In a recently released report titled “Wi-Fi Positioning Systems: Beware of Unintended Consequences” – by Ontario's Information and Privacy Commissioner, Dr. Ann Cavoukian, and Kim Cameron, a leading digital identity expert – indicates that availability of mobile device WiFi Media Access Control (MAC) in plaintext over the air can lend itself to mapping the device at various locations, which can potentially cause privacy concerns for the device owner.

While releasing the report, referring to the popularity of smart mobile devices, the commissioner said: “Mobile devices are becoming more crucial in our daily lives, with people now carrying them and using them practically everywhere.”

Also, considering the use of unregulated WPS (WiFi positioning systems) she explained that, “Whenever an individual uses location-based services on his or her mobile device, a unique identifier of nearby traceable WiFi access points called a Media Access Control (MAC) address is relayed.” Indicating the consequences of this, she then added, “This raises privacy concerns because this location information may be compiled into a profile of an individual over time, such as where they have travelled to, shopped, eaten or banked.” Further, due to the availability of device WiFi MAC over the air, she warned “MAC addresses are core to current networked communications. But with minimum time and resources, one may be able to associate MAC addresses of mobile devices to physical addresses and then to a specific individual.”

Looking into the warnings and privacy concerns raised by the commissioner, it can be understood that similar to Ethernet, every WiFi capable device is assigned a unique, persistent identifier in the form of a MAC address to take part in networked communication. However, the WiFi MAC is available in plaintext over the air in packets related to ongoing WiFi communications, network broadcasting, or network probing.

With the availability of the device’s unique WiFi MAC over the air, a wardriving expert with sufficient resources (to sample WiFi data) can easily establish the device (and, by relation its owner) association with multiple locations. This can potentially reveal a lot of personal information about the device’s owner.

Advertising of the WiFi MAC also forms the basis of WiFi Positioning Systems, which at its core consists of a database of geo-tagged fixed WiFi Access Points indexed by their WiFi MAC addresses. Whenever, a WiFi capable device requests/uses services based on WPS, data such as a device’s own WiFi MAC and nearby traceable Access Points MAC are being relayed to the WPS service providers, who then use this information in conjunction with an available WPS database to determine the approximate location of the device.

Many groups/companies are involved in building the WPS database using techniques, such as wardriving, for commercial purposes. The database is then usually shared with third parties for location-based services and advertising. However, since the collection, maintenance, and use of WPS data and associated applications may not come under the existing regulatory environment, there can be potential privacy concerns for users of WPS services. These concerns can arise due to the fact that the devices, and by association, the device owner’s movements at various places can be profiled over a period of time. Such profiling can reveal quite a bit of personal information without the knowledge of the device owner.

Adding to WPS privacy concerns, the privacy commissioner also said, “Furthermore, depending on future developments, it may even be possible that individuals using geolocation services could inadvertently report the MAC address (and, simultaneously, location) of mobile devices belonging to friends, family or co-workers – creating an unintended 'unknowing informant' model of data collection.”

This means that due to the availability of WiFi MAC addresses of nearby devices, it may happen that an individual can inadvertently relay these addresses while using the WPS services on his/her device, thereby making it possible to reveal nearby devices' (in effect, the device owner’s) location information also. This can be considered as a privacy breach for such device owners when they are not participating in location-based services. Also, such unintended location mapping can potentially reveal personal information about them. At the same time, the individual relaying such additional information becomes the ‘unknowing informant’.

After outlining the privacy concerns, the commissioner advocated the use of certain practices such as, "Privacy must be designed into WiFi positioning systems to prevent unintended consequences," she said. It was also emphasized that “In no case, should the MAC address of end-user devices be collected or tracked without the consent of the owners of such devices.”