• Part 1: Wearables – New Freedom
• Part 2: Wearables – Technology on the Body
• Part 3: Wearables – New Threat
• Part 4: Wearables – No Privacy for Your Biometry
• Part 5: Wearables – A look ahead

Wearables record a lot of personal data: pulse, sleep patterns, heartrate, number of steps taken and a lot more. Manufacturers face new challenges when it comes to data security and privacy. Research shows: Many a manufacturer allows themselves to do a lot and protect little when it comes down to it.

Google Glass, Nike FuelBand and similar products that are worn directly on the human body come with a contract. By buying the product, the user agrees to give the company that sold him the device and the software some rights to the recorded data. The problem: Hardly anyone ever reads the End User License Agreements (EULA) as usability expert Jeff Sauro has discovered. According to his research, users spend an average of six seconds on the screen displaying the EULA. That’s nowhere near enough time to read the entire agreement. The EULA that comes with iTunes is seven A4 pages long, Google Play’s is eleven. And that’s not even all. Further documents that a customer should read and understand are the privacy statement that defines the privacy the user gets and the terms of use. It’s safe to assume that they’re not being read either.

By accepting the EULA, users agree to – among other things – not do anything illegal with the software, that the manufacturer is not to blame in case of accidental or deliberate misuse and that all liability of any kind is being denied by the manufacturer. Often, the vendors of a product protect themselves against loss or theft of the user’s data or – as seen in cases like Facebook’s – they claim rights to user data. Similar EULAs are being accepted with the purchase of Wearables and the installation of the software that comes with it. That probably also only takes six seconds.

Users Need to Read Multiple EULAs and Understand Them

Before the purchase of a Wearable, customers need to ask themselves this question, assuming they’re interested: Who do I give my data to? Because the transfer of data brings many a risk in terms of privacy. If a Wearable displays and processes all the data in one device, there still is the risk that someone glances over the user’s shoulder and gains the data by these means. Also, the user agreed to one EULA before using the device. If the data is being transmitted from Wearable to smartphone, the user has to agree to two EULAs after having read and understood them. If the data is being forwarded to server, then it’s more than two EULAs, read and understood. Every transfer carries the risk of data leakage.

That ist he exact thing the vendors protect themselves against. That, and against data leakage in memory. In the Privacy Policy of the smartphone app Moves it states:

However, we cannot guarantee the security of your data, which may be compromised by unauthorized entry or use, hardware or software failure, and other factors.

Moves isn’t alone with these sentences that, legally speaking, are some sort of Get out of Jail Free_-card to mistreat the user data and are against national and international data privacy laws anyways. Other vendors try to stay vague as well. The privacy statement of “Body Media”: http://www.bodymedia.com that got bought up by Jawbone Up promises that the vendor aheres to all _Best Practises of Data Security. FuelBand’s manufacturer Nike gets more precise:

All credit card information you supply is transmitted via Secure Socket Layer (SSL) technology and then encrypted within our databases.

«Biometrische Data is not Personal Information»

The most negligent, but also the most honest, company that appeared during research is OMSignal, the manufacturer of a shirt with integrated sensors.

OMsignal does not consider your biometric data to be personal information and this data may be used as de-identified data for any lawful purpose as detailed below [on the website].

Among the details listed are the export of the data to third parties, which requires reading and understanding yet another EULA. The reading and understanding of the EULA is up to the users themselves and is not getting checked by OMSignal.

Nike also takes liberties with user data. On its website, the manufacturer of sporting goods advertises that the wearers of the FuelBand have collectively taken 85 billion steps and thus burned 12 billion calories. The website is counting automatically.

Data Is More Sensible than Just a Photo

From an expert’s point of view, it’s also disconcerting that the data recorded by a Wearable can in most cases be shared on Facebook or as pictures on Instagram. An example:

After filling out his profile of his new Wearable, a 50 year old man from Switzerland gets up at least twice every night. The Wearable on his wrist records the following:

• Sleep interrupted.
• Short distance walk
• Short time of no movement
• Short distance walk
• No more movement
• Sleep

Experts know what this means: The man gets up, goes to the toilet and goes back to bed again. But that’s not where the data correlation stops. With some certainty, the following things can be stated with some certainty:

• The exact location of the man due to GPS data
• Bedroom and bathroom can also be deducted from the GPS data.
• The man most likely has issues with his prostate, even if he’s not aware of it himself.

If the vendor sells the data to third parties, it’s suddenly entirely possible that a user gets mails with content like:

Hi, we’ve found out that you get up several times every night and go to the toilet. Do you have prostate issues? Here’s a list of the best products that could interest you.

A case like this actually happened, where supermarket chain “Target”: http://www.nytimes.com/2012/02/19/magazine/shopping-habits.html?pagewanted=1&_r=2&hp& figured out a teenage girl was pregnant before the father of said girl knew.

Dealing with Always-On Devices

The crux of Wearables is this: They don’t sleep and they’re recording 24 hours a day. If the wearer takes them off, the data is being falsified and thus becomes useless.

This situation raises questions, for customers, developers and manufacturers alike.

• Where is the data stored? Does it stay on the computer or are they being transmitted to a remote server? Every transfer raises the risk of leakage.
• How is the data being transmitted? Which technology is used? How secure is it? Is there encryption?
• How is the data being processed? Is the data being looked at by humans or are only machines analysing it? Can a user do this on their own or do they need assistance from man or machine?
• How is the data being displayed? If the data is only on the Wearable, then the risk of theft and manipulation is relatively small, because there just aren’t that many attacks to perform. If the data is being transmitted to a web application – thus being displayed in a web browser – then there are many ways an attacker could get to user data.

Leaving pondering these questions and answering them up to the customer doesn’t make a lot of sense, from neither the perspective of the customer nor that of the developer. A decision made from a point of expertise can’t be left to a consumer. Besides, careful handling data creates a lot of advantages for a business. Most importantly: The user’s trust is far more likely to be gotten and thus they are far more likely to buy more products.

About the Author

Dominik Bärlocher has been working with IT subjects since 2006. The journalist relied on his affinity for all things IT during his tenures at news papers and benefited from it. At scip, he conducts OSINT researches and is an expert at information gathering.

Links

• http://www.facebook.com
• http://www.instagram.com
• http://www.jawbone.com
• http://www.measuringusability.com/blog/eula.php
• http://www.omsignal.com/pages/privacy-policy
• https://secure-nikeplus.nike.com/plus/
• https://www.moves-app.com/privacy