You are your data: The scary future of the quantified self movement

Few if any consumers who fell behind on their credit card payments in the early 2000s thought that half a decade later employers would use their credit report to determine their job worthiness. Few avid social media users must have realized that insurance companies, the IRS, law enforcement, and credit agencies would soon use their data to investigate fraud, determine creditworthiness, and monitor other potentially illegal activity. History suggests they should have.
This pattern is repeating itself, with countless consumers today casually sharing highly personal health data through wearable computing hardware, cloud-based quantified self platforms, and even retail loyalty programs without so much as a thought to the potential implications. My argument isn’t one against the quantified self movement. But if history is any guide, naive, blind participation without considering the implications of your data being recorded and shared with third parties is reckless.
As we document and share more of where we go, what we do, who we spend time with, what we eat, what we buy, how hard we exert ourselves, and so on, we create more data that companies can and will use to evaluate our worthiness – or lack thereof – for their products, services, and opportunities. For those of us who don’t measure up compared to the rest of the population, the outcome won’t be pretty.
It will also be our own fault. Consumers are signing up to collect and share personal data at an alarming rate via sleep monitors, pedometers and activity trackers, dietary logs, brainwave monitors, grocery and restaurant loyalty cards, credit cards, Foursquare and Facebook check-ins, and photo geotagging, among other means. As insurers, lenders, and others attempt to manage risk, they will inevitably turn to alternative data sources to round out the picture of each consumer applicant – in fact, they already are.
According to a sales rep for a Midwest data co-location and analytics startup who asked to remain anonymous, regional hospitals, insurers, and grocery retailers are already investigating ways to work together to translate consumer purchase data into health risk profiling insights. Kevin Pledge, CEO of underwriting-technology consultancy Insight Decision Solutions, told The Economist last year that he has forgone the use of supermarket loyalty cards and begun paying cash for his burgers to avoid this very type of profiling. The same article mentions a life-settlements firm declining to purchase an insurance policy based on social media activity that contradicted the supposed poor health of the policy-holder.
These are far from the only examples of companies reaching further into our personal data – Consumer Reports has a rundown of many others – but they should be enough to make us all rethink that package of bacon, those dozen Krispy Kremes, or those Marlboros. One day, the same analysis is likely to be applied to how often we exercise, the length and quality of sleep we get, our eating habits, and possibly even the health of our sex lives.
CVS, for example, has started to require its employees to submit their weight, body fat, glucose levels, and other vitals monthly or pay a fine to cover increased health insurance premiums. If that data was available for the majority of its employees via a quantified self company (or several), CVS and other employers might not even have to ask – and the seemingly fit employee with a secret pound of bacon a day habit may never know why his health insurance premiums are double those of co-workers.
For the last year, State Farm Insurance has been taking a similar approach by offering auto insurance customers discounts for installing real-time monitoring devices into their vehicles coupled with safe driving. Again, if a real-time location smartphone app – or GPS and accelerometer enabled wristband or glasses – is already tracking this data, the insurance carriers might skip the asking, and the discount, and go straight to the database to pass judgment.
One of the most frightening companies in the entire sector is LexisNexis, whose ambition, if I were to paraphrase it, is to have a comprehensive record of every piece of available information on every person in the world – including their current and past residence, spending history, banking information, health information, etc., after scary, etc. And they’re not as far away from this goal as you might think.
Perhaps most troubling was the 2009 merger between VeriChip and Steel Vault (now PositiveID), which combined the first ever human-implantable RFID microchip and the credit-scoring and identity-theft-protection website NationalCreditReport.com. We haven’t heard much from the company since and its website indicates that PositiveID has shifted its focus toward medical applications, but the concept behind the merger remains frightening yet entirely possible.
Many expect the government to protect consumers from this type of potential privacy invasion, but the legislature has demonstrated a pattern of ignoring the ethics of bleeding-edge technological issues until the line has been crossed, and then typically bungling things badly on the first few attempts, before, in some cases, arriving at a generally tenable solution. Peer-to-peer file-sharing, net neutrality, software patents, stem cell research, and the recent SOPA and CIPA debates are all areas where Congress has appeared badly out of step with the world of technology. As such, it’s foolish to leave such matters in the hands of the government.
Really, it all comes down to each individual protecting his own data by virtue of the Terms of Service, Terms of Use, and Privacy Policies that he agrees to with each application. In general, the hardware manufacturers and service providers in the quantified self space seem to have taken a fairly consumer-friendly stance initially (see select highlights below), but it’s not unheard of for companies’ privacy policies and terms of use to change – see Instagram. Also, it’s rare to see a pitch from a quantified self startup that doesn’t point to data monetization as part of its long-term business roadmap. As consumers grow more comfortable with the idea of sharing personal information online, it’s likely these ethical boundaries will be eased.
It’s not just the first-tier company that has the potential to share consumer data, but every dashboard, analytics platform, gamification service, social sharing tool, and other related product that is granted access to the underlying service. Your personal data security is only as strong as the weakest link in your quantified self ecosystem.
It’s easy to come off sounding paranoid, and many would argue that the value received from quantified self devices and services justifies the risk. But it’s not those who consciously make that decision I’m worried about. It’s those who buy a Jawbone Up because it’s sold at the Apple Store then connect it to several Web apps because their trainer recommends them without considering long-term implications. Data is powerful, and just as it has the power to enhance our lives, in the wrong hands it can also harm us.
Below are select excerpts from the privacy policies of several popular quantified self platforms.
Jawbone Up’s TOU read:
We may share your Information with third parties to provide services on our behalf such as to process payments, or to store information collected through our site, app, and services. We may share information with a parent company, subsidiaries, joint ventures, or other companies under common control with us. We may share your personal information for the purposes of a business deal (or negotiation of a business deal) involving sale or transfer of all or a part of our business or assets. These deals can include any merger, financing, acquisition, or bankruptcy transaction or proceeding. We may disclose your personal information to (a) comply with relevant laws, regulartory (sic) requirements and to respond to lawful requests, court orders, and legal process…Even though we have taken steps to protect your personal information, you should know that neither we nor any company can fully eliminate security risks.
Nike’s Digital Privacy Policy reads:
We may transfer your information to NIKE Family service providers to conduct our business. For example, they may handle credit card processing, shipping, data management, email distribution, market research, information analysis, and promotions management. We may also share your information to administer features (e.g. music download, race registration, or workout routine)…Information that is publicly shared may be used by Nike for promotional purposes….However, like other companies, NIKE cannot guarantee 100% the security or confidentiality of the information you provide to us.
FitBit’s Privacy Policy reads:
Fitbit may disclose non-personally identifiable aggregated user data, such as aggregated gender, age, height, weight, and usage data gathered from Fitbit devices (without the inclusion of a user’s name or other identifying information) to:
- Organizations approved by Fitbit that conduct consumer research into health and wellness;
- Users of the Service for purposes of comparison of their personal health and wellness situation relative to the broader community; and
- Advertisers and other third parties for their marketing and promotional purposes.
WellnessFX’s Privacy Policy reads:
We share your information with third parties when we believe the sharing is permitted by you, reasonably necessary to offer our services, or when legally required to do so. For example, we may disclose certain Member Information, Health Provider Information and Visitor Information:
- To third party vendors who help us provide the Service or the Site or who provide additional goods and services through the Site, including without limitation, testing laboratories, phlebotomists, billing providers and benefits administrators;
RunKeeper’s Privacy Policy reads:
There are certain circumstances in which we may share your Personal Data with certain third parties without further notice to you, including as set forth below:
- Business Transfers: As we develop our business, we might sell or buy businesses or assets. In the event of a sale, merger, reorganization, dissolution or similar event relating to all or a portion of our business or assets, Personal Data may be part of the transferred assets.
- Service Providers, Agents and Related Third Parties: We sometimes hire other companies to perform certain business-related functions. Examples include mailing information, maintaining databases and processing payments. When we employ another company to perform a function of this nature, we may need to provide them with access to certain Personal Data. However, we only provide them with the information that they need to perform their specific function, and these third party service providers will only use your Personal Data to perform the services requested by us.
- Legal Requirements: We may also disclose your Personal Data if required to do so by law or in the good faith belief that such action is necessary to (i) comply with a legal obligation, (ii) protect and defend our rights or property, (iii) act in urgent circumstances to protect the personal safety of users of the Services or the public, or (iv) protect against legal liability.
Safeway’s loyalty program Privacy Policy reads:
Safeway Club Card information and other personal information may be used to help make Safeway’s products, services and programs more useful to its customers. Additionally, Safeway may use personal information to provide you with newsletters, articles, product or service alerts, new product or service announcements, saving awards, event invitations, personally tailored coupons, program and promotional information and offers, and other information, which may be provided to Safeway by other companies.
[Image courtesy sinor favela / fotos voladoras]

The more uproars over terms of service we see, the less any of them matter

There was a time early in the Web 2.0 era when a flap over terms of service could strike legitimate fear in the hearts of founders. The whole user-generated content thing was new, and with it the idea that our thoughts, feelings, pictures, and friendships could be the commercial property of a website.
There was a sense that users owned these sites in a way that typical users did not in the Web 1.0 era. Without users, after all, what would YouTube play? Who would Digg anything? What would be on Flickr? We could all just walk, right?
Digg, for one, was renowned for caving to user revolts. Facebook, on the other hand, perfected the art of pretending to hear users, but ultimately doing what it wanted anyway. Indeed, it was hard to know which was the better strategy back then, because it was all so new. Om Malik described one Digg revolt, as he watched it play out with “morbid fascination.”
As someone who has been the subject of a mass social media mob before, I can attest that these things feel huge when you’re in the middle of them. But the truth is they rarely amount to much of anything, and they pass. What’s more: The more frequently they occur, the more everyone realizes that no one will really be forced to change anything.
Take the blogger and alpha user uproar a few weeks ago that Instagram was pulling its features from Twitter. Plenty of digital ink was spilled on how anti-user it was. I was practically alone in saying that the bulk of users wouldn’t actually care. Those who primarily use Twitter would keep using Twitter and use its photo filters. Those who primarily use Instagram or Facebook’s social networks for sharing would continue to use those. Neither side would particularly care about the inconvenience.
Sure enough, according to some numbers reported on TechCrunch yesterday, the whole to-do hasn’t affected the traffic of either site.
Yesterday’s uproar over Instagram’s change in Terms of Service has once again incited an angry mob around the photo-sharing site. What’s really freaking people out is a section that says your images and name could be used in an advertisement without compensation, much as Facebook already does. And the only way to opt out is to close your account.
Sure, this is bigger than the anti-user uproar over photos getting pulled from Twitter, but it’s no bigger than other uproars Facebook has seen over changes in Terms of Service. It’s nothing compared to the revolt over the introduction of the Newsfeed back when Facebook was a much more fledgling company that could well have still been crushed by a scandal.
Organize as many boycotts as you want, post as many passive-aggressive Instagram photos on Facebook as you want, comment on as many blog posts as you want. Quit your account and go to the new Flickr. Facebook/Instagram, and every other Web 2.0 company, won’t climb down one iota, because each user revolt has proven they don’t have to. It doesn’t matter how loud or frequent they are. In fact, the louder and more frequent they get, the harder it is to actually galvanize people to leave a service — which is the only thing that could actually spark change. “What are we mad about this time?”
Remember the great alternative open source social network Diaspora? Despite hundreds of thousands in donations and favorable mainstream press at the time, enthusiasm petered out, and it was handed back to the users earlier this year.
As Erin Griffith pointed out in her excellent post on Amazon’s ad ambitions yesterday, there can be very real repercussions in terms of customer trust that build up over time with each uproar. That may have real implications when it comes to what users opt into. Facebook may have won each of its battles, but it’s known as sleazy and sneaky and has to walk a very fine line whenever it comes to anything related to privacy.
But I’d argue even that is limited. We live in a bubble of people who read and parse and obsess over what these sites are doing. Most social media users simply do not.
As everyone has realized that these uproars amount to nothing, it’s become trendy to lament the loss of mob influence. Whether it’s the uproar that surrounded the launch of App.net or dramatic posts like these, there’s a rash of “What happened to our Web 2.0 paradise?” going around.
It reminds me of the transition when real celebrities started to eclipse nerd celebrities on Twitter. Suddenly Robert Scoble’s hard-fought 300,000 followers didn’t look so impressive next to Ashton Kutcher yawning, rolling out of bed, and getting 13 million followers. The balance of power and what Twitter was all about inexorably shifted. And guess what? The company welcomed it, because it represented mainstream growth. Whether bloggers want to face it or not, mainstream growth is the Holy Grail each of these services has always worked for since the earliest Web 2.0 days. What happened to “our” Web 2.0? Simple: It achieved its goals.
The truth is it wasn’t ever “our” Web 2.0, as bloggers and early adopters. It was always something owned by entrepreneurs and VCs and meant to belong to the world. If it didn’t get that big, these companies wouldn’t have survived. And the vast, vast majority of users care about the free, serendipitous utility of sharing photos, connecting with friends, watching silly videos, and all the other bigger promises that Web 2.0 has actually upheld and made mainstream.
[Image courtesy Thomas Hawk]




