CIO

How to Read (and Actually Understand) a Wearable Tech Privacy Policy

Privacy experts share tips on how to read a wearable-tech privacy policy and highlight a set of red flags consumers should look out for.
  • Al Sacco (CIO (US))
  • 15 August, 2014 01:44

When was the last time you read a privacy policy? Any kind of privacy policy? Be honest.

Yeah, that's what I thought. Nobody reads privacy policies. They're not really meant for the users, anyway -- they're meant to protect companies from potential lawsuits. As such, they're long, complicated and often packed with enough legalese to make even an eager litigator's eyes glaze over.

Some CEOs of companies that make products to collect endless mountains of data don't even read privacy policies.

"It's almost impossible for users to read and understand privacy policies. All of the [services] I use, it doesn't matter if it's Netflix or whatever, I don't read privacy policies. I wouldn't understand it without a lawyer," says Florian Gschwandtner, CEO of Runtastic, which makes a number of fitness tracking devices, including the new Orbit fitness band, as well as a collection of fitness apps for iOS, Android, Windows Phone and BlackBerry.

The reality is that privacy policies have never been more important. (For details on why, read: "Fitness Trackers are Changing Online Privacy -- and It's Time to Pay Attention.") Many of the latest gadgets are designed to collect all kinds of user data, and much of their value is in the analysis of that information. But how do you know what happens to your information after you hand it over to that fitness tracker or smartwatch? Do you want a company secretly selling your data to your insurance company, for example, so it can track your exercise habits, weight gain (or loss), alcohol intake or whatever other stats you decide to track, and then adjust your premium accordingly?

Today, lots of device and app makers sneak all kinds of protections into privacy policies that let them do just about whatever they want with your data, assuming you're willing to accept the terms of service (ToS).

I spoke with a few notable privacy experts for advice on how to dissect a privacy policy, what specifically to look for and some potential red flags that should make you wary if you spot them in a privacy policy.

Jeremy Gillula, Staff Technologist, Electronic Frontier Foundation (EFF)

Gillula says wearable device users should look for two main things when reading a privacy policy: What specific kinds of data are being collected and what the company is doing with that data.

"Somewhere in there they should be explicitly listing what they collect from you, or what you're providing," Gillula says. "It could be anything from a user name or an email address to 'We log your IP address and the unique identifier of your smartphone when you sync you device'."

If you're not clear on why a device, app or service needs a certain kind of information, be wary. The company isn't necessary doing anything suspect with the information, but it should make it clear why they're collecting certain types of data.

"The bigger concern is who they will share [your data] with," Gillula says. "Usually they will either say, 'We share it with third parties but only when they agree to protect your data in the same way that we do,' or they'll say they share it with third parties in the course of 'normal business operations.'"

Gillula says you should beware of companies that state they may share your data with third parties or "partners" so that they can deliver ads or to help develop new products and services. "That is usually a red flag. They're giving the information to other parties. From there, who knows where it goes?"

If a company sells or exchanges data that's not directly connected to anything you have specifically requested, or that's not specific to the service you're getting, you may want to be wary, according to Gillula.

Ruby Zefo, Vice President, Legal and Corporate Affairs and Associate General Counsel, Chief Privacy and Security Counsel, Intel

Like Gillula, Zefo suggests scanning a privacy policy in search of the specific kinds of data being collected and then looking for whether the devices or services share your data with third parties.

"If you're just relying on the band itself and you never really take a close look at the app or the reports, you may miss what some of the sensors are catching," Zefo says. "You want to be clear on the information being collected. You also want to see if the information is being transferred somewhere else."

Zefo suggests looking for statements on how the company protects your data after it is collected.

"I have chosen to allow the device to collect information that I know it's collecting. That was a decision I made. I know how it's being analyzed," Zefo says. "That's OK with me, but I don't want someone else getting that data that shouldn't have it."

If you see a company trying to reserve its rights to share data very broadly, be wary.

"It doesn't mean they're doing anything nefarious with it," Zefo says. "But it makes it harder to determine what exactly they're doing with it. It may be worth an email to customer service to ask for the details, if it seems like it's overly broad."

Kevin Haley, Director, Symantec Security Response

Haley recognizes that today's privacy policies aren't user friendly -- but, at this point, it's the user's responsibility to protect his own privacy by reading the policies. "Companies have a responsibility to make clear what they're doing," he says. "It shouldn't be on the user to have to go through those polices. We're not all lawyers."

Haley says the No. 1 thing to look for in a privacy policy is whether your data is going to be sold to third parties. "Is [my data] going to be given to other people? Is it protected [when stored]? Is this company going to use my data by selling it?"

Haley also says that free apps often pose a more significant risk than paid software: "There's often a hidden price."

If you can't easily find a company's privacy policy, or if you have to request it, you should be cautious sharing your data, Haley says.

If a company doesn't make a privacy policy readily available, he adds, "You have to ask 'What else didn't they think of?' I'd be very concerned."

AS