[moyix]

It's not part of the IP packet, but in some previous cases exploits on Tor (such as the one the FBI used in the Freedom Hosting takedown) have explicitly queried the MAC address and then exfiltrated that information. I assume the intent was that they could then arrest the suspect and compare the captured MAC address to the physical machine to prove it was the same person.

[angry_octet]

In addition to providing confirmatory evidence, MACs are essentially serial numbers in a can. Every batch of chips sold can be traced to an OEM. If that was a laptop OEM then the manufacturer will know the serial number of the device with that MAC, and CPU ID etc. There is a good chance they can trace who initially purchased the laptop.

Also, if it is a WiFi MAC then your laptop is blasting that out constantly, and many services collect that info. Fortunately we are slowly seeing a move to randomisation of the MAC used when scanning. Unfortunately an active probe can pierce the veil by causing the true MAC to be used. Lots of venues (shopping malls) offer free Wifi because it causes the phone to reveal its true address when it connects, allowing tracking (lots of other entropy in Wifi apart from the MAC though).

There is no reason random MACs shouldn't be used for all transmissions in modern systems except for software inertia.