ZeroTrace AirLeak
Privacy & Legal
How AirLeak handles data, what's legal where, and recommended practices
AirLeak is a passive BLE-monitoring tool. The information it collects is publicly broadcast by every Bluetooth device in range, but that doesn't mean every use of that information is appropriate or legal.
This page explains what AirLeak does and doesn't capture, the legal context for passive RF monitoring in major jurisdictions, and recommended practices for responsible use.
What AirLeak does NOT do
- No decryption. AirLeak only reads BLE advertisements and scan responses that are broadcast in plaintext. Encrypted traffic, and anything inside a paired BLE connection, is not captured.
- No WiFi capture. AirLeak is BLE-only. It does not sniff WiFi, capture management frames, or read probe-requests / SSIDs.
- No active intrusion. AirLeak does not pair with BLE peers, does not connect to anything, and does not transmit beyond the protocol-standard BLE SCAN_REQ used by active scanning.
- No data exfiltration. Captured data streams over Bluetooth to your own phone. The unit doesn't send anything to a cloud or server on its own.
- No identification of bystanders by default. AirLeak captures publicly broadcast identifiers (MACs, BLE names); it doesn't look up people or correlate them with online services.
What AirLeak does capture
- BLE advertisements and scan responses on the 2.4 GHz BLE advertising channels (37, 38, 39). These are broadcast unencrypted by every BLE peer in the advertising state; they form the protocol's public discovery layer, designed to be heard by any nearby radio.
That's it: the discovery layer of Bluetooth Low Energy. No data-plane contents, no WiFi.
Legal context (general guidance, not legal advice)
The legal status of passive RF monitoring varies by jurisdiction. We aren't lawyers; this is general orientation only.
United States
Passive reception of radio signals on shared frequencies is generally legal under federal law (47 USC § 605). The same statute prohibits divulging the contents of intercepted communications without authorization and using interceptions for personal gain.
Broadly understood as legal:
- Listening to broadcast advertisements in a space you occupy
- Recording aggregate observations for personal use, security research, or property surveys
Risky:
- Publishing identifiable information about specific bystanders
- Using captured data for stalking, harassment, or commercial profiling
- Capturing in a space you don't occupy and aren't authorized to monitor
European Union (GDPR)
GDPR considers MAC addresses (even rotating ones) personal data when associated with an identifiable person. Passive capture in a private capacity is generally permitted under the "household exception" (Recital 18). Commercial deployments and retention beyond personal use require a lawful basis under Article 6.
Practically: capturing in your own home or office, for your own use, with no retention beyond what's needed, is fine. Deploying AirLeak in a public space and saving, sharing, or otherwise using identifiable data is regulated.
United Kingdom
Similar to the EU under UK GDPR / Data Protection Act 2018. Personal-use captures in spaces you occupy are not generally prohibited.
Other jurisdictions
Germany, Switzerland, Japan, Australia, and Canada all have privacy frameworks that treat passive RF monitoring within the household exception or its local equivalent. Public deployments and commercial uses are regulated.
The common thread: the act of reception is generally legal; the use, retention, and sharing of identifiable data is what's regulated.
Recommended practices
Use spaces you control or are authorized to monitor
Your own home, your own office, or a space where you have explicit authorization is the cleanest scenario. Avoid retaining identifiable data from captures in spaces you don't control.
Limit retention
The live stream isn't stored on the unit, but the app's Drive History and exported CSVs accumulate over time. Periodically delete drives you no longer need, and keep wardrive exports only as long as you need them.
Don't publish identifiable data
Captured MACs and BLE friendly names are identifying information. Don't post them where they can be linked back to specific people. If you publish capture results (research, vendor disclosure), aggregate and anonymize: replace MACs with index numbers and redact names.
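One way to carry out that aggregate-and-anonymize step on an exported capture CSV, as an added example that is not part of AirLeak or its app (the export column names timestamp, mac, name and rssi are assumed, as is the constructed sample data):

```python
import csv
import io

# Constructed sample of an exported capture; not a real AirLeak export.
# Column names are assumed; adjust them to the real export header.
SAMPLE_CSV = """timestamp,mac,name,rssi
2024-05-01T10:00:00,AA:BB:CC:DD:EE:01,Alice's AirPods,-62
2024-05-01T10:00:05,aa:bb:cc:dd:ee:01,Alice's AirPods,-60
2024-05-01T10:00:09,11:22:33:44:55:66,,-81
2024-05-01T11:30:00,AA:BB:CC:DD:EE:01,Alice's AirPods,-70
2024-05-01T11:31:00,DE:AD:BE:EF:00:01,Bob's Watch,-55
"""

def normalise_mac(mac):
    """Case and separator normalisation so one radio gets one index.
    Rotating (random private) addresses still get a fresh index per
    rotation, which undercounts repeats but never links them."""
    return mac.strip().replace("-", ":").upper()

def anonymize_rows(rows):
    """Replace each MAC with a stable index (dev-001, dev-002, ...) in order
    of first appearance and drop the BLE friendly name, keeping only whether
    one was present. Returns (rows, mac->index table). Keep the table
    private: it is the re-identification key, not part of the publication."""
    index, out = {}, []
    for row in rows:
        mac = normalise_mac(row["mac"])
        index.setdefault(mac, "dev-%03d" % (len(index) + 1))
        out.append({"timestamp": row["timestamp"], "device": index[mac],
                    "had_name": "yes" if row["name"].strip() else "no",
                    "rssi": row["rssi"]})
    return out, index

def unique_devices_per_hour(anon_rows):
    """Aggregate view for publication: distinct pseudonymous devices per hour."""
    buckets = {}
    for row in anon_rows:
        buckets.setdefault(row["timestamp"][:13], set()).add(row["device"])
    return {hour: len(devs) for hour, devs in sorted(buckets.items())}

def anonymize_csv(text):
    """Full pipeline on CSV text: returns (anonymized CSV, hourly counts)."""
    anon, _index = anonymize_rows(csv.DictReader(io.StringIO(text)))
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["timestamp", "device", "had_name", "rssi"],
                            lineterminator="\n")
    writer.writeheader()
    writer.writerows(anon)
    return buf.getvalue(), unique_devices_per_hour(anon)
```

The hourly counts are what a write-up should carry; the per-row file is for your own analysis and the MAC-to-index table should be deleted with the rest of the drive when it is no longer needed.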
Switch to Setup when not capturing
When you're moving locations or not actively monitoring, switch to Setup. The radio stops scanning, so you're not accumulating data you'll never use.
What about active scan?
In Monitor mode the unit transmits BLE SCAN_REQ packets to elicit scan responses, which is how it captures friendly device names. This is a transmission, but:
- The packets are protocol-standard (Bluetooth Core specification).
- They're sent only in response to scannable advertisements.
- Every BLE-capable device in scanning mode does this; your phone does it constantly.
The legal status of active scanning is the same as passive scanning in every jurisdiction we know of, because the SCAN_REQ is part of the discovery protocol the advertising peer expects.
Special note: tracker-following detection
The multi_hour_follower, findmy_separated, and unknown_tracker_near alerts can detect AirTags and similar trackers being used to follow someone; this is a genuine safety feature.
If an alert fires and you don't recognize the tracker:
- Don't panic. Many false positives exist (a tracker forgotten in a public place you passed twice).
- Verify. Use the Hunt tab to lock onto the device and check whether it follows you across locations.
- Locate. Modern AirTags can be made to play a sound via the iOS / Android Find My app, even by non-owners.
- Document. Note the MACs, fingerprint, and timestamps.
- Contact authorities. In genuine stalking scenarios, local police can subpoena Apple / Tile / Samsung for the owner's identity.
Data we encourage you not to retain
Some categories of BLE traffic are sensitive even when technically captured:
- Medical devices: pulse oximeters, glucose meters, BP cuffs.
- Hearing aids: their advertisements can identify a user's accessibility needs.
- Children's devices: toys, smart watches, baby monitors.
If you're capturing in a space with these present, prefer Setup mode or don't retain the data.
Reporting issues
If you discover a privacy concern with AirLeak itself, report it via security@zerotrace.pw. We treat privacy bugs the same as security bugs.
The same capability that helps you find a stalker AirTag in your bag can be misused to track strangers. Use it in spaces you control, retain only what you need, never publish identifiable data about people who haven't consented, and remember that the people whose devices you're capturing have not opted in.