As smartwatches gain traction, personal data privacy worries mount
- 27 May, 2015 03:59
Growing interest in smartwatches has sparked user privacy concerns as companies find ways to collect and use personal health, location and purchasing data found on the wearable devices of their customers and workers.
"Consumers need to demand, at a minimum, clear information about what exactly the collected information will be used for," said Irina Raicu, director of Internet ethics at the Markkula Center for Applied Ethics at Santa Clara University in an email. "The broader privacy concern is that information collected from various [wearable] sources is increasingly being combined to create profiles from individual users and draw inferences about their future actions, preferences, etc."
Some experts worry that a smartwatch user's health and fitness stats, location or buying habits could be discovered and later used against the owner -- to deny a work promotion or an insurance claim or to cause any number of other problems. The question isn't whether the personal data is being collected -- it already is, increasingly -- but how the parties collecting the information use the data.
Part of the problem is that users expect their personal information to remain anonymous when, in fact, there isn't good or widespread technology to anonymize data, said Forrester analyst Fatemeh Khatibloo.
"Consumers are beginning to expect this kind of data sharing from a wearable or any other Internet of Things device, with the assumption that a company will attempt to anonymize the data and aggregate it and sell it, but is not going to sell the PII" -- the personally identifiable information, Khatibloo said in a telephone interview.
In theory, a smartwatch vendor or other party could collect huge masses of personal data from millions of smartwatch users to create an audience segment that is then sold to a data management platform without including PII. "Then, somebody could send those users an ad for weight-loss stuff, but that gets a bit sketchy because we don't have really good tech that anonymizes data," Khatibloo explained.
"There's data collection and data use, and if we're being upfront, businesses need to have a much clearer data use policy. If they are collecting data, they are creating risk," Khatibloo said.
Government action urged
A government entity, particularly in the U.S., needs to step in before it's too late, Khatibloo said. If a company didn't get permission to use a person's data, there should be significant fines, she argued. "It has to be a government role; I don't think self-regulating trade bodies will do that effectively," she said.
Privacy experts have taken to heart last year's instance of a personal injury lawyer who used a Canadian woman's Fitbit data to show how an accident had affected her ability to work. The lawyer relied on analytics software from Vivametrica, which tracked the woman's physical activity.
"I worry about what will happen" if the data is used against a smartwatch owner in a future case, Khatibloo said. "There's a lot of information on a wearable. Maybe a car insurance company could subpoena somebody's smartwatch data saying she didn't sleep well last night or slept only four hours a night, which led to an accident. That's the kind of stress that wearable users have to worry about. We don't have a good handle on the use of that data from a regulatory perspective and we need to write regulations to encompass all these...egregious and discriminatory uses of data."
Fitness data used to lower insurance rates
At a few companies, fitness data from smartwatches and fitness bands worn by employees is being used to prove they are staying physically active, which in turn is used to help lower corporate insurance rates. Cloud computing provider Appirio has reported a 5% decline in its corporate insurance rates as a result of such a program, said Forrester analyst JP Gownder.
Separately, insurer John Hancock's Vitality program offers up to 15% off its life insurance to customers who voluntarily share health data collected in part via a free Fitbit wrist wearable, Gownder said. Members of the program get Vitality points by going to the gym, staying tobacco free or getting annual health screenings.
"The systemwide issue is how the individual feels about this trend," Gownder said. "For the benefits I'm getting, what are the risks? If my health data is out there and somehow gets compromised, it might show that I'm not very active and you wonder how that can hurt you. There are a lot of questions."
If companies gather data on products a person buys or how often he or she works out, the data might be used to populate an algorithm used to predict heart disease or diabetes. Some analytical tools look not only at how many steps a person takes while wearing a device, but even the distance between steps as an indicator of a health problem, Gownder said.
"Theoretically, it's quite possible and suspect that a person won't get a job because he's some kind of a couch potato," Gownder said. "These new devices are opening up all kind of categories for potential discrimination."
One possible scenario is that a business might track a smartwatch user's location to see how many times he or she leaves his desk to have a bathroom break or a smoking break, said Carolina Milanesi, chief of research at Kantar WorldPanel. "Think about being the first time that data is used against a pregnant employee," she said. "The scenarios are endless."
Strategic value with wearables for workers and customers
Companies of all types are focused on using smartwatches and other wearables both for their employees and their customers. A survey of 500 business professionals conducted in March found that all were using or planning to implement wearable technology for workers and customers, and that 79% felt such devices would be strategic to their company's future success.
The survey, conducted by a division of Salesforce, predicted a tripling of growth for employee wearable use cases in the next two years, mainly to improve the customer experience. These include business analytics and alerts, but also an employee's biometric data.
For customer wearable tech, the survey found the biggest growth area will be in integrating mobile apps and location-sensing technology onto customer's wearable devices.
Location will not only be possible with GPS, which is found in some smartwatches already, but also through monitoring of indoor location, such as through the gates and doorways the user passes through, which can be activated via Bluetooth or other wireless technology available from a smartwatch.
Gownder noted in a separate Forrester report that location data could be used to show how often an employee is moving to work with peers in order to determine if he or she is hitting a manager's benchmarks for collaboration.
Forrester's own research tends to bolster Salesforce's survey. More than half of 3,104 global technology decision makers that Forrester surveyed last year said wearables are a critical, high or moderate priority for their companies.
Growing public concerns with privacy
Contrasted with the corporate interest in wearables is the public's growing concern over personal privacy. Recent surveys by data privacy management company Truste found that 92% of U.S. Internet users worry about their online privacy and 91% said they would avoid companies that do not protect their users' privacy.
A complicating factor is that because smartwatches are relatively new and growing in popularity, it isn't clear to many buyers just how their personal data will be used or what the potential threats could be.
EPIC, the Electronic Privacy Information Center, believes location data from smartwatches and others wearables is potentially insecure because a GPS or Bluetooth scanner could be used to track a person's whereabouts when the device is separated from a smartphone.
"Smartwatches make personal tracking a lot easier," said Julia Horwitz, director of EPIC's consumer privacy project.
Horwitz also warned workers to consider how fitness data from a smartwatch will be used by an employer in an attempt to lower the company's insurance costs. "Employees are told if they accept health data monitoring, they will get gift cards or other incentives," she said.
With so much personal data available from a smartwatch or similar smart device, a name or Social Security number isn't necessary to identify someone, even with the use of anonymization software, Horwitz said.
"As much granularity as there is in the [smartwatch] data, you can see where a person goes, where they work, what they are doing, and what they are purchasing in some cases so that you can identify someone very easily and uniquely," she said.
EPIC's general response to such threats has been to support strong privacy laws that aren't specific to any given device and that emphasize minimal collection of data from users while also requiring minimizing of the data once it's collected. That final point means not keeping huge files of data for long periods in hopes of selling it for ad or other revenues. Users also need the ability to access the data that's being kept about them, EPIC believes.
Some smartwatch vendor privacy protections
There's disagreement between experts over which smartwatch makers offer users the best privacy protections. Forrester's Khatibloo credited smartwatch maker Pebble, for example, for being upfront at least about its use of personal data. "You can own and control and even delete your data" with Pebble, she said.
Raicu, of Santa Clara University, noted that Apple requires approval by an institutional ethics review board for all the apps that use the company's ResearchKit, an open-source software platform for researchers and developers to make apps for use in medical studies. Apple's move "suggests that Apple takes seriously the potential of harm resulting from the user of such apps; other companies don't require such review," Raicu said.
Gartner analyst Annette Zimmerman said many wearable vendors aren't transparent with users about what data is being shared from the apps on their smartwatches and wearables or where the data ends up. "Fitbit, for example, is not really clear at all what data I am sharing with my friends or with the whole universe of people who use a Fitbit," Zimmerman said. "There is much room for improvement at this stage."
Zimmerman said some smartwatches can show sensitive corporate email and calendar items when connected to a smartphone, and that capability can't always be wiped remotely via a company's device management software. For example, Zimmerman's personal Samsung Galaxy Note 4, when connected to her Samsung Gear S smartwatch, won't forward corporate emails to the smartwatch because of an Airwatch remote management system designed to provide greater security. Yet, when she uses her Apple Watch, she can get her corporate emails on that device, even with Airwatch in operation.
As always, buyer beware
With such confusion over uses of private data from smartwatches, analysts advise customers to beware.
"Consumers should only get wearables from a trusted source and where they know who is using their data and what they're doing with it," said Patrick Moorhead, an analyst at Moor Insights & Strategy.
"As we've seen through history, consumers are willing to sacrifice some level of privacy for a benefit. It's what has driven the Web through advertising and social media," Moorhead said. "I believe that consumers will get more savvy with their privacy, which could spell trouble for Google, Facebook and Amazon, who thrive on this kind of data."
As far as the U.S. government's ability to regulate uses of private data from smartwatches or other smart devices, there hasn't been much of a call to action, EPIC and others said.
In Germany, laws prevent a vendor from selling PII to a third party, unless the data has been completely anonymized, Zimmerman noted. "In the U.S., there is no federal law really, there's only a patchwork of laws. In general, you can do in the U.S. what is not allowed in Germany to sell this kind of data."
When smartwatch users expose their health data, financial transactions, location and other data to the cloud, "they should expect that the data is no longer their own and will be shared, mined and repurposed," warned Jack Gold, an analyst at J. Gold Associates.
"Consumers are leery of the lack of privacy and very much should be," Gold said. "Users should expect any app or cloud access to be less than private in the future if they want to get services, especially free services."