Sophos Cloud Optix
Lately, Zumba has been killing me.
My right knee aches, and I swear I’ll need a new hip within a few years.
Is that really data that I want sold to the highest bidder, from whence it could find its way into the hands of prospective employers, insurers, or mortgage lenders, any of which could conceivably discriminate against me based on this intimate information?
Unfortunately, privacy advocates warn, we’re jogging with our fitness apps straight into that type of privacy quagmire.
The Washington Post quotes Deborah Peel, the executive director of Patient Privacy Rights, who called the growing fitness data marketplace a “privacy nightmare”, given that the vast majority, if not all, of the health data these apps collect has “effectively zero” protection.
Take, for example, Facebook’s recently acquired fitness and activity tracking app, Moves.
Moves describes itself as an “activity diary” for iPhone and Android mobile devices. It does things like count how many steps you take every day, then presents it in a slick interface on your mobile phone.
It gets that information by mixing data from mobile phones’ motion sensors with GPS information to track a user’s location and activity throughout the day.
Moves’s algorithms can differentiate between different types of exercise, such as biking or running, and can calculate distances traveled and calories burned.
That means the app knows not only a user’s location, pinpointed down to an exact building, but also whether he or she got there on foot, bike or bus.
The data-rich landscape being created by the proliferation of this type of fitness app has tech heavyweights drooling.
Apple, for one, has been on a hiring spree in the biomedical field, Reuters recently found when rifling through LinkedIn profile changes, with much of the hiring being centered on sensor technology that could feed into its development of the iWatch and other wearable technology.
Google, for its part, has been working not just on wearable tech such as Glass, but also on other medical products, such as contact lenses for diabetics that read tears to ascertain glucose levels, the Post reports.
Google pre-briefed Lorenzo Hall, chief technologist at the Center for Democracy & Technology, before its January announcement about the contact lenses. Google assured Hall that data collected by the contacts would be kept out of the wealth of personal data collected by the company through its other services, Hall told the Post.
So who’s keeping an eye on the sensitive data collected by fitness apps?
Unfortunately, we can expect little oversight by traditional medical watchdogs.
The data isn’t protected by the Food and Drug Administration, given that fitness apps or gizmos don’t generally qualify as medical devices.
Nor does it merit the privacy protection of the US’s Health Insurance Portability and Accountability Act (HIPAA), which covers privacy with regards to information handled by medical professionals.
As the Post reports, fitness apps seem to be falling through an FDA loophole:
A list of examples of types of apps that fall into this category on the FDA Web site appears to encompass features commonly found in fitness tracking apps, but a footnote includes a potential loophole -- saying that when these type of apps "are not marketed, promoted or intended for use in the diagnosis of disease or other conditions, or in the cure, mitigation, treatment, or prevention of disease, or do not otherwise meet the definition of medical device, FDA does not regulate them."
The FDA for now is pretty much steering clear of regulating health-related apps unless they pose a clear and present medical danger to consumers.
The Federal Trade Commission, for its part, hosted a public conference about consumer-generated health data earlier this month as it tries to figure out where it fits into this new regulatory scene.
But the FTC has limited means to punish companies if they break their promises to consumers, lacking the power to issue fines over first offenses.
That leaves it up to consumers to watch their own backs when it comes to reading the privacy policies for these apps, FTC Senior Staff Attorney Cora Han pointed out to the Post:
Consumers may not always read the privacy policies of some of these apps. And even if they do some of them might be worded in legalese so consumers might not understand the choices they are making with their information.
Some things to keep in mind when reading such privacy policies, as privacy advocates point out:
- Just because an app’s privacy policy rules out selling data doesn’t mean it’s not getting around that on a technicality by trading the same data.
- Beyond an FTC investigation, there’s nobody really auditing these apps’ privacy promises.
- As Moves’s privacy policy change made clear, privacy policies aren’t immune to being changed – particularly when changing them benefits an acquiring company.
Image of jogger with phone courtesy of Shutterstock.
This type of data will soon find it’s way to health insurance providers and enable them to justify rate increases in the same way that they have been doing for years with data obtained from grocery store “club” cards. People who purchase excessive amounts of alcohol, red meat, or cigarettes for example pay much more than those who stay away from these and purchase large amounts of fresh vegetables.
Technically my fitness data is already being used for my medical insurance. My work has given us discounts on Fitbit to track our steps, to be automatically synced to our “HealthySpirit” web portal, which gives us a discount on our medical insurance monthly, since the company I work for has its own branch of BCBS. So far, it’s only being used for good – they want us to be healthy because then it costs less for them. The problem is when they start using the data for evil.
Insurance companies are always looking to reduce risk, and knowing more details about their subscribers does that. Whether that reduces costs or not is a separate question – because now they will know the good and the bad about everyone in your insurance pool. Your costs are based on everyone in your pool. They can, and likely already have used that data to make decisions about what they will/will not pay for, using their data to justify those decisions. I am not at all comfortable with insurance companies having this data. If you are healthy, you may see this as an over-reaction, but one bad car accident or one large health event I think would make you reconsider.
Yes, policies can be changed, but Moves’ policy obliged them to 1. notify you of any change, and 2. let you delete your data. Often this isn’t the case, so it’s really important to have a look at a service’s privacy policy!
Yes, Moves’s policy did require them to notify users of changes, but it actually hadn’t done that when it changed its policy after the Facebook acquisition—at least, not that news outlets could discern by the time I published the Moves piece last week.