Privacy & Wearables - What Your Health Devices Are Doing With Your Data

Wearables, smart devices, sleep trackers.. whatever you want to call them they are extremely popular.

These revolutionary devices empower the user to learn more about their health, sleep, recovery and activity. And in turn make adjustments to improve their health and performance.

Personally I have been using my Oura Ring for many years now, I have even written about the profound benefits that these smart devices have on my health.

But in a hyper-connected world, where all your gadgets, phones and wearables are interconnected, what actually happens with all this data?

Can anyone access it? What can they do with it if so?

I wanted to find out the answers to this questions. So I reached out to a privacy expert who also has a great passion for biohacking!

Below Joel Latto has shared a guest blog on wearables and privacy. I hope you enjoy it as much as I did and feel free to leave any questions for Joel in the comments section below.

Joel Latto - Biohacker and privacy advocate from Finland. Personal goal is to make security and privacy enough to be a topic of discussion at grandma's coffee table. Read his blog at www.JoelLatto.com.

Wearables & Privacy - What You Need To Know

In the heart of the self-quantification movement is the collection and analyzing of data.

When it comes to data in general, there’s next to nothing that comes even close to how personal and private our health data is. Great news is that the selection and technological capabilities of wearables and other self-quantification gadgets have increased rapidly in the recent years.

But unfortunately, it seems that neither us biohackers nor the companies making these wearables have properly considered the privacy implications of this type of health data collection that’s happening on an unprecedented scale.

I’m not here to lecture you about the importance of privacy, but let’s just say that “I have nothing to hide” is not even a relevant argument.

What our community and companies in this space are lacking is the basic education and knowledge sharing about health data privacy, most importantly about data collection and handling practices. To start the discussion on this important topic, Alex gave me the opportunity to dig into the privacy policies of wearables companies favored by the biohacking community, and to present you the findings on his platform.

To make this comparison plausible, I narrowed it down to two rings

Oura (May 17, 2019)
Motiv (November 14, 2018)

and three wristbands

I've also included a link to their privacy policy and the dated version.

Despite different form-factors, when it comes to privacy, this should still be an apples to apples comparison. My intention was also to include Garmin, as they provide an impressive line-up of fitness focused smartwatches, but it seems like their privacy policies are bit different depending on the device, so comparison would’ve been extremely hard.

Regardless of the specific device you own or are thinking about purchasing, the learnings presented in this article should still provide a good baseline for what to look out for.

What Data Do These Wearables Collect?

Generally speaking, all these companies collect the same four types of data:

data from your purchase and account creation,
data of your use of the service,
data you provide indirectly,
and finally data about you from third parties.

Two first categories are give up by the user. As for any sleep, wellness or fitness tracker to work, you have to input your health data either manually or automatically.

However, most folks don’t realize that these devices also collect data that you provide indirectly. For example, this can include information about your mobile device, access logs, location information (even when not tracking workouts with GPS function of the wearable) and other type of metadata. To provide some context, here’s one interesting sentence from Biostrap’s policy:

“We may also share your device’s physical location, combined with information about what advertisements you viewed and other information we collect, with our marketing service providers to enable them to provide you with more localized content and to study the effectiveness of advertising campaigns.”

Important thing here to take in consideration is that all other manufacturers except Oura are combining their device, service and website privacy policies into one document. Depending on the terminology they use, it can be difficult or impossible at times to specify which of the three components the policy is addressing with certain sections. I did try my best to filter out website specific paragraphs to make the comparison as fair as possible.

Also, out of all these companies, Oura seems to be the only company that doesn’t pull data from third parties to build a more detailed profile of you.

An example of what this third party data pull can be seen in Motiv's policy:

“…if you create or log into your account through a social media site, we will have access to certain information from that site, such as your name, account information and friends lists, in accordance with the authorization procedures determined by such social media site.”

Same is true for every service that you login with your social media account. Only Whoop seems to receive some data from third parties that’s directly related to marketing:

“We receive information about you from some of our service providers who assist us with marketing or promotional services related to how you interact with our websites, applications, products, services, advertisements or communications.”

On the other hand, Fitbit collects data from employers and insurance companies, who in turn offer Fitbit’s services to their employees and customers. Biostrap operates similarly with their Remote Monitoring Program, as is expected.

So, in an essence, you shouldn’t worry too much about these wearables companies using third party data about you, but instead be more focused on whether or not these same companies are sharing your health data with third parties.

Are They Selling or Exchanging Data With Third Parties?

There are three main reasons why these companies might want to share your data to third parties:

For legal reasons or to prevent harm. Depending on the laws and regulations of the country they are operating in, companies have to share data in order to comply with search warrants, court orders, subpoenas or other government request.
In case of merger or acquisition of the company, all data that they have – including your personal data – will be shared with third parties. Here’s a fun thought exercise: what happens to your personal data if the company you’ve been sharing it with goes out of business?
All of them except Whoop share aggregated data - so not Personally Identifiable Information (PII) - for research purposes and such. If the data is properly anonymised and aggregated, I’m all for this type of sharing! Here’s how it’s disclosed:

Biostrap & Fitbit (word-for-word with exactly the same phrasing):

“We may share non-personal information that is aggregated or de-identified so that it cannot reasonably be used to identify an individual. We may disclose such information publicly and to third parties, for example, in public reports about exercise and activity, to partners under agreement with us, or as part of the community benchmarking information we provide to users of our subscription services.”

Motiv:
“We may also share aggregated or anonymized information that does not directly identify you, including to provide research, reports and analytics about health and fitness, for marketing and promotional use, for providing premium services, and for sale to interested audiences.”

Oura:
“We may aggregate and anonymize data collected via the application. Such data will be anonymous and cannot be connected to an individual User, therefore no longer qualifying as personal data. We may use this type of anonymous data for analytics, statistics, research, communications and PR purposes as well as for trend detection and for benchmark data.”

All of these companies share data with third parties if you choose to log in with a social media account or otherwise share data to social media platforms. This should go without saying, but perhaps it’s good to remind you of the fact that tech giants such as Facebook do collect quite a bit of your data in exchange for providing you the option to log in with your Facebook account.

There weren’t a lot of red flags in terms of third-party sharing in these privacy policies, but this paragraph from Biostrap, found under “For external processing”, caught my eye:

“When you submit your Personal Information, you also provide us permission to use your Personal Information to contact you by email, telephone, cell phone, direct mail, or text message about certain offers made available by us or third parties that we believe you might be interested in based on information you have provided to us.”

Whoop also mentions sharing your personal data with “ad networks”, but my guess is that this is related to website cookies and not actual health data from their devices. Impossible to say for sure, as their website and device privacy policies are one and the same. Same is true for Motiv as well.

Data Retention - How Long Are They Storing Your Data

In the age of GDPR, I was surprised to see quite a bit of differences in data retention policies between these companies. It’s best to provide just a short summary of each:

Biostrap and Fitbit delete your data within 30-60 days after request, but they also “keep information about you and your use of the Services for as long as necessary for our legitimate business interests”.

Motiv doesn’t disclose this information at all.

Oura doesn’t store personal data “longer than is legally permitted” and they delete backups within 6 months.

Whoop will store data after account deletion, but “not in a way that would identify you personally”. They use this apparently to improve their algorithms.

If you’re a citizen of the EU or the EEA, you do have some additional rights regarding data erasure, thanks to GDPR. I've shared a few words about that at the end of this article.

Other Things Worth Noting

Biostrap has two privacy policies, one on their US site (which is what I have used for this article) and one on EU site. However, it seems that the EU version covers mostly just their website, NOT the products or associated services at all. This might be confusing for European customers. Worse yet, they don’t even mention GDPR on their European policy. In their US privacy policy, they go on to underline that

“No matter where you live, whether in the European Economic Area, United Kingdom, Switzerland, or United States, Biostrap USA, LLC. controls your personal data and provides you with the Services.”

I also noted that these companies treat children in a bit different manner. Biostrap even has a completely separate privacy policy for children. Under 13-year-olds need parent’s permission to create an account for Biostrap, Fitbit or Whoop. Oura doesn’t at all process data of children under the age of 18, and even reserve the right to delete such accounts. Once again though, Motiv’s privacy policy falls short and doesn’t cover this area at all.

On an unrelated note, generally speaking I still find Oura’s privacy policy to be among the best in the field, however, this paragraph is in rather stark contrast to the rest of their policy:

“We will ask your explicit consent if we wish to send you push notifications or to use any health-related data for marketing purposes.”

I have not seen or heard of any such cases happening, but I’m not a fan of the idea that my personal health data would be used for marketing – even if it would be Oura’s own marketing.

What Can You Do?

By reading this article, you’ve already taken a good step towards becoming more privacy conscious.

It’s important to understand that privacy isn’t a binary choice or some setting that you could just turn on in your device. Instead, it’s a behavior adjustment: think what kind of data (and what level of detail) are you willing to share with these companies or with other users of the same wearables? In information security, we’d call this threat modelling, but in layman’s terms it’s all about weighing the pros and cons.

We need to give out health data in exchange to gain health insights from these wearables, but do we really want to share our workout locations publicly to gain ranking in some weekly top list?

Do we really want to save the trouble of creating and memorizing new password for these services and instead login with our social media account, leaking who knows how much of our private data in the process? Do we really want to give these apps access to our phone’s contact list, microphone or more?

Often these apps have hidden somewhere in the settings more detailed options about data sharing. Usually there’s pre-selected the option of sending data for “diagnostics purposes”, or something else like that. None of those are required for apps or wearables to function. So one simple step you can make is to disable this function.

Another good thing to remember is that a) you don’t have to fill out all information these services ask from you and b) it’s okay to lie! Of course, it doesn’t make sense to input disinformation to fields that contribute to the personalized health insights, but most of web services don’t need your real name, your real phone number or address and such.

How about legislation then? Biostrap, Fitbit and Whoop all work within the framework of EU-US and Swiss-US Privacy Shield. Motiv is also based in USA, but they don’t mention any Privacy Shield commitments, only that they have an external company appointed as their GDPR representative. If GDPR applies to you, it grants you the following rights:

The right to be informed

The right of access
The right to rectification
The right to erasure
The right to restrict processing
The right to data portability
The right to object

Rights in relation to automated decision making and profiling.

If you want to know what these rights mean and how to exercise them, visit UK’s ICO site.

Note that I’ve only compared the privacy policies of these companies, but in many cases, there’s also a lot of eye-opening information available in Terms of Services / Terms of Use as well.

There’s no clear-cut line what kind of information is disclosed in privacy policies compared to Terms. If you’d like to get more information about these policies and how companies handle your data, here are their relevant contact details for your convenience:

Biostrap - [email protected] (their GDPR Subject Data Form link is broken)

Fitbit - [email protected] or [email protected]

Motiv - [email protected]

Oura - [email protected]

Whoop - [email protected] or [email protected]

I hope this little inside look into the privacy policies and the health data handling practices of these wearables provided you with new and beneficial knowledge. If anything, perhaps next time some service – for self-quantification or not – asks your personal information, you pause for a moment and think how much do you trust that service, do they really need all that information, and what might they do with it?