Why MAC Addresses Are Used for Tracking
A MAC address (Media Access Control address) is a 48-bit physical address assigned to a network interface. Unlike an IP address, it is tied to the device's hardware, and because your device transmits it every time it connects to Wi-Fi, it functions as a semi-permanent identifier.
Wi-Fi access points installed in shopping malls, airports, and train stations can collect MAC addresses from the Wi-Fi probe requests emitted by nearby devices, regardless of whether those devices actually connect. This mechanism enables location tracking that records your movement patterns without your knowledge.
How Wi-Fi Probe Requests Work
Smartphones and laptops constantly send probe requests when Wi-Fi is enabled. These are broadcast frames that search for available access points and contain the following information:
- Source MAC address
- SSIDs of previously connected networks (Preferred Network List)
- Communication standards and speeds supported by the device
The problem is that these probe requests are transmitted unencrypted. Any receiver within a range of several dozen meters can intercept and record MAC addresses. Even if you're not connected to Wi-Fi, simply having Wi-Fi turned on makes you a tracking target.
What Probe Requests Reveal
From collected MAC addresses alone, an observer can estimate the following:
- Dwell time and visit frequency of a specific device (how often and for how long the same MAC address appears)
- Movement paths (detecting the same MAC address across multiple sensor locations)
- Device manufacturer (the upper 24 bits of a MAC address are registered as an OUI with IEEE)
- Previously connected Wi-Fi network names (SSID leakage)
The Reality of MAC Address Tracking in Commercial Facilities
In the retail industry, foot traffic analysis using MAC addresses is widespread. Wi-Fi sensors installed in stores collect MAC addresses from shoppers' smartphones to generate data including:
- Real-time visitor counts
- In-store traffic flow analysis (how long shoppers spend in each department)
- Repeat visit rate measurement (return frequency of the same MAC address)
- Visitor overlap analysis with nearby competing stores
This type of analysis is offered as a service by companies like Euclid Analytics, RetailNext, and ShopperTrak, and is widely adopted by major retail chains. In most cases, shoppers are unaware that such tracking is taking place.
Tracking in Public Spaces
MAC address collection isn't limited to commercial facilities. It also occurs at airports, train stations, event venues, and even smart city sensors installed on streets. London's Underground has been conducting passenger movement pattern analysis using Wi-Fi tracking since 2016.
MAC Address Randomization - OS-Level Countermeasures and Their Limitations
Apple (iOS 14+), Google (Android 10+), and Microsoft (Windows 10+) have implemented features that randomize the MAC address sent in Wi-Fi probe requests. This has reduced direct exposure of devices' actual MAC addresses.
Randomization Methods
- iOS: Generates a unique random MAC address per network and consistently uses the same random address for the same network (per-network randomization)
- Android: Enabled by default since Android 10. In addition to per-network randomization, Android 12+ also randomizes probe requests when not connected
- Windows: Per-network random MAC addresses can be configured (may require manual activation)
Limitations of Randomization
MAC address randomization is not a silver bullet. Tracking can still succeed through the following vectors:
- Fixed MAC after connection: Most OSes continue using the same random MAC address for a network once connected. Tracking remains possible within that network
- Information entropy in probe requests: Research has shown that combining information other than the MAC address (supported standards, frame sequence numbers, order of information elements) can re-identify devices with randomized MAC addresses with high accuracy
- SSID leakage: Some devices include previously connected SSIDs in probe requests. If a unique SSID (like your home Wi-Fi name) is included, individuals can be identified even when the MAC address changes
- Bluetooth correlation: If Bluetooth MAC addresses aren't randomized, simultaneous observation of Wi-Fi and Bluetooth can identify the actual device
Practical Defenses
Basic Measures
- Turn off Wi-Fi and Bluetooth when not in use. This is the most reliable countermeasure
- Verify that your OS's MAC address randomization is enabled (iOS: Settings → Wi-Fi → Network → Private Wi-Fi Address; Android: Settings → Network → Wi-Fi → Randomized MAC)
- Delete saved connections to unnecessary Wi-Fi networks to prevent SSID leakage
- Disable automatic connection to public Wi-Fi
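The following is an added example, not part of the original article: a self-audit over probe requests captured from your own device, checking the two things the list above asks you to verify. It relies on the fact that randomized addresses have the locally administered bit (0x02 of the first octet) set; the record format, function names, and sample data are assumptions constructed for illustration.

```python
# Added example (not from the original article). All sample data is constructed.

def parse_mac(mac):
    """Return the six octets of a MAC written as aa:bb:cc:dd:ee:ff or aa-bb-..."""
    parts = mac.strip().replace("-", ":").split(":")
    if len(parts) != 6 or any(len(p) != 2 for p in parts):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return bytes(int(p, 16) for p in parts)

def is_randomized(mac):
    """True if unicast (0x01 clear) and locally administered (0x02 set)."""
    first = parse_mac(mac)[0]
    return (first & 0x03) == 0x02

def oui(mac):
    """Upper 24 bits; identifies the manufacturer only for a global address."""
    return parse_mac(mac)[:3].hex(":").upper()

def audit(probes):
    """Summarise what a list of {'mac', 'ssid'} probe records gives away."""
    macs = sorted({p["mac"].lower() for p in probes})
    return {
        # Globally administered source address: the hardware MAC is exposed.
        "global_macs": [m for m in macs if not is_randomized(m)],
        "random_macs": sum(is_randomized(m) for m in macs),
        # A non-empty SSID means a directed probe naming a saved network.
        "leaked_ssids": sorted({p["ssid"] for p in probes if p["ssid"]}),
    }

# Constructed records; an empty SSID is a wildcard (broadcast) probe.
# 00:00:5e:00:53:xx is the documentation range from RFC 7042.
SAMPLE = [
    {"mac": "da:a1:19:3c:5e:01", "ssid": ""},
    {"mac": "5e:7b:02:9d:10:44", "ssid": ""},
    {"mac": "00:00:5e:00:53:2a", "ssid": "HomeNet-Example"},
]

if __name__ == "__main__":
    report = audit(SAMPLE)
    for mac in report["global_macs"]:
        print(f"hardware MAC exposed: {mac} (OUI {oui(mac)})")
    print(f"distinct randomized MACs seen: {report['random_macs']}")
    for ssid in report["leaked_ssids"]:
        print(f"saved network name leaked: {ssid}")
```

An empty `global_macs` list and an empty `leaked_ssids` list are the result you want from your own device.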
Advanced Measures
- Use a VPN to protect your traffic content from the connected network
- Combine with browser fingerprint countermeasures for multi-layered tracking resistance
- Use a Faraday pouch (signal-blocking case) to physically block radio transmission and reception
- Use a privacy-focused OS (such as GrapheneOS). GrapheneOS features per-connection MAC address randomization
Check Your Status
Check your current connection information on IP Check-san, understand the risks of public Wi-Fi, and take appropriate measures. Since MAC address tracking operates on a different layer than IP address tracking, it's important to combine MAC address countermeasures with ad tracking protection for multi-layered defense.
Regulatory Landscape
Regulations on MAC address collection vary significantly by region.
- EU (GDPR): The prevailing interpretation is that MAC addresses constitute personal data. Collection requires a legal basis (consent or legitimate interest)
- Japan (Act on the Protection of Personal Information): A MAC address alone may not constitute personal information, but it may qualify if it can be easily cross-referenced with other information to identify an individual. The 2022 amendment introduced the concept of "personal-related information," requiring consent for third-party provision of cookies and device identifiers
- United States: No comprehensive federal regulation exists, but California's CCPA/CPRA includes device identifiers as personal information
Regardless of regulations, it's important to be conscious of managing the information your devices emit.
Summary
MAC addresses are physical identifiers that operate on a different layer than IP addresses. Simply carrying a device with Wi-Fi enabled can result in your movement patterns being recorded by sensors in commercial facilities and public spaces.
OS-level MAC address randomization is an important advancement, but it's not a complete defense. Multi-layered protection is necessary: turn off Wi-Fi and Bluetooth when not needed, clean up saved networks, and use a VPN. Start by checking your network information on IP Check-san and understanding how visible your digital footprint really is.