Law in the Internet Society

AmyTangFirstEssay 3 - 17 Mar 2022 - Main.AmyTang
Line: 1 to 1
 
META TOPICPARENT name="FirstEssay"
Changed:
<
<

Wearable Data: Will it Improve Your Freedom of Choice or Destroy it?

>
>

Wearable Data: The GDPR and its Gaps

 -- By AmyTang - 23 Oct 2021

Introduction

Changed:
<
<
Information is valuable because it plays a vital role in our day-today decision-making and behaviour. The logical deduction to this mantra is that the more information we have, the better our chances are to make informed decisions. This is why the arrival of revolutionary technology which allows us to track the most basic but intimate information such as our health and fitness data, and to access real time monitoring and health care resources, was life-changing for many, because it gave us tools to measure and quality our physiological state without having to consult physicians and third-parties. The arrival of this new revolutionary technology does not come without its cons, the main one being the serious threat to violating our privacy.
>
>
The arrival of technologies that allowed us to track the most basic but vital information, such as our health and fitness data, and to access real-time monitoring and health care resources, was revolutionary for many. This technology, often presenting itself in the form of a wearable, gave us tools to quickly measure and qualify our physiological state and wellness without having to consult physicians or third parties. It is capable of measuring a myriad of parameters (see examples of different applications of wearable technology here). However, despite the benefits this revolutionary technology may bring, we cannot ignore the serious threats of violation to our privacy in relation to our most intimate information. By purchasing the wearables, consumers are willingly signing away their privacy rights. For example, wearables store their collected data on a commercial and sometimes unsecured platform that is prone to breaches. The thought of finding stolen sensitive information about our health, lifestyle and habits in the hands of ill-intended individuals or on the black market is disconcerting, to say the least.
 
Changed:
<
<
This paper suggests that there are ways to benefit from this new technology without striping away our freedom by violating our privacy, and calls for systematic reform of the way we treat the sensitive health data, akin to medical data.
>
>
This paper discusses the application of one of the world’s strictest and most far-reaching privacy laws, the GDPR, and explains why it is ill-adapted to protect sensitive health data, akin to medical data, collected by the wearables. This paper suggests that there are ways to benefit from this new technology without stripping away our freedom and calls for systematic reform of the way we build analytical models of these wearables to avoid mass breaches of the company databases.
 
Changed:
<
<

Privacy Issues

>
>

The GDPR

 
Changed:
<
<
Despite their benefits, these fitness tracking technology and app companies lack transparency with regard to what they do to the data accumulated from consumers. By purchasing the new Fitbit or Garmin smartwatch, consumers are willingly signing away their privacy rights to these companies who harvest data for ulterior motive and purposes. In a study titled “Mobile health and privacy: cross sectional study” by the Macquarie University, researchers found a serious problem with regard to privacy in mobile health applications, stating that numerous app data was being collected and shared in an unauthorised manner. The study shows that 87.5% of the health apps’ data collection was related to third party services, where 55.8% of detected transmission of data was toward third party servers. Further, only 34.0% of health apps showed full compliance while 49.0% showed no compliance either because a privacy policy was not present or all the user data transmissions violated the privacy policy. In light of the study results, it is fully understandable that consumers have a distrust of these companies.
>
>
There is a lack of transparency with regard to how wearable technology companies gather and collect our personal information and what they do with the accumulated data, making it difficult to determine exactly what rights we are giving up. Researchers have warned against serious privacy problems in the field of mobile health applications, finding that numerous app data were being collected and shared in an unauthorised manner. However, this does not mean that wearable companies have carte blanche to do whatever they please with our data. The European Union’s General Data Protection Regulation (GDPR) controls how personal information is collected, stored and used by organizations. I outline below different protections offered by the GDPR that may be enforceable against wearable technology companies: - Request for informed consent before gathering data (article 7); - Notification of personal data breach (articles 33 and 34); - Erasing data when the data subject withdraws consent (article 17); - Taking measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed (article 32); - Limiting data usage to what is necessary and must not process such data in a manner that is incompatible with the purposes of the GDPR. Processes and products should be structured and developed in a way that collects only data that is required to perform a specific purpose; and - Implementing appropriate technical and organisational measures by involving different levels of stakeholders, such as operating systems and device manufacturers, app stores, app developers and social media platforms that are all a part of the infrastructure (article 25).
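Review bot: The GDPR protections in the added paragraph are run into one sentence with inline "- " separators, and the data-minimisation item is the only one without an article reference; set them as a list and cite the provision for that item as the others do. That item also says processing must not be "incompatible with the purposes of the GDPR", where the limit being described is on the purposes the data was collected for, so reword it. The removed paragraph named the study and gave its figures (87.5%, 55.8%, 34.0%, 49.0%), while the replacement says only "Researchers have warned"; link the source.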
 
Changed:
<
<
It is clear that even if these companies provide users with a privacy policy, the drafting and crafting of these documents are purposely elusive, vague and misleading. Even if policies exist, there are currently no easily available legal recourses or watchdogs to ensure that they are enforced, therefore resulting in 49% of apps being non-compliant.
>
>
More importantly, the GDPR strictly prohibits the processing of genetic data, biometric data and health data to uniquely identify a natural person (article 9) unless consent was provided or other conditions of article 9 were met. Biometric data is defined as “personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person” (article 4), which covers specifically data collected by wearable technology companies.
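Review bot: The sentence "strictly prohibits the processing of genetic data, biometric data and health data to uniquely identify a natural person" attaches the unique-identification qualifier to all three categories; in article 9(1) that qualifier belongs to biometric data only, and data concerning health is a special category whatever the purpose. The definition quoted from article 4 also stops before its identification clause, so the conclusion that it "covers specifically data collected by wearable technology companies" needs the full definition and a statement of which wearable readings are meant; heart rate or step counts may fit "data concerning health" better than biometric data.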
 
Changed:
<
<
Further, there may be violations of privacy by third parties, such as hackers and legal obligations such as subpoenas targeting the companies that operate the health trackers and app. The breach of privacy concerning UnderArmour? ’s MyFitnessPal? in 2018 is a great example to the vulnerability of these companies. The hack caused the divulgation of the usernames, passwords, and email addresses of more than 150 million users.
>
>

The Gaps

 
Changed:
<
<
Industry giants such as Fitbit also admit to selling anonymized data to marketers and researchers. Some insurance companies even offer the option to their insured to sync and submit their fitness and wearable data to allow for premium adjustments. The data collected are akin to medical data, as one could predict numerous health issues and based on statistics and actuary calculations.
>
>
Although consumers have slightly more control over their data under the GDPR, certain loopholes allow wearable technology companies to continue getting away with privacy violations. The GDPR does not solve the issue of ownership of the collected data. When the data is anonymized to the extent that it can no longer uniquely identify a natural person, it is unclear under the GDPR what transactions wearable technology companies can make with such collected data because it is comprised of a mix between biometric, health and general personal data. For example, would Fitbit still be permitted to sell de-identified data that cannot reasonably be used to identify an individual? Further, users have no choice but to consent to the processing of their sensitive personal data when purchasing and using the wearable, which allows for the gathering of data under the GDPR. The notion of consent in this situation is a mere fallacy.
 
Changed:
<
<
Although anonymized, with enough congregate information and geolocation data, it is possible to determine the identity of a person. In fact, six days of “step counts” may be enough to identify an individual among 100 million others and may reveal sensitive information such as an user’s address and routine. Consequences of leaking and divulging data are often unpredictable. For example, Strava accidentally pinpointed to the location and outline of secret US military bases, as military personnel were using fitness trackers. Aggregating and divulging such sensitive information becomes a gold mine for marketers, and even for the black market. Criminals will have the possibility of accessing a person’s routine by a few clicks on the dark web.
>
>
Even when data is anonymized, with enough congregate information and geolocation data, it is possible to determine the identity of a person. For example, it was found that six days of “step count” data may be enough to identify an individual among 100 million others and may reveal other sensitive information such as a user’s address and routine. Additionally, even if these companies provide users with a privacy policy, the drafting and crafting of these documents are sometimes purposely elusive, vague and misleading and may be unilaterally changed at any time. Regardless, there are currently no easily-available legal recourses or watchdogs to ensure that the policies are enforced.
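Review bot: The re-identification claim (six days of step count data identifying "an individual among 100 million others") is now introduced with "it was found that" but still carries no source. It is the main evidence in this section that anonymized wearable data is not safe to sell, so link the study and say what auxiliary data the match assumes. "congregate information" looks like it should read "aggregate information".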
 
Changed:
<
<
This begs the question: by purchasing these products, did users implicitly consent to share their intimate information? What are some rules businesses and legislature should implement and enforce to avoid the catastrophic consequences of revealing sensitive health and wearable data? The benefits of the fitness and health tracking technologies are non-negligeable and could be entirely advantageous to society. For example, they provide a sense of community, improve general well-being and allow for better decision-making with regard to one’s health, eating habits, working out habits, athletic performance and much more. It can even allow for crime solving, if the data is being divulged responsibly and lands in good hands.
>
>
The consequences of leaking and divulging data are often unpredictable. For example, Strava accidentally pinpointed the location and outline of secret US military bases, as military personnel were using fitness trackers. Aggregating and divulging such sensitive information becomes a gold mine for marketers, and even for the black market. Criminals will also have the possibility of accessing a person’s routine with a few clicks on the dark web.
 
Changed:
<
<

Solutions

To benefit from fitness and health tracking technologies, a systematic reform is necessary. The European Union General Data Protection Regulation and the US Health Insurance Portability and Accountability Act provide good ideas and baseline of privacy protection. However, their application and enforceability stop at their respective jurisdictions.
>
>

Solutions to Explore and Conclusion

 
Changed:
<
<
On the business side, changes in the business models of companies gathering fitness data and how they protect the data will be required. For example, encryption of data should be common practice in the industry. However, businesses won’t voluntarily spend money and lose a source of revenue to make these changes without having exterior pressure, such as legislature forcing them to take action.
>
>
In order to avoid these risks, systematic reform of technology, its infrastructure, framework and software is necessary. The way we process and store data collected by wearables should be revisited and reworked. For example, analytic models can be run on user-controlled computers instead of the platform’s cloud. This would effectively shield all individual data from disclosure.
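Review bot: "This would effectively shield all individual data from disclosure" is broader than the design supports: the reviewer comment removed in the next hunk limits the claim to data "not intentionally contributed to the model", and data kept in personal storage still has to be protected on the device. The removed paragraph's recommendation that "encryption of data should be common practice" covered that and is dropped here; keep it alongside the local-processing proposal.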
 
Changed:
<
<
Policy changes are also called for to force these businesses to consider ethics, data privacy and anti-discrimination with regard to the data they collect.

There should be an international watchdog and international treaty with regard to the privacy rules, enforcement and imposition of legal consequences, along with financial penalties to those who do not respect such rules. It can be similar to anti-spam legislation enforcement in certain countries.

Improving this draft means making space by removing unnecessary factual recitation. You link to no sources, which gives the reader no way to read them for herself, and requires you to spend valuable space conveying what a couple of sentences well linked would suffice to do. With the resulting space you can then do some real analysis. The chances of the global treaty on fitness data you call for are precisely mathematically zero, which is also the level of government enthusiasm. You don't actually discuss the legal effect of GDPR or HIPAA, or for that matter CCPA, or show why they are ill-adapted to the purposes you haven't precisely defined. You have said nothing about the actual technology, though it is self-evidently possible to make the sensor array attached to the body store its data not with a platform, but in personal storage, and to build analytic models that run not in the platform's cloud, but on user-controlled computers, shielding all individual data not intentionally contributed to the model from disclosure to anyone. Progress along these three axes—to provide technical analysis, to make specific the legal analysis and to make realistic the political discussion—would produce an outstanding essay.
>
>
The benefits of wearables are plenty and could be entirely advantageous to society. For example, they can help save lives by measuring heart rate and blood pressure to indicate when mediation or medical intervention is necessary. They allow for better decision-making with regard to one’s health, lifestyle habits and athletic performance by providing data and insight.
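Review bot: "mediation" in "when mediation or medical intervention is necessary" reads as a typo for "medication". The heading added above is "Solutions to Explore and Conclusion", but this closing paragraph lists benefits only; end on the proposal made in the preceding paragraph instead.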
 
You are entitled to restrict access to your paper if you want to. But we all derive immense benefit from reading one another's work, and I hope you won't feel the need unless the subject matter is personal and its disclosure would be harmful or undesirable.

Revision 3r3 - 17 Mar 2022 - 22:06:19 - AmyTang
Revision 2r2 - 06 Dec 2021 - 13:02:24 - EbenMoglen
All material on this collaboration platform is the property of the contributing authors.
All material marked as authored by Eben Moglen is available under the license terms CC-BY-SA version 4.