The New Alternative to UDIDs Seems to Be The MAC Address, But Privacy Issues Still Loom

By Kim-Mai Cutler Comment

Earlier this year, Apple said it was deprecating the ID system that developers and mobile ad networks have relied on to target consumers with personalized experiences or ads. At the time, there wasn’t a clear substitute to Apple’s Unique Device IDs (or UDIDs), but I mentioned the Wi-Fi MAC address as a possibility.

The MAC, or Media Access Control, address is an identifier that’s assigned to networked devices (whether they’re smartphones or laptops). Most developers seem to be targeting the MAC address of the Wi-Fi interface on iOS devices. Because it’s hard for normal people to change or spoof the Wi-Fi MAC Address, this shift rekindles the very same privacy issues The Wall Street Journal raised last year. The newspaper had criticized mobile apps like Pandora for sharing UDIDs with third-party ad networks.

Compared to tracking tools on the web like cookies, UDIDs and the MAC Address might be more sensitive because they’re tied to people’s phones and can be connected with their location. Ad networks have used UDIDs to keep track of what mobile apps a user has, so they can show ads that match their interests or block ads about apps they already have. Unlike cookies on the web, the UDID can’t be cleared or erased.

Since Apple announced it would deprecate UDIDs, developers have been hunting for something else — and the MAC address has looked the most promising.

One of the companies that specializes in driving downloads for mobile developers, W3i, recently ran a test where they were able to grab more than 78,000 MAC addresses from users of their free-app-a-day service AppAllStar. They did the test to help out developers who are unsure of what to replace UDIDs with.

Apple approved W3i’s app even as the company made it very explicit that they were going to grab MAC addresses by placing the code at a high-level with very clearly named classes showing that they were collecting the data. They also found that 99.96 percent of the addresses they collected were unique. (There were a few were duplicates, but this was probably because the devices were jailbroken or hacked. Unsurprisingly, China produced the largest number of duplicate MAC addresses.)

W3i’s findings underscore what I’ve been hearing anecdotally from multiple developers and ad networks: they’re turning to the MAC address as a substitute for UDIDs. What that means, however, is that the original privacy issues that UDIDs raised haven’t been solved at all. MAC Addresses are too complicated to change for most people unless you’re into jailbreaking and hacking into your iPhone.

Basically, The Wall Street Journal’s series on privacy won them a prestigious Loeb award for business journalism. But it didn’t really fix anything (at least in terms of privacy for mobile app users). At the time the Journal’s series broke, I said that there would be one of two outcomes. Either “uninformed policymakers will draft poorly targeted legislation. It could end up being unnecessarily destructive to consumer Internet businesses.” Or I said a fix could “be so cosmetic that it doesn’t really fix underlying problems.”

We’ve ended up with the latter situation. Apple has still not produced an elegant solution that balances the needs of developers to provide their customers with relevant experiences with respect for a user’s privacy.

Apple has said that developers should create unique identifiers that work specifically with their apps. There are a couple of issues with this though. If you’re a developer with a portfolio of apps, this doesn’t help with tracking a single user across multiple apps. Also, since a user can back-up their iPhone and put that data on another device, you might end up with a single ID code assigned to more than one device.

Because of these drawbacks, developers seem to be turning to an alternative that carries many of the same privacy issues the UDID had.