
Posted in: Data Security/Privacy

Jul 28, 2016

Privacy - From the Inside Out

By Paige Backman

Wearable technologies can track an incredible amount of biometric information - heart rate, blood pressure and sleep habits are but a few. Some can track sexual activities (in at least one case, much to the dismay of the users, the results of these activities were posted online and searchable).

We are seeing the development of wearable technologies that analyze sweat, which could be used to replace certain blood tests. It is real-time data, highly personal and highly sensitive. It is similar to information that a person's doctor would collect, and yet the wearable technology industry is regulated by very different rules than the medical industry.

There is a tremendous benefit from using some wearable technologies. A recent report from PwC reveals that health is a major motivator for wearable consumers. The report also found that privacy concerns are becoming less and less of a deterrent. This is great news for insurance companies that wish to utilize the data harvested from widespread usage of wearable devices.

In February, Manulife announced that they will be introducing a policy that involves wearing a fitness tracker to save money on life insurance. Insureds will earn points when they reach exercise milestones, and in return for their healthy lifestyle, they will be rewarded with discounts on insurance. The personalized program is analogous to usage-based auto insurance programs, where drivers who speed less and brake smoothly are rewarded with savings if they install a telematics device on their vehicle. If tracking your car motivates you to become a better driver and tracking your body motivates you to become healthier, where is the harm? Are we at a place where if we don't want to wear health trackers, we will have to pay higher insurance premiums?

Fitness data could also be used to authenticate claims filed by the insured. A Canadian company called Vivametrica analyzes raw fitness and health data gathered by a single wearable device, in comparison to data from a bank of other wearable devices, to determine the standard for the average healthy user. In 2014, the services of Vivametrica were used to analyze data from a plaintiff's FitBit in a personal injury case in Calgary. In that case, the insured was relying on information to support her claim, but as an article from The Atlantic notes, insurance companies can request a court order to demand disclosure of wearable data to undermine a claim.

Other data that is worrisome to users of telematics and wearable devices is location data. In the context of fitness trackers and life insurance, it is easy to see how location data could get a user into trouble; if a user is tracked repeatedly visiting locations deemed by the insurer as "dangerous" or if the insured has filed a claim for disability and is tracked visiting locations that seemingly contradict that claim, this information could be used against the insured.

In a 2016 study published by Open Effect and Citizen Lab entitled "Every Step You Fake: A Comparative Analysis of Fitness Tracker Privacy and Security," researchers tested the privacy precautions taken by popular wearable computing companies to protect users' Bluetooth data. The Apple Watch was the only device to randomize MAC addresses every ten minutes and when rebooted, making the tracking of a wearer more difficult. Other devices, including the popular Fitbit Charge HR and Jawbone UP 2, did nothing to protect the privacy of a wearer's location. Users unfamiliar with the ins and outs of Bluetooth technology are likely unaware that location data is even being gathered by a fitness tracker or that this information is stored by the makers of wearable devices.

As with any technology that collects personally identifiable information, there are trade-offs between the benefits and what a person has to 'give up' for those benefits. As long as the company informs the individuals of what information is being collected, how it will be used or shared and for what purposes (as well as complying with other requirements under privacy laws), and as long as it is truly a choice, then the adult individual can make that choice. We are not seeing individuals being given that information and, in some cases, they may not be given a realistic choice. For instance, if the only way someone could afford health insurance is by wearing the health tracking device, is that truly a choice?

Very few know the depth of the information collected by wearable technologies. Most people also don't know where that information is sold or shared, what third parties might do with that information or that the information may be disclosed as part of court proceedings. This is certainly not a new issue in the information age, but there is a difference. We have entered into a realm where the information being collected is far more personal and far more sensitive than before. This information could be used or disclosed quite easily in a manner that could significantly harm the individual.

The future is extremely bright for wearable technologies as we have only started to understand the scope of application and potential benefits. There is also a tremendous upside to society with these technologies. What we're missing to date is a direct discussion about the implications of these technologies, the risks and, more importantly, how to manage them in a way that benefits both the developers of the technologies and the users.
