Law in the Internet Society

Why were there no disclaimers that tracking your 10.000 daily steps could lead to disastrous data breaches?

-- By OnaMunozRuscalleda - 13 Oct 2023

Introduction: The quantified self

In May 2022, The Economist issued a series of articles named "The quantified self". The main premise of these articles is that humans can now measure all sorts of health data through their smart wristbands, watches or other devices, and enhance their health using that information. These devices can track all sorts of data: daily steps, sleeping habits, blood pressure, heart rate, and respiration, among others. The articles claim that there’s several benefits to measuring your health data with wearable devices, for example: increasing daily movement among sedentary people, reducing spikes in blood sugar after meals and thus helping people with diabetes, and helping design AI-personalised diets, among others. It sounds too good to be true: you put on a watch, and it can help you design a meal plan, a workout plan and a daily routine that will reduce your risk of disease and your risk of mortality and increase your health and well-being. All this, with just a watch! Unfortunately, it is too good to be true: the privacy risks that these data-collecting wearable devices pose is not explored in The Economist’s articles, despite being a real threat to consumer’s privacy.

The problem: A centralized data design, and its breach

The situation that these wearable devices create is that almost all this data, which includes information about virtually all your physical information, your habits, your overall health, and even your location, is now bundled together in one of these devices and their respective databases. Apple Watch's services were designed to centralize all information collected, instead of not collecting it at all. Problems arise when there’s a data breach, and all this information is not private anymore (was it ever?). This was the case for FitBit? and Apple: in 2021, an unsecured database containing more than 61 million records was hacked into, leaking all the information collected from fitness tracking and wearable devices. The information leaked included names, birthdares, weight, height, gender and geolocation. The main reason for the data breach was the fact that the database was not password-protected and the data was not encrypted.

What can the current law do about it?

Facing a situation such as Fitbit and Apple’s data breach, the question arises: what can the law do about this, if anything? The question is particularly problematic because these wearable devices lie at the intersection of several areas: health, data protection and personal fashion accessories. There are many laws that partially apply to this issue: the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the FDA's Medical Device Tracking Regulation are the most relevant. However, this essay will not delve further into the current legislation.

What should the law do about it?

After reading this essay, most people will reach the conclusion that the way forward is very easy: there just needs to be a piece of legislation passed which tackles smart devices and protects the data of the consumers. However, the answer is not as straightforward as it may seem.

One of the main issues regarding legislation around portable devices, such as smart watches, is that they often are reactive pieces of legislation. A problem happens, such as the data breach in Apple's and Fitbit's case, and then a piece of legislation arises which protects consumers from data breaches. Nonetheless, the real issues are not tackled:

Firstly, the law does not tackle the underlying issue of data centralization. Thus, the law is simply a reactive weapon against an issue that will keep on occurring if the main cause is not eliminated. The law should thus tackle the main root of the issue, rather than protect consumers against the consequences of it.

Secondly, these devices evolve so fast that as soon as a potential piece of legislation is passed, it will likely already be obsolete. Very soon there will no longer be smart watches tracking our movements, but there will be implants on our bodies which will do that function. What then? Should we pass a new piece of legislation? Should we predict the future developments already and include them all in this potential piece of legislation? What about what we cannot predict?

So, what should the law do about it? The law should shape the change that we want to see in privacy concerns regarding portable devices. In other words, the law has the potential to create effective change and shape the technological development we would like to see in terms of data privacy concerns with portable devices. To conclude, by tackling the root cause of the data breaches, the law can shape how we want to protect consumers in cases of portable health trackers, and the general technological development we want and we must foster.

You are entitled to restrict access to your paper if you want to. But we all derive immense benefit from reading one another's work, and I hope you won't feel the need unless the subject matter is personal and its disclosure would be harmful or undesirable. To restrict access to your paper simply delete the "#" character on the next two lines:

Note: TWiki has strict formatting rules for preference declarations. Make sure you preserve the three spaces, asterisk, and extra space at the beginning of these lines. If you wish to give access to any other users simply add them to the comma separated ALLOWTOPICVIEW list.


Webs Webs

r4 - 10 Jan 2024 - 17:09:32 - OnaMunozRuscalleda
This site is powered by the TWiki collaboration platform.
All material on this collaboration platform is the property of the contributing authors.
All material marked as authored by Eben Moglen is available under the license terms CC-BY-SA version 4.
Syndicate this site RSSATOM