Description
Designing wireless human-sensing systems that satisfy a meaningful privacy contract — typically: no persistent identifiers, no re-identifiable trajectories, no extraction of capabilities the application does not need. Wireless sensing is often promoted as "more private than cameras", but this is only true if the system actively avoids the side-channel capabilities (gait, keystroke-recognition, bathroom-activity detection) that the same hardware unlocks. The thesis treats privacy as a system-level invariant: BLE de-randomization is bounded to calibration windows, CSI features are aggregated before persistence, and identifier hashing is enforced at the sensor.
Why it's hard
- Wireless RF gait, keystroke, and activity signatures are biometric data under most regulations.
- MAC-randomization countermeasures work, but BLE manufacturer data and probe-request fingerprinting can re-identify devices.
- Aggregation that preserves epidemiological / counting utility while destroying re-identification is non-trivial.
- Differential privacy bounds are hard to set when the "individual" record is a continuous CSI stream.
- User consent is operationally awkward for passive sensing in shared spaces.
Common approaches
- Sensor-side identifier hashing with rotating keys.
- Aggregate-only data flows; raw CSI never leaves the sensor.
- Differential-privacy mechanisms for aggregate counts.
- Federated learning so per-user models stay local.
- Active deactivation of CSI extraction in sensitive zones (bathrooms, bedrooms).
Source Papers
- ficara2024_f89b ↗ — tutorial on privacy, RCM, and implications in WLAN.
- david2025_866a ↗ — Battery Insertion Attack — limits of pseudo-random BLE beacon privacy.
- rusca2024_ccca ↗ — privacy-preserving WiFi-fingerprint counting for crowd management.
- darsena2023_50b7 ↗ — sensing tech for crowd management (privacy considerations).