Wearables: Are we handing more tools to Big Brother?

Most of us would love a break on our health insurance. We would generally appreciate the convenience of seeing ads for things we're actually interested in buying, instead of irrelevant "clutter." A lot of us would like someone, or something, else keeping track of how effective our workouts are.


They are not regulated by the Food and Drug Administration (FDA) either. A footnote on the FDA website about apps says the agency does not regulate those that, "are not marketed, promoted or intended for use in the diagnosis of disease or other conditions, or in the cure, mitigation, treatment, or prevention of disease, or do not otherwise meet the definition of medical device."

Dixon, co-author of a paper on consumer privacy titled, "The Scoring of America: How Secret Consumer Scores Threaten Your Privacy and Your Future," said that once data from things like fitness trackers get into the hands of third parties, they can be used for predictive analysis of how much of a health risk a person is.

"What we found and substantiated with great repetition is that health scoring is happening," she said. "It is used, even under the Affordable Care Act, not to determine your eligibility but to determine how much you pay."

And at this point, consumers who want to use wearables have little choice about their information getting into the hands of third parties. Experts point out that one is required to accept the Terms of Service to use the device, which means in most cases that the information collected by the device is being uploaded and shared.

While most makers of wearables allow users to opt out of GPS location tracking, they are reminded that they will not get the full range of services. And while most privacy policies express a "commitment" to the "privacy, integrity and security" of the personal information of its users, that is generally followed by fine print about sharing information with "strategic partners," plus other companies that, "provide services such as information processing, order fulfillment, product delivery, customer data management, customer research and the like.""

[Smart devices get smarter, but still lack security]

Beyond that, most privacy policies say they disclose, "non-personally identifiable aggregated user data," including data gathered from the devices.

That, Dixon insists, should not reassure anyone. "When the industry says the data is aggregated and anonymized, it really isn't," she said. "There is no such thing as anonymous data any more."

Even the Federal Trade Commission (FTC) has expressed concern about the rampant sharing of personal information by data brokers. That, of course, extends well beyond wearables, but the agency, in a recent report titled, "Data Brokers: A Call for Transparency and Accountability," noted that among the thousands of data points collected on just about every U.S. consumer are, "sensitive categories include(ing) health-related topics or conditions, such as pregnancy, diabetes, and high cholesterol."

That information is at risk from more than data brokers. Experts also note that it is relatively easy for hackers to intercept data from users when it is being uploaded to the cloud.

"If wearables transmit data wirelessly in the clear, then it could be captured out of the air," said Lee Tien, senior staff attorney with the Electronic Frontier Foundation. "A general issue in the Internet of Things is the exposure of data."

And besides the basic privacy risk, there is the problem of accuracy. Dixon and her colleague, Robert Gellman, noted in their report that people currently, "remain in the dark about many of their consumer scores and about the information included in scores they typically don't have the rights to see, correct, or opt out of."

[The use of mobile credentials is on the rise, but can they be secured?]

There are a variety of responses proposed for what more than one expert has called a "wild, wild West" privacy environment for wearables. The FTC has recommended that "Congress consider enacting legislation to make data broker practices more visible to consumers and to give consumers greater control over the immense amounts of personal information about them collected and shared by data brokers."

Ben Edelman, an associate professor at the Harvard Business School and a privacy advocate, said he thinks wearable companies need to be held to their promises. "If a company promises to keep users' wearable-collected data secure, then does not, what happens next?" he said. "With ever-more-sensitive data being collected, we should hold companies to their promises strictly -- including significant penalties if they do not."

Rebecca Herold said it would likely take an aggressive push by government or a groundswell of protest from the grassroots -- or both -- for the makers of wearables to build privacy provisions into their devices.

"Over the past year I've posed the question to hundreds of medical and wearable device manufacturers: 'Will you build privacy controls, such as encryption, GPS turn-off switches, etc. into your devices?'" she said.

"Almost all of them have replied that they will not unless it is required to by laws, or if they get an overwhelming number of requests from customers or potential customers."

[The Internet of things: An exploding security minefield]

And with huge companies like Google creating medical and fitness devices with a philosophy dedicated to opening up health information, "how likely do you think it is that they are going to build them with privacy options, such as turning off GPS trackers, built in?" Herold asked.

"Pretty slim to none from what's been reported."

Still keen on wearables? Check out our view of 11 of today's hottest smartwatches

"Recommended For You"

Invasion of the body snatchers: wearable devices are coming for you Consumer technologies in healthcare - what are the security challenges?