Wearables - No Privacy for Your Biometry

by Dominik Bärlocher

Wearables record a lot of personal data: pulse, sleep patterns, heart rate, number of steps taken and a lot more. Manufacturers face new challenges when it comes to data security and privacy. Research shows that many manufacturers grant themselves broad rights and offer little protection when it comes down to it.

Google Glass, Nike FuelBand and similar products that are worn directly on the human body come with a contract. By buying the product, the user agrees to give the company that sold them the device and the software some rights to the recorded data. The problem: Hardly anyone ever reads the End User License Agreements (EULAs), as usability expert Jeff Sauro has discovered. According to his research, users spend an average of six seconds on the screen displaying the EULA. That’s nowhere near enough time to read the entire agreement. The EULA that comes with iTunes is seven A4 pages long, Google Play’s is eleven. And that’s not even all. Further documents that a customer should read and understand are the privacy statement, which defines the privacy the user gets, and the terms of use. It’s safe to assume that they’re not being read either.

By accepting the EULA, users agree to – among other things – not do anything illegal with the software, that the manufacturer is not to blame in case of accidental or deliberate misuse and that all liability of any kind is being denied by the manufacturer. Often, the vendors of a product protect themselves against loss or theft of the user’s data or – as seen in cases like Facebook’s – they claim rights to user data. Similar EULAs are being accepted with the purchase of Wearables and the installation of the software that comes with it. That probably also only takes six seconds.

Users Need to Read Multiple EULAs and Understand Them

Before the purchase of a Wearable, customers need to ask themselves this question, assuming they’re interested: Who do I give my data to? Every transfer of data brings risks in terms of privacy. If a Wearable displays and processes all the data in one device, there is still the risk that someone glances over the user’s shoulder and obtains the data that way. Also, the user agreed to one EULA before using the device. If the data is being transmitted from Wearable to smartphone, the user has to agree to two EULAs after having read and understood them. If the data is being forwarded to a server, then it’s more than two EULAs, read and understood. Every transfer carries the risk of data leakage.

That is the exact thing the vendors protect themselves against. That, and against data leakage in memory. The privacy policy of the smartphone app Moves states:

However, we cannot guarantee the security of your data, which may be compromised by unauthorized entry or use, hardware or software failure, and other factors.

Moves isn’t alone with sentences like these, which, legally speaking, serve as a sort of Get out of Jail Free card for mistreating user data and are against national and international data privacy laws anyway. Other vendors try to stay vague as well. The privacy statement of Body Media (http://www.bodymedia.com), which got bought up by Jawbone Up, promises that the vendor adheres to all Best Practices of Data Security. FuelBand’s manufacturer Nike gets more precise:

All credit card information you supply is transmitted via Secure Socket Layer (SSL) technology and then encrypted within our databases.

«Biometric Data is not Personal Information»

The most negligent, but also the most honest, company that appeared during research is OMSignal, the manufacturer of a shirt with integrated sensors.

OMsignal does not consider your biometric data to be personal information and this data may be used as de-identified data for any lawful purpose as detailed below [on the website].

Among the details listed are the export of the data to third parties, which requires reading and understanding yet another EULA. The reading and understanding of the EULA is up to the users themselves and is not getting checked by OMSignal.

Nike also takes liberties with user data. On its website, the manufacturer of sporting goods advertises that the wearers of the FuelBand have collectively taken 85 billion steps and thus burned 12 billion calories. The website is counting automatically.

Data Is More Sensitive than Just a Photo

From an expert’s point of view, it’s also disconcerting that the data recorded by a Wearable can in most cases be shared on Facebook or as pictures on Instagram. An example:

After filling out his profile of his new Wearable, a 50 year old man from Switzerland gets up at least twice every night. The Wearable on his wrist records the following:

Experts know what this means: The man gets up, goes to the toilet and goes back to bed again. But that’s not where the data correlation stops. The following things can be stated with some certainty:

If the vendor sells the data to third parties, it’s suddenly entirely possible that a user gets mails with content like:

Hi, we’ve found out that you get up several times every night and go to the toilet. Do you have prostate issues? Here’s a list of the best products that could interest you.

A case like this actually happened: supermarket chain Target (http://www.nytimes.com/2012/02/19/magazine/shopping-habits.html?pagewanted=1&_r=2&hp&) figured out a teenage girl was pregnant before the father of said girl knew.

Dealing with Always-On Devices

The crux of Wearables is this: They don’t sleep and they’re recording 24 hours a day. If the wearer takes them off, the data is being falsified and thus becomes useless.

This situation raises questions, for customers, developers and manufacturers alike.

Leaving it up to the customer to ponder and answer these questions doesn’t make a lot of sense, from either the customer’s or the developer’s perspective. A decision that requires expertise can’t be left to a consumer. Besides, careful handling of data creates a lot of advantages for a business. Most importantly: Users are far more likely to trust the business and thus far more likely to buy more products.

About the Author

Dominik Bärlocher

Dominik Bärlocher has been working with IT subjects since 2006. The journalist relied on his affinity for all things IT during his tenures at newspapers and benefited from it. At scip, he conducts OSINT research and is an expert at information gathering.
