‘Wi-fi sniffing’ can be used to generate useful insights for businesses without breaching data protection laws. However, organisations collecting data this way need to be aware of the malleable interpretation of personal information under the law. We discuss how data from wi-fi sniffing might contain information that identifies individuals, and the obligations that arise from this.
Devices such as laptops, smartphones and tablets constantly scan and ping for wireless networks to see if they can connect. In searching for network connections, the devices generate small traces of ‘header data’ that can be intercepted by other devices that have been configured to pick up on such scanning activity in the geographic area.
Header data sent by probing devices may include information such as:
The tracking software can use this information to draw other insights, such as:
A MAC address is a unique identifier for devices connecting to the internet. It is assigned at the point of manufacture and may be used to trace transmitted data back to the source device. Whilst in theory a MAC address can be changed or ‘spoofed’, in practice this is difficult.
Interception of the probing ping does not necessarily collect information about whether the probing device connected successfully, or for how long.
Wi-fi sniffing may be used for internal networking diagnostics or statistical applications, such as generating patterns of foot traffic in areas with public wireless connections. It may, for example, be used within a shopping centre to get a sense of the number and distribution of shoppers at particular locations in the centre.
In addition to the header data, the other type of data that can be ‘sniffed’ is payload data. This is the user-generated content and other communication-specific data from the transmission, and there is little doubt that this constitutes personal information.
In 2007, Google Street View was launched and vehicles were deployed to map and take panoramic photographs of roads. The publicised reason for this was to improve and develop mapping functions on Google Maps. However, Google also used the Street View vehicles to catalogue and map all the wi-fi access points they drove past. Today this process is dubbed ‘war-driving’. Whilst war-driving, Google collected both header data (which designates the origin and destination of data transmissions/communications from devices) and payload data (i.e. the user-generated substance of the data transmission/communications).
By 2010 multiple regulatory investigations had been launched, and class actions had been filed in the US. The majority of the investigations focused on whether the payload data constituted PI. Less attention was given to whether the header data was PI, though the Australian Privacy Commissioner (now the ‘Information Commissioner’) concluded that it was.
Under the Privacy Act, PI includes data from which an individual is ‘reasonably identifiable’[1]. An individual will be ‘reasonably identifiable’ if someone who accessed, viewed or received data about the individual would be able to identify the individual by applying a ‘reasonable’ amount of effort (i.e. with access to practically available resources, including in respect of time and cost). To find out more, check out our analysis of the definition of personal information under the Privacy Act.
Information collected via wi-fi sniffing may not, on its own, be reasonably capable of identifying specific individuals. However, when combined with other information, it can be. For example, if the data is transferred to an entity that stores the MAC addresses of its customers, such as an internet service provider, and is combined with that other information, it can be transformed into ‘PI’.
Organisations engaging in wi-fi sniffing should treat sniffed data as potentially rich in PI, even if it is not readily attributable to specific individuals. Such organisations need to be aware of their obligations under privacy laws. Corporate entities may need to consider implementing IT safety systems, security policies and rules to prevent the identification of unique individuals from the sniffed data. One step in this regard is the technological measure of rigorous siloing of sniffed data from other sources of PI.
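One way to implement the siloing and de-identification step described above, as an added example that is not from the original article: MAC addresses are replaced with a keyed hash (HMAC) using a per-period key before any analytics, so the stored dataset holds only tokens that cannot be reversed or joined against another MAC address dataset without the key. The sample probe records, location names and MAC addresses below are constructed for the example.

```python
import hmac
import hashlib
import secrets
from collections import defaultdict

# Constructed sample of sniffed header data: (MAC address, sensor location) pairs
# as a sensor might log them. The MAC addresses are made up for this example.
SAMPLE_PROBES = [
    ("AA:BB:CC:11:22:33", "food-court"),
    ("aa:bb:cc:11:22:33", "food-court"),    # same device, different formatting
    ("AA:BB:CC:44:55:66", "food-court"),
    ("AA:BB:CC:11:22:33", "entrance-north"),
    ("DE:AD:BE:EF:00:01", "entrance-north"),
]


def normalise_mac(mac: str) -> str:
    """Canonical form so one device is not counted twice because of formatting."""
    hex_digits = mac.replace(":", "").replace("-", "").lower()
    if len(hex_digits) != 12 or any(c not in "0123456789abcdef" for c in hex_digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hex_digits[i:i + 2] for i in range(0, 12, 2))


def pseudonymise(mac: str, key: bytes) -> str:
    """Keyed hash of the MAC address. Without the key the token cannot be reversed
    or matched against another dataset of MAC addresses; rotating the key per
    period (e.g. daily) also prevents linking one device across periods."""
    digest = hmac.new(key, normalise_mac(mac).encode(), hashlib.sha256).digest()
    return digest[:8].hex()  # a short token is enough for counting distinct devices


def foot_traffic(probes, key: bytes) -> dict:
    """Number of distinct pseudonymous devices seen per location.
    Only the tokens are retained; raw MAC addresses are never stored."""
    seen = defaultdict(set)
    for mac, location in probes:
        seen[location].add(pseudonymise(mac, key))
    return {loc: len(tokens) for loc, tokens in seen.items()}


if __name__ == "__main__":
    # The key is generated per reporting period and is never stored with the data.
    key = secrets.token_bytes(32)
    print(foot_traffic(SAMPLE_PROBES, key))
```

The counts per location are identical whichever key is used, but the tokens produced under different keys are unrelated, which is what stops two periods or two datasets being joined on the device identifier.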
Organisations holding sniffed data need to be aware of their obligations under the Notifiable Data Breaches Scheme (‘NDBS’). The Privacy Act was amended in 2018 to introduce a mandatory data breach notification scheme for PI breaches. If PI is disclosed without approval from the individual, and serious harm is likely to occur, the organisation must notify affected individuals and the Information Commissioner.
If a sniffed dataset is breached, organisations must assess the breach in accordance with the NDBS. A key consideration is whether a malicious recipient of a sniffed dataset can extract PI from it. This assessment will need to be made at the time, giving specific attention to contextual factors relevant at the time of the breach, such as advances in computer hardware and data analysis techniques.
Wi-fi sniffing can be a powerful tool for organisations to learn more about their wireless networks and potential customers. However, with the collection of this data, organisations may be getting access to PI, whether they are aware of it or not. This comes with a raft of legal obligations and responsibilities under the Privacy Act which organisations must observe.
The information above is general in nature. If you want to learn more about how wi-fi sniffing can create obligations under the Privacy Act, please contact us below.