Law in the Internet Society

OnaMunozRuscalledaFirstEssay 2 - 29 Oct 2023 - Main.EbenMoglen

Who knew tracking your 10.000 daily steps could lead to disastrous data breaches?

Added:
The answer is: Every Single Knowledgeable Person Who Ever Gave A Moment's Thought To It. A more pertinent question would be, Why Didn't Anybody Tell Us?

 -- By OnaMunozRuscalleda - 13 Oct 2023
It sounds too good to be true: you put on a watch, and it can help you design a meal plan, a workout plan and a daily routine that will reduce your risk of disease and your risk of mortality and increase your health and well-being. All this, with just a watch! Unfortunately, it is too good to be true: the privacy risks that these data-collecting wearable devices pose are not explored in The Economist’s articles, despite being a real threat to consumers’ privacy. This essay will thus examine the issues that arise from wearing such devices and having them collect all your data. It will start by presenting the case of Fitbit and Apple’s data breach, and continue by analysing the legal aspect of the issue. The essay will conclude with an overview of the problems that this issue poses for current and future legislation, highlighting why this issue is so difficult to regulate.
Added:
To say that The Economist was ten years late in not noticing the negative social externalities of technology it was promoting is not newsworthy. What they had to say is, as you point out, discredited by its failure to ask the real questions. So why did you spend just short of 20% of your draft on this?

 

The problem: The data breach

This was the case for Fitbit and Apple: in 2021, an unsecured database containing more than 61 million records was hacked into, leaking all the information collected from fitness tracking and wearable devices. The information leaked included names, birthdates, weight, height, gender and geolocation. The main reason for the data breach was the fact that the database was not password-protected and the data was not encrypted.
Added:
No, the main reason was that the service was designed to centralize the information collected, rather than leaving it with the people it was collected from. That a centralized data store exists is the primary reason it is compromised. The secondary details of how a compromise was effected are less important than the existence of an inherently unsafe design. You could compare, for example, everything Mishi Choudhary and I have ever written about the Government of India's Aadhar digital identity scheme with the same "who could have known?" bullshit after the initial occasions of compromise.

 

What can the current law do about it?

Facing a situation such as Fitbit and Apple’s data breach, the question arises: what can the law do about this, if anything? The question is particularly problematic because these wearable devices lie at the intersection of several areas: health, data protection and personal fashion accessories.

 Secondly, the FDA has a Medical Device Tracking Regulation, the purpose of which is to ensure that manufacturers and importers of certain medical devices receive approval for these devices and are later able to locate them in the distribution chain. Again, the main issue is that more often than not fitness trackers are not considered to be medical devices. The FDA also released guidance and voiced its support for medical device cybersecurity, but this hardly amounts to proper legislation. Thus, with the current legislation there is no comprehensive data protection which covers fitness devices and their data.
Added:
There's no one law that covers all the legal problems of automobiles, but that's neither a problem nor a significant analytical observation. Actually describing the texture of the various tangentially-relevant schemes is more work than you could do in 10,000 words, and you have about 150 at most. Because there isn't any point to the point, anyway.

 

What should the law do about it?: Problems with this case

After reading this essay, most people will reach the conclusion that the way forward is very easy: there just needs to be a piece of legislation passed which tackles smart devices and protects the data of the consumers. However, the answer is not as straightforward as it may seem. Firstly, these smart devices are considerably hard to define: is it a medical device? Is it just an accessory? Is it a learning tool? Every person that buys a smart watch, for example, has their reasons to do it, and they’re not always for health or medical reasons. The question thus arises whether the law should encompass every single device that has the potential to track health data, or only devices that are specifically designed to do so, leaving a big potential gap in the legislation.

Added:
No, the problem isn't finding the right words. The problem is that this is the wrong scope of legislation. Are we trying to prevent poorly-designed technologies from causing environmental harm in the privacy environment? Are we trying to make businesses liable for inadequate security when criminals cause harm to them and their customers? Are we trying to engineer an insurance system against inevitable privacy damages, so as to spread the losses across society rather than leaving them to lie where they fall?

We are not mere bureaucrats: we don't make laws about devices. We are trying to understand the large contours of social change resulting from the political consequences of technological design and implementation. If we do that we can make law that shapes technological development rather than responding to it.

 Secondly, these devices evolve so fast that as soon as a potential piece of legislation is passed, it will likely already be obsolete. Very soon there will no longer be smart watches tracking our movements, but there will be implants on our bodies which will do that function. What then? Should we pass a new piece of legislation? Should we predict the future developments already and include them all in this potential piece of legislation? What about what we cannot predict?
Added:
Precisely.

 As can be observed, this issue poses certain problems which are hard to overcome. The bottom line is, however, that we should all be aware of how our fitness data is tracked and the problems it may cause. The law should take into consideration that these devices go way beyond a mere fashion accessory, and it should look ahead into the future when regulating the potential data breaches these devices may cause.

Added:
A good first draft. It clears the brush away and locates the real questions. The next draft won't look much like this one, but it will have improved upon it mightily.

 
You are entitled to restrict access to your paper if you want to. But we all derive immense benefit from reading one another's work, and I hope you won't feel the need unless the subject matter is personal and its disclosure would be harmful or undesirable.

OnaMunozRuscalledaFirstEssay 1 - 13 Oct 2023 - Main.OnaMunozRuscalleda

Who knew tracking your 10.000 daily steps could lead to disastrous data breaches?

-- By OnaMunozRuscalleda - 13 Oct 2023

Introduction: The quantified self

In May 2022, The Economist issued a series of articles named "The quantified self". The main premise of these articles is that humans can now measure all sorts of health data through their smart wristbands, watches or other devices, and enhance their health using that information. These devices can track all sorts of data: daily steps, sleeping habits, blood pressure, heart rate, and respiration, among others. The articles claim that there are several benefits to measuring your health data with wearable devices, for example: increasing daily movement among sedentary people, reducing spikes in blood sugar after meals and thus helping people with diabetes, and helping design AI-personalised diets, among others. It sounds too good to be true: you put on a watch, and it can help you design a meal plan, a workout plan and a daily routine that will reduce your risk of disease and your risk of mortality and increase your health and well-being. All this, with just a watch! Unfortunately, it is too good to be true: the privacy risks that these data-collecting wearable devices pose are not explored in The Economist’s articles, despite being a real threat to consumers’ privacy. This essay will thus examine the issues that arise from wearing such devices and having them collect all your data. It will start by presenting the case of Fitbit and Apple’s data breach, and continue by analysing the legal aspect of the issue. The essay will conclude with an overview of the problems that this issue poses for current and future legislation, highlighting why this issue is so difficult to regulate.

The problem: The data breach

The situation that these wearable devices create is that almost all this data, which includes information about virtually all your physical information, your habits, your overall health, and even your location, is now bundled together in one of these devices and their respective databases. And problems arise when there’s a data breach, and all this information is not private anymore (was it ever?). This was the case for Fitbit and Apple: in 2021, an unsecured database containing more than 61 million records was hacked into, leaking all the information collected from fitness tracking and wearable devices. The information leaked included names, birthdates, weight, height, gender and geolocation. The main reason for the data breach was the fact that the database was not password-protected and the data was not encrypted.

What can the current law do about it?

Facing a situation such as Fitbit and Apple’s data breach, the question arises: what can the law do about this, if anything? The question is particularly problematic because these wearable devices lie at the intersection of several areas: health, data protection and personal fashion accessories. There are many laws that partially apply to this issue, but none that fully covers the whole legal issue. Firstly, there is the Health Insurance Portability and Accountability Act of 1996 (HIPAA). This act created a series of national standards to protect sensitive patient health information from being disclosed without the patient’s consent. Specifically, the HIPAA applies to “health care providers”, defined in section 1171 of the aforementioned act as “a provider of medical health services”. Asserting that a wearable watch is a “health care provider” seems like a far-reaching conclusion, but it does nonetheless provide databases with health information about the consumer. The main issue with the HIPAA is that the data collected in these devices is beyond the context of insurance reimbursement claims and that fitness trackers are not generally considered medical devices per se, which makes it harder for the HIPAA to apply to these kinds of devices. Secondly, the FDA has a Medical Device Tracking Regulation, the purpose of which is to ensure that manufacturers and importers of certain medical devices receive approval for these devices and are later able to locate them in the distribution chain. Again, the main issue is that more often than not fitness trackers are not considered to be medical devices. The FDA also released guidance and voiced its support for medical device cybersecurity, but this hardly amounts to proper legislation. Thus, with the current legislation there is no comprehensive data protection which covers fitness devices and their data.

What should the law do about it?: Problems with this case

After reading this essay, most people will reach the conclusion that the way forward is very easy: there just needs to be a piece of legislation passed which tackles smart devices and protects the data of the consumers. However, the answer is not as straightforward as it may seem. Firstly, these smart devices are considerably hard to define: is it a medical device? Is it just an accessory? Is it a learning tool? Every person that buys a smart watch, for example, has their reasons to do it, and they’re not always for health or medical reasons. The question thus arises whether the law should encompass every single device that has the potential to track health data, or only devices that are specifically designed to do so, leaving a big potential gap in the legislation. Secondly, these devices evolve so fast that as soon as a potential piece of legislation is passed, it will likely already be obsolete. Very soon there will no longer be smart watches tracking our movements, but there will be implants on our bodies which will do that function. What then? Should we pass a new piece of legislation? Should we predict the future developments already and include them all in this potential piece of legislation? What about what we cannot predict? As can be observed, this issue poses certain problems which are hard to overcome. The bottom line is, however, that we should all be aware of how our fitness data is tracked and the problems it may cause. The law should take into consideration that these devices go way beyond a mere fashion accessory, and it should look ahead into the future when regulating the potential data breaches these devices may cause.




Revision r2 - 29 Oct 2023 - 14:23:40 - EbenMoglen
Revision r1 - 13 Oct 2023 - 15:32:02 - OnaMunozRuscalleda
All material on this collaboration platform is the property of the contributing authors.
All material marked as authored by Eben Moglen is available under the license terms CC-BY-SA version 4.