"As much granularity as there is in the [smartwatch] data, you can see where a person goes, where they work, what they are doing, and what they are purchasing in some cases so that you can identify someone very easily and uniquely," she said.
EPIC's general response to such threats has been to support strong privacy laws that aren't specific to any given device and that emphasize minimal collection of data from users while also requiring that the data be minimized once it's collected. That final point means not keeping huge files of data for long periods in hopes of selling it for ad or other revenues. Users also need the ability to access the data that's being kept about them, EPIC believes.
Some smartwatch vendor privacy protections
There's disagreement between experts over which smartwatch makers offer users the best privacy protections. Forrester's Khatibloo credited smartwatch maker Pebble, for example, for being upfront at least about its use of personal data. "You can own and control and even delete your data" with Pebble, she said.
Raicu, of Santa Clara University, noted that Apple requires approval by an institutional ethics review board for all the apps that use the company's ResearchKit, an open-source software platform for researchers and developers to make apps for use in medical studies. Apple's move "suggests that Apple takes seriously the potential of harm resulting from the use of such apps; other companies don't require such review," Raicu said.
Gartner analyst Annette Zimmerman said many wearable vendors aren't transparent with users about what data is being shared from the apps on their smartwatches and wearables or where the data ends up. "Fitbit, for example, is not really clear at all what data I am sharing with my friends or with the whole universe of people who use a Fitbit," Zimmerman said. "There is much room for improvement at this stage."
Zimmerman said some smartwatches can show sensitive corporate email and calendar items when connected to a smartphone, and that capability can't always be wiped remotely via a company's device management software. For example, Zimmerman's personal Samsung Galaxy Note 4, when connected to her Samsung Gear S smartwatch, won't forward corporate emails to the smartwatch because of an Airwatch remote management system designed to provide greater security. Yet, when she uses her Apple Watch, she can get her corporate emails on that device, even with Airwatch in operation.
As always, buyer beware
With such confusion over uses of private data from smartwatches, analysts advise customers to beware.
"Consumers should only get wearables from a trusted source and where they know who is using their data and what they're doing with it," said Patrick Moorhead, an analyst at Moor Insights & Strategy.