indigo wrote

today I read that with iOS 14 apple is changing the behavior of MAC adresses used for wifi-connection. Each new connection (to the same wifi) another random MAC adress will be used.

If I understand this technical note from Apple correctly, a randomized MAC address will be used for each different network, but not for each different connection (that would break all existing sessions while roaming and it would introduce a lot of other issues):

https://support.apple.com/en-us/HT211227

However, even Apple seems to not be sure about the possible implications of their new feature, else they wouldn't recommend to casually turn off this privacy extension if things are not working. IMO they go crazy now, because MAC randomization once was specified for WiFi surveys only as described in the white paper for MAC randomization (and this makes sense to avoid tracking of clients just passing by a nearby WLAN, but not connecting to it at all).

IMO MAC randomization makes no sense for persistent connections to a specific WLAN selected during such a survey, even if the user connects to the same WLAN next day, especially if the WiFi hostname of the device is something like »John Doe's iPhone« which can still be tracked by its name and even reveals more than a MAC address does.

If WLAN hotspot providers can't identify the device in their own WLAN, they cannot offer certain functions expected by hotspot users such as authorization, roaming etc. 

Albeit I cannot answer your followup questions about how users can invalidate vouchers, my opinion is that Apple users have to take care of this if they want a seamlessly working WLAN connection.

JSchnee21 wrote

But seriously who is tracking MAC addresses from Wifi network to Wifi network to localize people's devices (other than the government).

Shops and warehouses do so. They track customers to find out from which rummage table customers go to which other rummage table. This is even offered by some big WiFi manufacturers as a ready-made software solution in their products.

And you probably noticed that smartphones fire up geolocation services if you search for nearby WLANs. Map services of the usual data collectors (Apple, Google) create SSID-to-GPS mappings to make the map services more precise. This way, they also get detailed motion profiles which are then used to bomb you with personalized ads. Of course, they don't cut you in on their profits they make from those ads using your devices. But I guess they don't use MAC addresses at all when they can collect the phone's IMEI number.

BTW: better than MAC randomization is a portable Faraday cage. Also good as a protective cover against rain while riding a motorcycle.

I like this gadget :-)

JSchnee21 wrote

I don't have anything to hide.

So, you run naked through the streets? Bravely! 

You could also just turn your phone off or put it in Airplane mode -- assuming off is really completely off --

Wrong assumption.

the ability to muster a coordinated user data tracking effort in store or store to store seems highly unlikely.

Again wrong. From their white paper:

red-light/traffic cam license plate OCR

Motorbikes have no front license plate. I've never been fined for being flashed when I was a bit too fast, but of course I'm not tired of life and do stop on red traffic lights.