You’re no doubt acquainted with the Internet of Things and the novel privacy issues it raises. But have you heard of the “Internet of Bodies”?
The term was coined by Andrea Matwyshyn, a law professor at Pennsylvania State University, and adopted by the Rand Corporation as the title of a report it issued last year. IoB can be viewed as a subset of the IoT universe and involves, in Matwyshyn’s words, “using the human body as a technology platform.”
IoB devices encompass everything from heart pacemakers to Bluetooth-enabled cochlear implants to (coming soon) smart pills that, upon being swallowed, can monitor your gut microbiome. But the fastest-growing market segment is health trackers, such as the Fitbit, that are being sold directly to consumers.
I’m a member of the band of so-called “biohackers” who have gone down the rabbit hole of strapping various devices to their bodies to monitor and influence their activity levels, sleep patterns, heart rate variability and other biomarkers. But despite being a privacy lawyer, I’ve paid scant attention to how these devices are using my personal data. Until now.
The potential privacy hazards of using IoB devices are obvious. Health-related data is among the most sensitive personal data there is. It is also among the most valuable. Knowing an individual’s health status would provide a gold mine of information to marketers from insurance companies to purveyors of food supplements. And yet consumer-focused IoB devices are generally outside the scope of the protections afforded to health information under the U.S. Health Insurance Portability and Accountability Act since there’s no “covered entity” in the picture.
That means — at least in the U.S. — IoB device users must rely for privacy protections upon the commitments made by IoB device providers in their privacy policies. Even California’s stringent new privacy law, the California Consumer Privacy Act, doesn’t give health information any special status (HIPAA-protected health information is excluded from CCPA coverage).
Below, I dive into the privacy practices of three IoB devices I’m currently using, with a focus on what I consider to be best practices in the IoB space. My own devices are:
- The Oura ring, a sleep and activity tracker.
- The Amazon Halo, which measures body composition and monitors “tone of voice,” along with tracking sleep and activity.
- The Levels Health glucose monitor, which purports to measure metabolic health by tracking glucose levels.
Does the privacy policy declare its commitment to your privacy?
This one is a gimme because it is a rare privacy policy that doesn’t at least gesture in the direction of upholding privacy — often right before describing all the ways your data will be monetized.
- Oura: At Oura, they “take data protection seriously.” Good to know!
- Halo: Amazon assures us Halo is “built with multiple layers of privacy and security features to keep your data safe and in your control.” We’ll see.
- Levels: Levels “takes privacy extremely seriously.” Levels upped the ante by throwing in “extremely.” But it takes some digging to locate its privacy policy.
Is the privacy policy clear as to what data is collected and how it is used?
- Oura: Oura’s privacy policy does a good job of describing exactly what data gets collected and assures users that personal data is only used to provide the service. Aggregated, non-personally identifiable data can be used to improve the application quality. Advertising won’t be delivered to users unless they explicitly consent.
- Halo: Amazon is thorough in describing (in plain English) its data collection and use practices. Amazon has drafted a separate white paper that goes into additional detail about its privacy practices, in particular, regarding voice tone and body composition data.
- Levels: Personal data collected is used solely to provide the services, although Levels may offer “related or additional products and services.”
Does the privacy policy limit the sharing of personal data?
- Oura: Personal data is only shared with third parties to enable the service and with appropriate contractual commitments in place.
- Halo: Sharing with third-party programs only happens if the user deliberately chooses to link to those programs.
- Levels: Levels may provide personal data to its service providers but only if their privacy commitments are equivalent to those of Levels and only to provide the Levels services.
Is personal data permanently deleted when the user ceases using the device?
- Oura: Oura won’t keep data longer than necessary to provide the services, and backups are deleted every six months.
- Halo: The user can delete data at any time. Voice tone data is only processed on the phone (never makes it to the cloud), and body scan images are processed in the cloud and then automatically deleted.
- Levels: Fails to address data deletion at all. Not good.
Does the privacy policy provide the user with adequate options?
- Oura: As a Finnish company subject to the EU General Data Protection Regulation, Oura is careful to spell out all of the GDPR-guaranteed rights of data subjects.
- Halo: Amazon is strong on options, providing the user with the ability to delete data and turn off functions in the settings.
- Levels: The user can opt out of sharing data with Levels.
Is personal data kept secure?
- Oura: Oura’s security language tracks the GDPR requirements, and Oura assures users that it uses encryption, pseudonymization and access right systems as appropriate.
- Halo: Amazon says all Halo customer identifiers are one-way hashed with a secret key to ensure no linkage between stored health data and a particular customer. Impressive. Amazon further assures users that it uses “rigorous security protocols,” including encryption.
- Levels: Levels promises “a controlled, secure environment, protected from unauthorized access, use, or disclosure” but then spends equal time talking about how security can’t be guaranteed.
How can the privacy policy be changed?
- Oura: Oura won’t make substantial changes without prior notice.
- Halo: Oddly, not addressed.
- Levels: Levels can modify its privacy policy “at any time” simply by posting an updated version of its privacy policy on its website, so the user must check for updates. Not sufficient, in my view, when it comes to health data.
Having reviewed these privacy policies, I feel pretty comfortable in continuing to use my IoB devices (although the Levels privacy protections could use some bolstering, and I intend to voice my concerns with the company). Understandably, not everyone will share my comfort level. The Mozilla Foundation, for instance, has declared the Amazon Halo to be “the creepiest fitness tracker we’ve seen yet,” and reviews of the Amazon Halo prompted U.S. Sen. Amy Klobuchar, D-Minn., to send a letter of alarm to the Department of Health and Human Services (never mind that HHS has no regulatory jurisdiction over the Amazon Halo).
One thing is certain: Consumer-focused IoB devices will continue to proliferate, and it will be “buyer beware” unless state or federal legislatures decide to step into the fray. In the meantime, if you’re an IoB device user, read those privacy policies, and if you’re a privacy professional, make sure your clients in the IoB arena are providing adequate, accurate and reassuring privacy disclosures.