this post was submitted on 21 Nov 2025
3 points (100.0% liked)

Information Security

A bank’s privacy policy lists a lot of data they collect, including customers’ MAC addresses. I was dumbfounded. How is that possible? The router on your LAN obviously knows your device’s MAC address. And I guess the ISP’s router would know your gateway’s MAC address. But from there wouldn’t the bank only see your IP address from the WAN?

Then it occurred to me-- the bank has a smartphone app. So the app likely demands perms to get the phone’s MAC. But then what would the likely purpose be? To check vendor consistencies (to block VMs) and raise impostor flags if your MAC changes?

(update) Another question: instead of using the bank’s shitty phone app, you use their shitty web app instead. I would assume the JavaScript engine is naturally blocked from obtaining your MAC address and transmitting it. But I would like a sanity check.. anyone know for certain?

yardy_sardley@lemmy.ca 4 points 1 day ago

It's a fingerprint that can be used to cross-reference and de-anonymize your online activity, either by your bank, or by the 298 unscrupulous partners who your bank has decided to share your information with. Kinda like cookies, but they don't need to ask for permission.