Every Wi-Fi transmission arrives at the receiver as a mess of overlapping reflections. The signal bounces off walls, furniture, and people, and each path arrives with slightly different timing and strength. Wi-Fi chipsets measure this constantly, in a data structure called channel state information (CSI), because they need it to decode the transmission correctly.
A human body is mostly water, and water absorbs and reflects 2.4 GHz and 5 GHz radio energy. When a person moves through a room, the pattern of reflections shifts in a measurable, characteristic way. Wi-Fi sensing is the practice of reading those shifts deliberately: not to decode data, but to infer what is physically happening in the space the signal passes through.
What the research has demonstrated
Academic groups have been publishing on this for over a decade, and the results go well past simple motion detection. Using commodity Wi-Fi hardware, researchers have demonstrated presence detection through interior walls, gesture recognition, fall detection, and respiration monitoring from the tiny periodic movement of a chest rising and falling. In 2023, researchers at Carnegie Mellon published work showing that signals from ordinary Wi-Fi routers, processed with a neural network, could estimate full human body poses in a room.
The person being sensed carries nothing. There is no app to decline, no permission dialog, no MAC address to randomize. The sensing target is the body itself, and the sensor is the ambient radio environment. This is a different category of problem from the device-tracking issues covered in our post on MAC address randomization, and none of those defenses apply here.
Wi-Fi sensing operates at the physical layer. It reads how the radio wave was distorted in flight, not what data the wave carried. A network running WPA3 with perfect key hygiene is exactly as usable for sensing as an open one. There is no cryptographic defense against a capability that never touches the payload.
This is shipping, not speculative
Wi-Fi sensing left the lab years ago. Comcast ships a feature called WiFi Motion that turns Xfinity gateways into whole-home motion detectors. Standalone products such as Origin Wireless's Hex Home sell Wi-Fi sensing as a security system: a few plug-in pods, no cameras, motion alerts derived entirely from signal analysis. Router and chipset vendors market sensing as a value-add for elder care, sleep tracking, and intrusion detection.
The IEEE has been working since 2020 on 802.11bf, an amendment that standardizes how Wi-Fi devices coordinate and exchange sensing measurements. Standardization matters because it moves sensing from a proprietary trick in a few products to an interoperable capability across the installed base. Once client devices, access points, and mesh nodes can all participate in coordinated sensing sessions, the resolution improves and the deployment cost drops to zero: the hardware is already in the walls.
The bystander problem
The person who buys a Wi-Fi sensing product at least made a choice. The people around them did not. Radio does not respect property lines: a sensing-capable access point in one apartment receives reflections from the unit next door. A guest in a home with WiFi Motion enabled is being motion-tracked without any notice. A landlord who controls the building's mesh network controls a building-wide presence sensor.
There is no consent mechanism in the protocol, and it is hard to imagine what one would look like. You cannot opt your body out of reflecting radio waves. The closest legal analogue is Kyllo v. United States, the 2001 Supreme Court case holding that police use of a thermal imager to observe activity inside a home was a search requiring a warrant. The reasoning turned partly on thermal imagers not being "in general public use." Wi-Fi sensing inverts that premise: the sensing hardware is the most widely deployed radio equipment in human history.
Law enforcement interest follows capability. Utility records, license plate readers, and geofence warrants all became routine investigative tools once the data existed. If ISP-managed gateways log motion events, those logs are held by a third party and reachable with legal process, the same structural weakness we describe in push notification surveillance: data that exists gets requested.
What you can actually do
The individual mitigations here are thinner than we would like, and it is worth being clear about that rather than padding the list.
- Know what your gateway is running. If your router is ISP-managed, check whether motion or sensing features exist in the account settings and whether they are on by default. Comcast's WiFi Motion, for example, is opt-in and can be turned off.
- Prefer hardware you control. A router you own, running firmware you chose, does not ship sensing features you never agreed to. This is the same reasoning that applies to ISP surveillance generally.
- Reduce always-on radios where they serve no purpose. Fewer active transmitters means a coarser sensing picture. Wired backhaul for stationary devices helps at the margin.
- Treat this as a policy problem. The durable fixes are regulatory: notice requirements for sensing features, warrant requirements for sensing-derived data, and privacy review inside the 802.11bf process itself. Individual workarounds do not scale to a capability embedded in the ambient infrastructure.
The wider pattern
Wi-Fi sensing belongs to a family of techniques that extract surveillance value from infrastructure built for something else: ultrasonic beacons riding on speakers, Van Eck emanations leaking from displays, timing side channels in shared hardware. The pattern is consistent. A signal deployed for a benign purpose turns out to carry more information than its designers intended, and the extraction cost falls every year.
What makes Wi-Fi sensing distinctive is scale. There are billions of compatible transmitters already installed, in nearly every home, office, and public building. The question is no longer whether the capability exists. It is who gets to use it, against whom, with what notice, and under what legal standard. Those questions are being settled now, mostly in standards meetings and product launches, while almost nobody outside the industry is watching.