By Ganesh Chakravarthi (@crg_takshashila)
A buzz on my wrist wakes me. I open my smartphone and see the status of my smart band synchronising my sleep schedule. My first cup of coffee and breakfast, the smart band takes readings. I go for a run, my smart band goes on overdrive. My ride to work takes me through peak hour traffic and my bike manoeuvres spike up my adrenalin.
A few weeks of the same routine and I observe subtle changes that my body has undergone. All these data points that allow me to alter my lifestyle are recorded on my watch – on the cloud, to be precise. My smart band’s readings give me a fairly good idea of where things stand. I can access this data whenever I want, monitor my eating and update the same data on my smartphone. The question arises: am I the only one seeing this data? Do I have a say if someone wants to pry or sell this data?
Wearable technology has altered the way we interface with the world. With increasing demand, it is important for consumers to be aware of potential security and privacy breaches. With vague regulations and lack of enforcement, data gathered by smart wearables can be used without the consumer’s knowledge, and it wouldn’t even be illegal.
The issue is considerably more serious since consumer-grade wearables currently receive little to no patching. The devices interface with smartphones, but they come with their own operating system and applications. Although there are some smartphone antivirus programs that pair with a smartwatch, the lack of timely updates or built-in security features increases vulnerability.
Poorly managed data can be exploited by third parties and sold to unscrupulous corporations for gross misuse. The lack of strong encryption on wearables, and for data in transit before synchronisation, leaves that data vulnerable to hacks. Additionally, companies would be willing to pay a fortune to get their hands on such personalised inputs.
There is also a big issue of continuity, even with a company that chooses to comply with privacy regulations. Say you choose to share your data with a manufacturer: there is no guarantee that the company will still be in existence a few years from now. What happens to the data held by a company that goes bankrupt? What happens to all the data if the company is bought by a bigger corporation? The rules of the parent company could allow it to use this data at its own discretion. Additionally, a new law could allow access to data that you chose to share willingly.
As wearables slowly enter corporate networks, they bring with them a slew of cybersecurity challenges. At a time when companies are auctioning collected data, how can anyone prevent companies from redistributing it? Will consumers retain any right to restrict access to their own private information?
Part of the problem can be attributed to the stiff competition in the wearables market. Everyone wants to roll their products out first, causing manufacturers to cut back on data security in favour of a faster roll-out. The increased demand is prompting the creation of new editions almost every quarter, a process in which older devices do not get any upgrades.
Companies have a potential cop-out in data breach insurance; however, insurance companies have begun to resist this in recent times. Consider the case of Columbia Casualty, the first insurance company to challenge liability after its client, Cottage Health System, had a data breach which released confidential patient information on the internet. The company paid about $4 million to settle the client’s filing but has now filed to recoup the funds, citing misrepresentation of control.
Cases like these serve to prove that financial institutions are realising the problems of bad data management and shielding themselves from liabilities.
A significant part of the data security debate with wearables is whether manufacturers should regulate the flow of data themselves or whether there should be government intervention.
Consumers should be able to understand the risks they are exposed to for the mere benefit of wearing a trendy electronic cosmetic. For now, there haven’t been any major public data breaches, a fact that has resulted in very little public discussion. However, certain corporations will find that personal fitness and health data is much more valuable than credit cards and payment information.
Security solutions for wearables are still in their infancy. For now, most wearables are left to self-regulatory practices, which may ensure only the bare minimum of compliance with privacy regulations. There is a heightened need to put regulations in place, either via private industry or government intervention, or maybe a combination of the two. Until these are in place, privacy and data security will always remain an inherent risk.
Ganesh Chakravarthi is the Web Editor at Takshashila and tweets at @crg_takshashila.