Indeed, even if it does not contain specific PII, Spiezle noted that, “the data on wearables is unique to an individual and ultra-sensitive in the data types collected.”
Its value, especially when accumulated over time, can be significant, and more intimate than users may expect. If it is shared with insurers, it could affect the rates people pay. If it is shared with employers, it could affect job status.
Mother Jones reported in January 2014 that Ira Hunt, then the CIA’s chief technology officer, had said at a data conference in New York City that the agency “likes these things (fitness trackers). What’s really most intriguing is that you can be 100% guaranteed to be identified by simply your gait – how you walk.”
Much more recently, just last month, Open Effect, along with the Citizen Lab at the Munk School of Global Affairs at the University of Toronto, released a report titled “Every Step You Fake: A Comparative Analysis of Fitness Tracker Privacy and Security.” They studied eight popular fitness trackers and found that all but the Apple Watch “wirelessly emit a persistent unique identifier over Bluetooth. This leakage lets third parties, such as shopping centers or others interested in location-based monitoring, collect and map out people’s movements over time.”
The study also found vulnerabilities that could allow the user or an intruder to manipulate the data generated, which would falsify activity levels.
Another privacy problem is the one that exists with virtually any connected device: Terms of service and privacy policies are long, complex and hard to read – most of them are 4,000 words or more. Beyond that, if a user does not check the “agree” box, thereby “consenting” to the policy, in many cases the device or app may limit functionality or it can’t be used at all.
Not surprisingly, experts agree that most users simply check the box without reading the policy. And that puts their information at risk. The Federal Trade Commission (FTC) reported in 2014 that when it studied a dozen health and fitness apps, it found the apps were collectively disseminating data to 76 third parties. One app alone shared data with 18 other entities.
Also in 2014, Jessica Rich, director of the Bureau for Consumer Protection at the FTC, said data from fitness trackers could end up in the hands of data brokers or other companies, and eventually be used “to market other products and services to (users); make decisions about (their) eligibility for credit, employment, or insurance; and share with yet other companies.”
Even if it is shared voluntarily, with an employer or insurance company, the results could be unwelcome. “At the start, we may look at this as a great way for people to get a break on their medical or life insurance,” Velasquez said. “But what if I gain 20 pounds and my insurer knows I’ve stopped exercising regularly? I could see it first being an option, then being compulsory and then leading to penalties if you’re not meeting a standard.”