen to that. 

Leave a Reply

featured blogs
Feb 22, 2024
The new Cadence training website is online! This newly redesigned website provides an overview of our well-respected training methods and courses, plus offerings that might be new to you. Modern design and top-of-the-page navigation make it easy to find just what you need'”q...
Feb 15, 2024
This artist can paint not just with both hands, but also with both feet, and all at the same time!...

featured video

Shape The Future Now with Synopsys ARC-V Processor IP

Sponsored by Synopsys

Synopsys ARC-V™ Processor IP delivers the optimal power-performance-efficiency and extensibility of ARC processors with broad software and tools support from Synopsys and the expanding RISC-V ecosystem. Built on the success of multiple generations of ARC processor IP covering a broad range of processor implementations, including functional safety (FS) versions, the ARC-V portfolio delivers what you need to optimize and differentiate your SoC.

Learn more about Synopsys ARC-V RISC-V Processor IP

featured paper

Reduce 3D IC design complexity with early package assembly verification

Sponsored by Siemens Digital Industries Software

Uncover the unique challenges, along with the latest Calibre verification solutions, for 3D IC design in this new technical paper. As 2.5D and 3D ICs redefine the possibilities of semiconductor design, discover how Siemens is leading the way in verifying complex multi-dimensional systems, while shifting verification left to do so earlier in the design process.

Click here to read more

featured chalk talk

PIC32CX-BZ2 and WBZ451 Multi-Protocol Wireless MCU Family
Sponsored by Mouser Electronics and Microchip
In this episode of Chalk Talk, Amelia Dalton and Shishir Malav from Microchip explore the benefits of the PIC32CX-BZ2 and WBZ45 Multi-protocol Wireless MCU Family and how it can make IoT design easier than ever before. They investigate the components included in this multi-protocol wireless MCU family, the details of the software architecture included in this solution, and how you can utilize these MCUs in your next design.
May 4, 2023
34,811 views