Appendix B — MAC Address Randomization

This appendix examines MAC address randomization, the primary challenge for WiFi-based pedestrian sensing, and validates the toolkit’s approach to handling it. We explain what randomization is and how it has evolved, present empirical evidence that the toolkit’s preprocessing preserves urban activity patterns, and discuss which analyses remain feasible in the current environment.

B.1 How Randomization Has Evolved

MAC address randomization, where devices broadcast fake identifiers instead of their real ones, has progressed through three broad phases. Since 2014, this has been the central challenge for WiFi sensing research.

WiFi sensing relies on a simple premise: every device broadcasts a unique identifier (its MAC address) and a sensor records it. When the same address appears repeatedly, the sensor infers that the same device (and by proxy, the same person) is present. Randomization breaks this link by generating a new, fake address for each broadcast.

  Without randomization              With randomization

     Device A                           Device A
       │                                 │
       ├── A1 ──→ Sensor                  ├── X1 ──→ Sensor
       ├── A1 ──→                         ├── X2 ──→
       └── A1 ──→                         └── X3 ──→

     1 unique address                  3 unique addresses
     = 1 device ✓                      = 3 "devices"?

Early adoption (2014–2018)

Apple introduced randomization in iOS 8 (2014) for background WiFi scanning, and Google followed with Android 6.0 (2015). In practice, these early implementations were incomplete: devices often reverted to their real address when connecting to a network, and many Android manufacturers did not implement randomization at all. A large-scale measurement study found that over 96% of Android phones did not effectively randomize during this period (Martin et al. 2017). Even when randomization was active, other information in WiFi frames could still be used to identify devices (Vanhoef et al. 2016).

Transition to default-on (2019–2021)

The turning point came when Android 10 (2019) and iOS 14 (2020) made randomization the default behavior for all WiFi activity: not just background scanning but also network connections. This was the first time randomization applied broadly enough to affect WiFi sensing in practice.

However, adoption remained uneven. A follow-up study testing 160 phone models from 18 manufacturers found that while recent devices approached effective randomization, manufacturer fragmentation (particularly among budget Android phones that never receive OS updates) left significant gaps (Fenske et al. 2021).

Current state (2022–present)

Since 2021, randomization has continued to tighten. iOS 18 (2024) now offers three modes: a stable per-network address for secured WiFi, a rotating address that changes every two weeks for open networks, and the option to disable randomization entirely. Android has maintained per-network randomization as the default through version 15 (2024). As of 2024, MAC address randomization has been formally incorporated into international WiFi standards (IEEE Standard for Information Technology–Telecommunications and Information Exchange Between Systems Local and Metropolitan Area Networks–Specific Requirements - Part 11 2025; JC. Zúñiga and Andersdotter 2025). How these policy changes show up in field data is summarized in Appendix C, using five deployments that span the transition.

B.2 Addressing Randomization

Randomization is now the default, but how a device randomizes depends on its relationship to nearby WiFi networks, and not all addresses change.

When a device has saved a WiFi network (e.g., a campus network such as eduroam, a saved workplace network), it uses a fixed address for that network. This per-network address persists across connections and reboots (Nozari et al. 2025; Mishra et al. 2025; JC. Zúñiga and Andersdotter 2025); changing it each time would force re-authentication, so both Android and iOS keep it stable. In settings where most users have registered the local WiFi (university campuses, office buildings, commercial districts with public networks), a large share of devices carry these stable addresses.

Devices without a saved network broadcast fully randomized addresses that change with each probe burst. Both kinds of randomized address, per-network and fully random alike, carry the same marker: a single bit in the MAC address header (the locally-administered bit). The toolkit removes every address with this bit during preprocessing (Chapter 5), so the devices it retains are those still broadcasting a permanent, manufacturer-assigned address. Per-network stability is therefore a property of addresses the toolkit discards, not a signal it uses; it matters for which analyses remain feasible as randomization tightens (Section B.4).

This filtering raises a question: do the retained devices capture the same temporal and spatial patterns as the broader population, or does removing randomized addresses introduce bias? The next section tests this with data from two deployments.

B.3 Empirical Validation

We validate the toolkit’s filtering approach using data from two deployments collected during the transition period: the UNIST campus (24 sensors, October–November 2019) and a commercial district near the University of Ulsan (17 sensors, July 2020). For each hour, we independently count unique devices among randomized addresses and non-randomized addresses. Because the two groups share no addresses, a strong correlation between them indicates that both respond to the same underlying pedestrian activity.

Randomization rates at two levels

Randomization rates differed substantially between the two sites, but the gap between detection-level and MAC-level percentages was consistently large.

At the UNIST campus, randomized devices account for only 4.6% of detection events but 92.4% of unique MAC addresses, an inflation factor of 20\(\times\). In the commercial district, the detection-level share is higher (22.3%) but the MAC-level share reaches 96.7% (inflation of 4.3\(\times\)). This gap reflects rotation inflation: a single randomized device generates many distinct addresses over time, while each non-randomized device maintains one. The headline figure of “over 90% randomized” substantially overstates the impact on the actual data stream.

Figure B.1: Randomization rates at two measurement levels across two deployment sites. The gap between detection-level and MAC-level percentages illustrates rotation inflation.

Temporal co-variation

If non-randomized devices are representative of overall pedestrian activity, their hourly counts should rise and fall with those of randomized devices. Figure B.2 tests this by plotting the hourly unique device count for each group (randomized-only vs. non-randomized-only) across both sites. The two groups are fully independent (no address appears in both), so any correlation reflects shared response to the same foot traffic.

The relationship is strong at both sites: \(r\) = 0.916 at the UNIST campus (624 hours) and \(r\) = 0.833 in the commercial district (222 hours). The lower value in the commercial district likely reflects its higher randomization rate (22.3% vs. 4.6%): when randomized devices dominate, each address is used only briefly before rotating, making the hourly unique count noisier. Even so, the correlation remains well above 0.8 at both sites.

Figure B.2: Hourly unique device counts for randomized-only vs. non-randomized-only addresses across both sites. Each point is one hour; lines show linear fits.

Generalization across sensor locations

The temporal co-variation holds not only in site-level aggregates but at individual sensor locations. We computed the same hourly correlation separately for each sensor, yielding 41 per-sensor Pearson \(r\) values (24 from the UNIST campus, 17 from the commercial district). Figure B.3 summarizes their distribution.

The UNIST campus shows a median per-sensor \(r\) of 0.834 (IQR: 0.808–0.897); the commercial district shows a median of 0.805 (IQR: 0.745–0.840). Most sensors cluster well above \(r\) = 0.7, confirming that the temporal co-variation generalizes across diverse locations: academic buildings, dormitories, transit stops, restaurants, and retail streets.

Figure B.3: Distribution of per-sensor Pearson \(r\) (randomized vs. non-randomized hourly counts) at both sites. The dashed line marks \(r\) = 0.9.

Four sensors show notably lower correlations (sensor names as mapped in Appendix A), but for different reasons. On the UNIST campus, Whitehouse (\(r\) = 0.377) is located near a campus bar where activity is concentrated in late-night hours: 21% of hours contain two or fewer randomized devices, while the remaining hours spike sharply. tennis_court (\(r\) = 0.526) captures episodic match attendance with long idle periods between games. At both sensors, the hourly correlation is unstable because many hours have near-zero counts.

In the commercial district, u02 (\(r\) = 0.504) and u13 (\(r\) = 0.515) present a different pattern. Both are positioned on the pedestrian-priority street (Section A.2) and detect ample devices every hour. Here, the issue is an extreme imbalance: u13 averages 1,798 randomized devices per hour but only 285 non-randomized, a 6.3:1 ratio. The few non-randomized devices at these locations likely represent regular customers and staff with saved WiFi, whose daily rhythms differ from the transient foot traffic captured by the randomized count.

Neither mechanism indicates a failure in the filtering approach. The campus outliers reflect sparse, irregular activity; the commercial-district outliers reflect locations where transient passers-by vastly outnumber WiFi-connected returning visitors.

Boundaries

This validation demonstrates that non-randomized devices preserve temporal activity patterns across diverse environments. The approach has clear boundaries, however. Revisits analysis (identifying returning visitors across days) is limited to devices with persistent addresses. In the UNIST deployment, this yields approximately 25,600 unique non-randomized devices over 26 days after preprocessing: a viable sample in institutional settings, but not representative of all visitors. In open public spaces without institutional WiFi, cross-day revisit tracking is not feasible with current passive sensing methods, a fundamental constraint of passive WiFi sensing rather than a limitation specific to the toolkit.

B.4 Implications for the Five Metrics

Randomization does not affect the toolkit’s five metrics equally. The deployment environment (specifically, whether most visitors have saved the local WiFi network) determines which analyses are feasible.

Location analyzes individual detections, using signal strength to position each one. It does not require recognizing the same device across time, so it is the least affected by randomization.

Count relies on the temporal co-variation validated above. At both sites, non-randomized hourly counts rose and fell with randomized counts (\(r\) = 0.916 and 0.833), confirming that relative patterns (peak hours, weekday–weekend contrasts, spatial comparisons) are preserved. Where absolute pedestrian numbers are needed, manual calibration counts can establish the conversion factor.

Track and Activities both require recognizing the same device over the length of a visit: track to link detections at successive sensors into a path, activities to measure whether a device stays in place or passes through. The toolkit computes both from the retained manufacturer-assigned addresses, and the per-sensor validation (median \(r\) > 0.8 at both sites) shows these devices appear across diverse locations in proportion to overall traffic. As randomization tightens, per-network addresses (Section B.2) stay stable for the length of a visit wherever most visitors have saved a shared local network, which is what these two metrics need.

Revisits is the most constrained metric. Recognizing returning visitors across days requires persistent addresses, limiting the analysis to devices with saved WiFi networks. Institutional environments with shared WiFi infrastructure provide a viable sample; open public spaces do not support cross-day identification with current passive sensing methods. The returning-visitor analysis in the commercial district case study (Chapter 12) was feasible because its 2020 data predate iOS 14’s default-on rollout; under current operating systems, the same classification would require an environment where most visitors have saved the local network.

In general, institutional settings support the full range of metrics, while open public spaces are better suited to aggregate analyses: temporal rhythms, spatial comparisons, and within-session trajectories. Regardless of environment, two practices help maximize the value of any deployment: reporting randomization rates at both the detection and unique-MAC levels (to expose the rotation inflation in each dataset and allow comparison across studies), and collecting a small number of manual pedestrian counts at representative time points (to ground WiFi-based estimates in observed reality).