Identifier Creeps

This is an interesting story by a journalist with significant “good story” form, James Colley. It’s worth a read, but not essential for the purposes of why I’ve gathered you here today. I’ll cover it myself.

From June 1, New South Wales police will require all pawnbrokers to record, and provide to them, the MAC address of the wifi card in everything that has one. This includes phones, laptops, and ostensibly cameras, recreational drones and a bunch of other things. It’s 2016 after all and basically everything has wifi.

Paris Cowan’s late January story that Colley expanded on immediately grabbed my attention, as did the Australian Privacy Foundation’s mailing list community, which mulled through the laws. There’s a lot to unpack here, but the first thing that grabbed my attention was the comment of the inspector in a dedicated pawnbrokers unit:

Inspector Tony Heyward of NSW Police’s operational information agency called the 12-character identifier “a simple yet powerful crime-fighting tool”.

No it isn’t.

I mean, it’s not.

Let’s back up a bit.

If you aren’t aware what a MAC address is, it’s not that complicated. It’s a serial number for every bit of your computer that connects it to a network like the Internet. If you have a laptop with a wired jack in it to plug in to a network, that jack (or the bits behind it) will have a MAC address, and if you have wifi (which you should if your laptop was manufactured in the last two decades), the wifi radio in it will have a MAC address too. They’re made up of 12 hexadecimal digits, meaning instead of just 0–9 they go up to F. 0,1,2,3,4,5,6,7,8,9,A,B,C,D,E,F are the hexadecimal digits for 0 through to 15. The first half of a MAC tells you the manufacturer, the next half is the unique(ish) device they manufactured. The one on the wired jack in the laptop I’m writing this on is 50:26:90:9c:20:43. If you look it up you’ll see 50:26:90 means Fujitsu, and the remaining half of the number is my specific Fujitsu laptop Ethernet jack.

MAC addresses are sort of unique. For many years they were absolutely unique and unchangeable, but over time reasons have emerged for them to change. It’s possible you can dig around on your laptop and find a setting to change this string, and iPhones cycle them periodically to protect iPhone users from devices in malls that track whose phones they can see. But they’re pretty much unique, and you’re unlikely to deliberately change yours or even know how. They’re certainly much more unique than IP addresses, which CSI: Miami describes as a one-to-one computer to person relationship, which is hilariously inaccurate because your IP address changes all the time.
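The structure described above, as an added example that is not part of the original post: it splits a MAC into the manufacturer half and the device half, and checks the locally-administered bit of the first octet, which is set on randomised addresses such as the ones phones rotate. The second sample address is constructed, and the one-entry vendor table comes from the post, not from the IEEE registry.

```python
import re

# Vendor prefix taken from the post itself; a real lookup would use the IEEE OUI registry.
KNOWN_OUIS = {"502690": "Fujitsu"}

# Accept the common written forms: 50:26:90:..., 50-26-90-..., 5026.909c.2043
_SEPARATORS = re.compile(r"[:\-.\s]")


def parse_mac(text):
    """Normalise a MAC address and split it into the parts the post describes."""
    digits = _SEPARATORS.sub("", text).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a 12-hex-digit MAC address: {text!r}")
    first_octet = int(digits[:2], 16)
    oui = digits[:6]
    local = bool(first_octet & 0x02)  # set when the address was not assigned by a manufacturer
    return {
        "normalised": ":".join(digits[i:i + 2] for i in range(0, 12, 2)),
        "oui": oui,                    # first half: manufacturer prefix
        "device_part": digits[6:],     # second half: the unique(ish) device
        "locally_administered": local,
        "multicast": bool(first_octet & 0x01),
        # A vendor lookup is meaningless for a locally administered address.
        "vendor": None if local else KNOWN_OUIS.get(oui),
    }


def is_stable_identifier(text):
    """True when the address claims to be manufacturer-assigned (universal, unicast)."""
    info = parse_mac(text)
    return not info["locally_administered"] and not info["multicast"]


if __name__ == "__main__":
    # First two: the address quoted in the post. Third: constructed randomised-style address.
    for sample in ["50:26:90:9c:20:43", "50-26-90-9C-20-43", "da:a1:19:3c:5e:07"]:
        print(sample, parse_mac(sample), is_stable_identifier(sample))
```

An address that fails `is_stable_identifier` says nothing durable about the hardware, which is one reason a recorded MAC is a weaker proof of identity than a serial number.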

So why do NSW Police want to know everyone’s? It’s to track theft right?

Well no, if you were going to do that, you’d ask for the serial numbers of the device, which I’d suspect pawnbrokers record already right? That’s less techie, but its express purpose is to be a unique identifier.

Do NSW Police want the wired port’s MAC too? No they don’t. That’s weird, why focus on the wifi one?

MAC addresses aren’t the best or even a particularly good identifier for uniquely tracking a device that someone owns, but they do have one feature as a unique identifier that the serial number on the underside doesn’t have. They’re visible at a distance.

If your wifi adapter is on, you broadcast your MAC address everywhere you go, even if you aren’t connected to a wifi network. If NSW Police have a list of everyone who’s bought or sold a second hand mobile device from a pawnbroker (with their driver’s license or other identifier), and the MAC address of the device they bought and sold, then they have a key-value pair of where device holders are that’s detectable from a patrol car for a good three blocks if the window’s down. I suspect the police don’t want the wired port MAC because you can only see it from the computer itself, or the device you’re ultimately plugged into. You can see the wifi MAC from a blue and white chequered Holden Commodore with a $500 laptop or a $50 custom device. With a simple lookup, a mobile police unit would be able to predict, with a fair chance of being accurate, who within 100m has a Galaxy S5 they bought from Cash Converters, and what their driver’s license number is.

I’m sceptical of this but I think I have good reason to be. There’s a much better unique identifier for an electronic device that’s being ignored, and an almost identical not-as-good-but-still-pretty-good identifier that’s being ignored, and the only identifier that police will mandate come June 1 is the remotely detectable one.