“You wouldn’t worry so much about what others think of you if you realized how seldom they do.” – Eleanor Roosevelt
Like most things about computers and the Internet, MAC addresses were created with the assumption that people aren’t jerks. Sadly, that notion proved incorrect, and we’ve spent the last 40-odd years trying to curb spam, malware, Wi-Fi spoofing, ad tracking, and any number of other modern ills.
To that list add the many and varied attacks on online privacy. In a pre-digital society, we took it for granted that if your neighbors couldn’t see or hear you, they didn’t know where you’d been or what you’d been doing. (They probably didn’t care, either.) Nowadays, we’ve learned that tech-savvy firms probably do know where you’ve been, what you’re reading, what you’ve purchased, and what kind of music you like. They’re also adept at piecing together a pretty good profile that includes your age, gender, appearance, place of birth, school friends, employment history, and other details that we’d prefer not to think about.
Our collective response has been varied, from totally unaware, to aware but unconcerned, to vaguely uncomfortable, to obsessively paranoid. We all fall somewhere along that spectrum. We’re grateful for whatever concessions to privacy that vendors care to give us and we learn to accept the rest.
Hardware MAC addresses are part and parcel of networking, which also makes them a tool for the forces of privacy/antiprivacy. The lowly media access control (MAC) address is every connected device’s unique network ID, an immutable and exclusive identity assigned at birth. MAC addresses sit near the bottom of the seven-layer OSI stack, and, unlike, say, an IP address, MAC addresses don’t change.
That’s great, because it gives each client on the network a permanent ID that’s guaranteed to be unique. But it’s also a problem because each client on the network has a permanent ID that’s guaranteed to be unique. It’s like a tattoo: a good idea at the time, but a permanent mark that you can never remove. That’s a problem if you’re concerned about network privacy.
Among the online marketers’ various and nefarious bag of tricks is MAC tracking. Your MAC address follows your device everywhere, so it’s relatively easy to tell that the laptop you carried into Starbucks yesterday is the same one you used in the lobby of the Hilton last year. Same goes for your phone, tablet, e-book reader, smart home appliances, and absolutely everything else that has an Ethernet, Wi-Fi, or Bluetooth interface. It’s possible to track online activity with MAC addresses, and you can locate MAC addresses in physical space, almost like GPS. It’s an online beacon highlighting your peripatetic presence.
Enter startup company LEVL. The 20-person firm aims to wean network operators off the ubiquitous MAC address and to use an alternative it calls LEVL-ID instead. It’s a different way to assign network identity without necessarily also revealing everything else about your device – or yourself.
Like a MAC, a LEVL-ID is a 48-bit identifier. It’s unique to your device, so no two devices on the same network will ever have the same LEVL-ID. But, unlike a permanent MAC, a LEVL-ID changes with each network you join. That is, you get one LEVL-ID at home, a different LEVL-ID at the coffee shop, yet another one at the hotel, and so on. There’s no correlation between LEVL-ID addresses from one network to the next, so there’s no way for apps or online vendors to follow your activity. (At least, not by using hardwired network identifiers. Tracking cookies, IDFAs, MAIDs, and other methods still exist.)
LEVL-IDs are generated using a nonrandom algorithm, so if/when you rejoin a previous network, you’ll get the same LEVL-ID. The company says each ID is generated using information gleaned from all seven levels of your device’s network stack, including subtle physical characteristics like chip voltage, signal response, timing, and other “fingerprints” that uniquely identify the device but that are also repeatable and reliable. Like MACs, LEVL-IDs are tied to an interface, so a laptop will have one LEVL-ID for its Ethernet port, a separate one for Wi-Fi, and a third for Bluetooth.
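A minimal sketch of the properties described above, added here as an illustration: it is not LEVL's algorithm, which the article does not disclose. It assumes the access point holds a per-network secret and has already reduced a device interface's fingerprint to a stable byte string; all names, secrets, and fingerprints are constructed.

```python
import hashlib
import hmac
from collections import Counter

# Constructed per-network secrets (assumption: each access point holds one).
HOME_SECRET = b"constructed-secret-home-network"
CAFE_SECRET = b"constructed-secret-cafe-network"

# Constructed stand-ins for the stable per-interface fingerprint.
LAPTOP_WIFI = b"constructed-fingerprint:laptop:wifi"
LAPTOP_ETH = b"constructed-fingerprint:laptop:ethernet"
PHONE_WIFI = b"constructed-fingerprint:phone:wifi"


def per_network_id(fingerprint: bytes, network_secret: bytes) -> str:
    """Derive a 48-bit ID: repeatable on one network, different on the next."""
    digest = hmac.new(network_secret, fingerprint, hashlib.sha256).digest()
    return digest[:6].hex(":")  # keep 6 bytes = 48 bits, MAC-style notation


def visit_counts(network_secret: bytes, sightings: list) -> Counter:
    """What one operator can still learn: how often each ID returns."""
    return Counter(per_network_id(fp, network_secret) for fp in sightings)


def shared_ids(sightings_a, secret_a, sightings_b, secret_b) -> set:
    """IDs two operators could match by comparing logs (expected: none)."""
    ids_a = {per_network_id(fp, secret_a) for fp in sightings_a}
    ids_b = {per_network_id(fp, secret_b) for fp in sightings_b}
    return ids_a & ids_b


if __name__ == "__main__":
    home_log = [LAPTOP_WIFI, PHONE_WIFI, LAPTOP_WIFI]
    cafe_log = [LAPTOP_WIFI, LAPTOP_ETH]
    print("home:", visit_counts(HOME_SECRET, home_log))
    print("cafe:", visit_counts(CAFE_SECRET, cafe_log))
    print("linkable across networks:",
          shared_ids(home_log, HOME_SECRET, cafe_log, CAFE_SECRET))
```

The per-network secret is what breaks cross-network correlation; within one network the ID is still a stable handle, so return visits remain countable by that operator.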
The LEVL-ID doesn’t replace the MAC address – how could it? – but rather lives alongside it. MACs are enshrined in global networking standards, so it’s too late to overhaul them. The idea is to get network managers and operators to selectively ignore MAC addresses when they can and to use comparatively anonymous LEVL-IDs instead.
Which raises an interesting feature of the technology. LEVL-IDs don’t live on the client device at all and are completely transparent to the user. Your laptop or phone doesn’t know – and in fact has no way of knowing – that LEVL-IDs are even in use. It all lives on the network access point or router. That means there’s no software to install, no new settings, and no changes to operating systems or drivers. Your network devices are already LEVL-ID ready, and they don’t even know it.
It does mean the networking equipment needs to be updated with LEVL’s software, and that’s where the company focuses its business. Hotels, large enterprises, event centers, and municipalities are all target markets – anywhere that someone controls the infrastructure and access to the user data. LEVL’s business model is to license its software technology on a subscription basis, with pricing dependent on the number of client nodes. A large hotel, for example, might pay more per month than a retirement home that has fewer online users.
The implication is that network operators won’t sell, rent, or otherwise share their users’ data with marketers, although, to be honest, there’s nothing to prevent them from doing so anyway. A LEVL-ID is still a unique identifier, so it’s easy to tell if a certain user regularly returns to your network or how much time they spend online. LEVL-ID provides the tools for anonymization; it doesn’t provide the incentive.
LEVL is clearly aware of this and the company touts “targeted marketing” as one of its unique selling advantages, as well as its ability to identify the type, manufacturer, and exact model of client devices attached to the network. Worryingly, the company also brags that “LEVL essentially transforms every connected device into a sensor… and offers state-of-the art human presence and motion detection, device motion indication, and device localization to ISPs with best-in-class response time and sensitivity.”
So… is LEVL a privacy play or not? Or is the company just shifting the responsibility – and the financial rewards – to itself and its customers? It’s a little of both.
The company points out that LEVL-IDs are more private than any MAC address. A LEVL-ID never reaches the upstream telecom conglomerate, nor does it ever make it down to the client device. There’s no “secret” on the device for apps to steal because LEVL-ID exists only on the network. Your LEVL-ID changes the minute you leave the network, which decreases the incentive to misuse it. But it does allow the local network operator – and only the local network operator – to collect some limited information.
Tim Colleran, the company’s BizDev VP, says, “Device identity has always been used for marketing and advertising purposes… There is more accountability via the network operator [with LEVL-ID]. We would expect network operators to have opt-in or opt-out clauses. Personally, I prefer to have my information in the hands of a regulated company I trust, and am subscribing to, versus a company that only makes money by selling my information.”
LEVL-ID certainly can be more private than a MAC address, which is tracked without our conscious consent. It shifts the responsibility to the local network operator, which may have some incentive to keep its users happy. MAC tracking is on by default; LEVL-ID makes it optional and more fine-grained.
LEVL’s technology isn’t the only approach to the scourge of MAC address tracking. Plenty of operating systems (Android, iOS, Windows, etc.) have offered MAC randomization since at least 2014. The idea is that your actual hardware MAC address is kept secret, and a new, pseudo-random one is generated in the network driver for public consumption. This technique works, but it also has drawbacks. Some applications complain or get confused when they see the underlying MAC address change. Security apps, in particular, often bind their authentication to a MAC address, either to enable or to deny network access. If the MAC address changes, the apps assume you’re on a different machine. LEVL-ID bypasses those problems, mostly because client apps and operating systems never see the new ID. It’s not a client solution, it’s an infrastructure change.
It was too much to hope that MAC address tracking could be eliminated at a stroke. MACs will be with us for a long time, but LEVL-ID does a good job of providing an alternative, and it does so in a way that doesn’t inconvenience every user and every networked device. Says Colleran, “User privacy is a multi-headed beast, and it depends on consumer behaviors around opt-ins and license agreements. We are doing what we can with our current technology to let users reclaim their privacy.” Amen to that.