I'm under the impression that most "mobile" WiFi-enabled devices will actively probe [0] for APs that they've been associated with in the past. It's the SSIDs and MACs of these APs that will be used to figure out who you are, despite your ever-changing client MAC address.
[0] By the gods, this is such a stupid idea. Aren't beacons often sent at a 10Hz rate? Assuming that we've associated with a network that actually sends beacons, why wouldn't remaining silent, listening for the beacon, then associating work just as well as probing?
I think this is a great example of how security and privacy gets sacrificed for convenience -- everyone seems more concerned with how fast they can connect to the first open WiFi network they find when they're roaming than what info they're broadcasting, and software's behaviour and interface reflects that. I'd like finer control over what my device does, like
- whether to automatically connect to any networks
- whether to use active scanning (and if it's off by default, I should be able to force one); passive scanning is fine unless you need to connect to networks without SSID broadcast, since it's just listening. Probably saves a tiny bit of battery too.
- better management of SSID list; I find the design where items in the list appear/disappear dynamically while you're trying to manipulate it rather irritating to use. I would prefer if there was an option to control whether the list gets updated, so it will stop accumulating useless networks. Finally, one for iOS (and Windows 8, which has regressed in this area): make it possible to forget and/or otherwise manage networks that are not in range.
I think they're saying you can still identify a device with pretty good certainty by the probe requests it sends. Probe will include the MAC of your home AP and other known APs, which are unique enough, even if your phone's MAC is changing with each probe.
[0] By the gods, this is such a stupid idea. Aren't beacons often sent at a 10Hz rate? Assuming that we've associated with a network that actually sends beacons, why wouldn't remaining silent, listening for the beacon, then associating work just as well as probing?