How to Read (and Actually Understand) a Wearable Tech Privacy Policy

Privacy experts share tips on how to read a wearable-tech privacy policy and highlight a set of red flags consumers should look out for.

When was the last time you read a privacy policy? Any kind of privacy policy? Be honest.

Yeah, that's what I thought. Nobody reads privacy policies. They're not really meant for the users, anyway -- they're meant to protect companies from potential lawsuits. As such, they're long, complicated and often packed with enough legalese to make even an eager litigator's eyes glaze over.

Some CEOs of companies that make products to collect endless mountains of data don't even read privacy policies.

"It's almost impossible for users to read and understand privacy policies. All of the [services] I use, it doesn't matter if it's Netflix or whatever, I don't read privacy policies. I wouldn't understand it without a lawyer," says Florian Gschwandtner, CEO of Runtastic, which makes a number of fitness tracking devices, including the new Orbit fitness band, as well as a collection of fitness apps for iOS, Android, Windows Phone and BlackBerry.

The reality is that privacy policies have never been more important. (For details on why, read: "Fitness Trackers are Changing Online Privacy -- and It's Time to Pay Attention.") Many of the latest gadgets are designed to collect all kinds of user data, and much of their value is in the analysis of that information. But how do you know what happens to your information after you hand it over to that fitness tracker or smartwatch? Do you want a company secretly selling your data to your insurance company, for example, so it can track your exercise habits, weight gain (or loss), alcohol intake or whatever other stats you decide to track, and then adjust your premium accordingly?

Today, lots of device and app makers sneak all kinds of protections into privacy policies that let them do just about whatever they want with your data, assuming you're willing to accept the terms of service (ToS).

I spoke with a few notable privacy experts for advice on how to dissect a privacy policy, what specifically to look for and some potential red flags that should make you wary if you spot them in a privacy policy.

Jeremy Gillula, Staff Technologist, Electronic Frontier Foundation (EFF)

Gillula says wearable device users should look for two main things when reading a privacy policy: what specific kinds of data are being collected, and what the company is doing with that data.

"Somewhere in there they should be explicitly listing what they collect from you, or what you're providing," Gillula says. "It could be anything from a user name or an email address to 'We log your IP address and the unique identifier of your smartphone when you sync your device'."

If you're not clear on why a device, app or service needs a certain kind of information, be wary. The company isn't necessarily doing anything suspect with the information, but it should make clear why it collects certain types of data.

"The bigger concern is who they will share [your data] with," Gillula says. "Usually they will either say, 'We share it with third parties but only when they agree to protect your data in the same way that we do,' or they'll say they share it with third parties in the course of 'normal business operations.'"

Gillula says you should beware of companies that state they may share your data with third parties or "partners" to deliver ads or to help develop new products and services. "That is usually a red flag. They're giving the information to other parties. From there, who knows where it goes?"

If a company sells or exchanges data that's not directly connected to anything you have specifically requested, or that's not specific to the service you're getting, you may want to be wary, according to Gillula.

Ruby Zefo, Vice President, Legal and Corporate Affairs and Associate General Counsel, Chief Privacy and Security Counsel, Intel

Like Gillula, Zefo suggests scanning a privacy policy in search of the specific kinds of data being collected and then looking for whether the devices or services share your data with third parties.

"If you're just relying on the band itself and you never really take a close look at the app or the reports, you may miss what some of the sensors are catching," Zefo says. "You want to be clear on the information being collected. You also want to see if the information is being transferred somewhere else."

Zefo suggests looking for statements on how the company protects your data after it is collected.

"I have chosen to allow the device to collect information that I know it's collecting. That was a decision I made. I know how it's being analyzed," Zefo says. "That's OK with me, but I don't want someone else getting that data that shouldn't have it."

If you see a company trying to reserve its rights to share data very broadly, be wary.

"It doesn't mean they're doing anything nefarious with it," Zefo says. "But it makes it harder to determine what exactly they're doing with it. It may be worth an email to customer service to ask for the details, if it seems like it's overly broad."

Kevin Haley, Director, Symantec Security Response

Haley recognizes that today's privacy policies aren't user friendly -- but, at this point, it's the user's responsibility to protect his own privacy by reading the policies. "Companies have a responsibility to make clear what they're doing," he says. "It shouldn't be on the user to have to go through those policies. We're not all lawyers."

Haley says the No. 1 thing to look for in a privacy policy is whether your data is going to be sold to third parties. "Is [my data] going to be given to other people? Is it protected [when stored]? Is this company going to use my data by selling it?"

Haley also says that free apps often pose a more significant risk than paid software: "There's often a hidden price."

If you can't easily find a company's privacy policy, or if you have to request it, you should be cautious sharing your data, Haley says.

If a company doesn't make a privacy policy readily available, he adds, "You have to ask 'What else didn't they think of?' I'd be very concerned."

Stories by Al Sacco