Privacy advocates warn of ‘nightmare’ scenario as tech giants consider fitness tracking


The Federal Trade Commission building is seen in Washington on March 4, 2012. (REUTERS/Gary Cameron)

Fitness tracking apps and devices have gone from an early adopter novelty to a staple of many users' exercise routines during the past few years  -- helping users set goals and measure progress over time. Some employers even offer incentives, including insurance discounts, when workers sign up.

"There's been a tremendous amount of evolution in the app space, both generally and in the fitness app," since she joined the Federal Trade Commission six years ago, Senior Staff Attorney Cora Han acknowledges. "It's a completely different landscape."

But as several major tech companies appear poised to disrupt that landscape, privacy advocates warn that consumers aren't always aware of how sensitive the data the apps collect can be or what privacy protections exist. And changes in the privacy policy of Moves, a fitness tracking app recently acquired by Facebook, have only amplified those fears.

"This is really, really a privacy nightmare," says Deborah Peel, the executive director of Patient Privacy Rights, who claims that the vast majority, if not all, of the health data collected by these types of apps have effectively "zero" protections, but is increasingly prized by online data mining and advertising firms.

Both the Food and Drug Administration and the FTC regulate some aspects of the fitness tracking device and app market, but not everyone thinks the government has kept pace with the rapidly changing fitness tracking market.

"The FTC and even the FDA have not done enough," says Jeffrey Chester, the executive director of the Center for Digital Democracy, who says the lack of concrete safeguards to protect data in this new space leaves consumers at risk. "Health information is sensitive information and it should be tightly regulated."

Tech giants turn their eyes to fitness tracking

Moves changed its privacy policy within weeks of its acquisition by Facebook.  The app uses motion sensors built into smartphones and GPS information to keep a record of users' locations and activities. Algorithms developed for the app are able to tell the difference between different types of exercise -- like biking, or running -- and calculate distances traveled and calories burned.

The app's privacy policy went from stating the company would not "disclose an individual user’s data to third parties" without consent to "we may share information, including personally identifying information, with our Affiliates (companies that are part of our corporate groups of companies, including but not limited to Facebook) to help provide, understand, and improve our Services," as first reported by the Wall Street Journal.

Facebook spokesperson Jodi Seth said the company had "no plans" to connect Moves data with Facebook users. The language was changed because Facebook will be providing support and services to the app, she said.

"In order to support the provision and operation of the Moves app, Facebook will need to have access to the Moves data," she told the Post in a statement via e-mail. She further said that Moves would continue as a "standalone experience" rather than being directly integrated into the larger Facebook platform.

But a person familiar with the matter told the Post the acquisition is "about talent and tech," suggesting that Facebook may be planning to use Moves to make a bigger splash in the health and fitness space.

And Facebook wouldn't be the only tech giant  interested in the fitness and health tracking business. Reuters recently reported that Apple is on a "medical tech hiring spree" -- possibly in anticipation of the long rumored iWatch. The company also met with FDA officials about mobile medical apps last December, as reported by the New York Times.

With its foray into wearable tech with Google Glass, Google also appears in a good position to do more work on health tracking. And elsewhere in the company's experimental lab, Google has been working on other medical related products like contacts that tell diabetics their glucose levels. (Oh, and there is that whole other company Google CEO Larry Page created to work on combating death.)

Peel says there's an obvious reason these companies are interested in having a hand in health data: "It's the most valuable information in the digital age, bar none." Chester echoed that sentiment, but also says the tech industry's pivot to health and fitness tracking "is all part of a much wider system of data collection."

"The next frontier is local, and they know that health apps and other kind of apps related to recreation and lifestyle will be an economic bonanza," he says. "They literally want to know your movements in a much more granular way and they've created business models based on this kind of intrusive hyper-local data tracking."

Data mining and advertising companies already have access to vast amounts of information related to consumers health -- companies can glean a lot from users Web browsing behavior, or the pharmacy purchases made while using consumer loyalty cards. But fitness tracking apps have the potential to provide more direct and reliable information in greater detail.  And that, Chester says, could have truly devastating consequences as the information is monetized.

"Information about consumers most intimate health conditions is going to be sold to the highest bidder," he says. "Employers might get access to it, insurers might get access to it, or mortgage lenders -- which could lead to a vast array of negative discriminatory practices."

What about HIPAA?

Privacy advocates worry that regulators aren't prepared to handle the consumer privacy challenges that will come with this explosion in health data.

Part of the issue is that while fitness apps and wearable devices can create and transmit data that most consumers would consider health related, it does not have the same level of protection as data created consumers interactions with actual health care professionals.

Health Insurance Portability and Accountability Act of 1996 created a regulatory framework for digital health information and privacy protections to go along with it, but it does not apply to many casual health and fitness tracking apps because the data it collects was created by consumers themselves, rather than an entity covered by HIPAA like a doctor or a hospital.

Because of that, "there may be sharing of sensitive health information that's collected by these health or fitness apps that consumers may not reasonably expect or anticipate -- particularly since they are used to sharing that information in a traditional provider context," says Han.

The FDA issued guidance on mobile medical apps last fall, choosing to focus on apps that directly transform the smartphones or tablets into devices it already regulates and exercise "enforcement discretion" on others it says pose minimal risks to consumers. Basically, that means there are a bunch of health related apps the FDA reserves to right to regulate, but it isn't planning to actively engage with unless they see a clear and present medical danger to consumers.

A list of examples of types of apps that fall into this category on the FDA Web site appears to encompass features commonly found in fitness tracking apps, but a footnote includes a potential loophole -- saying that when these type of apps "are not marketed, promoted or intended for use in the diagnosis of disease or other conditions, or in the cure, mitigation, treatment, or prevention of disease, or do not otherwise meet the definition of medical device, FDA does not regulate them."

Moves describes itself as an "activity diary," but its Web site does use vague health related language to promote the app usage, including urging visitors to "start with small changes that can lead to healthy habits and losing weight naturally."

However, a Food and Drug Administration spokesperson said the agency could not comment on if specific apps like Moves fell under its jurisdiction. And the word "privacy" did not show up in its mobile medical app guidance even once.

The FTC's role

But elsewhere in the government, the FTC has been working hard to figure out where they fit in that landscape -- even hosting a public conference about consumer generated health data earlier this month.  Under Title V of the Federal Trade Commission Act, the agency has a pretty broad authority to engage with product creators on behalf of consumers, but only if companies are engaging in deceptive or "unfair" practices.

"In the health and fitness app space, we have authority to enforce against, for example, connected device manufacturers, app developers or others that may be engaging in deceptive practices or failing to live up to their promises to users about the collection and use of their data," Han says.

But there are some additional limits to that authority: In general, the FTC doesn't have the ability to level fines against companies who break promises to consumers on the first offense. Plus, even if consumers aren't comfortable with the way their information is shared, they may have already agreed to it.

"Consumers may not always read the privacy policies of some of these apps," Han says, "and even if they do some of them might be worded in legalese so consumers might not understand the choices they are making with their information."Peel warns even if apps say they don't sell user data, they might get around the restrictions on a technicality like trading it -- and that there's no real auditing of privacy promises beyond the FTC's investigative role.

But Han also says it's worth considering the upside to the explosion in fitness tracking: "There are a lot of benefits that these new technologies provide," she says, referring to the potential power and knowledge fitness tracking devices and apps give to consumers. But those benefits don't give developers a free pass on other consumer protection issues, she says.

"I do think that the companies developing these products and services should incorporate privacy and security considerations from the start and they should also be very clear to users about what information they are collecting and how they are sharing that information," Han argues. 

Andrea Peterson covers technology policy for The Washington Post, with an emphasis on cybersecurity, consumer privacy, transparency, surveillance and open government.
Comments
Show Comments
Most Read Business
Next Story
Hayley Tsukayama · May 19