Several of the most popular fitness wearable makers have been criticized for having obscure and asymmetrical terms and conditions that impinge on European consumers' privacy and consumer rights.
In an analysis of the privacy policies and T&Cs of four wearable makers, Fitbit, Garmin, Jawbone and Mio, the Norwegian Consumer Council found reason to be critical of the various trade-offs all four require consumers to accept in order to use their services.
"The wristbands are useful tools for monitoring and motivating fitness activities. Simultaneously we are giving up personal information about our health, activities, and location under asymmetrical and obscure terms," said Finn Myrstad, director of digital services at the Consumer Council, in a statement.
"We fear that this information can be exploited for direct marketing and price-discrimination purposes, and that basic privacy principles are being neglected."
The Council's report examines the T&Cs and privacy policies of the Fitbit Charge HR, Garmin VivoSmart HR, Mio Fuse and Jawbone UP3 and flags up a range of failures, as the body sees it, including that:
- None of the companies will give users proper notice about changes in their terms
- All of the wristbands collect more data than what is necessary to provide the service
- None of the companies fully explain who they may share user data with
- None of the companies state how long they will retain user data
It's also unhappy about the lack of data portability offered; about procedures for deleting data being inadequately explained; and about user agreements giving narrow and vague definitions of what constitutes personal data, among other criticisms.
The Council says it intends to file a joint complaint against all four companies with the national DPA and the Consumer Ombudsman for breaching the European Data Protection Directive and the Unfair Contract Terms Directive.
"It is important that we don't give up basic rights in order to use the products and services of the future," Myrstad adds, pointing to a general trend of more and more connected devices being packed with data-collecting sensors.
"Consumers have little access to information about where their personal data are being sent, and how this is used."
Lengthy T&Cs, vague definitions, data-sharing question marks
The report is critical of how wordy and impenetrable the fitness wearables' T&Cs and privacy policies can be, something the Council has previously called out app makers for.
"When terms and conditions are too long and complicated for anyone who may wish to read them, it is relevant to ask whether informed consent can truly be given," it notes.
"The NCC deems it unreasonable to expect consumers to read 22 pages of terms before making use of their product, which makes the implication of informed consent problematic," it adds.
When it comes to hard-to-understand language, the NCC says all four services make liberal use of what it dubs "vague language," but it calls out Garmin and Mio as the worst offenders here.
"[I]n the use of easily understandable language (e.g. not overly legalistic or technical), Fitbit and Mio use layman's terms where possible, while Garmin and Jawbone have terms of service that are quite difficult to parse for the average consumer," it notes.
Fitbit also gets a plus for structuring its T&Cs in a format that's easier for consumers to understand, and for not writing terms in caps lock (as all the others do), although its terms are still the longest of the lot.
Garmin, meanwhile, does not regard location data as personal data, according to the analysis, and Jawbone does not specify what it means by personal data at all.
"In practice, this means that these two services can process some data regarded as personal by European standards, without regarding or treating this information as sensitive," the report argues.
The NCC also calls out all the services for failing to give a clear indication of who they share personal data with, with only Fitbit mentioning some analytics third parties by name.
Regarding the question of who user data may be shared with, Garmin "redirects users to Garmin's publicly available filings with the U.S. Securities and Exchange Commission website to see the current list of Garmin's affiliates," writes the Council, adding: "This is an obscure and complicated way of informing consumers, and neither the NCC nor The Citizen Lab were able to actually discern who these affiliates are."
The NCC also commissioned a technical test of the device makers' apps by a third-party consultancy firm, and says this unearthed several instances of data going to unlisted third parties:
"Garmin and Fitbit send a call to graph.facebook.com upon starting the app, regardless of whether the user actively attempts to connect to Facebook. If the user also has the Facebook app installed on their phone, this allows Facebook to link the wristband to the phone's device ID.
"The Garmin Connect app also notifies the ad-trackers Tags.tiqcdn.com and Gigya while using the app, transmitting the device's IP address. Although the tests have not shown any clear indication that this data is transmitted for marketing purposes, the information that is transmitted could be used to display targeted advertising on different platforms. None of the relevant terms or privacy policies state that data is being passively sent to these third parties when using the apps."
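The check behind that finding is easy to script once you have a capture of what the companion app talks to. The following is an added example, not code from the NCC report or from the consultancy that ran the test: it takes a proxy-style capture of outbound requests (a constructed sample here, with hostnames matching the ones the report names but with the paths, timings, the "trigger" column and the Gigya hostname invented for illustration), reduces each hostname to its registrable domain, compares it against the parties the app's policy actually declares (an assumed allowlist, not the real policies), and separately flags destinations reached on app start, before the user has done anything.

```python
"""
Passive third-party audit of captured companion-app traffic.

Illustrative script, not part of the NCC report or the Citizen Lab test:
given a capture of what an app contacts and the parties its privacy policy
names, list the destinations the policy never mentions and flag those that
are contacted on app start, i.e. without any user action.
"""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample capture, NOT real data. One line per outbound request:
# "timestamp app trigger url". graph.facebook.com and tags.tiqcdn.com are the
# hosts the report names; cdns.gigya.com, the paths and the timing are assumed.
SAMPLE_CAPTURE = """\
12:00:01 garmin app_start https://connect.garmin.com/api/session
12:00:01 garmin app_start https://graph.facebook.com/v2.7/activities
12:00:02 garmin app_start https://tags.tiqcdn.com/utag/garmin/main/prod/utag.js
12:00:09 garmin user_sync https://cdns.gigya.com/js/gigya.js
12:00:10 garmin user_sync https://connect.garmin.com/api/upload
12:01:00 fitbit app_start https://api.fitbit.com/1/user/-/profile.json
12:01:00 fitbit app_start https://graph.facebook.com/v2.7/activities
12:01:05 fitbit user_sync https://api.fitbit.com/1/user/-/activities.json
"""

# Assumed "declared" parties per app: the first-party domain plus whatever the
# policy names. An illustrative allowlist, not the vendors' actual policies.
DECLARED = {
    "garmin": {"garmin.com"},
    "fitbit": {"fitbit.com"},
}

# Minimal stand-in for the Public Suffix List so that e.g. api.example.co.uk
# collapses to example.co.uk. A real audit should use the full list instead.
TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}


def registrable_domain(host: str) -> str:
    """Collapse a hostname to its registrable (eTLD+1) form: graph.facebook.com -> facebook.com."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def parse_capture(text: str):
    """Yield (app, trigger, host) tuples from the whitespace-separated capture format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, app, trigger, url = line.split(maxsplit=3)
        host = urlsplit(url).hostname
        if host:
            yield app, trigger, host


def audit(capture: str, declared: dict) -> dict:
    """
    For each app, return the undeclared registrable domains it contacted and
    the subset of those reached on app start (before any user action).
    """
    undeclared = defaultdict(set)
    on_start = defaultdict(set)
    for app, trigger, host in parse_capture(capture):
        dom = registrable_domain(host)
        if dom in declared.get(app, set()):
            continue  # first party or a party the policy actually names
        undeclared[app].add(dom)
        if trigger == "app_start":
            on_start[app].add(dom)
    return {
        app: {
            "undeclared": sorted(undeclared[app]),
            "contacted_on_start": sorted(on_start[app]),
        }
        for app in sorted(undeclared)
    }


if __name__ == "__main__":
    for app, findings in audit(SAMPLE_CAPTURE, DECLARED).items():
        print(f"{app}: undeclared={findings['undeclared']} "
              f"on_start={findings['contacted_on_start']}")
```

Run on the constructed capture, the script reports facebook.com, gigya.com and tiqcdn.com as undeclared for Garmin (the first and last of them on app start) and facebook.com for Fitbit. Comparing at the registrable-domain level rather than exact hostname is deliberate: trackers rotate subdomains, and a policy that names "Facebook" covers every graph.facebook.com-style endpoint, so matching on eTLD+1 avoids both false positives and easy evasion.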
When it comes to obtaining consent to share user data with third parties, the NCC deems Jawbone and Garmin best in class for having policies that state they will not do so without obtaining prior consent.
On the issue of whether user data is deleted when a user deletes their account, all of the services are criticized for failing to explicitly state that they will do this.
"Unfortunately, none of the analyzed fitness trackers explicitly state that they will delete user data when the account is deleted. Fitbit is probably the least worst on this point, stating that when the user account is deleted 'data that can identify you will be removed from the Service'," the report notes.
"However, they continue by saying, 'Backup copies of this data will be removed from our server based upon an automated schedule, which means it may persist in our archive for a short period. Fitbit may continue to use your de-identified data.'"
None of the fitness trackers analyzed makes any mention of data retention periods either, which the NCC concludes means they do not delete inactive users' data.
"This is problematic, since many users might delete the apps and assume that their information will not be put to further use. If inactive users' data is not deleted, it could potentially be re-used for other purposes long after the user left the service," it writes.
All the services are also criticized for making it difficult for users to delete an account.
Summing up its conclusions, the Council calls for an overhaul of the way fitness trackers treat consumers' data.
"Health data is, as seen over the course of this report, very sensitive information, and should not be treated lightly," it writes. "Since app-operated fitness wearables are a still-evolving technology, there is still time to implement consumer-protective measures and standards."
It also warns of the looming impact of the new General Data Protection Regulation (GDPR), which applies across the European Union from May 2018, saying that many of the issues it is flagging will become easier to address as a result of the new regulation.
"By implementing principles such as privacy by design, these service providers will be ready for the new regulation, and also enhance consumer trust, which is good for both users and for businesses," it adds.
We reached out to Fitbit, Garmin, Jawbone and Mio to ask for their response to the report. At the time of publishing only Fitbit and Jawbone had responded. We'll update this story with any additional statements. Fitbit provided the following statement:
"We share the Norwegian Consumer Council's commitment to protecting consumer privacy, and we look forward to working with them and regulators to continue to ensure strong privacy practices are in place."
Fitbit also noted that on September 29 it signed up to the European Commission's new EU-US personal data transfer framework, aka the Privacy Shield, arguing that its rapid adoption of the data transfer mechanism "affirms our ongoing commitment to data security for our customers."
It's worth noting, though, that the EU-US Privacy Shield is itself now facing a legal challenge, with Digital Rights Ireland arguing the framework does not provide adequate safeguards for Europeans' data to comply with regional data protection law.
Jawbone provided the following statement in response to the NCC report:
"We are currently reviewing the report from the NCC.
"We want to reassure our users and let them know that we only share their data if they ask us to, for example to integrate with a third-party app. We are custodians of the users' data. We collect it, analyze it, and present it back to the user with meaning. The user may give us permission to share that data. They can download their data and take it somewhere else. And they can ask us to delete it (which we will do)."
Update: Mio has now also provided the following statement:
Read more: https://techcrunch.com