Data from wearable devices could soon land you in jail

Health privacy laws don’t cover your wearable and information it's collecting

While that fitness band or smartwatch you own may help you get in shape or never miss an appointment, the data it collects is now also fodder for criminal or civil litigation.

In what's thought to be a first-of-its-kind civil lawsuit, a personal injury lawyer in Canada used data from a Fitbit wristband in an insurance fraud case to support his client's claims.

Previously, insurance civil suits relied on physician examinations and not historical data collected from a wearable.

Simon Muller, a partner in the Personal Injury Group of McLeod Law in Calgary, Alberta pushed his client's Fitbit data through an analytics platform from Vivametrica, a startup company. Vivametrica's Functional Activity Assessment tool compares activity data against that of the general population, offering a way to benchmark the results. (Muller's client voluntarily shared several months of Fitbit data with Vivametrica so  it could be compared with data from other Fitbit users. His client, a former personal trainer, had been in an accident that affected her ability to work; the data was used to back up her claim.)

Cloud aggregation services for wearable data

Rick Hu, an orthopedic surgeon and CEO of Vivametrica, said the analytics software can currently only be used with activity trackers, but the company is in the process of expanding it to work with other wearable devices.

"One of the shortcomings right now is that each of the device manufacturers collects their own information," Hu said. "So it's hard to compare that data with other people's data who are not using that particular device. There is no standardization in terms of the activity data."

The company hopes to collect data using APIs from multiple wearable brands and anonymize it for research purposes.

Vivametrica's software will also be able to use APIs from health tracking platforms such as Google Fit, Apple HealthKit, Samsung Sammy and Microsoft HealthVault to aggregate data from wearable devices for comparison.

With that in mind, Hu sees the day coming when prosecutors and defense attorneys alike could use data collected from wearable devices.

"I think there are many hurdles to make it routine," he said. "But in my discussions with legal colleagues...they're quite willing to do this. I think it's better to have an open discussion...rather than have a serendipitous kind of surveillance and all of a sudden you realize your entire day has been charted on someone's computer, like Uber for instance."

"Police use social media accounts like Facebook and, going forward, will police find some way to use this data? Sure they will. That seems pretty clear," said Scott Valentine, president of Vivametrica.

Wearables are a perfect fit for litigation, according to Neda Shakoori, an attorney who leads an eDiscovery initiative with the law firm of McManis Faulkner.

Wearables not only track physical activity, but they can transmit geolocation information, and more sophisticated wearables, like Google Glass, can also take photos and videos and perform web searches.

Shakoori said she is not aware of any other civil case where data from wearables is being used to prove or disprove a claim, but "I do think that's coming down the pike. It's just a matter of time."

There are clear obstacles to gathering and using wearable data in a case where the user isn't willingly sharing it with the courts to buttress their own case. For one, the accuracy of the data could be called into question.

"I could be sitting at desk shuffling my feet and the device could track that as me walking for three hours or walking three miles a day," she said.

There are also privacy and evidentiary rules. And the cost of retrieving electronic data through legal avenues could be prohibitive, Shakoori said.

Privacy obstacles are easily circumvented

Rainey Reitman, activism director for privacy advocacy group Electronic Frontier Foundation, said wearable device companies that collect data from users in cloud services can be subpoenaed -- just as Google and Microsoft have been for years.

In just the first half of 2013, Google received requests from the U.S. Foreign Intelligence Surveillance (FISA) court for information on between 9,000 and 10,000 user accounts; that was up from requests for info affecting between 7,000 and 8,000  accounts in the first half of 2011.

pebble watch email 1 Wikimedia Commons

Like smart phones, smart watches have geolocation and metadata about communications and web searches.

The FISA court hit up Microsoft for data related to between 15,000 and 16,000 accounts during the same period, up from requests affecting 11,000 to 12,000 accounts in the second half of 2011.

There is a clause in the privacy policies of most service providers that states they will release data in response to valid legal requests, Reitman said.

For example, Fitbit's privacy policy states it will release data "necessary to comply with a law, regulation, or valid legal process."

Another misperception about personal data is that if it contains health-related information, it is protected under the Health Insurance Portability and Accountability Act (HIPAA).

"Health privacy laws generally only cover certain, specific medical entities -- and wearable technology manufacturers aren't one of them," Reitman said.

Even if medical privacy laws did cover data recorded by a Fitbit band, it wouldn't matter, Reitman said, because there's an exception to HIPAA for law enforcement queries, national security and many other legal requests.

"To be clear, Fitbit and other companies could choose to challenge the subpoena. That could be a way for Fitbit to prove it's willing to stand up for the privacy of its users," Reitman said.

This story, "Data from wearable devices could soon land you in jail" was originally published by Computerworld.

Copyright © 2014 IDG Communications, Inc.

7 hot cybersecurity trends (and 2 going cold)