Data from wearable devices could soon land you in jail

Data from a Fitbit wristband is being used in an insurance civil litigation case, but the ramifications of the legal fight are clear: A judge can subpoena data from a wearable device.

While that fitness band or smartwatch you own may help you get in shape or never miss an appointment, the data it collects is now also fodder for criminal or civil litigation.

In what's thought to be a first-of-its-kind civil lawsuit, a personal injury lawyer in Canada used data from a Fitbit wristband in an insurance fraud case to support his client's claims.

Previously, insurance civil suits relied on physician examinations and not historical data collected from a wearable.

Simon Muller, a partner in the Personal Injury Group of McLeod Law in Calgary, Alberta, pushed his client's Fitbit data through an analytics platform from Vivametrica, a startup company. Vivametrica's Functional Activity Assessment tool compares activity data against that of the general population, offering a way to benchmark the results. (Muller's client voluntarily shared several months of Fitbit data with Vivametrica so it could be compared with data from other Fitbit users. His client, a former personal trainer, had been in an accident that affected her ability to work; the data was used to back up her claim.)

Cloud aggregation services for wearable data

Rick Hu, an orthopedic surgeon and CEO of Vivametrica, said the analytics software can currently only be used with activity trackers, but the company is in the process of expanding it to work with other wearable devices.

"One of the shortcomings right now is that each of the device manufacturers collects their own information," Hu said. "So it's hard to compare that data with other people's data who are not using that particular device. There is no standardization in terms of the activity data."

The company hopes to collect data using APIs from multiple wearable brands and anonymize it for research purposes.

Vivametrica's software will also be able to use APIs from health tracking platforms such as Google Fit, Apple HealthKit, Samsung Sammy and Microsoft HealthVault to aggregate data from wearable devices for comparison.

With that in mind, Hu sees the day coming when prosecutors and defense attorneys alike could use data collected from wearable devices.

"I think there are many hurdles to make it routine," he said. "But in my discussions with legal colleagues...they're quite willing to do this. I think it's better to have an open discussion...rather than have a serendipitous kind of surveillance and all of a sudden you realize your entire day has been charted on someone's computer, like Uber for instance."

"Police use social media accounts like Facebook and, going forward, will police find some way to use this data? Sure they will. That seems pretty clear," said Scott Valentine, president of Vivametrica.

Wearables are a perfect fit for litigation, according to Neda Shakoori, an attorney who leads an eDiscovery initiative with the law firm of McManis Faulkner.

Wearables not only track physical activity, but they can transmit geolocation information, and more sophisticated wearables, like Google Glass, can also take photos and videos and perform web searches.

Shakoori said she is not aware of any other civil case where data from wearables is being used to prove or disprove a claim, but "I do think that's coming down the pike. It's just a matter of time."

There are clear obstacles to gathering and using wearable data in a case where the user isn't willingly sharing it with the courts to buttress their own case. For one, the accuracy of the data could be called into question.

"I could be sitting at desk shuffling my feet and the device could track that as me walking for three hours or walking three miles a day," she said.

There are also privacy and evidentiary rules. And the cost of retrieving electronic data through legal avenues could be prohibitive, Shakoori said.

Privacy obstacles are easily circumvented

Rainey Reitman, activism director for privacy advocacy group Electronic Frontier Foundation, said wearable device companies that collect data from users in cloud services can be subpoenaed -- just as Google and Microsoft have been for years.

In just the first half of 2013, Google received requests from the U.S. Foreign Intelligence Surveillance (FISA) court for information on between 9,000 and 10,000 user accounts; that was up from requests for info affecting between 7,000 and 8,000 accounts in the first half of 2011.

The FISA court hit up Microsoft for data related to between 15,000 and 16,000 accounts during the same period, up from requests affecting 11,000 to 12,000 accounts in the second half of 2011.

There is a clause in the privacy policies of most service providers that states they will release data in response to valid legal requests, Reitman said.

For example, Fitbit's privacy policy states it will release data "necessary to comply with a law, regulation, or valid legal process."

Another misperception about personal data is that if it contains health-related information, it is protected under the Health Insurance Portability and Accountability Act (HIPAA).

"Health privacy laws generally only cover certain, specific medical entities -- and wearable technology manufacturers aren't one of them," Reitman said.

Even if medical privacy laws did cover data recorded by a Fitbit band, it wouldn't matter, Reitman said, because there's an exception to HIPAA for law enforcement queries, national security and many other legal requests.

"To be clear, Fitbit and other companies could choose to challenge the subpoena. That could be a way for Fitbit to prove it's willing to stand up for the privacy of its users," Reitman said.


Stories by Lucas Mearian
