WiFi can track your body’s fingerprint

Surveillance

Researchers at La Sapienza University (Rome) have published a proof-of-concept called WhoFi that uses ordinary Wi-Fi signals to create unique “fingerprints” of people’s bodies and re-identify them across locations. The team reports up to 95.5% accuracy using Channel State Information (CSI) and a neural network on data collected with two basic TP-Link N750 routers. The tech can work in darkness and through obstructions, which raises fresh privacy and regulatory questions for Australia.

What is WhoFi?

WhoFi is an academic system that treats the way a human body disturbs Wi-Fi radio waves as a biometric-like signal. By analysing small changes in the wireless channel (known as Channel State Information, or CSI) and feeding them into a deep neural network, the researchers say the system can identify and re-identify individuals without cameras, phones or physical contact.

How it works

  • Wi-Fi signals scatter, reflect and absorb when they hit objects and people; those changes are captured in CSI.
  • A Transformer-style neural network learns patterns in that CSI that are stable enough to act like a fingerprint for a person’s body and movement.
  • The paper shows the method can re-identify people even in different rooms or lighting conditions, and through walls.

Key results and testing caveats

  • Reported top accuracy: 95.5% with the neural network on the authors’ dataset.
  • Hardware used in experiments was unremarkable consumer kit — the paper notes two TP-Link N750 routers were used to collect the CSI data.
  • The dataset was small and controlled: 14 people, each wearing combinations of base clothes, outerwear and a backpack. That makes the result impressive for a lab demo but limits immediate real-world forensics or legal use.

Why this matters

  • Unlike cameras, Wi-Fi sensing isn’t affected by light and can operate when sightlines are blocked. That makes it potentially more persistent and less obvious.
  • It doesn’t rely on a person carrying a device (phone), so device-based tracking countermeasures (airplane mode, switching off Bluetooth/GPS) wouldn’t stop it.
  • Compared with conventional biometrics (face, fingerprint), WhoFi’s signal is non-visual but still potentially identifying — which blurs existing legal categories around biometric data and “personal information”.

Australian privacy and legal context

  • In Australia the Office of the Australian Information Commissioner (OAIC) treats biometric information as sensitive information and has recently published guidance for assessing risks from biometric and facial recognition systems. Any organisation collecting or using biometric-style data will face stronger obligations under the Privacy Act.
  • The OAIC’s recent material on facial recognition and biometric handling suggests regulators are watching closely; unauthorised collection, secondary use or sale of identifying data can attract complaints and enforcement. Organisations considering similar tech should expect privacy-impact assessments, strict handling rules and possibly explicit legal limits.

Practical risks and realistic timelines

  • WhoFi is a lab demonstration, not a commercial product — but the underlying idea uses widely available Wi-Fi hardware, which makes it technically feasible that variants could be reproduced outside a lab.
  • Real-world accuracy will vary with crowding, clothing diversity, furniture, different router models, multi-storey buildings and deliberate countermeasures. The small sample size in the paper means you should treat the 95.5% figure as a strong signal that the technique works in controlled settings, not as proof it’s ready for everyday surveillance everywhere.

What Australians (and businesses) can do now

  • Treat Wi-Fi networks as part of your privacy surface: keep SSIDs and admin interfaces secured, apply firmware updates, use strong admin passwords and segregate guest networks.
  • Be cautious about third-party access to network telemetry — organisations that collect detailed Wi-Fi metadata may be handling information that could be re-purposed. Keep clear policies and avoid long-term retention unless strictly necessary.
  • If you operate a venue or retail business, consult privacy counsel or the OAIC guidance before experimenting with any form of identification or in-store analytics that infers identity.

Bottom line

WhoFi demonstrates that radio-frequency sensing is moving from curiosity to a practical privacy challenge. The research is a reminder that the wireless environment around us carries far more information than a Wi-Fi icon suggests — and that regulators and businesses in Australia will need to decide how to treat and control non-visual biometric-style data before misuse becomes widespread.