Connected insurance: reliability of connected wristbands and hacking

In today’s article, we will talk about the reliability of connected Fitbit wristbands and how they are being hacked. The phenomenon is still not very widespread in Europe, but in the United States, it has become a real problem. It is the owners of these connected bracelets who try to hack them. Why are they trying to hack them? We explain everything in this article. We take this opportunity to give you an analysis of the connected health insurance sector.

Only for our subscribers: exclusive analyses and marketing advice

Email address  *

Subscribe

By signing up, you agree to our Terms of use and privacy policy.

"I thought the blog was good. But the newsletter is even better!"

Esteban Hendrickx, art director

Summary

• Introduction
• Connected bracelets generate very personal data
• Examples of insurance companies who use connected bracelets
• The principle of mutualisation is becoming less and less probable
• High-risk behaviour detectable with a connected wristband
• Why wearing a connected bracelet puts you in a vulnerable position
• Conclusions

Introduction

To fully understand the phenomenon of hacking connected bracelets, we must first understand how these devices are positioned in the data universe.  We will, therefore, in the first part, focus on the types of information collected by the connected bracelets. In the second part, we will explain how this data gives an excessive amount of power to insurance companies and constitutes an essential risk for our societies. The reason why owners “hack” their connected bracelets will then become apparent.

The connected bracelets, generating very personal data

The connected bracelets are the origin of non-medical devices that allow an individual to follow his daily activity: the number of steps in the day, distance travelled. However, the pedometers of our childhood have improved and now include various sensors to measure your cardiac activity, for example. It remains approximate, but the volume of data collected has become a selling point for companies like Fitbit.

Approximate data

The manufacturers of connected bracelets tell you over and over again: they are not medical devices, and therefore the data may not be reliable. If you read between the lines, you will understand that the data collected is in fact, unreliable. You will find all kinds of tests on the internet comparing the accuracy of these connected bracelets to each other and devices with proven reliability (pedometers, electrocardiogram). Scientists are also interested in the accuracy of the different models on the market. Errors in step counting (one of the most common features) ranged from 1.85% to 58%.
As far as sleep monitoring is concerned, a study conducted by NUY doctors, for example, showed that sleep quality measurements were unreliable. The American Academy of Medicine has taken a stand on this issue and has pointed out the lack of accuracy of these devices.
Another study showed that monitoring heart rate over time was indicative of changes in physical activity.
In conclusion, beyond the playful aspect, it can, therefore, be said that these devices do not present an undoubted medical interest even if the technology is improving. However, they have been able to convince other types of customers: the corporate sector.

Quelles sont les données personnelles collectées par les bracelets connectés ?

In a world where data is the new Eldorado, connected bracelets represent an inexhaustible resource. The information that is collected by both the bracelet and the application is numerous:

• Physical activity (number of steps, automatic detection of sports activity, stairs)
• Rest (via alarms for waking up, measurement of sleep phases)
• Biometric indicators (heartbeat)
• Localisation (collection of GPS data via the application)

The Sanitas application is linked to your connected bracelet and captures additional information that you are prompted to enter yourself.

And all this can be linked to the identity of the bearer and sometimes even to financial data when a subscription is paid. Look at the example of Sanitas or Vitality below. By linking your Apple Watch to their respective apps, you are prompted to provide a range of other information (such as what you eat).

In short, under the guise of playful monitoring of your activity, you are, in fact, the product. Some companies were quick to take an interest in this new class of products: Insurance companies.

Some examples of insurance companies offering bracelets or connected products to their clients

We’re not going to advertise for them, but there are many examples of insurance companies using these connected bracelets in the United States and the United Kingdom. They include

• John Hancock Financial
• Vitality, a company we wrote about as early as 2016. Today it is difficult to have precise information
• about the membership program, but in our article, at the time we documented the discounts that were given to connected bracelet wearers.
• Virgin Pulse well-being program (Verizon Media)
• Sanitas (Swiss company)

Risk pooling, an increasingly utopian model

One principle governs insurance: risk pooling. People who are healthier pay for those who are less fortunate. But this model is undermined by the search for profit. This is not just about health insurance.

In the business model of an insurance company profit can only come in two ways:

• deny compensation to those already insured
• refuse admission to those who are most at risk

The connected bracelet is a device that will ultimately provide insurers with an incredible advantage over policyholders. The connected bracelet is a device that generates asymmetry of information as never before to the benefit of the insurance industry. Indeed, access to your data allows in theory to model a large number of behaviours. Even if the authorities do not allow everything in terms of data collection (see the GDPR), let us remember that in the absence of sector-specific regulation, the principle of sacrosanct consent reigns supreme. Checking the boxes gives potentially pervasive rights to the data controller.

The data collected by the connected bracelets potentially allows insurers to refuse compensation or deny their services to those most at risk.

What high-risk behaviours can be detected via a connected bracelet?

The connected bracelet allows the person who accesses the data (the insurer) to exert an excessive amount of power over his client (the insured). This power is enabled by the data and its ability to reveal behaviour or predict risk. Here are several examples:

• risk of sedentarisation linked to a change in the insured’s mobility
• Sleep-related risks (by measurement or simply by waking up)
• Weight gain related risks
• risk related to heart rate characteristics
• stress risk (some connected bracelets offer you a measure)
• risks linked to the countries visited (via the application’s GPS)
• risks related to driving (instantaneous speed calculation via the GPS chip)

The connected bracelet generates an asymmetry of information

As you can see, the possibilities for using the data are immense. By giving access to his data, the policyholder lays himself bare. Soon, one can even imagine that the bracelet can be used in risk assessment procedures: to assess your premium, the insurer asks you to wear a connected bracelet for a time t. In a premonitory article from 2017, Andrew Boyd anticipated a scenario in which an insurance company could refuse to insure you based on your connected data.

The question is, therefore, whether it is possible to “hack” the system as the video at the beginning of this article shows. By doing so, policyholders only manage to “hack” one sensor. But as we have seen, changes in behaviour, risks, can be detected in different ways. Walking, for example, can be measured in the number of steps, but can also be detected by a change in heart rate. It is, therefore, naïve to think that an insurer can be fooled in this way.

Conclusions

Now more than ever, it is crucial to understand what personal data means to businesses. For some of them, such as insurance companies, personal data will become a way to be more competitive by better appreciating the risk represented by their policyholders or not their prospects. By voluntarily agreeing to wear a connected bracelet, you allow insurance companies to access data that can help them reduce costs (by detecting possible payment discrepancies) or increase revenues (by adjusting premiums based on a risk assessment based on observed elements). Individuals need to realise that wearing a connected bracelet leads to an increase in the bargaining power of insurance companies by inducing information asymmetry. A word to the wise!

Images d’illustration : shutterstock

By Pierre-Nicolas Schwab Pierre-Nicolas est Docteur en Marketing et dirige l'agence d'études de marché IntoTheMinds. Ses domaines de prédilection sont le BigData l'e-commerce, le commerce de proximité, l'HoReCa et la logistique. Il est également chercheur en marketing à l'Université Libre de Bruxelles et sert de coach et formateur à plusieurs organisations et institutions publiques. Il peut être contacté par email, Linkedin ou par téléphone (+32 486 42 79 42)