UniWireless & Your Privacy

This will be updated from time to time as more information becomes available. Last updated on 30.04.2025.

First things first – none of this is really new.

Rather, the Uni has changed its Terms of Use to be more explicit about what it was already doing.

This explainer is not intended to promote paranoia or panic. However, UMSU has fielded a significant number of enquiries from students concerned by the UniWireless Terms of Use they have recently been asked to read and agree to. Coupled with the recent introduction of strict rules about protest and assembly on campus (which are controversial in themselves), some students worry, for example, that just being near a protest may see them caught up in the university’s surveillance. The Human Rights Law Centre, Amnesty International and Human Rights Watch have collectively written to the Vice Chancellor with concerns about the recently amended Terms of Use. This excellent article on campus restrictions at Australian Universities more broadly also provides a succinct description of the uptick in campus restrictions on protest and dissent. However, it is also reasonable to expect that many students may simply feel weirded out by the idea that Uni staff could see what websites they have been browsing while on campus.

So, this explainer is intended to offer both a shallow skate across the surface of the issue, and a deeper dive into how your privacy sits with what personal information the Uni can access when you log in to its UniWireless network.

I have a right to Privacy…right?

The idea of having information about your activity on campus being recorded and looked at by uni staff may feel creepy - but, is it a breach of your right to privacy for the Uni to snoop at where you have been online or identify your physical location on campus?

Well… maybe/sometimes – but it’s complicated. Legally your online privacy on campus is more of a vibe than an absolute right. Whereas in some countries the right to privacy is enshrined in the Constitution or Human Rights Charters,[1] and individuals can sue for a breach of that right, that is not currently the case in Australia.

Guaranteeing individual privacy as an absolute right is complicated by the requirement to balance that privacy against other public interests (such as security). Accordingly, while privacy is considered a fundamental human right in Australia, it is primarily protected through disparate bits of legislation rather than as an absolute right.

The Office of the Australian Information Commissioner maintains that privacy includes the right:

  • to be free from interference and intrusion
  • to associate freely with whom you want
  • to be able to control who can see or use information about you.

Importantly, in the context of privacy as a human right – it is worth prefacing this explainer with a crucial observation about how the mere idea that we are being surveilled – the panopticon effect – will almost certainly have a chilling effect on peaceful activism on campus (remember when student activism was celebrated by the University?)

TL;DR – an FAQ for the impatient

When I am connected to UniWireless can the Uni locate my position and check what I’ve been browsing?

Yes.

Is it a breach of my privacy?

Depends.

The University can collect and use your personal information when you log in to its IT infrastructure for a range of purposes as long as it tells you with some specificity that that is what it’s doing. In other words, when you log in to UniWireless, you are consenting to the collection, use and disclosure of your personal information for specific purposes. You don’t have to consent, but if you don’t then you can’t use the network.

Are the University’s current protest and surveillance policies compatible with students’ human rights? No, and that is discussed further below.

Is this unusual?

The collection of personal information from public WiFi is not really unusual – but the purposes of the collection by the University definitely give pause for thought.

All “public” networks (as in those where a large number of people are connecting rather than your own private one) will be subject to some sort of collection and use of your personal information. They are also inherently insecure to some degree. For example, have you ever logged into the WiFi at Melbourne Airport? According to the Terms of Use, every time you do that you consent to Melbourne Airport collecting, holding and disclosing the following information:

  • the answers to any survey questions you provide in order to access the Hotspot;
  • information regarding your web browser type and/or operating system information as used by your wireless enabled device, in order to determine the most effective and/or customised way to display the requested webpage on your device;
  • your first name, email address and postcode;
  • location data at Melbourne Airport;
  • the IP and MAC address of the wireless enabled device that has accessed the Hotspot.

Pretty standard stuff. However, the Airport will not be using this information for the purpose of “the detection and investigation of any actual or suspected unlawful or antisocial behaviour”, which includes detection, identification, and investigation of network users, including by using network data to infer the “location of an individual via their connected device”. These are two purposes for which the University is collecting your personal information via UniWireless - so, while the collection of the personal information may not be controversial, its potential use most certainly is.

UMSU views these new purposes as contravening international human rights law both because the new purposes are too ill-defined (what is “anti-social”?) to be clearly “necessary and proportionate to a legitimate aim” and because the use of the data is not limited to situations of any actual or suspected wrongdoing.

UMSU will continue to advocate for the University to respect students’ human rights and to reconsider its current protest and surveillance policies.

Can the Uni see what I have been looking at online?

Yes – unless you use a VPN, the Uni may look at the sites (domains) you are connecting to (but generally won’t be able to see what you are doing on those sites especially if you only look at HTTPS sites).

Your browsing history is logged by the Uni routers. You can change what is stored in your local history, but not what the Uni logs. So, browsing incognito in Chrome won’t work, neither will Firefox’s Private Mode, and deleting your browser history is not effective either – your online adventures while connected to UniWireless are available in all their glory on the WiFi router logs accessible by the University, and this is perfectly legal if it needs to look at them for one of the identified purposes in its Terms of Use and Information Collection Statement. However – you could use a VPN to keep your browser history private.

Regardless, this raises the question of how long these logs are stored. Unfortunately, that information is not published anywhere in the privacy collection statements or policies. The university Records Management Policy (MPF1106) refers to the University Records Retention and Disposal Authority which “sets out the requirements for the retention and destruction of University records and information, in line with legislative and business needs”. This database has two entries for “Systems Logs”, one for Maintenance which should be destroyed after they are no longer required for reference and the other for System Development & Management which must be destroyed 7 years after the date of entry. This doesn’t go a long way to telling us how long logs of your individual activity are retained in practice – other than it shouldn’t be longer than 7 years.

UMSU contacted the University’s Privacy and Data Protection Officer to request more detailed information on data retention of your WiFi logs. We received a prompt and detailed response advising the following retention periods.

There are several components of data collected when using UniWireless:

  1. Okta/Active Directory logging is retained for 365 days
  2. Firewall logs are retained for 90 days
  3. Network data including personal information is retained for 30 days, and de-identified/technical data is retained indefinitely to support analytics

We requested more specificity about what is meant in the Terms of Use by "application and web activity". The Privacy Office advises that, in addition to the account usernames, IP addresses, and MAC addresses listed, the University also collects timestamp data and the Uniform Resource Identifier (URI) that identifies the specific network application or service being accessed by the user of the network. This data is retained for a period of up to 12 months. This retention duration allows the University to access and review the logs as needed for the stated purpose in the Provision and Acceptable Use of IT Policy (MPF1314) and related policies.

Alright, VPN – check. But can my physical location on campus be identified using WiFi?

Yup. Remember this? Well, the threat of function creep became real last year at Arts West.

How does this work? Whenever you are close to a WiFi access point on campus and your device has WiFi enabled – a few things are happening. As you move around the campus, you will pass various WiFi access points – typically little white boxes with antennae on the side. When your device has WiFi enabled, it will interact with that little box and that interaction is logged.

Wi-Fi access points on campus have the capacity to passively collect information about nearby devices, even if they are not connected to the network. This includes the signal strength (RSSI) of the device and the MAC address.

Wi-Fi positioning, also known as Wi-Fi triangulation or trilateration, is a method used to determine a device's location by analysing the signal strengths of nearby Wi-Fi access points.
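How signal strengths become a position, as an added example (not the University's system or code): each access point's RSSI reading is turned into a distance with a log-distance path-loss model, and the distances from several access points are combined by least-squares trilateration. The radio constants, access-point coordinates and readings are all constructed assumptions.

```python
import math

# Assumed radio model (not published by the University): -40 dBm at 1 m and an
# indoor path-loss exponent of 3.0.
RSSI_AT_1M = -40.0
PATH_LOSS_EXPONENT = 3.0

# Constructed access-point coordinates in metres on a 30 m x 20 m floor.
ACCESS_POINTS = [(0.0, 0.0), (30.0, 0.0), (0.0, 20.0), (30.0, 20.0)]

def rssi_to_distance(rssi_dbm):
    """Log-distance path-loss model: estimated metres for a signal strength."""
    return 10 ** ((RSSI_AT_1M - rssi_dbm) / (10 * PATH_LOSS_EXPONENT))

def distance_to_rssi(metres):
    """Inverse of rssi_to_distance, used only to build the sample readings."""
    return RSSI_AT_1M - 10 * PATH_LOSS_EXPONENT * math.log10(max(metres, 0.1))

def simulate_readings(device_xy, whole_dbm=True):
    """Constructed readings: the RSSI each access point would log for a device."""
    readings = []
    for ax, ay in ACCESS_POINTS:
        rssi = distance_to_rssi(math.hypot(device_xy[0] - ax, device_xy[1] - ay))
        readings.append((ax, ay, round(rssi) if whole_dbm else rssi))
    return readings

def trilaterate(readings):
    """Least-squares position from (ap_x, ap_y, rssi_dbm) for three or more APs."""
    if len(readings) < 3:
        raise ValueError("need at least three access points")
    circles = [(x, y, rssi_to_distance(r)) for x, y, r in readings]
    x0, y0, d0 = circles[0]
    s11 = s12 = s22 = t1 = t2 = 0.0
    for x, y, d in circles[1:]:
        # Subtracting the first circle equation from this one leaves a line:
        # 2(x-x0)*px + 2(y-y0)*py = d0^2 - d^2 + x^2 - x0^2 + y^2 - y0^2
        a1, a2 = 2 * (x - x0), 2 * (y - y0)
        b = d0**2 - d**2 + x**2 - x0**2 + y**2 - y0**2
        s11 += a1 * a1
        s12 += a1 * a2
        s22 += a2 * a2
        t1 += a1 * b
        t2 += a2 * b
    det = s11 * s22 - s12 * s12          # normal equations, 2x2 system
    if abs(det) < 1e-9:
        raise ValueError("access points are collinear; position is ambiguous")
    return ((s22 * t1 - s12 * t2) / det, (s11 * t2 - s12 * t1) / det)

if __name__ == "__main__":
    # A device standing at (12, 7) m, seen at whole-dBm precision by four APs.
    print(trilaterate(simulate_readings((12.0, 7.0))))
```

Readings rounded to whole dBm, as in the sample run, shift the estimate slightly; real indoor signals are noisier than this model.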

By the way, it’s probably worth remembering that your device can be used to locate and track you in a range of ways that don’t involve UniWireless – so if you’re concerned about being tracked for any reason (outside of the Uni’s policies), make sure you are aware of how your device deals with location and GPS for example.

How can I Avoid the University having Access to my Data?

The simplest way to minimise what the Uni can collect is not to use UniWireless. If you don’t freely consent to the University’s collection and use of your personal information, you are not compelled to use UniWireless, but if you do, you are consenting to the collection and use of the personal information described in the Terms of Use.

If you’re worried about surveillance on campus, remember you can turn WiFi on and off as you wish. It does not have to be all or nothing. Airplane Mode is your friend, and you can easily turn off WiFi and Bluetooth in your settings and switch them back on when you need them. Some students have become spooked by the new rules on protest and the well-known use of UniWireless to locate students as participants in protests. If you are worried about being caught up in all of this - there are some useful US resources for those concerned generally about digital privacy, and more specifically about digital security and protest, among other things.

But c’mon – surely I have some legal rights here about my privacy?

That requires a bit of a deeper dive. The simplest answer is that, provided the University is only collecting the personal information it has advised you about, has told you what it may use that information for, and you have consented to that collection and use, it is not breaching any Australian privacy laws to do so.

Of course, much depends on the specific situation, so if you are not sure, you can always contact the Uni’s Privacy and Data Protection Officer.

Ready for a Deeper Dive?

The Laws

So, what does Australian law actually say about privacy?

Well firstly, it doesn’t say what privacy is - there is no statutory definition of privacy in Australia. There is also no clearly recognised law against invasion of privacy for anyone who feels their right to privacy has been breached (yet).[2]

However, under the Privacy Act 1988 (Cth) which is Australia’s key information privacy law, there are 13 ‘Australian Privacy Principles’ (APPs) that regulate the collection, use, disclosure and other handling of personal information. The APPs primarily cover Australian Government agencies and large private sector organisations with a turnover of more than $3 million (hello Unimelb). There are also Information Privacy Principles under the Privacy and Data Protection Act 2014 (Vic) and Health Privacy Principles under the Health Records Act 2001 (Vic) – but we’ll stick with the APPs which tend to cover the most ground for this explainer.

A crash course on Australian Privacy Principles

The University must comply with Australian Privacy Laws, and it sets out its obligations under the APPs here. The critical way the APPs protect your privacy is that they provide strict requirements for collection and use of personal and sensitive information.

Personal Information

Firstly, the relevant APPs only apply in relation to your personal and sensitive information. WiFi data is not always personal information; that depends on what is being collected. In the case of the UniWireless Terms of Use however, it is clear that the Uni is collecting account usernames (which are connected with your actual name and your email address), IP addresses, MAC addresses, what network applications you are using, and your web activity. Collectively this is personal information.

Collection Principles

The key privacy principles in this context are:

Purpose Limitation: Personal information should be collected only for purposes that are directly related to the functions or activities of the entity collecting the data.

Data Minimisation: Only the information necessary for the specified purpose should be collected.

Notification of Collection: Entities must notify individuals about the collection of their personal information, including the purpose of collection, at or before the time of collection, or as soon as practicable afterwards.

Consent

Under APP 6 – the use or disclosure of your personal information must align with the primary purpose notified to you in the collection notice, unless consent or specific conditions apply.

However, information can be used for secondary purposes providing you would reasonably expect that use of your information and that use is directly related to the primary purpose.

How does all of this apply to UniWireless?

Let’s step through (broadly) what is required by the APPs and how the Uni addresses those requirements.

Your use of the UniWireless network on campus is governed by the following suite of policies:

and both the IT Terms of Use and the Wireless Terms of Use.

The Privacy policy requires that:

5.4. Privacy collection notices specific to particular projects or activities must be provided at the point of collection of any personal information from individuals.

The UniWireless Terms of Use are effectively the collection notice in this case, but there is also a more detailed Student Privacy Statement which overlaps quite a bit but is in a different part of the website. In order to clearly demonstrate compliance with this provision, it would be better if the Uni at least referenced this in the Terms of Use.

In any event, let’s look at the Wireless Terms of Use and how they operate as a collection notice of sorts under the APPs.

When you agree to the University of Melbourne's Wireless Terms of Use, you expressly consent to the collection, use, and disclosure of your personal information such as account usernames, IP addresses, MAC addresses, and web activity. We don’t actually know the full extent of what is being collected because the Terms of Use say “including but not limited to…” which is intended to leave open other things that may be secondary to this collection and use – but seriously, it would be better if they were more specific and listed things exhaustively, so your consent is properly informed.

The Terms of Use tell us that the collection is for six purposes:

  1. to ensure that the use is authorised – that is, that you are logged in as a student who is authorised to use the network.
  2. for the management of the network and related University systems and services collecting certain data – that might reasonably include information related to the coverage, capacity and performance, user data which looks at user locations and usage patterns among other things.
  3. to obtain analytical data relating to the use of the network and the physical University campus, for future planning and space/infrastructure management – this is fairly self-explanatory.

So far, these are exactly the things you would expect your data to be used for. The next three are where the rubber hits the road.

  4. to investigate use or misuse of the network in connection with a breach of any law or University policy (including but not limited to misuse within the meaning of the Provision and Acceptable Use of IT Policy (MPF1314)).
  5. to assist in the detection and investigation of any actual or suspected unlawful or antisocial behaviour or any breach of any University policy by a network user, including where no unauthorised use or misuse of the network is suspected; and
  6. to assist in the detection, identification, and investigation of network users, including by using network data to infer the location of an individual via their connected device.

Purposes 4-6 collectively broaden the potential use of the collected data beyond its use to safeguard the security and performance of the network itself – to allow for your personal information to be used to detect, or as evidence of, alleged breaches of any university policy – including the Student Conduct Policy.

Now we have the purposes the Uni is collecting your personal information for when you log in to UniWireless, the APPs require that only as much data as is required to achieve those purposes is able to be lawfully collected. Of course, you won’t know how much is collected unless you ask. The APPs require the Uni to tell you how you can request access to your personal information – the Uni Privacy Office is a good place to start. UMSU can assist if you would like help to contact them.

To make things more confusing – the Uni’s privacy statement that covers students’ personal information is stuck away in a different corner of the Uni website, and not connected to the UniWireless Terms of Use or related policies – you need to go here to see the statement. The way the information is presented is further obfuscated by being broken into separate sections.

One section states that occasionally “the University may collect students' personal data indirectly or automatically for specific purposes where direct collection is not reasonable or practicable”. This includes “data collection via the University's wireless network … to inform space utilisation and campus management, and to develop and refine student services and support” – but does not mention the collection and use of your personal information for the purpose of student conduct investigations.

However, that use is included as a secondary use in “exceptional circumstances … to assist in the detection and investigation of any actual or suspected unlawful or antisocial behaviour or breaches of University policies. Such data is limited to only what is strictly necessary for the purpose required and access is restricted to authorised personnel”.

The reason for this approach is presumably to make clear that there is no one sitting poring over your personal information actively looking for misconduct. Of course, you would not necessarily know if this was happening.

Want more information?

If you are concerned about any of these issues, want further information about how the Uni manages personal information, or want to make an enquiry or complaint, you can email the University’s Privacy and Data Protection Officer: privacy-officer@unimelb.edu.au

Template email to privacy officer:

Intro:

You may request access to, or correction of, your personal data held by the University, or exercise your individual rights as applicable, unless this would have an unreasonable impact on the privacy of others or would contravene its other legislative obligations.

------8<-----------

Dear Sir / Madam

Re: <Topic>

We are making a complaint regarding actions of the University of Melbourne in <doing something>.

We believe that the actions of the University constitute an interference with privacy for the following reasons:

It will assist if you can explain:

  • What happened
  • When it happened (including dates)
  • What personal information of yours was affected
  • Who did it (include names of individuals involved if known)
  • How and when you found out about it.

<The clearer your explanation the better. Please feel free to attach additional information>.

This matter is important because:

The resolution or action I am seeking is

<What action would you like the respondent to take to resolve your complaint?>

As well as investigating the specific complaint about breach of the APPs, we also request your advice as to what discussions your office had with the University of Melbourne about <issue>.

Yours sincerely

 

 

[1] For example, the German, Estonian and Swiss Constitutions and the Canadian Charter of Human Rights and Freedoms.

[2] Law nerds see Australian Broadcasting Corporation v Lenah Game Meats Pty Ltd [2001] HCA 63, 208 CLR 199 and Jane Doe v Australian Broadcasting Corporation [2007] VCC 281 and the Australian Law Reform Commission, Serious Invasions of Privacy in the Digital Era Summary Report June 2014.