Thinking About Privacy Rights and Wearable Devices

May 13, 2015

Because the Learn section of TalkRights features content produced by CCLA volunteers and interviews with experts in their own words, opinions expressed here do not necessarily represent the CCLA’s own policies or positions. For official publications, key reports, position papers, legal documentation, and up-to-date news about the CCLA’s work, check out the In Focus section of our website.

The development and use of wearable devices has accelerated in recent years, with the advent of inconspicuous items that can be used in the home, on the street, and in the office. The variety of uses for wearable devices, also referred to as wearables, makes them difficult to describe. Wearables are designed to collect very detailed and intimate information about you and your surroundings. Most of these devices currently relate to areas such as health, safety, productivity, and entertainment, using environmental, social, and behavioural data. Wearable devices come in forms such as fitness bracelets, smartglasses, clothing, jewelry, watches, and other items like small wearable cameras, all of which operate in what is referred to as the Internet of Things.

The Internet of Things is the network created by an ever-widening range of devices that rely on wireless communication for enhanced function. For a wearable device to work as designed, it needs to communicate through the internet and exchange data between itself and another device or database, such as a cloud. Those related to health can track information such as diet, exercise, blood sugar levels, heart rate, and sleep. Among other things, these wearables are designed to send collected data to an app that can then collate and analyze the data. One such device, for example, can monitor sleep habits and patterns: it can track how many times a person wakes up at night, how often they toss and turn, if and when they snore, etc. An app then creates reports on these sleeping habits that the person can use and analyze afterwards. The use of wearables can be very convenient, and can help a person monitor health matters, make convenient mobile payments, and record their daily life. One such device, which includes a small wearable camera, can take snapshots of your daily life and create scrapbooks in an app. As convenient and entertaining as these wearables may be, there are many risks involved in their use and proliferation that need to be considered.

The use of wearables involves the collection and exchange of personal data within the Internet of Things. One issue is that once it is known that a person uses a wearable for something, that person can become the target of hackers. If a person uses a wearable for mobile payments, for instance, a hacker can try to attack their account to access their financial information and commit identity theft. This leads to questions of security and whether this data is protected appropriately, both where it is stored and when it is transmitted.

Another area of concern is the issue of privacy policies and the concept of digital rights. Privacy policies do not seem to be adapting to the technology as quickly as the technology is advancing. Wearables, apps, and devices are often not designed with security and privacy as a priority during the design stage, and due to the lack of overall privacy standards, privacy concerns are frequently not dealt with proactively. This is particularly problematic when we consider how sensitive some of the wearable-collected data may be. A collection of very sensitive data is a valuable commodity, and not just wearable developers but also third parties would like to use it—but not necessarily to benefit the users. For example, if an insurer were to access lifestyle or health-related data, the information could be used to put that person’s ability to obtain insurance in jeopardy. Would a job applicant be comfortable with a potential employer being able to access health records, or being capable of monitoring the heart rate and perspiration of an applicant during an interview? Surely no one would want this data left unsecured, or have it sold to unknown organisations for undetermined purposes.

A 2014 report by PricewaterhouseCoopers in the United States found that 82% of people studied were concerned about wearable devices invading privacy, and 86% were concerned about security. This report clearly indicates that these two areas are concerns for consumers, which is another motivation for the development of robust privacy and security settings within these devices and the environment in which they operate. Furthermore, it should be considered that the impact that wearables have on society can be intrusive and lead to the redefining of social decorum. For example, questions are raised about their use in areas such as courts, law offices, hospitals, public washrooms and schools. Since many of the devices in question are very inconspicuous and easy to conceal, it becomes very difficult to control their use in places where they should not be in operation. The potential for privacy violations here is troubling. The Chief Privacy and Security Counsel at Intel proposes the implementation of device-neutral policies that can apply to all devices equally when it comes to privacy and security, since current policies are designed to be device-specific. Device-specific policies are not designed to anticipate new technologies that frequently enter the market the way device-neutral policies would.

The data that wearable devices generate is vast, and its storage and use raise concerns. The reuse and reselling of this data leads to questions of transparency and the need to give access to and control of personal data to the people it pertains to. Although some individuals may not be concerned with how their information is handled, others most certainly are. This is why wearable devices should always allow you to access and control your data if you so choose, including opting out of any data sharing. Corporations of many stripes, including advertisers, would be very interested in accessing the data generated by wearable devices, as the data is very personal and potentially profitable. The potential that wearable devices have when it comes to marketing is revolutionary.

The Future of Privacy Forum in the U.S. lists a number of proposals with regard to wearable devices and the Internet of Things. These include: respect for context, benefit-risk analysis, transparency, de-identifying data, reasonable individual access, appropriate security, and the development of a code of conduct. A code of conduct would not only alleviate some of the discomfort that many people have with wearable devices, but would also set up a framework for companies to work within when designing and developing devices and applications in this industry. De-identifying data prior to it being shared is another potentially useful development for wearables and the data that they produce, although it remains unclear to what extent this might help and there is uncertainty as to the effectiveness of de-identification. Efforts to ensure that the devices, and the collection, retention, use and disclosure of data, all adhere to privacy law such as PIPEDA in Canada should also be mandatory.

See also the Office of the Privacy Commissioner’s report: Wearable Computing – Challenges and opportunities for privacy protection.