You might think that connecting anonymously to a public Wi-Fi network doesn't reveal much about you. You may be using a VPN (virtual private network) to protect everything you do. Even if it doesn't, the vast majority of websites and email servers (and almost all those run by businesses) use client-server encryption. What if you could still be followed?
Apple has a solution for this, as with many tracking systems. The company's trick lies in how Wi-Fi (and Ethernet) adapters identify themselves on a local network.
How MAC Addresses Work
Each network adapter has a unique address, factory assigned, built-in or programmed during manufacture. This is called a media (or medium) access control address; the abbreviation is MAC, which is confusing, but it has nothing to do with Macintoshes. Where an Internet Protocol (IP) address defines your machine's location on the Internet, a MAC address defines it on your local area network (LAN). MAC is, in part, how devices on a local network communicate with each other, whether over Wi-Fi or Ethernet.
Apple recognized that any fixed ID could be used to track someone if the ID could be linked to records shared beyond a local network. When you connect to a wireless hotspot, your Wi-Fi MAC address is transmitted because it is an integral part of that connection. If this MAC address does not change over time, the backend of a hotspot portal or the point-of-sale system of a commercial site could create a profile of you (or your device) using various cues including Bluetooth broadcasts, logging into a portal to get free access, using a discount card when paying, and issuing other broadcast IDs.
They could sell this information to third party information brokers who could track you widely in places also sharing and selling information and target you with advertisements even if all your web, email and file transfer connections were secure, like this is the case in most scenarios today. Worse, it's clear that law enforcement and government agencies routinely purchase access to location information without resorting to subpoenas or legal mechanisms that a provider or you would know about and could fight.
Even if a MAC address is assigned at the factory, it can be changed. For example, you may have had the experience of connecting to a Wi-Fi gateway to configure it and seeing an option buried in the advanced settings to change the MAC address. (This can sometimes be useful when you're replacing a router and your ISP's modem or broadband adapter is registered to that old device's MAC address.)
The ability to change a MAC and the ability to track a MAC is why Apple introduced private Wi-Fi address as a feature in iOS 14, iPadOS 14, and watchOS 7. It later added it to macOS. The feature is enabled by default for all Wi-Fi connections on all platforms. Apple has made this feature more granular, providing ways to fine-tune it further, in iOS 18, iPadOS 18, macOS 15 Sequoia, and watchOS 11.
Apple uses the term “private Wi-Fi address” to refer to the MAC address of a Wi-Fi adapter. It is the same as a MAC address, but the company does not offer private MAC addresses for Ethernet connections.
Change your private address settings
You can view settings only for individual networks, because Apple allows you to have different settings for each network you connect to.
- On an iPhone or iPad, go to Settings > Wi-Fi and tap the name of the connected network. You can also change Private Wi-Fi options by tapping the i (info) icon next to a nearby network or by tapping To modify at the top of the Wi-Fi settings and tapping the i icon.
- On a Mac, go to System Settings > Wi-Fi and click Details next to the connected network. You can also tap the … (More) button next to a network displayed as Nearby to change the private Wi-Fi address settings. (You cannot change MAC settings stored in macOS.)
- On a watch, navigate to Settings > Wi-FiTap the network name and the Private Address setting appears.
The private Wi-Fi address setting allows you to control how much long-term information you disclose about your device to nearby networks.
Foundry
Latest versions of operating systems have added a menu offering Disabled, Fixed, and Rotating choices.
By default, when you connect to an open network (without encryption) or using outdated encryption methods (WEP or original WAP), your operating system automatically sets the option to Rotate. In this case, your device invents a MAC address for each network you join and uses that address for two weeks. The address also changes if you choose Forget this network and then reconnect after 24 hours, or if you use the device settings to reset your network settings (Settings > General > Transfer or reset iPhone/iPad > Reset > Reset network settings).
You might ask: what happens if Apple generates a MAC address that is already in use? The number of possible addresses is vast (more than 280,000 billion possibilities) and unlike a global IP address, it only needs to be unique on the local network.
If you connect to a network with WPA2 or later encryption, your device uses Fixed by default. You can also choose this option on a home or work LAN, even if Apple's default is not set to Fixed, to ensure your address consistency.
If you choose Off, you are notified of tracking and must confirm before the private Wi-Fi address is disabled.
You can switch from Rotating to Disabled or Fixed if you think you're having problems with a hotspot network that constantly loses your connection. I've seen this with the plane's Wi-Fi and haven't diagnosed whether it's a problem with the plane's authentication system or private MAC addressing.
This Mac 911 article answers a question submitted by a igamesnews reader.
Ask Mac 911
We've compiled a list of the questions we get asked most frequently, along with answers and links to columns: read our super FAQ to see if your question is covered. Otherwise, we are always looking for new problems to solve! Send yours to [email protected], including screenshots where applicable and if you would like your full name used. We will not answer all questions, we do not respond to emails, and we cannot provide direct troubleshooting advice.
