Protecting against the misuse of data from wearables

As consumers we gladly gobble up devices that track our personal information, whether it’s running time, pulse, how healthy we are, sleeping patterns or what excites us. Many of us do it without a moment’s thought, entrusting our private data to numerous software applications, device manufacturers and the internet.

“This data collection is necessary in order for the devices to be able to perform the functions they were designed for,” says Garry Partington, chief executive of RealityMine and chairman of mobile app developer Apadmi.

“Wearables require data to gain insight into how people are engaging with the technology and how the user experience can be enhanced. Fitbit, for example, collects data on the user’s health levels, and uses it to improve its algorithms and provide better personalised fitness programmes.”

Security threats

occaisions-when-wearable-devices-are-worn-each-dayHowever, Sian John, Europe, Middle East and Africa chief strategist at cyber-security firm Symantec, warns: “As the internet of things takes off, companies are building gadgets that connect to the internet without considering the potential security threats.”

A bracelet might talk to your phone, which talks to your computer to record your movements, which then sends this data to a third-party computer that analyses your behaviour and gives you lifestyle recommendations. Each point of contact represents an opportunity to exploit any vulnerability and the data is only as secure as the weakest link in the chain

These systems are not only vulnerable to an attack, they also lack notification methods for consumers and businesses when vulnerabilities are discovered. Ms John says: “Even worse, they don’t have a friendly end-user method to patch these new vulnerabilities. Given this, we are going to see new threats in ways in which we’ve never seen before.”

Wearable tech providers are thus balancing the demand for constant innovation and battery efficiency with device security. Serge Huber, chief technology officer and co-founder of digital customer management platform Jahia, says: “The wearable market is booming, but there is a pervasive concern in that consumers are not fully aware they are being tracked from a data standpoint via their device. Even more, third-party apps may be accessing their information and, all too often, the organisation which contracted the third-party apps does not know what is happening with that data.”

The particular sensitivities which surround wearable tech arise from the fact that much of the data being collected is of a very sensitive nature, for example health and location data.

Mike Llewellyn, associate at international law firm Olswang, identifies two concerns: “Firstly, where categories of data are being collected which are not strictly necessary to perform the functionalities of the wearable, and secondly, where companies use data that’s required for performing the functionalities of the wearable for other means, including their own commercial purposes, as well as making this data available to third parties.”


Consumer awareness

From a legal perspective, Mr Llewellyn says: “It’s important to ensure the consumer is aware of the categories of data that are being collected, how it’s being used and the extent to which these are necessary.” This, he says, empowers the consumer to make informed decisions about their data.

But there are guidelines. Wearable devices must comply with UK data protection laws, such as the Data Protection Act. This means that only relevant data should be collected, and this information should then be stored securely and deleted when no longer required. Companies developing wearables must also be transparent with users about what type of personal detail will be gathered and how it will be used.

Competing interests need to be balanced, which can be hard when collection and monetisation of data is a crucial aspect of the business model that supports the wearable tech industry

“The ICO [Information Commissioner’s Office] labels ‘personal’ data as anything that can be used to identify an individual, and companies that hold such details face fines of up to £500,000 from the ICO and criminal prosecution if this information is breached or lost,” says Mr Partington. “To avoid facing these serious consequences, companies must ensure they are collecting and processing data in line with the legislation, and have processes in place to keep their customer’s information safe.”

Kolvin Stone, a partner in the technology companies group at international law firm Orrick, warns: “While consumers do have strong rights, these are not absolute and wearable tech companies may use data for their legitimate interests. These often competing interests need to be balanced, which can be hard when collection and monetisation of data is a crucial aspect of the business model that supports the wearable tech industry.”

Mr Huber says it simply comes down to honesty. “Organisations need to be transparent with consumers about what information they have about them, how they plan to use the data and also give the consumer the choice of opting out of any data collection or even better give them some sort of control over it,” he says.

“Gaining their trust in these data exchanges will actually become a competitive advantage and major differentiator as we enter the new phase of more personalised experiences. The best experiences are based on trust, transparency and professionalism, so it is no longer acceptable to sacrifice the privacy of consumers, hoping they won’t notice it.”