October 12, 2014

Privacy and Security Concerns for the Smart Watch Age

(photo credit Kārlis Dambrāns)

The Internet of Things (IoT) is quickly expanding with the next big product in its interconnected family – the smart watch. While these high-tech watches are not necessarily new, recent releases from companies like Samsung, LG and Apple have given them a more mainstream public appeal and market share. In welcoming the watches to the Internet of Things, customers are also introduced to the various privacy and security questions that researchers and governments have scrutinized in IoT. This past month Tech Policy Lab members participated in the Workshop on Usable Privacy & Security for wearable and domestic ubIquitous DEvices (UPSIDE). The workshop brought academics from around the country to discuss various IoT privacy issues. The FTC addressed these issues on a larger stage last fall, hosting an IoT-focused workshop to identify and address privacy and security problems. As the smart watch maneuvers its way onto the wrists of customers, wearers should take note of these problems.

The health and fitness craze that inspired products like FitBit and Garmin’s Connect has strongly impacted the design of recent smart watches. Products like the Samsung Gear Fit and the Apple smart watch have incorporated pedometers and heart rate monitors to allow users to measure their daily activity. With the increasing prevalence of health monitoring in everyday technology, it was no surprise that the FTC devoted one of their four workshop panels to the topic last fall. The “Connected Health and Fitness” panel brought in business and academic experts to discuss the benefits as well as the data privacy and security risks involved. As the smart watch’s popularity increases, preventing these risks will become imperative. Data theft could lead to location data and activity patterns being extracted from the pedometer or heart rate readings. Risks could even come from the company itself. What would happen if a health insurance provider was being sold health data collected from a prospective candidate’s smart watch? Protecting this data from both unwanted collection and use will be a necessary measure to ensure privacy in the age of the internet-enabled watch.

One of the papers presented at UPSIDE was on the hunt for privacy flaws in IoT products like Google Glass and the smart watch. Titled, “When Everyone’s A Cyborg: Musings on Privacy and Security in The Age of Wearable Computing,” the paper by Serge Egelman highlighted one of the major issues – “the continuous capture of audio and video.” While UPSIDE only provides the abstract for the paper, extrapolating where audio and video recording could breach a smart watch user’s privacy is easy. A user wants their watch to listen while giving it instructions, but unwarranted recording would present a security risk. The same is true for the camera. Unchecked recording devices could leak the extremely personal data of an unknowing user. Similar to the health and fitness privacy risk, this data could be misused by a thief or third-party company by way of reconnaissance, blackmail or harassment.

Privacy in the land of smart watches is not entirely hopeless, however, as it may fare better than other IoT devices in some instances. Specifically, updates and patches to address security issues could be much more common on a watch than a product like an electrical grid monitor. The issue is something the FTC addressed in its questions to the public for their conference. Two of the questions identified the FTC’s attention to the issue: “How can companies update device software for security purposes or patch security vulnerabilities in connected devices, particularly if they do not have an ongoing relationship with the consumer?” as well as “Do companies have adequate incentives to provide updates or patches over products’ lifecycles?”

In both cases the smart watch poses an optimistic answer. For the first question, the smart watch is likely to be exempt, as it will engage any user enough to form an ongoing relationship with them. By delivering notifications, sounding morning alarms, and even telling the user the time, it directly impacts and interacts with a user’s life on a daily or even hourly basis. Adequate incentives to provide updates are present as well. The smart watch is one of the newest hardware endeavors among competing companies like Apple, Samsung and Google. For one of these companies or even a smaller one to have their product succeed, they must convince the customer it is better than the rest and that it is something worth buying in the first place. A product that has unpatched security threats would do neither.

The smart watch fits into the privacy and security discussions of the IoT just as well as it fits onto a wrist. Prevalent issues such as health monitoring and audio or video capture could cause serious risks to consumers. Eliminating these risks and providing a safe product will be vital to the product’s success, bringing a great new addition to the Internet of Things family.