Read update
- Google has clarified to us that the old implementation only randomized 'probe' requests for a network (so established connections still revealed the real MAC), while Android P uses the randomized address for the actual connection.
The 'MAC address' is a unique identifier present on most devices connected to a network. Since the address is assigned during the manufacturing process, and often can't be changed, it is commonly used as a way of tracking people connecting to different networks. To combat this, several operating systems (iOS 8+, Windows 10, etc) give networks a randomly-generated MAC address.
Android added MAC address randomization back in Android 5.0 Lollipop, but not only is the feature disabled on most devices, it has several major flaws. A research study from last year pointed out it was still possible to reveal the real MAC address somewhat easily, even when Wi-Fi is completely disabled (thanks to network-based location settings).
The feature can be enabled from Android P's Developer options.
Android P improves this functionality, by generating a different MAC address for every Wi-Fi network you connect to. This way, you can still be identified on networks (thus not breaking anything), but still not be tracked between different ones. It's not clear at this time if Android P addresses all the security issues the previous implementation had, but Google is still calling it an experimental feature.
UPDATE: 2018/03/10 8:42am PST BY
Google has clarified to us that the old implementation only randomized 'probe' requests for a network (so established connections still revealed the real MAC), while Android P uses the randomized address for the actual connection.
Source: Android Developers Blog
Thanks: Everyone who sent this in