How does Basking ensure data privacy through the randomization of MAC Addresses?

According to GDPR, MAC addresses are considered PII information. How does Basking implement strong techniques to ensure data privacy?

In order to ensure strong IT security and data privacy compliance, Basking implements several advanced technical and organisational security mechanisms

This article applies to the following integrations:

  • WiFi-Based integrations
  • LAN-Based integrations

What are MAC addresses and why do they matter?

MAC stands for Media Access Control. Each network device has a unique MAC address and uses it to operate within the network. MAC addresses are therefore essential for each network. 

Because MAC addresses are unique to a device (generally once it connects to the network), they are considered within the GDPR framework as PII (Personal Identifiable Information). They do not represent a person directly, but it is theoretically possible to do so by merging multiple Databases. 

MAC addresses are therefore considered sensitive, and Basking implements mechanisms to minimize data privacy-related risks.

How does Basking minimize data privacy-related risks associated with MAC addresses?

Step 1: Irreversible hash

In order to operate and provide an advanced yet data-protective analytics solution, Basking uses an irreversible hash as a replacement for MAC addresses. The algorithm contains 3 parts:

a) Salt Keys

The MAC address is extended by two separate and customer-specific salt keys. 

b) Hashing Algorithm

Basking employs the SHA264 algorithm to hash the MAC alongside the salt keys. 

By this point, the hash result is irreversible. 

c) Prevent brute force

In order to prevent a brute force attack, Basking shortens the hashing results and therefore loses information. By implementing this technique, Basking ensures that a brute-force attack is impossible.

Step 2: Drop MAC addresses during ingestion 

Most importantly, Basking does NOT store MAC addresses in any way. Regardless of whether the occupancy data source integration sends the MAC address or any other identifier, Basking always drops the identifier during ingestion. 

So, what is the outcome of MAC randomization?

By adopting the above mechanisms Basking is able to achieve the following outcomes: 

  • Concealing the original MAC address.
  • This makes it impossible to track devices based on MAC.
  • Thereby compliant with GDPR data anonymization requirements.