Wearable Technology and Fitness Trackers: Navigating the Privacy Maze

November 22, 2023

INTRODUCTION

In a global survey of fitness trends, wearable technology has been topping the charts since 2016; while this is a positive display of growing concern for physical well-being, it paints a much less rosy picture when the resulting blatant violation of data privacy comes to the fore.

Before delving into the possible misuses of these devices, it is pertinent to note the strides they have made possible in personal well-being. Smartwatches have tracking technology that monitors heartbeats automatically, all day, during workouts and beyond. This perpetual tracking lets wearers document heart rhythms that could be of use to individuals and doctors alike.

The readings from smartwatches may not be as accurate as those of an electrocardiograph (hereinafter “ECG”) or blood pressure (hereinafter “BP”) machine, but they are still useful in other ways, such as sending alerts in case of accidents or a sudden rise or stop in heart rate. There have even been instances where smartwatches sent timely alerts about fluctuations in heart rate leading up to heart attacks, and the wearers were able to reach help or a hospital before the symptoms could start, which ended up saving their lives.

It is essential to inform, and educate, wearable technology users that health and wellness data and medical information may be difficult to differentiate since these devices often track these variables within the same application.

DATA COLLECTION BY WEARABLE DEVICES

There are primarily three types of Machine Learning algorithms:

a. Supervised

b. Semi-supervised and

c. Unsupervised

Supervised learning algorithms are trained on fully labelled datasets and can then make predictions about new data on the basis of what they learned from the previously fed data. Supervised learning is mainly applicable to the classification of a discrete class problem.

Unsupervised learning algorithms process unlabelled data and find patterns and relationships from them. Data collected from mobile-based activity recognition applications are commonly defined as unsupervised.

Smart environments integrated with a set of sensors generate heterogeneous data in terms of both semantics and format. An Artificial Neural Network (hereinafter “ANN”) based classifier performs well in real-time gesture identification using Inertial Measurement Unit (hereinafter “IMU”) data inputs. To extract movement data from a sensor-enabled smartphone, pattern recognition algorithms are used. Human motion detection and categorisation from IMU sensors have been used to aid in sporting activities. Wearable devices use such unsupervised algorithms and make decisions based on the patterns in such data.

The data collected by wearable smart devices may differ depending on the features, model and brand, but the following is a list of the data most widely collected:

1. Biometric and Wellness Data:

  • Heart rate
  • Blood pressure
  • Blood oxygen levels (SpO2)
  • Electrocardiogram (ECG/EKG) data
  • Stress levels
  • Respiratory rate
  • Body temperature
  • Menstrual date

2. Physical Activity and Fitness Data:

  • Step count
  • Distance travelled
  • Calorie expenditure
  • Sleep patterns and duration
  • Skin temperature variation
  • Accelerometer data for movement detection
  • Gyroscope data for orientation tracking

3. Environment and Location Data:

  • GPS tracking for movement and exercise
  • Location history for fitness and navigation features
  • Temperature
  • Altitude
  • UV exposure
  • Air Quality Index

4. Social Interaction and Audio Data:

  • Voice commands for voice-activated devices
  • Communication logs (calls, messages)
  • Social media activity (depending on integrated features)

5. Personal and User-Generated Data:

  • User preferences and settings
  • User-generated notes and comments

6. Device Usage Data:

  • Usage patterns (e.g., screen time, active hours)
  • Battery usage and charging patterns

PRIVACY CONCERNS REGARDING WEARABLE DEVICES

In the healthcare industry and its surrounding policy and regulatory bodies, Electronic Health Records (hereinafter ‘EHR’) technology is used as a major asset for sharing health data among the triad of health policymakers, healthcare providers, and patients. It gives patients access to their own health information and diagnosis, involving them in collaborative interaction with care providers.

The case of Fitbit is worth noting at this stage. Fitbit, founded in 2007, was one of the earliest companies focusing on smart device technology and was the first to see commercial renown with its wearable smartwatches. However, it was eventually acquired by Google in 2019, leading to privacy concerns over the data of the millions of users who had already bought the devices prior to the acquisition.

Data has become the most valuable resource for finance, SaaS and tech companies. A new owner could have different data policies and attempt to exploit user data by selling health information to advertisers, insurance companies, and others. Interestingly, Fitbit has disclosed on its official website its plan of action for integrating Google Maps and Google Wallet into its smartwatches. Google Wallet Bank would be available in limited countries, and the select Fitbit products would not be intended for use by people under 22 years old or with known Atrial Fibrillation.

Electronics Health Records (2016) and Standards of India by Department of Health Family Welfare, Ministry of Health & Family Welfare, describes Data Ownership of Health Records.

Under the clause of Denial of Information, the healthcare provider will be able to deny information to a patient, representative or third party, in contravention of normal regulations, if in the opinion of a licensed healthcare professional the release of information would endanger the life or safety of the patient and others. This will include, but not be limited to, the following:

  • Information obtained from an anonymous source under a promise of confidentiality
  • Psychotherapy notes
  • Information compiled for civil, criminal or administrative action

Besides the risk of data being unethically integrated to create digital profiles of the users, wearable devices also run the inherent risk of data breaches through black-hat hacking. The risk of data breaches is a significant concern, as unauthorized access to health and activity data could lead to identity theft or other malicious activities.

Most fitness trackers and smartwatches can be connected to a phone via Bluetooth. This means that potential security loopholes could allow hackers to access the user’s information. Thus, there is no need to even hack the device: the malevolent party need only detect the Bluetooth frequency and send back a signal to the user’s smartphone to guess their PINs.

Cracking PIN codes is not that difficult for modern hackers; once a PIN has been deciphered, the third party can gain access to all the crucial data that the device has collected, as well as the additional data on the user’s phone that is paired to the smart device.

SECURITY MEASURES IN WEARABLE TECHNOLOGY FOR USERS

Aware of the huge potential for extremely private data to be leaked through their smart devices, manufacturers have brought in some security measures to minimise the potential for data breaches through the following methods:

  • Wearable devices often rely on secure pairing mechanisms with companion apps on smartphones. This ensures that only authorized devices can connect to each other, preventing unauthorized access.
  • Periodically review the apps connected to your wearable device. Remove any apps that you no longer use or trust, as these can pose potential security risks.
  • Monitor your device for any unusual or unauthorized activity. Be vigilant for signs of unauthorized access, such as unfamiliar devices connecting to your wearable.
  • Be selective in enabling location services on your wearable device. Only allow access to location data for apps that genuinely require it, and turn off location services when not needed.

AMLEGALS REMARKS

Wearable devices nowadays are used by people from almost all age groups from children to aged persons. Due to the culture of excess around smartwatches, many people have shifted from standard watches to smart devices without the appropriate awareness or even requirement for the same but rather to flaunt such expensive and feature-rich watches.

Users must be made aware of the potential risks of owning such extremely sensitive smart devices and thus should be encouraged to only use those models of electronic devices that serve the purpose of their needs and requirements.

As wearable technology continues to evolve, it is essential to strike the right balance between technological innovation and privacy preservation which can only be ensured by collective collaboration between manufacturers, regulatory bodies, and users.

By fostering awareness, implementing best security practices, and advocating for transparent data practices, users can enjoy the benefits of wearable devices while mitigating potential privacy risks, and an era of responsible use of personal information can be ushered in.


For any query or feedback, please feel free to get in touch with dataprivacy@amlegals.com or tanmay.banthia@amlegals.com or mridusha.guha@amlegals.com
