Privacy Controls for Fitness Devices?

N.Y. Senator Asks FTC to Push Health, Fitness Vendors on Privacy
Privacy Controls for Fitness Devices?
Sen. Charles Schumer, D-NY

With the explosion of consumer fitness devices and health-related mobile apps that track everything from individuals' sleep to their exercise and location, Sen. Charles Schumer, D-N.Y., wants the Federal Trade Commission to push the vendors of those products to adopt new privacy safeguards.

See Also: User Entity & Behavior Analytics 101: Strategies to Detect Unusual Security Behaviors

In an Aug. 10 letter to the FTC, Schumer asks the agency to help ensure that companies "clearly explain to users how their data is being used, and allow consumers to opt-out of data sharing."

Schumer also urges the FTC to require that fitness devices and app companies adopt new privacy measures to help conceal the identity of individuals, and develop policies to protect consumer information in the event of a security breach."

In a statement released from Schumer's office, the senator notes that personal data from devices such as fitness bracelets like FitBit "is so rich that an individual can be identified by their gait," and that the information being gathered and stored by these products could be sold to third parties - such as employers, insurance providers and other companies - without the users' knowledge or consent.

"This creates a privacy nightmare, given that these fitness trackers gather highly personal information on steps per day, sleep patterns, calories burned and GPS locations," Schumer says. He also notes that users often input private health information such as blood pressure, weight and more. The data is then uploaded for analysis and feedback for the user.

There are currently no federal protections to prevent product or app developers from selling that data to a third party without the consumer's consent, Schumer says. So, he urges the FTC to push for fitness device and app companies "to provide a clear and obvious opportunity to 'opt-out' before any personal health data is provided to third parties, who could discriminate against the user based on that sensitive and private health information."

In a statement to ISMG, FitBit says, "we support companies getting user consent before they sell any personal data. It has always been our policy not to sell user data; we have never sold personal data and we do not share personal data unless a user specifically directs us to do so, or under the limited exceptions described in our privacy policy. We are committed to our users' privacy in our policies and our practices."

An FTC spokesman confirms that the agency received Schumer's letter, but declined to comment on his requests.

Schumer's office did not respond to ISMG's request for comment on the senator's letter.

Support for Schumer

Deborah Peel, M.D., founder of privacy advocacy group Patient Privacy Rights, agrees with Schumer's push.

"Any company on earth can buy your health, fitness or medical information - literally any company," says Peel in a statement to Information Security Media Group. "The sale and trade of the nation's most intimate personal information - data about our minds and bodies - is well-known by U.S. businesses," she says. Peel says it's difficult for consumers to know how their personal health data is used "because there are over 100,000 health data brokers covering 780,000 daily health data feeds -- there is no list, there is no data map of them. And unlike bank accounts, we cannot check and see a list of 'transactions' of who used our data when and for what purpose."

Greg Brown, vice president and chief technology officer of cloud and Internet of Things at Intel Security, formerly McAfee, says it's important consumers be aware of the privacy risks of data that's collected by these devices and apps. Consumer-class devices, such as GPS-enabled fitness trackers, "have access to our daily activities, potentially where we are in the world...and rich information about our daily activities," he notes. Often, consumers choose to share that information via social media sites and consumer cloud services that enables information to be shared broadly with an individual's community of friends, family and others.

Another privacy and security concern is that the data on those sites is typically accessed through a user name and password, Brown says.

"We've had problems with management of traditional username and password systems in cloud environments," he says. "And one of the issues that really concerns me is that if you make the decision that you are going to put some sensitive information out into the cloud, be aware the information is only as secure as the access controls you put around them."

On a positive note, "we have the benefit that most of this [fitness and health] information isn't broadly commericializable," Brown says. "It's hard to monetize someone's heart rate if you're a criminal."

About the Author

Marianne Kolbasuk McGee

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.