The University of Melbourne violated students’ privacy by using Wi-Fi location data to trace them to pro-Palestine demonstrations last year, a government investigation has found a year after 21 students were threatened with expulsion.
The May 2024 protests saw students occupy the university’s Arts West building for 10 days, with 150 classes cancelled and 6,000 students affected amidst widespread global protests over declining conditions in Gaza.
The following month, the Office of the Victorian Information Commissioner (OVIC) began investigating the university’s use of its Wi-Fi network to identify protesters – ultimately producing a new report released Wednesday that criticised the uni’s “serious” privacy breach.
The university “engaged in function creep by using surveillance of users of on-campus Wi-Fi”, OVIC found, tapping a previously installed location capability “without substantially considering the human rights or privacy impacts of doing so”.
Victoria’s Privacy and Data Protection Act 2014 requires that organisations “must collect personal information only by lawful and fair means and not in an unreasonably intrusive way”, and that individuals be made aware.
The University of Melbourne, however, violated Information Privacy Principle (IPP) 1.3, OVIC found, because it “failed to take reasonable steps to make individuals aware of the purposes for which their Wi-Fi location data was collected and may be used”.
It also violated IPP 2.1 because its “investigation of misconduct was not a primary purpose of collecting Wi-Fi location data, and that using the Wi-Fi location data to identify individuals was not [something] individuals would have reasonably expected”.
Communication is key when it comes to privacy
Use of Wi-Fi to track individuals was symptomatic of “a disturbing trend of increasingly repressive measures against student protesters”, said Human Rights Law Centre legal director Sarah Schwartz, who argued “students who wish to stand up for human rights should be encouraged to do so”.
While OVIC did not recommend punitive sanctions – citing the university’s engagement since the protests and improvements to communications with Wi-Fi network users – it did find repeated poor communication had violated students’ rights.
The university’s privacy and IT policy documents were “poorly presented, contained misleading headings and titles, and contained information that made the purpose of collection and use unclear”, the report found.
It also concluded the university’s use of on-screen popups to convey notices about Wi-Fi use “was also not an effective mechanism for explaining complex terms and conditions”.
“In failing to consult with stakeholders about the policy change, the university failed to obtain a social license for the use of this technology,” OVIC found.
The Office of the Victorian Information Commissioner investigated the University of Melbourne following May 2024 protests. Image: The University of Melbourne / Supplied
The university also admitted “technical issues” since April 2023 meant it was “not clear” whether new users may not have seen the Wi-Fi terms of use allowing collection of location data.
“Effective communication is an essential ingredient in good privacy practices,” OVIC said in advising organisations collecting data to “communicate clearly and simply, in a manner that facilitates understanding”.
The university also used student card photos and CCTV video to identify students and had not breached state laws by doing so, OVIC found.
Pushing back on surveillance
OVIC’s condemnation of the university’s processes illuminated privacy regulators’ expectations that use of widely available surveillance tools be handled carefully.
“Verbal”, impromptu, and largely undocumented decision-making led Melbourne University CIO Byron Collins to authorise the use of Wi-Fi location data during what the university called a “dynamic and complex… situation and operating environment”, OVIC found.
Use of that data to identify who was in the Arts West building was proposed and authorised on 20 May – five days after protesters occupied it – and ultimately saw 22 students and three staff members identified and reprimanded.
Processes allowing investigators to search 10 staff email accounts for 16 keywords “fell below the standard the Deputy Commissioner expects”, OVIC found, noting it “occurred after the urgency of protest had passed, and could have been dealt with more carefully”.
“Surveillance by its nature is antithetical to human rights,” it said of the breach.
“Surveillance of individuals should only ever be undertaken in the most serious of circumstances, where clear guidelines are available, authorising processes are well-managed, and individuals understand the [data use’s] purpose and limitations.”
The University of Melbourne said it “takes its privacy obligations seriously … And could have provided clearer active notice to students and staff members in relation to the use of Wi-Fi location data”.
“However,” it said, “we maintain that the use of Wi-Fi location data in student misconduct cases was reasonable and proportionate in the circumstances, given the overriding need to keep our community safe and conduct our core activities.”
