How to stay anonymous in public wireless network?
Partly, yes...but mostly no - there are many other things that can identify you.
The Media Access Control address is used on the local network segment only. Yes, it is (supposed) to be unique to each network interface device, and sometimes can be changed/spoofed.
So to a slight extent, regularly changing your MAC address will provide you with some degree of anonymity against basic analysis on the WiFi network you're connecting to - they won't see the same MAC address twice in their WiFi controller logs. More advanced techniques (e.g. Packet inspection) will still be effective against you - see #1 and #2 below.
However, there is more to anonymity than just your MAC address. You may also want to be anonymous to the machines on the internet you're connecting to, or to any observers/agencies performing bulk surveillance:
HTTP connections are visible to the local network and internet. You might accidentally reveal identifying information by accident. For example, you might login to a poorly designed website that sends the username in cleartext. You might transmit a long-lived advertising cookie that was previously observed.
Your web browser might act in a unique way, or your machine might transmit a unique series of packets that allows your computer or browser to be identified. This is known as browser fingerprinting, or device fingerprinting.
You might physically visit the same WiFi location multiple times in an observable pattern. Even if no one sees you, the security cameras will. It would not matter how well you spoof your MAC address if there are other ways of tying you to the traffic.
To remain anonymous in the broad sense of the term, you need to consider every aspect of your actions. The WiFi network you connect to is only a small portion of what you need to consider.
Protecting your MAC address is completely ineffective and should be the least of your concerns.
Actually, constantly changing your MAC address will draw even more attention, since the network administrators will see a large amount of MAC addresses associated with an access point and will investigate further.
Staying truly anonymous is hard, tedious, time-consuming, annoying and ineffective in your day-to-day operations, whatever they may be. Anonymity cannot be achieved by relying solely on technology. It requires discipline, mindfulness and attention to detail.
That being said, you should first consider the following questions:
- Who do you want to protect your identity from?
- Based on the consequences of a compromise, does it worth the time and effort?
Below are only few of the things you might want keep in mind:
Modern operating systems are very "noisy" and have a wide range of networked services that can leak all sorts of interesting information about a user, when they announce themselves or interacting with another host on the local network segment. Depending on your operating system and configuration, your first step would be to pin-point those services and disable them.
A good practice is to avoid using any information that can personally identify you in your system's configuration. For example, do not use for usernames or hostnames your real name, home address, work address, phone or nicknames that can be easily tied to your real identify.
Tunnel your network traffic through a VPN connection. The VPN end-point should not be tied to your real identity. For example, do not connect to a VPN server that you run from your home on the public IP address that your ISP has assigned to you.
Do not access services and sites from the aforementioned public network that are somehow connected to your real identity or have been accessed in the past from locations that can be tied to your real identity.
The hardware and software configuration of your system may be uniquely identified among the users of a public area network. Avoid using that system on this network if you have used it again in the past while not attempting to protect your identity.
The longer you work on a hostile public network, the more chances you are offering to your adversary to compromise you.
Try to blend in and do not give any visual clues that may lead people to associate you with stereotypes. For example, do not wear t-shirts with stamps from technical conferences or use stickers on your laptop if you want to conceal your technical competence. It's easier to remember "that guy with the DefCon t-shift and the massive amounts of infosec stickers on his laptop".
Keep your mouth shut.
The list goes on. You might want to read the grugq's Hacker OPSEC blog and watch his presentation on the topic, since it offers valuable advises on preserving your anonymity.
Here is an example of what not to do, and a demonstration of how easy it is to compromise the anonymity of careless users.