In today’s article, we will talk about the reliability of connected Fitbit wristbands and how they are being hacked. The phenomenon is still not very widespread in Europe, but in the United States, it has become a real problem. It is the owners of these connected bracelets who try to hack them. Why are they trying to hack them? We explain everything in this article. We take this opportunity to give you an analysis of the connected health insurance sector.
Some insurance companies offer contracts at more attractive rates if you agree to wear a connected bracelet, and to share with them the data thus collected. The phenomena of hacking connected bracelets started to appear several years ago. The underlying reason is that these devices create an asymmetry of information that gives insurance companies unprecedented power over the insured. However, the hacking of these bracelets will not withstand a sophisticated analysis of the collected data. Before sharing your data, you should, therefore, think twice.
- Connected bracelets generate very personal data
- Examples of insurance companies who use connected bracelets
- The principle of mutualisation is becoming less and less probable
- High-risk behaviour detectable with a connected wristband
- Why wearing a connected bracelet puts you in a vulnerable position
To fully understand the phenomenon of hacking connected bracelets, we must first understand how these devices are positioned in the data universe. We will, therefore, in the first part, focus on the types of information collected by the connected bracelets. In the second part, we will explain how this data gives an excessive amount of power to insurance companies and constitutes an essential risk for our societies. The reason why owners “hack” their connected bracelets will then become apparent.
The connected bracelets are the origin of non-medical devices that allow an individual to follow his daily activity: the number of steps in the day, distance travelled. However, the pedometers of our childhood have improved and now include various sensors to measure your cardiac activity, for example. It remains approximate, but the volume of data collected has become a selling point for companies like Fitbit.
The manufacturers of connected bracelets tell you over and over again: they are not medical devices, and therefore the data may not be reliable. If you read between the lines, you will understand that the data collected is in fact, unreliable. You will find all kinds of tests on the internet comparing the accuracy of these connected bracelets to each other and devices with proven reliability (pedometers, electrocardiogram). Scientists are also interested in the accuracy of the different models on the market. Errors in step counting (one of the most common features) ranged from 1.85% to 58%.
As far as sleep monitoring is concerned, a study conducted by NUY doctors, for example, showed that sleep quality measurements were unreliable. The American Academy of Medicine has taken a stand on this issue and has pointed out the lack of accuracy of these devices.
Another study showed that monitoring heart rate over time was indicative of changes in physical activity.
In conclusion, beyond the playful aspect, it can, therefore, be said that these devices do not present an undoubted medical interest even if the technology is improving. However, they have been able to convince other types of customers: the corporate sector.
Quelles sont les données personnelles collectées par les bracelets connectés ?
In a world where data is the new Eldorado, connected bracelets represent an inexhaustible resource. The information that is collected by both the bracelet and the application is numerous:
- Physical activity (number of steps, automatic detection of sports activity, stairs)
- Rest (via alarms for waking up, measurement of sleep phases)
- Biometric indicators (heartbeat)
- Localisation (collection of GPS data via the application)
And all this can be linked to the identity of the bearer and sometimes even to financial data when a subscription is paid. Look at the example of Sanitas or Vitality below. By linking your Apple Watch to their respective apps, you are prompted to provide a range of other information (such as what you eat).
In short, under the guise of playful monitoring of your activity, you are, in fact, the product. Some companies were quick to take an interest in this new class of products: Insurance companies.
We’re not going to advertise for them, but there are many examples of insurance companies using these connected bracelets in the United States and the United Kingdom. They include
- John Hancock Financial
- Vitality, a company we wrote about as early as 2016. Today it is difficult to have precise information
- about the membership program, but in our article, at the time we documented the discounts that were given to connected bracelet wearers.
- Virgin Pulse well-being program (Verizon Media)
- Sanitas (Swiss company)
Some statistics concerning the connected bracelets
- 50 million Americans participate in a wellness program in which they are “invited” to wear a connected bracelet.
- £300: the annual savings that Vitality UK promised to its connected bracelet customers in 2016
- +1.85%: the precision of the TomTom Go bracelet in terms of step counting
- +57.65%: the error of the connected Healbe GoBe bracelet in counting steps
One principle governs insurance: risk pooling. People who are healthier pay for those who are less fortunate. But this model is undermined by the search for profit. This is not just about health insurance.
In the business model of an insurance company profit can only come in two ways:
- deny compensation to those already insured
- refuse admission to those who are most at risk
The connected bracelet is a device that will ultimately provide insurers with an incredible advantage over policyholders. The connected bracelet is a device that generates asymmetry of information as never before to the benefit of the insurance industry. Indeed, access to your data allows in theory to model a large number of behaviours. Even if the authorities do not allow everything in terms of data collection (see the GDPR), let us remember that in the absence of sector-specific regulation, the principle of sacrosanct consent reigns supreme. Checking the boxes gives potentially pervasive rights to the data controller.
The data collected by the connected bracelets potentially allows insurers to refuse compensation or deny their services to those most at risk.
The connected bracelet allows the person who accesses the data (the insurer) to exert an excessive amount of power over his client (the insured). This power is enabled by the data and its ability to reveal behaviour or predict risk. Here are several examples:
- risk of sedentarisation linked to a change in the insured’s mobility
- Sleep-related risks (by measurement or simply by waking up)
- Weight gain related risks
- risk related to heart rate characteristics
- stress risk (some connected bracelets offer you a measure)
- risks linked to the countries visited (via the application’s GPS)
- risks related to driving (instantaneous speed calculation via the GPS chip)
As you can see, the possibilities for using the data are immense. By giving access to his data, the policyholder lays himself bare. Soon, one can even imagine that the bracelet can be used in risk assessment procedures: to assess your premium, the insurer asks you to wear a connected bracelet for a time t. In a premonitory article from 2017, Andrew Boyd anticipated a scenario in which an insurance company could refuse to insure you based on your connected data.
The question is, therefore, whether it is possible to “hack” the system as the video at the beginning of this article shows. By doing so, policyholders only manage to “hack” one sensor. But as we have seen, changes in behaviour, risks, can be detected in different ways. Walking, for example, can be measured in the number of steps, but can also be detected by a change in heart rate. It is, therefore, naïve to think that an insurer can be fooled in this way.
Now more than ever, it is crucial to understand what personal data means to businesses. For some of them, such as insurance companies, personal data will become a way to be more competitive by better appreciating the risk represented by their policyholders or not their prospects. By voluntarily agreeing to wear a connected bracelet, you allow insurance companies to access data that can help them reduce costs (by detecting possible payment discrepancies) or increase revenues (by adjusting premiums based on a risk assessment based on observed elements). Individuals need to realise that wearing a connected bracelet leads to an increase in the bargaining power of insurance companies by inducing information asymmetry. A word to the wise!
Images d’illustration : shutterstockTags: bank and insurance