A new enterprise technology is arriving straight out of a spy novel. Standard Wi-Fi signals that can see and map human forms through solid walls are transforming existing networks into a powerful surveillance tool. But some experts say the technology could be operating in a legal blind spot. Now, the new and unmanaged liability demands a new strategy for risk and governance.

One of those experts is Delano Collins, Chief Information Officer at Electronic Office and former CIO at In-Telecom. With over 30 years of experience designing, building, and implementing Security Operations Centers (SOCs) from the ground up, Collins has spent his career at the center of high-stakes security, from leading managed security practices with double-digit revenue growth to serving as the final executive escalation point for operational crises. He says Wi-Fi sensing creates a novel category of privacy and liability risks for which current legal frameworks were simply not designed.

For organizations offering Wi-Fi services, Wi-Fi sensing can deliver the power of video surveillance with none of the legal guardrails, Collins explains. It can even identify individuals based on unique biometric identifiers, such as their height, body shape, and even their specific gait, all through walls and in private spaces.

• Off the legal grid: The new capability creates a powerful tool for observation that challenges the traditional meaning of physical property boundaries, according to Collins. But it also operates entirely outside of established privacy laws. "Wi-Fi sensing doesn't fall under video surveillance, yet it can identify individuals. Conceivably, it could even track movements. That certainly challenges the understanding of what personally identifiable information is and what should be protected. The possibility of people being able to traverse boundaries of ownership is very real."

But the lack of individual control over personal data is creating a deep and pervasive trust gap between consumers and technology, Collins says. "There just doesn't seem to be a place to escape technology right now." Compounding the problem is a corporate environment where the financial incentives to prioritize privacy are increasingly misaligned.

• A slap on the wrist: To give individuals more ownership over their data, the U.S. could look to frameworks like the European Union's GDPR, Collins said. "Lawsuits don't really punish companies to the fullest extent because they want to protect the livelihood of the business. But if we let individuals own their data, it would make organizations think twice before implementing solutions that could track what people do in private places."

In the current environment, the question of who bears responsibility is fundamentally unanswerable, Collins continues. Individual protection is unworkable, and corporate self-regulation has proven insufficient. With no clear guardian for public data, he suggests the focus should turn toward understanding liabilities instead.

• The cost of connection: For any organization offering Wi-Fi, the mere existence of this data can create a significant and unforeseen risk, he explains. "Someone could hack into that system and start to track specific individuals to establish patterns of behavior. If that information is then used to harm someone, that opens the mall up for a huge lawsuit in my mind. Now, let's take the same example and make it scarier: a school. If someone wanted to identify patterns of where students are at different times of the day, they would know the time and place where they can harm the most people with the least amount of travel."

• A nation-state affair: Beyond the danger of simple inaccuracies, Collins highlights the threat of deliberate data manipulation. Introducing the concept of perturbation attacks, he describes a scenario where an adversary could maliciously alter Wi-Fi data to create a false record of events. "This is where things get really spy-novel-ish. It would certainly be a nation-state-level attack if they're accessing law enforcement or surveillance systems to make it appear someone is there who is not, or vice versa. The sky's the limit as far as what could potentially happen."

The boundless potential for misuse is a modern failure of imagination, according to Collins. Because the threat is so complex and multifaceted, it's almost impossible to predict. Now, it represents an existential risk that defies conventional security planning, he explains. But the risk also has a psychological dimension that's reshaping our connection to technology itself.

• It's not you, it's AI: As an example, he points to a trend where the conversational nature of AI is causing some users, including technical experts, to let their guard down in unprecedented ways. "I'm seeing very technical people start to share personal information at an AI prompt, thinking they're building a relationship. But it's just AI. Nowhere else in technology do we see people oversharing with the expectation of reciprocation. This is bending the nature of the human-technology relationship like I've never seen before."

Faced with such complex risks, Collins offers one parting piece of advice for enterprise leaders: simplification. "To establish a better defense, start by stripping out unneeded services to shrink the digital attack surface. This may be the worst AI we will ever use, but it's also the best opportunity to set meaningful protections in place for the future."