By Sheryl Nance-Nash
You have your Fitbit, Apple Watch or whatever wearable serves as a personal trainer of sorts. Kudos for your quest for fitness.
You have good intentions, but others see opportunity in that band on your wrist: It’s loaded with data.
“Don’t be naïve and think that a simple fitness application isn’t harmless, or at least, doesn’t pose any risks,” Paul Howard, investigative coordinator with the Smith Investigation Agency, told Digital Privacy News. The Ontario-based company specializes in internet scams.
“We live in a greedy world,” Howard added. “People make a lot of money gathering information.”
Truth is, the line is blurred when it comes to privacy.
“People buy a device, like a WeFit or Fitbit, and just start uploading information into the application without knowing privacy terms and conditions,” Howard said.
“We live in a greedy world. People make a lot of money gathering information.”
Paul Howard, Smith Investigation Agency.
Understand how the company can share your information and with whom.
“Will your information be identified as from you or be ‘deidentified’?” asked Kayte Spector-Bagdady, chief of the research ethics service at the Center for Bioethics & Social Sciences in Medicine at the University of Michigan.
“Will it be your individual information, or just summary statistics across groups of people?”
Not Covered by US Laws
Information gathered and stored through devices is uploaded and stored onto company servers.
“Access to these servers can be granted or obtained by several different people,” Howard told Digital Privacy News. “The data could be traded, sold, hacked and accessed in a variety of ways.”
How does this loophole exist?
“Will your information be identified as from you or be ‘deidentified’?”
Kayte Spector-Bagdady, University of Michigan.
“Because these companies are not health-care providers, they’re not covered by federal health-privacy laws and can basically do whatever they want with the data,” explained Susan Grant, director of consumer protection and privacy at the Consumer Federation of America.
Customers should presume companies plan to profit from it, Grant said.
For instance, when Google acquired Fitbit last November for $2.1 billion in cash, customers fretted about how Google might use the Fitbit health and location information they would now have access to.
“Even selling or using the data in de-identified forms,” Grant told Digital Privacy News, raises concerns about whether it will be used by pharmaceutical or other companies in ways that could be negative for people.
Those include raising prices for certain drugs or directing research into certain potentially profitable directions versus less profitable, though much-needed, areas.
“They’re not covered by federal health-privacy laws and can basically do whatever they want with the data.”
Susan Grant, Consumer Federation of America.
“And deidentified data can sometimes be easily re-identified,” she said.
Users could be adversely affected in other ways, like if the information is used to make judgments about credit, employment, or life and health insurance.
Those instances could result in higher premiums, unless users try to score discounts from insurers with the data.
Users also might be annoyed by targeted advertising that comes as a result of someone having the deets on your habits. Another concern is the vast location information you create.
“This data is highly personal and identifiable,” Katie McInnis, policy counsel with Consumer Reports, told Digital Privacy News. “Be careful with it.”
Working With Police
Fitbit’s GPS data has been used by law enforcement to corroborate or attack court testimony.
For example, a Pennsylvania woman in 2015 was charged with three misdemeanor offenses — making a false report to police, among them — after claiming she was assaulted while sleeping in a home owned by her employer during a business trip.
“The situation is a very odd one. Most healthy people don’t make false claims to the police.”
Steven Feldman, Murphy & McGonigle.
“The data collected from her Fitbit found on the ground where she claimed she was assaulted showed no movement during the period she was allegedly being attacked,” noted Steven Feldman, an attorney at Murphy & McGonigle in New York.
She ultimately pleaded guilty and was sentenced to two years of probation, said Feldman, who did not represent the woman.
What’s the lesson?
The truth can find its way out of darkness — and sometimes from the most unsuspecting places — like the band on your wrist.
“The situation is a very odd one,” Feldman told Digital Privacy News. “Most healthy people don’t make false claims to the police that they were attacked while sleeping during a business trip.
“This individual likely had some mental-health issues,” he added. “It’s good to see that probation was imposed and not a more drastic sentence.”
Protect Yourself
Who knew wearables could be so complicated? But don’t toss your partner in good health. Protect yourself.
Here’s how:
- Read the fine print. “What rights do you have to your data and what data is being collected by the company?” posed fitness author Joey Thurman. How are they going to use it? Can you opt out of certain things?”
- Be aware of privacy settings for sharing your data on social media. “Make sure you’re aware of what they are and change them if you can,” said Kayte Spector-Bagdady of the University of Michigan. “They’re usually set to allowing for the most data-sharing as possible.”
- Then, there’s the fake out. “Provide pseudo data,” said Abdul Rehman, a cybersecurity editor at VPNRanks. “The gadget will still track your heartbeat even if you don’t add your real email address and name. Thus, the data getting sent won’t be authentic or targeted back to you.”
— Sheryl Nance-Nash
Sheryl Nance-Nash is a New York writer.
Sources (external links):