WiFi sensing has moved from a research curiosity to a founder problem. If ordinary routers can help identify people without cameras, the next privacy-tech market may be hiding in plain sight.
The important part of WiFi surveillance research is not that radio waves can sense people. That has been true for years. The important part is that researchers are showing how standard wireless infrastructure can be used to recognize individuals without asking them to carry a device, look into a camera, or touch a scanner.
For anyone building in physical AI, security, retail analytics, smart buildings, or privacy infrastructure, that changes the shape of the opportunity. A router is no longer just a networking box. Under the right conditions, it can become a passive sensor that watches how bodies alter radio signals in a room. That sounds like science fiction until you remember how many offices, cafes, airports, stores, apartment buildings, and campuses are already full of WiFi equipment.
According to research published by Karlsruhe Institute of Technology, a team led by Julian Todt, Felix Morsbach, and Thorsten Strufe demonstrated an identity inference attack called BFId that uses beamforming feedback information, or BFI, from ordinary WiFi communications. The paper, presented at ACM CCS 2025, evaluated WiFi recordings from 197 people and found that identity could be inferred with very high accuracy across different walking styles and perspectives.
This matters because BFI is not exotic. Beamforming was introduced with WiFi 5, also known as 802.11ac, to help wireless devices steer signals more efficiently. Devices send feedback so the network can improve transmission quality. The problem is that the same feedback can reveal how radio waves travel through an environment, including how they bounce off people.
Most surveillance debates still begin with images. Cameras are visible, familiar, and increasingly regulated. Facial recognition has become a known category, which means people at least understand the basic bargain being made when a store, stadium, or office lobby installs it.
WiFi identification is more subtle. It does not need light. It can work around obstacles. It does not require the target to carry a phone. In the KIT work, the system used radio based patterns created by normal wireless activity around a person. Once the machine learning model was trained, identification could happen within seconds.
That is why this should not be treated as just another lab result. The commercial path is easy to imagine. Security teams could use similar sensing for access control in areas where cameras are unwanted. Retailers could measure repeat visits without relying on phone identifiers. Warehouses could monitor restricted zones. Building operators could detect presence, movement, and identity using infrastructure they already own.
There is also earlier work pointing in the same direction. Researchers at La Sapienza University of Rome described WhoFi, a system that uses channel state information to re-identify people based on how they disrupt WiFi signals. That research reported 95.5% accuracy and positioned the method as a non-visual biometric approach. Different method, same message: the wireless environment is becoming a data layer about human bodies.
The startup opportunity comes with a warning
Founders will see two markets here. The first is obvious: products that use WiFi sensing for useful physical intelligence. Think elder care without cameras, intrusion detection without video, smart offices that understand occupancy, and industrial safety tools that notice when workers enter dangerous areas.
The second market may be bigger over time: protection from invisible sensing. If routers can produce biometric signatures, companies will need ways to audit, limit, encrypt, or scramble those signals. Privacy-tech startups have spent years helping companies manage cookies, device IDs, location data, and facial recognition. WiFi biometrics could become the next compliance headache, especially because most consumers have no idea this type of inference is possible.
The legal question is not simple. Existing biometric privacy rules were mostly written with fingerprints, face scans, voiceprints, and hand geometry in mind. A WiFi body signature does not fit neatly into those categories, but that will not stop regulators from asking whether it identifies a person, whether consent was obtained, and whether the data can be used across locations.
Europe will likely examine the issue through privacy and data protection rules. In the United States, state biometric laws and consumer protection authorities may become the first pressure points. The risk for businesses is that a system marketed as anonymous occupancy analytics could look very different if it can recognize the same person again later.
There is a standards angle too. IEEE 802.11bf is being developed around wireless sensing, which keeps the issue current even though the core research is not brand new. If sensing becomes a formal feature of future WiFi systems, privacy cannot be added as a public relations line after deployment.
For entrepreneurs, the lesson is straightforward. The market for physical intelligence is expanding beyond cameras, but every new sensor creates a new trust problem. The companies that win will not be the ones that simply prove WiFi can identify people. The stronger businesses will be the ones that make the technology useful, explainable, consent based, and defensible before regulators and customers force the issue.
What happens next will depend on how quickly infrastructure vendors, standards bodies, and founders treat radio based identification as a real biometric surface. Once ordinary networks can recognize people, privacy is no longer only about what you click or carry. It is also about the spaces you walk through.
Also read: Fenwick's FTX settlement puts crypto advisers on notice • Data center opposition is becoming a founder risk • Polymarket’s wallet breach tests its credibility as it pushes abroad
