Google’s about to jump into the growing fitness data marketplace – a mosh pit that consumer advocates are already calling a privacy nightmare – to wrestle with Apple and Samsung for the data created by fitness trackers and health-related apps.
Sources told Forbes that Google’s planning to launch its new health service, called Google Fit, at its Google I/O developers conference, held on 25 and 26 June 2014.
Google Fit will reportedly collect and aggregate data from popular fitness trackers and health-related apps via open APIs.
One source familiar with Google’s plans told Forbes that Google Fit would allow a wearable device that measures data such as steps or heart rate to interface with Google’s cloud-based services and to become part of the Google Fit ecosystem.
Google has been working not just on wearable tech such as the much-loved, much-loathed Glass, but also on medical products, such as contact lenses for diabetics that read tears to ascertain glucose levels, according to the Washington Post.
The data-rich landscape being created by the proliferation of this type of fitness app has tech heavyweights drooling.
Earlier in June, Apple launched HealthKit, a system that pulls together health metrics, such as blood pressure, from exercise, nutrition and medical apps.
Samsung last month unveiled Sami, another biometric data platform that likewise gobbles up health information from devices and apps.
Deborah Peel, the executive director of Patient Privacy Rights, has called this growing fitness data marketplace a “privacy nightmare”, given that the vast majority, if not all, of the health data these apps collect has “effectively zero” protection.
But while the fitness and health apps makers might have dropped the ball on protecting the data, the mega-data handlers who want to aggregate it all – Google, Apple and Samsung, so far – are tiptoeing around the landmines of privacy and security.
Sources told Forbes that creating these health platforms has been tough going for Google and Apple, given the delicacy required to deal with privacy issues and how best to process information as sensitive as health data – data that’s protected with legislation such as the US’s Health Insurance Portability and Accountability Act (HIPAA), which can carry onerous fines for medical data bungling.
Then again, Forbes’s sources said, the data giants have to juggle the issue of how to provide valuable feedback without veering into the realm of diagnosis, which could get them into hot water with US Food and Drug Administration (FDA) regulations.
Back in 2011, Sophos’s Chester Wisniewski wrote that from time to time, he’d ask health care professionals what they were doing to comply with HIPAA.
Here’s what one doctor told him:
When they start putting doctors in jail, I'll worry about encrypting my records.
Oh dear. Have medical professionals changed their minds since then?
I’m sure many have. But we’re still dealing with cases such as the woman who sued a medical center for posting her STD diagnosis on Facebook.
Whom can we trust with data this sensitive if we can’t trust medical personnel?
Can we trust Google? Apple? Samsung?
The idea makes one’s blood pressure rise ever so slightly, but we’ll keep the actual systolic and diastolic stats to ourselves for now, thank you very much.
Image of dumbbells courtesy of Shutterstock.
Surely such collecting of personal data is contrary to the Data Protection Act in force in the UK? I’m not sure whether the USA has any equivalent laws, but if not they desperately need some.
I would not want any of my personal medical data to be made available to anyone other than the medical professionals who may be treating me. I have already told the NHS (in the UK) that I do not want any of my medical data to be ‘shared’ with anyone not treating me and that it should not be stored on any cloud-based system – they are too vulnerable.
“Surely such collecting of personal data is contrary to the Data Protection Act in force in the UK? I’m not sure whether the USA has any equivalent laws, but if not they desperately need some.”
Not if people are going to Google, purchasing these devices and allowing the data to be collected, regardless of the country they live in. As long as they’re not going after personal health data held in a database maintained by doctors or health facilities and it’s “opt-in” I don’t see how much any law can do to prevent it. People need to start reading the EULA and privacy statements attached to these apps… but that will never happen.
These aren’t records from doctor appointments (although the article did veer off in that direction towards the end), it’s more stats and results from fitness apps. Basically just how lazy I am when attempting to get off the couch and go running. Currently most (if not all?) of these apps have an option to post results to Facebook, Twitter, Google+, etc…, which is fine as it’s an option (i.e. not compulsory). As long as Google Fit is also optional, then I personally don’t see any issue.
The issue is that Google ends up with a very large database. If you have a lot of data you can use it to determine things that are not immediately obvious from looking at the individual data points.
That is the essence of Big Data.
Having months or years’ worth of data from fitness apps probably allows you to discover all manner of things about the people and populations involved and may be enough to draw conclusions about their health, or changes in their health.
That makes Google custodians of some very sensitive data and the consequences of a data breach much more serious.
I’m not sure if I’m allowed to name drop here, but the app I use is Endomondo which already has details of everything I’ve used it for. I’m sure the people working at Endomondo are all doing a great job (I wouldn’t use it if I thought otherwise), but I’m more inclined to trust Google to keep this stuff secure… cue about 40,000 people clicking the thumbs down icon for me saying something positive about Google 😐 Of course, any other app would have the same data, and probably more if I used My Tracks (Google’s own fitness app).
While they certainly will accumulate a load of data, I suspect the intention is to provide statistics, such as any improvements in my fitness attempts over the past year (for anyone else who wants this info, the answer is “not much”)… and of course to better target advertising. So Google know I go running in a country where it’s raining 95% of the time and may want to advertise waterproof running gear – I can live with this. The key part though is that this integration should really be opt-in, and as long as it is, I see no problem.
Of course, Endomondo already have all this information about me, and do target ads at me when I visit their website (not while using the app). That’s what I get for a free service, and I’m happy with this trade.
You make perfectly fine points but where I think you’re making a mistake is in assuming you understand the nature of the data you’re sharing and trading off (or that Google understand it).
For example, it is possible to diagnose certain medical conditions by gait analysis performed using the accelerometers on phones.
I don’t imagine for a second that Google would track that specifically but what if, inadvertently, the data they collect can be used in that way?
And what if gait analysis can be determined using less accurate measurements, provided you have tens of thousands of hours of measurements?
In such a scenario it’s possible for Google to collect (without ever meaning to) and for you to share (without ever meaning to) very sensitive medical data.
I’m not trying to make a specific point about gait analysis – I have no idea if Google are tracking the right things to do that – I’m simply trying to illustrate that it’s possible to determine a lot more than you might think from innocuous data points provided you have enough of them.
Assuming that you’re using the Android version of this app, here is a list of what it has access to on your phone… by default.
This app has access to:
In-app purchases
Allows the user to make purchases from within this app
Identity
Uses one or more of: accounts on the device, profile data
Contacts/Calendar
Uses one or more of: calendar, contact information
Location
Uses the device’s location
Phone
Uses one or more of: phone, call log. Charges may apply.
Photos/Media/Files
Uses one or more of: files on the device such as images, videos, or audio, the device’s external storage
Device ID & call information
Allows the app to determine the phone number and device IDs, whether a call is active, and the remote number connected by a call
I don’t know about you, but I wonder why does it need to do all of that?
What you have all said IS contrary to the UK’s Data Protection Act if it has been provided by the owner, you, for a specific purpose but used for something else. So if I buy a set of dumbbells for upper body toning then someone else, apart from the vendor I bought from, gets to know that I made that purchase by gathering data from an ‘app’ then that is against UK law.
Trouble is that the application of laws is not easy in these cases and the variations in laws across different countries (or even different states in one country) makes it very hard for any common approach to personal privacy.
The internet has some advantages but also some disadvantages, so we all need to remember that many ‘apps’ gather information about us without our prior permission and without telling us that they are gathering such personal data nor that in many countries that is actually illegal.
Stay safe.
How fast people forget… Google already HAD a health data service until 2 years ago. Microsoft still has HealthVault, too…
This is not Google’s first attempt to acquire personal health care data. They were accompanied by WalMart, Microsoft and AOL the last time. The devil’s bargain was a free, online repository for all your medical records. The usual worthless promises of security and privacy were offered along with the fine print negating any obligation to honor their guarantee of anonymity.
The repeated insidious efforts to rape personal privacy will only be ended by long prison terms and devastating fiscal penalties. The rush to mine data makes the insanity over Sutter’s gold insignificant.
FYI: Deborah Peel, the executive director of Patient Privacy Rights was shilling for Microsoft originally. While I believe she was played and likely learned her lesson, beware anyone who attempts to justify corporate acquisition of medical data today. Even the well intended with otherwise perfect credentials can be misled by the upside of better fitness data being of benefit.
Google is getting into levels of surveillance on ordinary people that exceeds anything the NSA (used to be able to do) on terrorists.
Google claims it is all ok because we have a choice. (Though not with regard to surveillance of our homes and wifi by street view cars)
It’s essential that people like Lisa continue to publicise what they are doing so that people are aware of everything they are opting in to with apparently benign decisions to use ‘free’ Google products.
I agree with two of your points, but this one could use some additional language.
“The repeated insidious efforts to rape personal privacy will only be ended by long prison terms and devastating fiscal penalties. The rush to mine data makes the insanity over Sutter’s gold insignificant.”
The old saying “buyer beware” applies to free services as well as paid ones. People need to protect their own privacy by curtailing their obsessive need to share everything about their life. When people try to market their own life by writing about and sharing pictures of their achievements, mischief, family, friends, fitness, wealth, beauty, popularity, adventures, vendettas, and everything else (i.e. Facebook), they are encouraging the widespread collection of their personal data.
Readers who want to counter that my statement is akin to saying a woman invites rape by the clothes she wears just don’t get it. It’s not the same. The use of the word “rape” in that statement is not the same definition as the crime of “rape”. A more accurate word would be misappropriate. The nature, intent and severity of any misappropriation should dictate the penalty. So yes, fines and prison terms might discourage such data mining, but if the “gold” isn’t there in the first place, it can’t be mined.
While I’d love to believe in ‘buyer beware’, the very nature of a scam is to acquire by deception. Also factor Arthur C Clarke’s observation: ‘Any sufficiently advanced technology is indistinguishable from magic’ and we have a scenario where all but the most security conscious are prey.
I would posit Facebook and Google are the Rohypnol of the Internet. I do not ascribe to the nonsense clothing encourages bad behavior. Nor do I accept a euphemism for “an act of plunder, violent seizure, or abuse; despoliation; violation” as that is precisely what happens when the unknowing digitally encounter the surreptitious.
Yes, some foolishly grandstand on social media. The vast majority are totally unaware their every word and image is being “misappropriated” by a nefarious business.
I bet in future Google will come up with what they call a ‘Smart Pill’, which one can swallow, which contains a minute radio device, which can be used to confirm your identity. No more having to validate emails or bank accounts or even open doors for your home or car. This smart device will do all of its own and keep itself recharged by making use of the body heat. Along with it it will claim to record your vital bodily functions, communicate with your doctor and emergency services and also show you products based on a well complicated algorithm on what you should be buying or eating. Health insurance premiums shall be per day and one big mac and the price goes up and comes down after a week of eating healthy. Still I am pretty sure people would want to try it out and then cry about losing their privacy or health related information. Only Google can tell what their plans are for the future.
This article was plagiarized nearly word-for-word from Forbes.com.