“Wearables” are all around us. From fitness trackers to smart watches, many people are using these devices to monitor their health. Of course, we’ve had other types of portable health devices for quite a while including automated insulin pumps and pacemakers. These devices use various communication methods… but do we know what personal data is being communicated and how it’s shared? We will look at the current state of health and fitness wearables and portables and discuss where things are going.
Discuss the current state of health and fitness wearables.
Review privacy and security considerations for wearables and fitness apps.
Consider the implications and futures for health and fitness devices.
Wearing Your Heart On Your Sleeve - Literally!
1. Celebrating a decade of guiding security professionals.
@Secure360 or #Sec360 www.Secure360.org
Wearing My Heart on My Sleeve… Literally!
Barry Caplin
Tues. May 12, 2015, 11A
2. Wearing My Heart On My Sleeve… Literally!
Secure360
Tues. May 12, 2015
bcaplin1@fairview.org
bc@bjb.org @bcaplin
http://about.me/barrycaplin
http://securityandcoffee.blogspot.com
Barry Caplin
VP, Chief Information Security Officer
Fairview Health Services
20. Example TOS/Privacy – Fitness device
• 13 or older
• Account with valid email
• Rules about posting content
• You own your content
• Use at your own risk
• Consult doctor before exercising
• “Use Common Sense”/Wear & Care – skin
• 3rd party disclaimer
• Indemnity
• Limitation of Liability/Dispute Resolution
21. Example TOS/Privacy – Fitness device
• Only collect data useful to improving products, services, experience
• Transparency
• Never sell PII (can opt-in)
• Take security seriously
• Info:
• Email address, pw, nickname, dob
• Oauth: name, profile pic, friend list, phone contact list (friend id – not saved)
• Web logs incl. IP
• Cookies – don’t honor DNT – AppNexus, DataXu, DblClick, Google AdWords, AdRoll, Twitter, LiveRamp, Advertising.com, Bidswitch, Facebook, Genome, SearchForce
• Analytics – Mixpanel, Google Analytics, New Relic, KissInsights, Optimizely
• Friends’ contact info
• Location – GPS, WiFi APs, cell tower IDs
22. Example TOS/Privacy – Fitness device
• De-Identified data -> health community, marketing, for sale
• PII shared with:
• Order fulfillment, email mgmt., CC processing firms
• Legal or Gov’t request
• Merger, sale or reorg
• Anyone user specifies (third party apps)
24. Who’s Watching?
2014 FTC report on Data Brokers
• Combine online & offline – often without consent
- Purchases
- Social Media
- Warranty info
- Subscriptions
- Affiliations
• They share
• Analysis creates inference
• Regulation proposed
25. Data Brokers collect
• Basic ID data – name, address
• ++ – ssn, license #
• Demographics – A/S/L, race, employment, religion
• Court records – bankruptcy, criminal, domestic
• Home/Neighborhood – rent/loan info
• Interests
• Financial – credit, income, net
• Vehicle – brand, new/used
• Travel – preferences
• Purchase behaviors
• Health – tobacco, allergies, glasses, supplements
26. De-Identi-what?
• 2000 study – 87% census ID’d using: zip, d.o.b., gender
http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1450006
• 2013 – 40% of genome participants ID’d
• 2008 – 80% ID’d using when/how for 3 Netflix ratings
http://ieeexplore.ieee.org/xpl/articleDetails.jsp?reload=true&arnumber=4531148
• Feb deal between Facebook, Acxiom and other data brokers
− Acxiom data linked to 90% of US social profiles
• MIT – 4 phone position samples to link to specific person
http://www.technologyreview.com/news/513016/how-wireless-carriers-are-monetizing-your-movements/
https://epic.org/privacy/reidentification/ + MIT + UCLA
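The re-identification results above (ZIP, date of birth and sex picking out most of a population; four location samples singling out a person) all come down to how many records share the same quasi-identifier values. The following is an added example, not code from the talk or from any of the cited studies: it measures that uniqueness on a small constructed dataset and then applies the standard generalize-and-suppress approach (Sweeney's k-anonymity) before "release". Field names, the ZIP/birth-year coarsening rule and the sample records are all assumptions made for the illustration.

```python
from collections import Counter

# Constructed sample records (fictional people, assumed field names).
# zip / dob / gender are the quasi-identifiers; condition is the sensitive attribute.
RECORDS = [
    {"zip": "55401", "dob": "1979-03-14", "gender": "F", "condition": "asthma"},
    {"zip": "55405", "dob": "1979-09-20", "gender": "F", "condition": "none"},
    {"zip": "55402", "dob": "1985-11-02", "gender": "M", "condition": "diabetes"},
    {"zip": "55402", "dob": "1985-11-02", "gender": "M", "condition": "none"},
    {"zip": "55403", "dob": "1990-06-30", "gender": "F", "condition": "hypertension"},
    {"zip": "55404", "dob": "1990-07-01", "gender": "F", "condition": "none"},
    {"zip": "60601", "dob": "1972-01-05", "gender": "M", "condition": "none"},
]

QUASI_IDENTIFIERS = ("zip", "dob", "gender")


def quasi_key(rec, fields):
    """The tuple of quasi-identifier values an outside dataset could be joined on."""
    return tuple(rec[f] for f in fields)


def uniqueness_fraction(records, fields):
    """Fraction of records whose quasi-identifier tuple is shared by no other record.

    This is the statistic behind the '87% of the census' style results: a record
    that is unique on (zip, dob, gender) is re-identified by anyone who knows
    those three facts about the person.
    """
    counts = Counter(quasi_key(r, fields) for r in records)
    unique = sum(1 for r in records if counts[quasi_key(r, fields)] == 1)
    return unique / len(records)


def min_k(records, fields):
    """Smallest equivalence class size: the k in k-anonymity for this release."""
    counts = Counter(quasi_key(r, fields) for r in records)
    return min(counts.values())


def generalize(rec):
    """Coarsen quasi-identifiers (assumed rule): 3-digit ZIP prefix and birth year only."""
    return {**rec, "zip": rec["zip"][:3] + "**", "dob": rec["dob"][:4]}


def k_anonymize(records, fields, k):
    """Generalize, then suppress every record still in a class smaller than k.

    Returns (released_records, number_suppressed). Every class in the released
    set has at least k members, so no single record can be picked out on the
    quasi-identifiers alone.
    """
    generalized = [generalize(r) for r in records]
    counts = Counter(quasi_key(r, fields) for r in generalized)
    released = [r for r in generalized if counts[quasi_key(r, fields)] >= k]
    return released, len(generalized) - len(released)


if __name__ == "__main__":
    print("raw uniqueness: %.2f, min k = %d"
          % (uniqueness_fraction(RECORDS, QUASI_IDENTIFIERS), min_k(RECORDS, QUASI_IDENTIFIERS)))
    released, dropped = k_anonymize(RECORDS, QUASI_IDENTIFIERS, k=2)
    print("released %d records (%d suppressed), min k = %d"
          % (len(released), dropped, min_k(released, QUASI_IDENTIFIERS)))
```

On the constructed data, five of seven raw records are unique on (zip, dob, gender); after generalization the six Minneapolis-area records fall into classes of two and the lone out-of-area record is suppressed. The check is worth running on any "de-identified" extract before it goes to a health community or marketing partner, since k-anonymity is only a floor: records in the same class can still share one sensitive value, and linking additional fields (location traces, purchase history) re-shrinks the classes.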
28. Data Exfil
• Data explicitly given
• Implicitly but known (phone, Google Now)
• Implicitly but unknown
• Transitive Consent
29. Is Privacy Dead?
• Just the definition!
• Privacy is about control
• You must have the ability to decide:
− What
− When
− How, and
− With whom
You share your personal data
• What’s in it for you
30. “Magic Quadrant” of Data Leak Pain
[2x2 matrix slide: vertical axis “Choice” (Known / Unknown), horizontal axis “How Much” (No/Yes / Huh?)]
31. Future Shock
• Msoft/U of Rochester (NY)
• GPS + vehicle data
• Where you will be 80 weeks from now – 80% confidence
http://www.cs.rochester.edu/~sadilek/publications/Sadilek-Krumm_Far-Out_AAAI-12.pdf
32. Security Challenges
Exposure of data
Leakage of data – sold, donated, tossed, repaired drives
Poor Design/Protocols
Malware
Integrity
Availability
But don’t we have all this now???
35. At Work
• Wearable = portable = stealable
• What data
• How stored – device, phone, computer, component, cloud
• How backed up (cloud)
• Encryption available?
• Location
• Medical, health info on staff
• Additional info exposure – opportunities for social engineering
36. For Work?
• BYOW?
• Employer-provided?
− Badge
− Smartphone
− Glass?
− RTLS?
− Health/fitness monitoring?
− Time – Desk, Meetings, Bathroom, Break, Lunch or Coffee time?
44. CISOs are from Mars
CIOs are from Venus
Secure360
Tues. May 12, 2015 1:30P
Editor's Notes
Talk based on 7 parts of 5 part blog series (blog link, twitter link)
Check out my about.me, with links to twitter feed and Security and Coffee blog.
AppleWatch 2015; iPad 2010; iPhone 2007; Android/Youtube 2005
In 2004, the ACLU produced a satiric video called “Ordering Pizza in 2015” that has become the single most-downloaded piece of content we’ve ever produced (at least we believe in the absence of complete stats). I won’t describe it—you can watch it here if you haven’t seen it—but like many successful viral products, it combined humor with a biting commentary on an all-too-real set of trends.
https://www.aclu.org/blog/aclus-pizza-video-10-years-later
http://thedatamap.org/
https://www.fitbit.com/terms
https://www.fitbit.com/privacy
2.8 zettabytes in 2012; predicted >5.6zb in 2015
http://www.technologyreview.com/news/514351/has-big-data-made-anonymity-impossible/
http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1450006
Latanya Sweeney, Uniqueness of Simple Demographics in the U.S. Population (Laboratory for Int’l Data Privacy, Working Paper LIDAP-WP4, 2000). For more on this study, see infra Part I.B.1.b. More recently, Philippe Golle revisited Dr. Sweeney’s study, and recalculated the statistics based on year 2000 census data. Dr. Golle could not replicate the earlier 87 percent statistic, but he did calculate that 61 percent of the population in 1990 and 63 percent in 2000 were uniquely identified by ZIP, birth date, and sex. Philippe Golle, Revisiting the Uniqueness of Simple Demographics in the US Population, 5 ACM Workshop on Privacy in the Elec. Soc’y 77, 78 (2006).
http://ieeexplore.ieee.org/xpl/articleDetails.jsp?reload=true&arnumber=4531148
We apply our de-anonymization methodology to the Netflix Prize dataset, which contains anonymous movie ratings of 500,000 subscribers of Netflix, the world's largest online movie rental service. We demonstrate that an adversary who knows only a little bit about an individual subscriber can easily identify this subscriber's record in the dataset.
Arvind Narayanan & Vitaly Shmatikov, Robust De-Anonymization of Large Sparse Datasets, in PROC. OF THE 2008 IEEE SYMP. ON SECURITY AND PRIVACY 111, 121 [hereinafter Netflix Prize Study]. For more on this study, see infra Part I.B.1.c.
MIT researchers Yves-Alexandre de Montjoye and César A. Hidalgo
http://www.technologyreview.com/news/514351/has-big-data-made-anonymity-impossible/
http://aboutmyinfo.org/index.html
Analyzed 32K days worth of GPS data
http://www.cs.rochester.edu/~sadilek/publications/Sadilek-Krumm_Far-Out_AAAI-12.pdf
Real-Time Location Service
http://blog.ioactive.com/2013/02/broken-hearts-how-plausible-was.html
http://www.secure-medicine.org/public/publications/icd-study.pdf
http://www.forbes.com/sites/singularity/2012/12/06/yes-you-can-hack-a-pacemaker-and-other-medical-devices-too/
Before 2006, all pacemaker programming and interrogation was performed using inductive telemetry. Programming using inductive telemetry requires very close skin contact. The programming wand is held up to the chest, a magnetic reed switch is opened on the implant, and the device is then open for programming and/or interrogation. Communication is near field (sub-1 MHz), and data rates are less than 50 KHz. The obvious drawback to inductive telemetry is the extremely close range required. To remedy this, manufacturers began implementing radio-frequency (RF) communication on their devices and utilized the MICS (Medical Implant Communication Service) frequency band. MICS operates in the 402-405 MHz band and offers interrogation and programming from greater distances, with faster transfer speeds. In 2006, the FDA began approving fully wireless-based pacemakers and ICDs.

Recent remote monitors/bedside transmitters and pacemaker/ICD programmers support both inductive telemetry as well as RF communication. When communicating with RF implantable devices, the devices typically pair with the programmer or transmitter by using the serial number, or the serial number and model number. It's important to note that currently the bedside transmitters do not allow a physician to dial into the devices and reprogram the devices. The transmitter can only dial out.
http://arstechnica.com/security/2012/08/medical-device-hack-attacks/
http://www.telegraph.co.uk/news/science/science-news/11212777/Terrorists-could-hack-pacemakers-like-in-Homeland-say-security-experts.html