This blog is part of our series examining the invasion of Internet services into our lives. An earlier blog gave an overview of the legalistic straitjackets we put on by signing the service providers’ terms of service. We’ve also looked at the tremendous value the service providers extract from us by using our data. This blog explores how, after the initial purchase, we continue to pay for IoT devices with our data. That is, our data are a hidden part of the price we pay for our Internet connected devices.
To work and provide us with value, many innovative IoT devices generate data about us and about the environment in which we use them. Data are the foundation of much of their value. However, a close look at their privacy statements and terms of service shows that the service providers collect far more data than the devices need to function. Most of them collect the greatest amount of data they can get, give little control over the collection, and use the data for purposes beyond providing the device’s function. That is, the flow of personal data is a continuous payment flow.
A look at the “services” associated with two of my personal devices illustrates the expansive approach.
Technically, the mug that keeps my coffee at a temperature I can control with my phone requires only a WiFi connection between the mug and my phone. The two can communicate without ever touching the Internet. However, to set up the app, the manufacturer insists that I register my email address, which they sometimes provide to service providers “who may ‘match’ this information in de-identified form to cookies (or mobile ad identifiers) and other proprietary IDs, in order to provide you with more relevant ads when you visit other websites and mobile apps.” As we know, mobile ad identifiers can be de-anonymized with a little effort.
Having set up the app, there are two sources from which the company can collect data: their web site and the app. It is possible to avoid their extensive collection of web site data (browser characteristics, device ids and characteristics, browsing behavior, etc.) by simply not visiting their web site. Visiting it isn’t necessary to enjoy hot coffee. However, it’s impossible to avoid the use of the app, which results in the collection of IP address, device id, caffeine intake(!), location information, and use of other devices, sites or apps if those services use the same vendors. Combining device id and location with other data creates powerful insights into people’s lives, and also very valuable data for advertisers!
And all of this data collection for a mug that, to work properly, does not need an Internet connection at all! Users have no choice. If they want to use the mug, they’ll have to expose their data. That is, the ongoing data collection is part of the mug’s price, hidden in the privacy statement most people won’t read.
My blood pressure cuff is another example of excessive data collection without control. The cuff can use Bluetooth to send its measurement data to an app on the phone. That would be enough for me. I can take the data recording and analysis from there. However, even that simple data transfer requires registration with an email address and other personal data such as age, gender, height, etc., to create a personal profile with the supplier.
When using the app, the provider collects not only the data measured (blood pressure and pulse), but also records device ids, accelerometer data, location, time zone, etc. I wonder how time zones relate to blood pressure! As if that were not enough, if there are other health apps on the phone, e.g., from Google or from Apple, the provider will also pull data from those apps, such as step count, glucose, oxygen saturation, active/resting energy levels, sleep analysis, and workout history.
What do they do with all that data? Among other things, they pass these data to a number of unspecified service providers and affiliates. By signing up, users consent to the engagement of third parties to perform, or support the performance of, all or any portion of a service that is rather vaguely defined. One such third-party service wants to interpret the collected health data. By agreeing to the terms of the device (there is no way to opt out!), users agree to enrollment in that service, whether they actually want to use it or not.
With all that, neither the terms of service nor the privacy statement contains a reference to HIPAA! Note that HIPAA applies only to covered entities such as health care providers and insurers and to their business associates, so a consumer device vendor is generally not bound by it; the absence of any reference is therefore unsurprising, but it also means none of HIPAA’s protections apply to this health data. Disclaiming any responsibility, the device terms point out that any diagnosis can only be made by a physician!
The lack of transparency about where the data go and what is done with them should be a brightly blinking warning signal. What are the risks of health data being used inappropriately? They start with inappropriate advertising and can extend to denying or overpricing insurance, affecting employment decisions, and similar impacts, all based on data of unclear provenance and accuracy.
After reading all this, I decided not to use the app at all, but to read the data directly off the cuff and transfer it manually into a spreadsheet. While this is not the most convenient way to do this, at least I am in control of my data.
These two stories illustrate just the tip of the iceberg. Unfortunately, we have to expect that most IoT devices operate this way. The explosion of wearables collecting medical data will only increase the problem.
The mandatory data extraction is a mostly hidden part of the price consumers pay for their IoT devices and is a foundational part of the associated business models. The data collection should be stated as part of the IoT device’s price, right alongside the dollar cost.