
Data from wearable devices could soon land you in jail

Lucas Mearian | Dec. 9, 2014
Health privacy laws don't cover your wearable and the information it's collecting.

"Police use social media accounts like Facebook and, going forward, will police find some way to use this data? Sure they will. That seems pretty clear," said Scott Valentine, president of Vivametrica.

Wearables are a perfect fit for litigation, according to Neda Shakoori, an attorney who leads an eDiscovery initiative with the law firm of McManis Faulkner.

Wearables not only track physical activity, but they can transmit geolocation information, and more sophisticated wearables, like Google Glass, can also take photos and videos and perform web searches.

Shakoori said she is not aware of any other civil case where data from wearables is being used to prove or disprove a claim, but "I do think that's coming down the pike. It's just a matter of time."

There are clear obstacles to gathering and using wearable data in a case where the user isn't willingly sharing it with the courts to buttress their own case. For one, the accuracy of the data could be called into question.

"I could be sitting at a desk shuffling my feet and the device could track that as me walking for three hours or walking three miles a day," she said.

There are also privacy and evidentiary rules. And the cost of retrieving electronic data through legal avenues could be prohibitive, Shakoori said.

Privacy obstacles are easily circumvented
Rainey Reitman, activism director for privacy advocacy group Electronic Frontier Foundation, said wearable device companies that collect data from users in cloud services can be subpoenaed -- just as Google and Microsoft have been for years.

In just the first half of 2013, Google received requests from the U.S. Foreign Intelligence Surveillance (FISA) court for information on between 9,000 and 10,000 user accounts; that was up from requests for info affecting between 7,000 and 8,000 accounts in the first half of 2011.

The FISA court hit up Microsoft for data related to between 15,000 and 16,000 accounts during the same period, up from requests affecting 11,000 to 12,000 accounts in the second half of 2011.

There is a clause in the privacy policies of most service providers that states they will release data in response to valid legal requests, Reitman said.

For example, Fitbit's privacy policy states it will release data "necessary to comply with a law, regulation, or valid legal process."

Another misperception about personal data is that if it contains health-related information, it is protected under the Health Insurance Portability and Accountability Act (HIPAA).

"Health privacy laws generally only cover certain, specific medical entities -- and wearable technology manufacturers aren't one of them," Reitman said.

Even if medical privacy laws did cover data recorded by a Fitbit band, it wouldn't matter, Reitman said, because there's an exception to HIPAA for law enforcement queries, national security and many other legal requests.

"To be clear, Fitbit and other companies could choose to challenge the subpoena. That could be a way for Fitbit to prove it's willing to stand up for the privacy of its users," Reitman said.
