
Erasing Your Network Footprint

Startup LEVL Bypasses the Hard-Wired MAC Address

“You wouldn’t worry so much about what others think of you if you realized how seldom they do.” – Eleanor Roosevelt

Like most things about computers and the Internet, MAC addresses were created with the assumption that people aren’t jerks. Sadly, that notion proved incorrect, and we’ve spent the last 40-odd years trying to curb spam, malware, Wi-Fi spoofing, ad tracking, and any number of other modern ills. 

To that list add the many and varied attacks on online privacy. In a pre-digital society, we took it for granted that if your neighbors couldn’t see or hear you, they didn’t know where you’d been or what you’d been doing. (They probably didn’t care, either.) Nowadays, we’ve learned that tech-savvy firms probably do know where you’ve been, what you’re reading, what you’ve purchased, and what kind of music you like. They’re also adept at piecing together a pretty good profile that includes your age, gender, appearance, place of birth, school friends, employment history, and other details that we’d prefer not to think about. 

Our collective response has been varied, from totally unaware, to aware but unconcerned, to vaguely uncomfortable, to obsessively paranoid. We all fall somewhere along that spectrum. We’re grateful for whatever concessions to privacy that vendors care to give us and we learn to accept the rest. 

Hardware MAC addresses are part and parcel of networking, which also makes them a tool for the forces of privacy/antiprivacy. The lowly media access control (MAC) address is every connected device’s unique network ID, an immutable and exclusive identity assigned at birth. MAC addresses sit near the bottom of the seven-layer OSI stack, and, unlike, say, an IP address, MAC addresses don’t change. 

That’s great, because it gives each client on the network a permanent ID that’s guaranteed to be unique. But it’s also a problem because each client on the network has a permanent ID that’s guaranteed to be unique. It’s like a tattoo: a good idea at the time, but a permanent mark that you can never remove. That’s a problem if you’re concerned about network privacy. 

Among the online marketers’ various and nefarious bag of tricks is MAC tracking. Your MAC address follows your device everywhere, so it’s relatively easy to tell that the laptop you carried into Starbucks yesterday is the same one you used in the lobby of the Hilton last year. Same goes for your phone, tablet, e-book reader, smart home appliances, and absolutely everything else that has an Ethernet, Wi-Fi, or Bluetooth interface. It’s possible to track online activity with MAC addresses, and you can locate MAC addresses in physical space, almost like GPS. It’s an online beacon highlighting your peripatetic presence. 

Enter startup company LEVL. The 20-person firm aims to wean network operators off the ubiquitous MAC address and to use an alternative it calls LEVL-ID instead. It’s a different way to assign network identity without necessarily also revealing everything else about your device – or yourself. 

Like a MAC, a LEVL-ID is a 48-bit identifier. It’s unique to your device, so no two devices on the same network will ever have the same LEVL-ID. But, unlike a permanent MAC, a LEVL-ID changes with each network you join. That is, you get one LEVL-ID at home, a different LEVL-ID at the coffee shop, yet another one at the hotel, and so on. There’s no correlation between LEVL-ID addresses from one network to the next, so there’s no way for apps or online vendors to follow your activity. (At least, not by using hardwired network identifiers. Tracking cookies, IDFAs, MAIDs, and other methods still exist.) 

LEVL-IDs are generated using a nonrandom algorithm, so if/when you rejoin a previous network, you’ll get the same LEVL-ID. The company says each ID is generated using information gleaned from all seven levels of your device’s network stack, including subtle physical characteristics like chip voltage, signal response, timing, and other “fingerprints” that uniquely identify the device but that are also repeatable and reliable. Like MACs, LEVL-IDs are tied to an interface, so a laptop will have one LEVL-ID for its Ethernet port, a separate one for Wi-Fi, and a third for Bluetooth. 

The LEVL-ID doesn’t replace the MAC address – how could it? – but rather lives alongside it. MACs are enshrined in global networking standards, so it’s too late to overhaul them. The idea is to get network managers and operators to selectively ignore MAC addresses when they can and to use comparatively anonymous LEVL-IDs instead. 

Which raises an interesting feature of the technology. LEVL-IDs don’t live on the client device at all and are completely transparent to the user. Your laptop or phone doesn’t know – and in fact has no way of knowing – that LEVL-IDs are even in use. It all lives on the network access point or router. That means there’s no software to install, no new settings, and no changes to operating systems or drivers. Your network devices are already LEVL-ID ready, and they don’t even know it. 

It does mean the networking equipment needs to be updated with LEVL’s software, and that’s where the company focuses its business. Hotels, large enterprises, event centers, and municipalities are all target markets – anywhere that someone controls the infrastructure and access to the user data. LEVL’s business model is to license its software technology on a subscription basis, with pricing dependent on the number of client nodes. A large hotel, for example, might pay more per month than a retirement home that has fewer online users. 

The implication is that network operators won’t sell, rent, or otherwise share their users’ data with marketers, although, to be honest, there’s nothing to prevent them from doing so anyway. A LEVL-ID is still a unique identifier, so it’s easy to tell if a certain user regularly returns to your network or how much time they spend online. LEVL-ID provides the tools for anonymization; it doesn’t provide the incentive. 

LEVL is clearly aware of this and the company touts “targeted marketing” as one of its unique selling advantages, as well as its ability to identify the type, manufacturer, and exact model of client devices attached to the network. Worryingly, the company also brags that “LEVL essentially transforms every connected device into a sensor… and offers state-of-the art human presence and motion detection, device motion indication, and device localization to ISPs with best-in-class response time and sensitivity.” 

So… is LEVL a privacy play or not? Or is the company just shifting the responsibility – and the financial rewards – to itself and its customers? It’s a little of both. 

The company points out that LEVL-IDs are more private than any MAC address. A LEVL-ID never reaches the upstream telecom conglomerate, nor does it ever make it down to the client device. There’s no “secret” on the device for apps to steal because LEVL-ID exists only on the network. Your LEVL-ID changes the minute you leave the network, which decreases the incentive to misuse it. But it does allow the local network operator – and only the local network operator – to collect some limited information. 

Tim Colleran, the company’s BizDev VP, says, “Device identity has always been used for marketing and advertising purposes… There is more accountability via the network operator [with LEVL-ID]. We would expect network operators to have opt-in or opt-out clauses. Personally, I prefer to have my information in the hands of a regulated company I trust, and am subscribing to, versus a company that only makes money by selling my information.”

LEVL-ID certainly can be more private than a MAC address, which is tracked without our conscious consent. It shifts the responsibility to the local network operator, which may have some incentive to keep its users happy. MAC tracking is on by default; LEVL-ID makes it optional and more fine-grained.

LEVL’s technology isn’t the only approach to the scourge of MAC address tracking. Plenty of operating systems (Android, iOS, Windows, etc.) have offered MAC randomization since at least 2014. The idea is that your actual hardware MAC address is kept secret, and a new, pseudo-random one is generated in the network driver for public consumption. This technique works, but it also has drawbacks. Some applications complain or get confused when they see the underlying MAC address change. Security apps, in particular, often bind their authentication to a MAC address, either to enable or to deny network access. If the MAC address changes, the apps assume you’re on a different machine. LEVL-ID bypasses those problems, mostly because client apps and operating systems never see the new ID. It’s not a client solution, it’s an infrastructure change. 
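The behaviour described above for per-network identifiers (a different 48-bit ID on each network, the same one on rejoining) and the MAC-bound authentication problem with randomization can be seen in a few lines. This is an added illustration, not LEVL's algorithm (which the article says is built from device fingerprints) and not any operating system's implementation: it substitutes HMAC-SHA256 over a network name, and every name and value in it is a constructed assumption.

```python
import hashlib
import hmac

# Constructed sample values: the MAC is from the RFC 7042 documentation range,
# and the secret and network names are made up for this example.
HARDWARE_MAC = "00:00:5e:00:53:01"
DEVICE_SECRET = b"constructed-example-secret"


def per_network_id(secret: bytes, network: str) -> str:
    """Derive a repeatable 48-bit ID scoped to one network (HMAC stand-in)."""
    raw = bytearray(hmac.new(secret, network.encode(), hashlib.sha256).digest()[:6])
    # Mark it like a randomized MAC: locally administered (0x02), unicast (not 0x01).
    raw[0] = (raw[0] | 0x02) & 0xFE
    return ":".join(f"{b:02x}" for b in raw)


def is_locally_administered(mac: str) -> bool:
    """True when the U/L bit of the first octet is set (not a burned-in address)."""
    return bool(int(mac.split(":")[0], 16) & 0x02)


def mac_allowlisted(allowlist: set, presented: str) -> bool:
    """The MAC-bound access check that randomization confuses."""
    return presented.lower() in allowlist


def demo() -> dict:
    home = per_network_id(DEVICE_SECRET, "home")
    cafe = per_network_id(DEVICE_SECRET, "coffee-shop")
    return {
        "stable_on_rejoin": home == per_network_id(DEVICE_SECRET, "home"),
        "differs_across_networks": home != cafe,
        "flagged_randomized": is_locally_administered(home),
        "hardware_flagged_randomized": is_locally_administered(HARDWARE_MAC),
        "allowlist_accepts_hardware": mac_allowlisted({HARDWARE_MAC}, HARDWARE_MAC),
        "allowlist_accepts_randomized": mac_allowlisted({HARDWARE_MAC}, home),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Whoever holds the key can still recognize a returning device on its own network, which is the operator-side visibility the article describes.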

It was too much to hope that MAC address tracking could be eliminated at a stroke. MACs will be with us for a long time, but LEVL-ID does a good job of providing an alternative, and it does so in a way that doesn’t inconvenience every user and every networked device. Says Colleran, “User privacy is a multi-headed beast, and it depends on consumer behaviors around opt-ins and license agreements. We are doing what we can with our current technology to let users reclaim their privacy.” Amen to that. 
