In this article, we are going to talk about wearable devices and privacy. In my opinion, this is a heavily underrepresented topic, with exponentially growing importance in today's technology landscape. New devices are launching almost every week on Kickstarter and IndieGoGo and to top that off, in September 2014, Apple and Intel both announced their first important steps in the wearables market. Before you start using a wearable device, here's what you expose yourself to in terms of data privacy.
A Regular Person's Perspective
As part of my newest projects using wearables, I am talking to US consumers about their awareness and concerns with the latest gadgets. Almost every time, I hear that they are worried about how the data from their wearables might be used. Let me give you a few quotes:
- Alex: "These days, you give up personal information for each new downloaded app."
- Jacob: "I did not know that the device makers own my data. That feels like an invasion of privacy."
- Gregory: "I am reluctant to share my personal information with someone who does not know me."
- Michael: "It bothers me that my health info is not fully controlled by me."
So why are these people concerned? For one thing, avid technology users are familiar with the phrase: "If you're not paying for something, you're not the customer; you're the product being sold". It was initially coined here but today we are facing a whole new model. Not only are we paying for these devices, but the data extracted from them is being anonymized, aggregated and sold to third parties who are willing to and able to extract insights from it. In some contexts, the data is being used to power corporate wellness programs in huge corporations like British Petroleum. To me, this isn't surprising at all. I consciously make a choice to share my data with the device maker for some benefits like sleep analysis, or longer term reporting capabilities with my data. But I am a power user, who is very much into the quantified self movement and is able to derive a good chunk of benefit out of getting the measurements. The main question here is, however, is it worth it for the average person?
What Is A Privacy Policy?
"A privacy policy is a statement or a legal document (privacy law) that discloses some or all of the ways a party gathers, uses, discloses and manages a customer or client's data." (source: Wikipedia). I currently wear 7 fitness trackers, each with its own privacy policy:
-
Pebble Steel Watch, here's the Privacy Policy.
-
Basis Carbon Steel B1 Watch, here's the Privacy Policy.
-
FitBit Flex, here's the Privacy Policy.
-
Nike Fuelband, here's the Privacy Policy.
-
BodyMedia, here's the Privacy Policy.
-
Jawbone UP, here's the Privacy Policy.
-
Misfit Shine, here's the Privacy Policy.
Why do I do that? Well, for multiple purposes. One is for to able to experiment with data differences between them (yes, don't act surprised — most of the time they will not give the same results). Another is to understand better which are the pros and cons for each of them, on myself. I have reviewed the privacy policies for all of these devices. Let's see what I found out:
The Common Themes I Have Found
The common themes among all the privacy policies are somewhere along the following lines: Your data is owned by them. Surprisingly enough, only BodyMedia actually has the balls to state this up-front (buried somewhere in legalese, of course): "All data collected including, but not limited to, food-logs, weight, body-fat-percentage, sensor-data, time recordings, and physiological data (collectively, the "Data"), are and shall remain the sole and exclusive property of BodyMedia". However, all devices sync their data to the maker's services first, and then to your mobile phone application. This ensures two things:
- They see the data before anyone else does.
- You cannot directly fetch the data from the device without going through them.
Actually, the 2nd point is not entirely accurate. There have been disparate attempts at liberating the data from these devices and accessing it directly, such as libfitbit. However, they are not easy to use as a non-programmer, and for people who are extremely careful about their privacy, this makes the devices a no-no. If forced by a warrant or by business interests (M&A / bankruptcy / trade secrets protection), they will share your data with third parties. This means that effectively, they will not fight that hard if they get a FISA court order to surrender your data, and you get this warning up-front. I think this is honest, because, let's face it, as a business, you can't do much to fight the government's policies, even if you disagree with some of them. They will share aggregated, anonymized data with third parties for market research and research purposes. Note that 5 of 7 even use the word "sell" in sentences related to data sharing. That comes into 2 flavours: either "we do not sell personally identifiable data collected from you" or "ACME Inc. can sell anonymized data to third parties". How in the world could this data be useful to marketers? Read below in the dedicated section to find out. Next, I will highlight some specifics for each vendor's privacy policy that seemed interesting to me.
The Privacy Policies Used By Jawbone UP & Nike & Misfit
Jawbone UP, Nike Fuelband and Misfit Shine were the most disappointing. They have general privacy policies that do not mention wearables data in any specific way. They have all the cookie tracking and "web beacons" (tracking pixels) language, but nothing related to the data itself. I have reached out to all 3 companies on Twitter and will update this article if I receive something of value. Note that even if I did not manage to find the correct Privacy Policy on their website, it's still worrisome that a computer programmer with 8 years of experience cannot do that in a reasonable amount of time. What's even more interesting, is that all three companies have automated ways for developers to pull in your data, with your approval, of course. In programmer parlance, this is what we call an API (Application Programming Interface). So there are people out there developing apps on top of my data, but I cannot easily find how my data is being stored and processed, at least by the device maker. Ouch.
Pebble - A Positive Example
I like Pebble's privacy policy the best. It contains a simple summary at the top, meant to get you a quick overview of the legalese that is to follow. However, reading it I saw no reference to biometric data collected by the Pebble. Yes, Pebble has an accelerometer and there are a bunch of applications using it for fitness and sleep tracking in their store. But the official application only has productivity functions such as notifications. This puts them in the sweet spot of delegating responsibility for the biometrics data to the third party application developers and their own privacy policies.
BodyMedia & Their Privacy Policy
The thing I like about BodyMedia is that they are upfront with their users: "The system uses an armband activity-monitor which records "armband data". You may opt-out of armband-data recording at any time, for any period of time, by not wearing the armband." So either you find a good enough benefit in using our device, so that you are willing to share your data with us, or you don't and we don't really want to waste each other's time. This can also be seen in their pricing strategy, since they are the only ones on the market that charge you ($7 per month, after the first 6 months for free) to see your data in their dashboard. I found that a lot of people (even from the US) disagreed with this, even if it's a very small price. In my opinion, the best use-case for the BodyMedia is weight loss and weight maintenance. And that is how they market themselves on the front page. To me, that is valuable enough that I would share my data with them. It has a major impact in my day to day life. They are also the only one to mention that there might be situations where you will agree to share your data with a third party, for a perk of, say, receiving the device for free. This happens in real life, in some companies that are running corporate wellness programs with these devices.
Basis & Their Privacy Policy
I find it interesting that Basis keep insisting that they do not correlate your biometrics data with who you are, what you are talking about or where you are. I personally find it much creepier for someone to know my sleep patterns than to know where I am. Besides, the cell phone towers, the cell phone company and thus the government already know where I am. So I don't have any issue with that. True story with Basis: when I was getting my US visa, and just entering the embassy in Bucharest for the interview, the guards obviously told me to leave my belongings and electronic devices at the entrance. I was curious if they would let me through with the B1 watch — but then they asked: "Is that thing Bluetooth enabled?". I grinned and took it out.
Fitbit Flex & Their Privacy Policy
Fitbit is the champion in terms of the number of units sold and I paid quite a bit of attention to their privacy policy. What shines about their privacy policy is the enumeration of the interactions with them and what data gets recorded in each case: when you sign up, when you sync your data, etc. I would say that is also due to their extensive penetration in the corporate world and the need to be more transparent with their data policies when making big deals like that.
What About Third Party Apps?
What about them? You cannot really control what they do with your data, since most development shops behind them are a one-man show (or well, a several-person team working in their pajamas :D). Yes, they are responsible for the safeguarding of your data, but probably that will not be the number one priority on their list. That's both a good thing, and a bad thing. It's good because they are focusing on making that data useful to you. You know, the wearables industry has a huge retention problem. According to a Endeavour Partners report from January 2014 ("Inside Wearables: How the Science of Human Behavior Change Offers the Secret to Long-Term Engagement"), at least 50% of people stop using an activity tracker completely after no more than 18 months. And that does not take into account that most people only use them occasionally (for example, only to measure their workouts). It's bad because we are all concerned about who receives our personal information and how safe it is there. To be honest, at this point in time, you would have to go naked to a secluded island and hide in a cave to stop data collection for yourself. It's really really hard, and I'm not sure if the benefit is worth it for the average person. Getting back to the engagement problem: this has prompted the device makers to respond in a very interesting way. Most have shifted towards fashion (the only objects you wear on your body that have no function) and productivity (the new wave of smart watches, all of which have built in notifications). In my opinion, these are just strategies to keep them on your body just a little longer, until they figure out what to really do with your biometrics data. But everyone is ignoring third party apps almost completely in this play. They are essential to the long term retention that the device makers want from us. They are essential for finding insights in the data that are good enough to benefit us. You know, the device maker companies have limited bandwidth and the recent wave of acquisitions has shown that it's not sustainable to do it all. Yet, us, as consumers, are very skeptical of sharing our data with them. I think that at this point, sharing your data is just like sharing your business idea: some people will be afraid to share it, but they don't realise that most other people are not even interested (or don't have the time) to look at it in the first place.
How Could Marketers Use Aggregated Wearables Data?
Above, we mentioned that most of the privacy policies mention aggregated data being sold to marketers in an aggregated form. Are you still wondering how the data might be useful to marketers? Jawbone started to give us the first hints about that in its series of reports on sleep. A few obvious use-cases that I can think of are:
- Use the data to know which demographics need sleeping pills (or related products) more. Then create campaigns for them.
- Use the data to determine when it is more effective for content producers to deliver some relevant piece of content to them. I guess TV show owners never knew if I was really watching their show or just dozing off. Now they still won't know, but at least they will get a pretty good idea from a statistical point of view.
- Find out which demographics are more active, and show them more ads related to sports products (for example, protein shakes).
However, these use-cases clearly need a constant flow of data into the systems of the device makers. And data with gaps and inconsistencies is very hard to process, trust me. But without some good privacy policies that would convince the end-users to trust the device makers more and some strong support for the 3rd party app developers from both sides, I do not see this taking off the ground. And the sad part is that wearables can have a huge impact on your life.
Conclusions
First off, I think the situation of the wearables data is quite tangled at this point. I see concern at all levels, starting from the actual consumers that I interviewed and ending with big companies. However, it will take a while until this gets sorted out, and this is probably the reason for Apple's Health application and underlying government-approved data storage. We can see similar initiatives from other players as well. I think that most device makers are struggling with more pressing issues right now and there is ample evidence for that. Lack of longer term engagement is preventing them from properly monetizing the data they are collecting and thus from having a sustainable business model. What, you thought that the margin from selling the hardware device will be enough to keep them in the business? Maybe, but probably only for the high-end ones such as the MotoX or Apple Watch. My last point is that a lot of consumers are buying them or want to use them because they see them around, being used by friends or coworkers, but they do not really understand their benefit. While this was enough to drive smartphone adoption, that was because the smartphone was also a phone. But these devices have an unprecedented functionality, that nobody is really sure is useful. Failing to see the benefits makes consumers concentrate on privacy instead of functionality. In my opinion, that is a very bad sign for a product. We all know GMail is sharing our data with the government, but the functionality is so good that most of us still see an added benefit to using it.