Data Crying

Few if any consumers who fell behind on their credit card payments in the early 2000s thought that half a decade later employers would use their credit report to determine their job worthiness. Few avid social media users must have realized that insurance companies, the IRS, law enforcement, and credit agencies would soon use their their data to investigate fraud, determine creditworthiness, and monitor other potentially illegal activity. History suggests they should have.

This pattern is repeating itself, with countless consumers today casually sharing highly personal health data through wearable computing hardware, cloud-based quantified self platforms, and even retail loyalty programs without so much as a thought to the potential implications. My argument isn’t one against the quantified self movement. But if history is any guide naive, blind participation without considering the implications of your data being recorded and shared with third parties is reckless.

As we document and share more of where we go, what we do, who we spend time with, what we eat, what we buy, how hard we exert ourselves, and so on, we create more data that companies can and will use to evaluate our worthiness – or lack thereof – for their products, services, and opportunities. For those of us who don’t measure up compared to the rest of the population, the outcome won’t be pretty.

It will also be our own fault. Consumers are signing up to collect and share personal data at an alarming rate via sleep monitors, pedometers and activity trackers, dietary logs, brainwave monitors, grocery and restaurant loyalty cards, credit cards, Foursquare and Facebook check-ins, and photo geotagging, among other means. As insurers, lenders, and others attempt to manage risk, they will inevitably turn alternative data sources to round out the picture of each consumer applicant – in fact, they already are.

According to a sales rep for a midwest data co-location and analytics startup who asked to remain anonymous, regional hospitals, insurers, and grocery retailers are already investigating ways to work together to translate consumer purchase data into health risk profiling insights. Kevin Pledge, CEO of underwriting-technology consultancy Insight Decision Solutions told the Economist last year that he has forgone the use of supermarket loyalty-cards and begun paying cash for his burgers to avoid this very type of profiling. The same article mentions a life-settlements firm declining to purchase an insurance policy based on social media activity that contradicted the supposed poor health of the policy-holder.

These are far from the only example of companies reaching further into our personal data – consumer reports has a rundown of many others – but they should be enough to make us all rethink that package of bacon, those dozen Krispy Kremes, or those Marlboros. One day, the same analysis is likely to be applied to how often we exercise, the length and quality of sleep we get, our eating habits, and possibly even the health of our sex lives.

CVS, for example, has started to require its employees to submit their weight, body fat, glucose levels, and other vitals monthly or pay a fine to cover increased health insurance premiums. If that data was available for the majority of its employees via a quantified self company (or several), CVS and other employers might not even have to ask – and the seemingly fit employee with a secret pound of bacon a day habit may never know why his health insurance premiums are double those of co-workers.

For the last year, State Farm Insurance has been taking a similar approach by offering auto insurance customers discounts for installing real-time monitoring devices into their vehicles coupled with safe driving. Again, if a real-time location smartphone app – or GPS and accelerometer enabled wristband or glasses – is already tracking this data, the insurance carriers might skip the asking, and the discount, and go straight to the database to pass judgment.

One of the most frightening companies in the entire sector is LexisNexis, whose ambition, if I were to paraphrase it, is to have a comprehensive record of every piece of available information on every person in the world – including their current and past residence, spending history, banking information, health information, etc., after scary, etc. And they’re not as far away from this goal as you might think.

Perhaps most troubling was the 2009 merger between VeriChip and Steel Vault (now PositiveID), which combined the first ever human-implantable RFID microchip and the credit-scoring and identity-theft-protection website NationalCreditReport.com. We haven’t heard much from the company since and its website indicates that PositiveID has shifted its focus toward medical applications, but the concept behind the merger remains frightening yet entirely possible.

Many expect the government to protect consumers from this type of potential privacy invasions, but the legislature has demonstrated a pattern of ignoring the ethics of bleeding edge technological issues until the line has been crossed, and then typically bungling things badly on the first few attempts, before, in some cases, arriving at a generally-tenable solution. Peer-to-peer file-sharing, net neutrality, software patents, stem cell research, and the recent SOPA, CIPA debates are all areas where Congress has appeared badly out of step with the world of technology. As such, it’s foolish to leave such matters in the hands of the government.

Really, it all comes down to each individual protecting his own data by virtue of the Terms of Service, Terms of Use, and Privacy Policies that he agrees to with each application. In general, the hardware manufacturers and service providers in the quantified self space seem to have taken a fairly consumer-friendly stance initially (see select highlights below), but it’s not unheard of for company’s privacy policies and terms of use to change – see Instagram. Also, it’s rare to see a pitch from quantified self startup that doesn’t point to data monetization as part of its long term business roadmap. As consumers grow more comfortable with the idea of sharing personal information online, it’s likely these ethical boundaries will be eased.

It’s not only just the first tier company that has the potential to share consumer data, but every dashboard, analytics platform, gamification service, social sharing tool, and other related product that is granted access to the underlying service. Your personal data security is only as strong as the weakest link in your quantified self ecosystem.

It’s easy to come off sounding paranoid, and many would argue that the value received from quantified self devices and services justifies the risk. But it’s not those who consciously make that decision I’m worried about. It’s those who buy a Jawbone Up because it’s sold at the Apple Store then connect it to several Web apps because their trainer recommends them without considering long-term implications. Data is powerful, and just as it has the power to enhance our lives, in the wrong hands it can also harm us.

Below are select excerpts from the privacy policies of several popular quantified self platforms.

Jawbone Up’s TOU read:

We may share your Information with third parties to provide services on our behalf such as to process payments, or to store information collected through our site, app, and services. We may share information with a parent company, subsidiaries, joint ventures, or other companies under common control with us. We may share your personal information for the purposes of a business deal (or negotiation of a business deal) involving sale or transfer of all or a part of our business or assets. These deals can include any merger, financing, acquisition, or bankruptcy transaction or proceeding. We may disclose your personal information to (a) comply with relevant laws, regulartory (sic) requirements and to respond to lawful requests, court orders, and legal process…Even though we have taken steps to protect your personal information, you should know that neither we nor any company can fully eliminate security risks.

Nike’s Digital Privacy Policy reads:

We may transfer your information to NIKE Family service providers to conduct our business. For example, they may handle credit card processing,shipping, data management, email distribution, market research, information analysis, and promotions management. We may also share your information to administer features (e.g. music download, race registration, or workout routine)…Information that is publicly shared may be used by Nike for promotional purposes….However, like other companies, NIKE cannot guarantee 100% the security or confidentiality of the information you provide to us.

FitBit’s Privacy Policy reads:

Fitbit may disclose non-personally identifiable aggregated user data, such as aggregated gender, age, height, weight, and usage data gathered from Fitbit devices (without the inclusion of a user’s name or other identifying information) to:

    • Organizations approved by Fitbit that conduct consumer research into health and wellness;
    • Users of the Service for purposes of comparison of their personal health and wellness situation relative to the broader community; and
    • Advertisers and other third parties for their marketing and promotional purposes.

WellnessFX’s Privacy Policy reads:

We share your information with third parties when we believe the sharing is permitted by you, reasonably necessary to offer our services, or when legally required to do so. For example, we may disclose certain Member Information, Health Provider Information and Visitor Information:

    • To third party vendors who help us provide the Service or the Site or who provide additional goods and services through the Site, including without limitation, testing laboratories, phlebotomists, billing providers and benefits administrators;

RunKeeper’s Privacy Policy reads:

There are certain circumstances in which we may share your Personal Data with certain third parties without further notice to you, including as set forth below:

    • Business Transfers: As we develop our business, we might sell or buy businesses or assets. In the event of a sale, merger, reorganization, dissolution or similar event relating to all or a portion of our business or assets, Personal Data may be part of the transferred assets.
    • Service Providers, Agents and Related Third Parties: We sometimes hire other companies to perform certain business-related functions. Examples include mailing information, maintaining databases and processing payments. When we employ another company to perform a function of this nature, we may need to provide them with access to certain Personal Data. However, we only provide them with the information that they need to perform their specific function, and these third party service providers will only use your Personal Data to perform the services requested by us.
    • Legal Requirements: We may also disclose your Personal Data if required to do so by law or in the good faith belief that such action is necessary to (i) comply with a legal obligation, (ii) protect and defend our rights or property, (iii) act in urgent circumstances to protect the personal safety of users of the Services or the public, or (iv) protect against legal liability.

Safeway’s loyalty program Privacy Policy reads:

Safeway Club Card information and other personal information may be used to help make Safeway’s products, services and programs more useful to its customers. Additionally, Safeway may use personal information to provide you with newsletters, articles, product or service alerts, new product or service announcements, saving awards, event invitations, personally tailored coupons, program and promotional information and offers, and other information, which may be provided to Safeway by other companies.

[Image courtesy sinor favela / fotos voladoras]