What wearable technology could mean for your privacy

When Mike Sarow quit his day job to become an entrepreneur, he had no idea the invention he helped create would cause some to liken him to the surveillance-happy National Security Agency.

"There were a lot of knee-jerk reactions," said Sarow, 38, who lives in downtown Cincinnati. "I heard, 'You're the NSA's ugly stepchild!' We definitely didn't do something benign. We did something provocative."

It's a sentiment shared by developers of a lot of wearable devices, of which there are dozens and counting: Fitness trackers keep tabs on how active you are, recording devices – like Sarow's audio-collecting Kapture – chronicle your daily interactions, sleep monitors gauge when you're catching your best shuteye.

Wearables are in huge demand: Research firm Markets and Markets predicts the industry will grow to $11.61 billion by the end of 2020. But as the technology becomes more ubiquitous, security experts say the companies creating these products can't always ensure the data collected won't end up in unintended hands, or be used for unauthorized purposes.

"We have really reached an inflection point in 2015," said Adam Towvim, president, CEO and co-founder of TrustLayers Inc., a Massachusetts-based security company. "Even if someone's data stays properly secured inside of someone's four walls, the risk of misuse of data is as great as data leakage."

Symantec Corp., a tech security company headquartered in California, recently analyzed a variety of wearables and found that all hardware-based devices it examined were 100 percent trackable. One in five tracking apps also transmitted user-generated data, such as names, email addresses and passwords, without encryption.

Consumers using wearables could be putting themselves at risk for:

• Identity theft. Fraudsters could use data to better fake official documents, set up false bank accounts or file fraudulent tax returns.

• Profiling. Details given by users could provide organizations data used to discriminate against certain groups or minorities.

• Stalking. Some wearables contain location-based personally identifiable information, allowing outsiders who gain access to see where you are in real time. Burglars also could use that info to target your home when you're away.

• Extortion. Health-monitoring devices are among the hottest new wearables, capable of tracking blood glucose in diabetics, measuring heart rates and mapping sleeping habits. Some invite users to also self-track their moods, their toilet use and their sexual activity, and none of the info is protected by the federal Health Insurance Portability and Accountability Act (HIPAA) the way that info you share with your doctor is.

• Misuse. While some businesses are encouraging use of activity trackers such as the Fitbit to improve workers' health, some employees balk, saying that their bosses could use the data to inappropriately track their productivity and even target them for firing.

And those are just the risks we know about today, experts warned. "In the future, who knows what is possible," said Arturas Vaitaitis, creator of Monbaby, the first-ever button monitor for newborns. His device will track your baby's breathing rate, movement and sleep positions, transmitting vital signs and alerts to your smartphone via Bluetooth.

"It's like when electricity came out, people were warned that it could be dangerous, it could kill people," Vaitaitis said. "There will be positives and negatives (with wearables), and people will weigh their privacy against value."

Big data is big business

Big data is such big business that last year, the Federal Trade Commission urged lawmakers to push for transparency and accountability among so-called data brokers – entities that buy and sell information about people, often without consumers' knowledge.

Marketers can use the data collected to tailor ads to users: For example, a fitness buff using an activity tracker might get a targeted ad for new running shoes, or a pharmaceutical company might try to buy information to help find people likely to buy sleeping or weight-loss aids.

Symantec warns of more sinister uses, however: Could a burglar use your sleep monitor to tell when you're in your deepest sleep? Or a stalker learn your daily patterns through your location tracker?

Candid Wueest, Symantec's threat researcher based in Switzerland, said that such concerns might seem outlandish, but they're not. Just as burglars have used social media posts to target vulnerable homes, they could easily shift focus to so-called quantified-self data.

"The main concern should be around the lack of privacy with such devices," Wueest told The Enquirer on Wednesday. "The issue of stalkers using this information might only concern a smaller group of people, but for them it can be really tragic."

Sarow faces a different set of privacy questions. He co-created Kapture Audio, which constantly records and buffers the latest 60 seconds of sound surrounding its wearer and stores those minute-long snippets when the wearer double-taps it.

The Cincinnati startup made headlines when its 2013 fundraising campaign on the crowdsourcing site Kickstarter raised more than $160,000. So far, Kapture has pre-sold 2,000 devices, delivery of which are expected to begin next month.

Kapture predictably generated some controversy, but the NSA comparison was jolting.

"We're the exact opposite of the NSA," Sarow said. "The NSA records everything and saves it on the off-chance they might need to extract something later."

Kapture, on the other hand, is curated by the wearer, because while the device buffers everything, it only saves 60 seconds of sound, and only when the wearer instructs it to.

Sarow said that he and co-creator Matthew Dooley didn't design the device to be surreptitious. They encourage users to tell people around them what the device is, even though most states legally have "one-party consent" laws, meaning that only one person in a conversation needs to know that it's being recorded. (Eleven states, including Pennsylvania and Illinois, require that every party to a conversation give consent for a recording to be considered lawful.)

The saved sound bytes are stored in a cloud server maintained by Kapture. The company is doing its best to ensure safe storage, but Sarow acknowledged that nothing is 100 percent secure.

"If the CIA can be breached, I'm sure Kapture can be breached," he said.

Hagai Bar-El, chief technology officer for California-based Sansa Security, said the data collected by wearables is only as protected as the network that holds it – and it's likely to be stored indefinitely.

"The trend today, given the ever-decreasing cost of storage, is to store data forever," he said in an email to The Enquirer. "A CIO will prefer to pay a bit more for a little more disk space than risk his job and company prosperity by deciding to discard data that is one day determined to have been useful."

Millennials swap privacy for products

While Sarow endured some Big Brother-inspired jabs, a lot of consumers aren't yet demanding that the data collected by their wearables be heavily protected.

The Symantec analysis found that 52 percent of the self-tracking applications they weighed didn't make public any privacy policies. That means users weren't told who was collecting the data, what was being collected, how it would be used, how long it would be kept and whether the data would be shared with outside parties.

Jenna Wolf, 25, who lives Downtown, got a Fitbit to monitor her activity levels for her birthday last July. She didn't think much about what would happen to her data once collected, and seven months later, she's still not worried about it.

"Personally, I am not concerned about my whereabouts being tracked," she said. "I feel like phones and other devices can do the same thing."

It's a sentiment shared by a lot of Millennials, according to a study by the University of Southern California's Annenberg Center for the Digital Future and Bovitz Inc., which found that people ages 18 to 34 don't have much expectation of privacy.

That's not to say they don't value it: Another study, by Contagious Communications and Flamingo, found that Millennials view their privacy as a commodity, and that they're more likely than other generations to boycott companies they feel have violated their trust. In other words, if you're collecting their information, you'd better give them something they value in return.

So what's someone's privacy worth? Towvim, the TrustLayers CEO, predicts that 2015 will be the year we learn the limits.

"This is going to be the year of privacy by disaster," he said. "Instead of everything being designed properly, it's going to be the year where we see quantified-self data leak, and that's when the data-gathering companies are going to realize they need to care for the misuse of the data they collect at the same scale that they analyze the data."