How to enhance your network security with private Wi-Fi network addresses

Macworld

You might think that connecting anonymously to a public Wi-Fi network doesn’t reveal much about you. You might be using a VPN (virtual private network) to protect everything you do. Even if you aren’t, the vast majority of websites and email servers (and pretty much all those run by companies) use client-to-server encryption. But what if you could be tracked anyway?

Apple has a solution for this as it does for many tracking systems. The company’s trick lies in how Wi-Fi (and ethernet) adapters identify themselves over a local network.

How MAC addresses work

Every network adapter has a unique, factory-assigned address baked in or programmed in at its manufacture. It’s called a Media (or Medium) Access Control address; the abbreviation is MAC, confusingly enough, but it has nothing to do with Macintoshes. Where an IP (Internet Protocol) address defines your machine’s location on the internet, a MAC address defines it on your local area network (LAN). The MAC is in part how devices on a LAN all communicate with one another, whether over Wi-Fi or ethernet.

Apple recognized that any fixed identifier could be used to track someone if the ID could be tied to records shared beyond a local network. When you connect to a wireless hotspot, your Wi-Fi MAC address gets transmitted because it’s an inherent part of that connection. If that MAC address doesn’t change over time, the backend of a hotspot portal or a business location’s point-of-sale system could build up a profile of you (or your device) using a variety of clues that includes any Bluetooth broadcasts, logging into a portal to gain free access, using a discount card while paying, and emitting other broadcast identifiers.

They could sell this information to third-party information brokers who could track you widely across locations that also share and sell information and target you with ads even if all your web, email, and file-transfer connections were secure, as is the case in most scenarios today. Worse, it’s clear that law enforcement and government agencies routinely purchase access to location information without use of subpoenas or legal mechanisms that a provider or you would be informed of and could fight.

While a MAC address is factory assigned, it can be changed. For instance, you may have had the experience of connecting to a Wi-Fi gateway to configure it and seeing an option buried in advanced settings to modify the MAC address. (This can sometimes be helpful when you’re replacing a router, and your ISP’s broadband modem or adapter is registered to that older device’s MAC address.)

The ability for a MAC to change and the potential for a MAC to be tracked is why Apple introduced a Private Wi-Fi address as a feature in iOS 14, iPadOS 14, and watchOS 7. It later added it to macOS. The feature is enabled by default for all Wi-Fi connections on all platforms. Apple made this feature more granular—offering ways to tune it further—in iOS 18, iPadOS 18, macOS 15 Sequoia, and watchOS 11.

Apple uses the term “Private Wi-Fi address” to refer to the MAC address for a Wi-Fi adapter. It’s identical to a MAC address, but the company doesn’t offer private MAC addresses for Ethernet connections.

Change your private address settings

You can view the settings only for individual networks because Apple lets you have different settings for each network to which you connect.

On an iPhone or iPad, go to Settings > Wi-Fi and tap the connected network name. You can also change Private Wi-Fi options by tapping the i (info) icon next to a nearby network, or tapping Edit at the top of Wi-Fi settings and tapping the i icon.

On a Mac, go to System Settings > Wi-Fi and click Details next to the connected network. You can also tap the … (More) button next to a network shown as nearby to make changes to the Private Wi-Fi address settings. (You can’t change stored MAC settings in macOS.)

On a Watch, go to Settings > Wi-Fi, tap the name of the network, and the Private Address setting appears.

The Private Wi-Fi address setting lets you control how much long-term information you leak about your device to nearby networks.


The latest releases of operating systems added a menu that offers Off, Fixed, and Rotating choices.

By default, when you connect to an open network (one with no encryption) or one using outdated encryption methods (WEP or the original WPA flavor), your operating system automatically sets the option to Rotating. In this case, your device invents a MAC address for every network you join and uses that address for two weeks. The address also changes if you choose Forget This Network and then connect again after 24 hours, or if you use the device’s settings to reset your network settings (Settings > General > Transfer or Reset iPhone/iPad > Reset > Reset Network Settings).

You might ask: what if Apple generates a MAC address already in use? The number of possible addresses is vast—over 280 trillion possibilities—and unlike a global IP address, it only needs to be unique on the local network.
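To put numbers on that collision question, here is an added Python example (not Apple's code and not part of the original article) that generates a random address in the IEEE 802 "locally administered" format, flags such addresses in a client list, and estimates the chance that any two devices on one LAN pick the same address. It assumes a randomized address fixes the two flag bits of the first octet, leaving 46 random bits rather than the full 48-bit space the 280 trillion figure describes; the function names and the lease list are constructed for illustration.

```python
import math
import re
import secrets

MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}([:-][0-9A-Fa-f]{2}){5}$")
RANDOM_BITS = 46  # assumption: 48 bits minus the two flag bits fixed below


def random_private_mac() -> str:
    """Return a random unicast, locally administered MAC address."""
    octets = bytearray(secrets.token_bytes(6))
    # Set the locally-administered (U/L) bit, clear the multicast (I/G) bit.
    octets[0] = (octets[0] | 0x02) & 0xFE
    return ":".join(f"{b:02x}" for b in octets)


def classify_mac(mac: str) -> str:
    """Classify a MAC by the two flag bits of its first octet."""
    if not MAC_RE.match(mac):
        raise ValueError(f"not a MAC address: {mac!r}")
    first = int(mac[:2], 16)
    if first & 0x01:
        return "multicast"
    return "locally-administered" if first & 0x02 else "factory-assigned"


def collision_probability(devices: int, bits: int = RANDOM_BITS) -> float:
    """Birthday-bound chance that any two of `devices` random addresses match."""
    space = 2 ** bits
    # 1 - exp(-n(n-1)/(2N)); expm1 keeps precision when the result is tiny.
    return -math.expm1(-devices * (devices - 1) / (2 * space))


# Constructed sample client list (hostname, MAC); not real devices.
SAMPLE_LEASES = [
    ("laptop", "00:00:5e:00:53:01"),  # universal bit: nominally factory-assigned
    ("phone", "a6:5e:60:aa:bb:cc"),   # U/L bit set: randomized or manually set
    ("tablet", "02:00:5e:00:53:01"),  # U/L bit set
]


def private_address_clients(leases):
    """Return hostnames whose MAC is locally administered."""
    return [h for h, mac in leases if classify_mac(mac) == "locally-administered"]


if __name__ == "__main__":
    print(random_private_mac())
    print(private_address_clients(SAMPLE_LEASES))
    print(f"{collision_probability(1000):.2e}")
```

Even with 1,000 devices on the same network, the estimated collision probability stays below one in a hundred million.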

If you connect to a network with WPA2 or later encryption, your device uses Fixed by default. You might also choose this on a personal or office local network even if Apple’s default isn’t set to Fixed in order to ensure your address stays consistent.

If you pick Off, you’re warned about tracking and have to confirm before Private Wi-Fi address is disabled.

You might change from Rotating to Off or Fixed if you think you’re experiencing problems with a hotspot network that keeps losing your login. I’ve seen this with airplane Wi-Fi and haven’t diagnosed whether it’s an issue with the airplane’s authentication system or private MAC addressing.

This Mac 911 article is in response to a question submitted by a Macworld reader.
