How a 30-year-old technology – WiFi – will turn into our next big privacy problem

WiFi can be traced back to 1991, but it was in the late 1990s that the technology began to be taken up by the general public. Its success back then was by no means guaranteed. Although largely forgotten now, there was a rival approach called Home RF, which only gave up the fight in 2003 when it became clear that WiFi would become the standard for wireless local area networks (WLANs).

Since then, WiFi has become an increasingly important part of modern life, with hotels, restaurants and many other venues providing it for free as an expected part of their services. Over the years, the technology has improved, mostly in terms of speed and range. But there is a new iteration of the WiFi standard being developed that will have massive implications for privacy and surveillance. It goes by the unmemorable name of 802.11bf. Here’s how the IEEE, the organization that is drawing up the new standard, describes it:

IEEE 802.11bf will enable stations to inform other stations of their WLAN sensing capabilities and request and set up transmissions that allow for WLAN sensing measurements to be performed, among other features. WLAN sensing makes use of received WLAN signals to detect features of an intended target in a given environment. The technology can measure range, velocity, and angular information; detect motion, presence, or proximity; detect objects, people, and animals; and be used in rooms, houses, cars, and enterprise environments.

The idea is simple. Radio waves are emitted from WiFi units that support the new 802.11bf, but not only to transfer data, as today. Instead, details of how those waves bounce off objects in their vicinity are gathered and analyzed to detect key features. Different uses are made possible by the availability of license-exempt frequency bands between 1 GHz and 7.125 GHz, and also above 45 GHz. The former will allow relatively large-scale motions to be detected – people or animals moving around, for example – and have the useful ability to pass through obstacles such as walls. The high frequencies, on the other hand, will have a shorter range, but be more precise: as well as gestures, it will be possible to track finer movements on a keyboard, for example. The two might be used in tandem, with the lower frequencies deployed to guide the tighter radio beam used with the higher frequencies.

As well as these powerful features, what makes the new WiFi standard different – and important – is that it will be built routinely into future generations of WiFi stations, both in the home and outside. A paper about the new standard by Francesco Restuccia, Assistant Professor of Electrical and Computer Engineering at Northeastern University, quotes some forecasts from Cisco that give a sense of how widespread the technology could become in public locations. According to the Cisco Visual Networking Index, the number of public WiFi hotspots will grow from 94.1 million worldwide in 2016, to 541.6 million this year. Few of those will support the new IEEE 802.11bf standard initially, but it is likely that many hundreds of millions of WiFi hotspots will do so in due course. No additional equipment will be required in order to create a new and invisible surveillance system that will automatically cover the inhabited areas of most countries.

The paper by Restuccia provides more details of the roadmap for the new standard, also known as SENS. The plan is to release the final version of the specification in September 2024; manufacturers will doubtless be working on devices to support it as soon as they can, given the range of new uses the technology will allow. Restuccia is well aware of the privacy issues that SENS will raise:

the pervasiveness of SENS into our everyday lives will necessarily elicit security and privacy (S&P) concerns by the end users. Indeed, it has been shown that SENS-based classifiers can infer privacy-critical information such as keyboard typing, gesture recognition and activity tracking. Given the broadcast nature of the wireless channel, a malicious eavesdropper could easily “listen” to [Channel State Information] reports and track the user’s activity without authorization. Worse yet, since Wi-Fi signals can penetrate hard objects and can be used without the presence of light, end-users may not even realize they are being tracked. As yet, research and development efforts have been focused on improving the classification accuracy of the phenomena being monitored, with little regard to S&P issues.

To help address privacy concerns, Restuccia suggests that people should be able to opt out of SENS services – that is, avoid being monitored by the 802.11bf WiFi devices around them. As he says, this would require the introduction of reliable algorithms for detecting humans. Even if viable approaches could be developed, which is by no means clear, it’s easy to imagine that the default state for WiFi stations supporting the new 802.11bf will be for the privacy algorithms to be turned off. Many people will welcome the ability to detect intruders in their homes, cars and offices, using their new WiFi systems, and will therefore prefer this to be enabled out of the box. The security expert Bruce Schneier is pessimistic. He writes on his blog: “Security and privacy controls are still to be worked out [for 802.11bf] , which means that there probably won’t be any.” That’s troubling, since there is every reason to think this latest WiFi standard will be finalized and then widely adopted, as with previous iterations, and with little thought to the consequences of new features. As ever, that is a recipe for disaster when it comes to protecting privacy and minimizing surveillance.

Featured image by Drumcliff.