Wearable Fitness Devices: Who Owns Your Data?
The short (and scary) answer: not you
Your smart watch or fitness band is a bit like a Hollywood star’s hairdresser: It knows your secrets. It may know your heart rate history, how many steps you took yesterday, how well and how long you sleep at night and where you like to run. And that’s just for starters, since these devices get more sophisticated by the day. (Soon they’ll be able to monitor the chemicals in your sweat, for instance.)
But who owns all that data? Oftentimes, it’s not you, but the device maker, which can collect and store it.
The myriad of ways the company can use your personal data is where things get complicated. “It varies on a case-by-case basis from device to device and from software to software,” says Anura S. Fernando, principal engineer of medical software and systems interoperability at UL.
How anonymous is “anonymized” data?
Some manufacturers sell data back to the users by charging a monthly fee. But they also collect and store the data to sell it to third parties. Some experts say this can pose a security risk — even when the data is “anonymized” for your protection.
Anonymizing data removes identifying features and uses simple encryption, but that’s not enough, argue the authors of an essay on consumer health wearables published in PLOS Medicine. The authors write:
“Some manufacturers charge users a monthly fee for access to their own raw data, which is regularly sold to third-party agencies. Other companies are also willing to share a user’s location, age, sex, email, height, weight, or ‘anonymized’ Global Positioning System (GPS)-tracked activities. However, ‘anonymizing’ data via a simple distortion or removal of identifying features does not provide adequate levels of anonymity and is not sufficient to prevent identity fraud.”
By cross-referencing wearable data with other digital traces of user behavior, hackers can figure out a person’s identity, they say.
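The gap between “identifiers removed” and “anonymous” can be measured before a dataset is shared. This added example (not from the article or the PLOS Medicine essay) counts how many rows of a constructed “anonymized” export are still one of a kind on age, sex, height and weight, then coarsens and suppresses rows until every combination is shared by at least three people; the records, band widths and function names are assumptions.

```python
from collections import Counter

# Constructed sample export: names and emails removed, but the attributes
# the article lists (age, sex, height, weight) are kept at full precision.
RECORDS = [
    {"age": 34, "sex": "F", "height_cm": 168, "weight_kg": 61},
    {"age": 34, "sex": "F", "height_cm": 168, "weight_kg": 61},
    {"age": 36, "sex": "F", "height_cm": 165, "weight_kg": 64},
    {"age": 41, "sex": "M", "height_cm": 181, "weight_kg": 83},
    {"age": 43, "sex": "M", "height_cm": 185, "weight_kg": 88},
    {"age": 47, "sex": "M", "height_cm": 183, "weight_kg": 80},
    {"age": 29, "sex": "F", "height_cm": 172, "weight_kg": 70},
    {"age": 52, "sex": "M", "height_cm": 176, "weight_kg": 92},
]
QUASI_IDENTIFIERS = ("age", "sex", "height_cm", "weight_kg")

def _key(record):
    return tuple(record[name] for name in QUASI_IDENTIFIERS)

def k_anonymity_report(records):
    """Return (k, unique_rows): smallest group size and count of one-of-a-kind rows."""
    groups = Counter(_key(r) for r in records)
    if not groups:
        return 0, 0
    return min(groups.values()), sum(1 for n in groups.values() if n == 1)

def generalize(record, age_band=10, height_band=10, weight_band=15):
    """Coarsen values into bands (assumed widths) so more people share a combination."""
    return {
        "age": record["age"] // age_band * age_band,
        "sex": record["sex"],
        "height_cm": record["height_cm"] // height_band * height_band,
        "weight_kg": record["weight_kg"] // weight_band * weight_band,
    }

def release(records, k_min=3):
    """Generalize, then suppress rows whose group is still smaller than k_min."""
    coarse = [generalize(r) for r in records]
    groups = Counter(_key(r) for r in coarse)
    return [r for r in coarse if groups[_key(r)] >= k_min]

if __name__ == "__main__":
    print("raw export:        ", k_anonymity_report(RECORDS))
    print("after banding:     ", k_anonymity_report([generalize(r) for r in RECORDS]))
    print("after suppression: ", k_anonymity_report(release(RECORDS)))
```

Banding alone still leaves the two outlier rows unique, which is why the last step drops them instead of publishing them.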
Fernando advises thinking carefully about how hackers might be able to use “seemingly innocuous information” like your age, sex, height, weight and email — combined with digital traces like the time or location of your activity or social media updates — “to gather increasingly sensitive information,” such as a password.
For instance, is your wearable data synced to your Facebook account? “Some friends of friends of friends could be cybercriminals. Do you really want to expose your daily jogging route to all those people?”
For hackers, knowing your running path or daily routine can lead to knowing where you typically make stops, and from there to knowing the exact places you use your credit or debit card on a regular basis. By gathering enough of this kind of data, Fernando says, it “becomes easier and easier for them to access higher value assets.”
While some regulations govern the world of wearables, the huge number of devices makes it difficult for government legislation to keep up. Some wearables coming on the market qualify as medical devices regulated by the Food and Drug Administration, but others don’t. If a wearable device records or touches data protected under the Health Insurance Portability and Accountability Act (HIPAA), it must satisfy HIPAA requirements (often demonstrated through certification), which means the data must be protected, according to Fernando.
“There’s so many out there, it’s difficult to enforce through legislation,” Fernando says. “So [consumer] awareness and understanding … is as important or possibly more important than legislation itself.”
Be proactive about protecting your data
Fernando goes back to stressing the importance of really studying the capabilities of your products — what technologies do they employ? what networks do they operate on? — and what the privacy policies say.
Because manufacturers and developers are not always up front — many, in fact, don’t even offer privacy policies at all, according to a recent study published in the Journal of the American Medical Association — it’s up to the consumer to protect himself, Fernando says.
- Opt out of data collection if possible.
- Disable data sharing to stop automatic updates to social media.
- Consider turning off Bluetooth when a device or app is not in use to minimize the risk of a hacker breaking in via open access points.