May Alhajri
ABSTRACT
The rapid advances in fitness wearable devices are redefining privacy around interactions. Fitness wearables devices record a considerable amount of sensitive and private details about exercise, blood oxygen level, and heart rate. Privacy concerns have emerged about the interactions between an individual’s raw fitness data and data analysis by the providers of fitness apps and wearable devices. This paper describes the importance of adopting and applying legal frameworks within the fitness tracker ecosystem. In this review, we describe the studies on the current privacy policies of fitness app providers, heuristically evaluate the methods for consent management by fitness providers, summarize the gaps identified in our review of these studies, and discuss potential solutions for filling the gaps identified. We have identified four main problems related to preserving the privacy of users of fitness apps: lack of system transparency, lack of privacy policy legibility, concerns regarding one-time consent, and issues of noncompliance regarding consent management. After discussing feasible solutions, we conclude by describing how blockchain is suitable for solving these privacy issues.
- Regulation (EU) 2016/679. 2016. The European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). Official Journal of the European Union. 119 (2016), 1–88. https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:02016R0679-20160504&from=ENGoogle Scholar
- Javed Ahmed, Sule Yildirim, Mariusz Nowostaki, Raghvendra Ramachandra, Ogerta Elezaj, and Mohamad Abomohara. 2020. GDPR Compliant Consent Driven Data Protection in Online Social Networks: A Blockchain-Based Approach. In 2020 3rd International Conference on Information and Computer Technologies (ICICT). IEEE, San Jose, CA, USA, 307–312. https://doi.org/10.1109/ICICT50521.2020.00054Google Scholar
- Apple. 2020. Apple Privacy Policy. Apple. https://www.apple.com/legal/privacy/en-ww/Google Scholar
- Apple. 2021. Healthcare. Apple. https://www.apple.com/healthcare/health-records/Google Scholar
- Asaph Azaria, Ariel Ekblaw, Thiago Vieira, and Andrew Lippman. 2016. Medrec: Using blockchain for medical data access and permission management. In 2016 2nd International Conference on Open and Big Data (OBD). IEEE, Vienna, Austria, 25–30. https://doi.org/10.1109/OBD.2016.11Google ScholarCross Ref
- Abel Bradley Saed Bacchus. 2017. Towards secure and privacy preserving e-health data exchanges through consent based access control. Ph. D. Dissertation. University of Ontario Institute of Technology (Canada).Google Scholar
- Kumar Bhaskaran, Peter Ilfrich, Dain Liffman, Christian Vecchiola, Praveen Jayachandran, Apurva Kumar, Fabian Lim, Karthik Nandakumar, Zhengquan Qin, Venkatraman Ramakrishna, 2018. Double-blind consent-driven data sharing on blockchain. In 2018 IEEE International Conference on Cloud Engineering (IC2E). IEEE, Orlando, FL, USA, 385–391.Google ScholarCross Ref
- Stephen Breen, Karim Ouazzane, and Preeti Patel. 2020. GDPR: Is your consent valid?Business Information Review 37, 1 (2020), 19–24. https://doi.org/10.1177/0266382120903254Google Scholar
- Elizabeth A Brown. 2016. The Fitbit fault line: two proposals to protect health and fitness data at work. Yale J. Health Pol’y L. & Ethics 16 (2016), 1.Google Scholar
- Barbara Carminati, Pietro Colombo, Elena Ferrari, and Gokhan Sagirlar. 2016. Enhancing user control on personal data usage in internet of things ecosystems. In 2016 IEEE International Conference on Services Computing (SCC). IEEE, San Francisco, CA, USA, 291–298. https://doi.org/10.1109/SCC.2016.45Google ScholarCross Ref
- Ana C Carvalho, Rolando Martins, and Luís Antunes. 2018. How-to express explicit and auditable consent. In 2018 16th Annual Conference on Privacy, Security and Trust (PST). IEEE, Belfast, Ireland, 1–5. https://doi.org/10.1109/PST.2018.8514204Google ScholarCross Ref
- Mads Christophersen, Peter Mørck, Tue Odd Langhoff, and Pernille Bjørn. 2015. Unforeseen Challenges. In Universal Access in Human-Computer Interaction. Access to Learning, Health and Well-Being, Margherita Antona and Constantine Stephanidis (Eds.). Springer International Publishing, Cham, 288–299.Google Scholar
- Chia-Fang Chung, Nanna Gorm, Irina A Shklovski, and Sean Munson. 2017. Finding the right fit: understanding health tracking in workplace wellness programs. In Proceedings of the 2017 CHI conference on human factors in computing systems. Association for Computing Machinery, Colorado, Denver, USA, 4875–4886.Google ScholarDigital Library
- Pietro Colombo and Elena Ferrari. 2015. Efficient enforcement of action-aware purpose-based access control within relational database management systems. IEEE Transactions on Knowledge and Data Engineering 27, 8(2015), 2134–2147. https://doi.org/10.1109/TKDE.2015.2411595Google ScholarDigital Library
- A Cortez, P Hsii, E Mitchell, V Riehl, and P Smith. 2018. Conceptualizing a data infrastructure for the capture, use, and sharing of patient-generated health data in care delivery and research through 2024. Technical Report. the Office of the National Coordinator for Health Information Technology. https://www.healthit.gov/sites/default/files/onc_pghd_final_white_paper.pdfGoogle Scholar
- Gaby G Dagher, Jordan Mohler, Matea Milojkovic, and Praneeth Babu Marella. 2018. Ancile: Privacy-preserving framework for access control and interoperability of electronic health records using blockchain technology. Sustainable cities and society 39 (2018), 283–297. https://doi.org/10.1016/j.scs.2018.02.014Google Scholar
- Catherine Dinh-Le, Rachel Chuang, Sara Chokshi, and Devin Mann. 2019. Wearable health technology and electronic health record integration: scoping review and future directions. JMIR mHealth and uHealth 7, 9 (2019), e12861. https://doi.org/10.2196/12861Google Scholar
- fitbit. 2020. Fitbit Privacy Policy. fitbit. https://www.fitbit.com/global/au/legal/privacy-policy#your-rights-to-accessGoogle Scholar
- Batya Friedman, Edward Felten, and Lynette I Millett. 2000. Informed consent online: A conceptual model and design principles. University of Washington Computer Science & Engineering Technical Report 00–12–2 8(2000), 00–12–2. https://dada.cs.washington.edu/research/tr/2000/12/UW-CSE-00-12-02.pdfGoogle Scholar
- Valerie Gay and Peter Leijdekkers. 2015. Bringing health and fitness data together for connected health care: mobile apps as enablers of interoperability. Journal of medical Internet research 17, 11 (2015), e260. https://doi.org/10.2196/jmir.5094Google ScholarCross Ref
- Philippe Genestier, Sajida Zouarhi, Pascal Limeux, David Excoffier, Alain Prola, Stephane Sandon, and Jean-Marc Temerson. 2017. Blockchain for consent management in the ehealth environment: A nugget for privacy and security challenges. Journal of the International Society for Telemedicine and eHealth 5 (2017), GKR–e24(1–4). https://journals.ukzn.ac.za/index.php/JISfTeH/article/view/269Google Scholar
- Shlok Gilda and Maanav Mehrotra. 2018. Blockchain for student data privacy and consent. In 2018 International Conference on Computer Communication and Informatics (ICCCI). IEEE, Coimbatore, India, 1–5.Google ScholarCross Ref
- Quinn Grundy, Fabian P Held, and Lisa A Bero. 2017. Tracing the potential flow of consumer data: a network analysis of prominent health and fitness apps. Journal of medical Internet research 19, 6 (2017), e233. https://doi.org/10.2196/jmir.7347Google ScholarCross Ref
- Majid Hatamian, Jetzabel Serna, and Kai Rannenberg. 2019. Revealing the unrevealed: Mining smartphone users privacy perception on app markets. Computers & Security 83(2019), 332–353. https://doi.org/10.1016/j.cose.2019.02.010Google ScholarDigital Library
- Luke Hutton, Blaine A Price, Ryan Kelly, Ciaran McCormick, Arosha K Bandara, Tally Hatzakis, Maureen Meadows, and Bashar Nuseibeh. 2018. Assessing the privacy of mhealth apps for self-tracking: heuristic evaluation approach. JMIR mHealth and uHealth 6, 10 (2018), e185. https://doi.org/10.2196/mhealth.9217Google Scholar
- Dawei Jiang and Guoquan Shi. 2021. Research on Data Security and Privacy Protection of Wearable Equipment in Healthcare. Journal of Healthcare Engineering 2021 (2021), 1–97. https://doi.org/10.1155/2021/6656204Google Scholar
- Harleen Kaur, M Afshar Alam, Roshan Jameel, Ashish Kumar Mourya, and Victor Chang. 2018. A proposed solution and future direction for blockchain-based heterogeneous medicare data in cloud environment. Journal of medical systems 42, 8 (2018), 1–11. https://doi.org/10.1007/s10916-018-1007-5Google ScholarDigital Library
- Xueping Liang, Juan Zhao, Sachin Shetty, Jihong Liu, and Danyi Li. 2017. Integrating blockchain for data sharing and collaboration in mobile healthcare applications. In 2017 IEEE 28th annual international symposium on personal, indoor, and mobile radio communications (PIMRC). IEEE, Montreal, QC, Canada, 1–5.Google Scholar
- Anna Mizzi. 2020. Profiting on Your Pulse: Modernizing HIPAA to Regulate Companies’ Use of Patient-Consumer Health Information. Geo. Wash. L. Rev. 88(2020), 481.Google Scholar
- Nurul Momen, Majid Hatamian, and Lothar Fritsch. 2019. Did App privacy improve after the GDPR?IEEE Security & Privacy 17, 6 (2019), 10–20. https://doi.org/10.1109/MSEC.2019.2938445Google ScholarDigital Library
- Trix Mulder. 2019. Health apps, their privacy policies and the GDPR. European Journal of Law and Technology 10, 1 (2019), 1–20. https://ssrn.com/abstract=3506805Google Scholar
- Ricardo Neisse, Gianmarco Baldini, Gary Steri, Yutaka Miyake, Shinsaku Kiyomoto, and Abdur Rahim Biswas. 2015. An agent-based framework for informed consent in the internet of things. In 2015 IEEE 2nd World Forum on Internet of Things (WF-IoT). IEEE, Milan, Italy, 789–794. https://doi.org/10.1109/WF-IoT.2015.7389154Google ScholarDigital Library
- US Department of Health, Human Services, 2016. Examining oversight of the privacy & security of health data collected by entities not regulated by HIPAA. https://www.healthit.gov/sites/default/files/non-covered_entities_report_june_17_2016.pdfGoogle Scholar
- Office of the Australian Information Commissioner(OAIC). 2018. Australian entities and the EU General Data Protection Regulation (GDPR). Office of the Australian Information Commissioner(OAIC). https://www.oaic.gov.au/privacy/guidance-and-advice/australian-entities-and-the-eu-general-data-protection-regulationGoogle Scholar
- Dijana Peras. 2018. Guidelines for GDPR Compliant Consent and Data Management Model in ICT Businesses. In Central European Conference on Information and Intelligent Systems. Faculty of Organization and Informatics Varazdin, CECIIS, Varaždin, Croatia, 113–121.Google Scholar
- Andreas Pfitzmann and Marit Hansen. 2010. A terminology for talking about privacy by data minimization: Anonymity, Unlinkability, Undetectability, Unobservability, Pseudonymity, and Identity Management. http://dud.inf.tu-dresden.de/literatur/Anon_Terminology_v0.34.pdf v0.34.Google Scholar
- Roberto Reda, Filippo Piccinini, and Antonella Carbonaro. 2018. Towards consistent data representation in the IoT healthcare landscape. In Proceedings of the 2018 International Conference on Digital Health. Association for Computing Machinery, Lyon, France, 5–10. https://doi.org/10.1145/3194658.3194668Google ScholarDigital Library
- Tharuka Rupasinghe, Frada Burstein, and Carsten Rudolph. 2019. Blockchain based Dynamic Patient Consent: A Privacy-Preserving Data Acquisition Architecture for Clinical Data Analytics.. In ICIS 2019 Proceedings. AIS Electronic, Munich, 1–9. https://icis2019.aisconferences.org/Google Scholar
- Ahmad Salehi, Carsten Rudolph, and Marthie Grobler. 2020. Attribute-Based Data Access Control for Multi-Authority System. In 2020 IEEE 19th International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom). IEEE, Guangzhou, China, 1834–1841.Google Scholar
- Ahmad S Salehi, Carsten Rudolph, and Marthie Grobler. 2019. A dynamic cross-domain access control model for collaborative healthcare application. In 2019 IFIP/IEEE Symposium on Integrated Network and Service Management (IM). IEEE, Arlington, VA, USA, 643–648.Google Scholar
- Robert Sallis. 2011. Developing healthcare systems to support exercise: exercise as the fifth vital sign. British Association of Sport and Excercise Medicine 45 (2011), 473–474. https://doi.org/10.1136/bjsm.2010.083469Google ScholarCross Ref
- Rishi Kanth Saripalle. 2019. Leveraging FHIR to integrate activity data with electronic health record. Health and Technology 2020, 10 (2019), 1–12. https://doi.org/10.1007/s12553-019-00316-5Google Scholar
- Oshani Seneviratne and Lalana Kagal. 2014. Enabling privacy through transparency. In 2014 Twelfth Annual International Conference on Privacy, Security and Trust. IEEE, Toronto, ON, Canada, 121–128. https://doi.org/10.1109/PST.2014.6890931Google ScholarCross Ref
- Ahmad Salehi Shahraki, Carsten Rudolph, and Marthie Grobler. 2019. A dynamic access control policy model for sharing of healthcare data in multiple domains. In 2019 18th IEEE International Conference On Trust, Security And Privacy In Computing And Communications/13th IEEE International Conference On Big Data Science And Engineering (TrustCom/BigDataSE). IEEE, Rotorua, New Zealand, 618–625.Google ScholarCross Ref
- Anastasia Shuba, Anh Le, Minas Gjoka, Janus Varmarken, Simon Langhoff, and Athina Markopoulou. 2015. Antmonitor: Network traffic monitoring and real-time prevention of privacy leaks in mobile devices. In Proceedings of the 2015 Workshop on Wireless of the Students, by the Students, & for the Students. Association for Computing Machinery, Paris, France, 25–27. https://doi.org/10.1145/2801694.2801707Google ScholarDigital Library
- Strava. 2020. Strava Privacy Policy. StravaPP. https://www.strava.com/legal/privacy#full_policyGoogle Scholar
- Ali Sunyaev, Tobias Dehling, Patrick L Taylor, and Kenneth D Mandl. 2015. Availability and quality of mobile health app privacy policies. Journal of the American Medical Informatics Association 22, e1(2015), e28–e33. https://doi.org/10.1136/amiajnl-2013-002605Google ScholarCross Ref
- Latanya Sweeney. 2002. k-anonymity: A model for protecting privacy. International Journal of Uncertainty, Fuzziness and Knowledge-Based Systems 10, 05 (2002), 557–570. https://doi.org/10.1142/S0218488502001648Google ScholarDigital Library
- Colin Tankard. 2016. What the GDPR means for businesses. Network Security 2016, 6 (2016), 5–8. https://doi.org/10.1016/S1353-4858(16)30056-3Google ScholarCross Ref
- Alexandra Troiano. 2016. Wearables and personal health data: putting a premium on your privacy. Brooklyn Law Review 82, 4 (2016), 1715. https://heinonline.org/HOL/P?h=hein.journals/brklr82&i=1759Google Scholar
- Hanqing Wu, Jiannong Cao, Shan Jiang, Ruosong Yang, Yanni Yang, and Jianfei Hey. 2018. TSAR: a fully-distributed Trustless data ShARing platform. In 2018 IEEE International Conference on Smart Computing (SMARTCOMP). IEEE, Taormina, Italy, 350–355. https://doi.org/10.1109/SMARTCOMP.2018.00028Google ScholarCross Ref
Index Terms
- Privacy of Fitness Applications and Consent Management in Blockchain
Index terms have been assigned to the content through auto-classification.
Recommendations
The crisis of consent: how stronger legal protection may lead to weaker consent in data protection
In this article we examine the effectiveness of consent in data protection legislation. We argue that the current legal framework for consent, which has its basis in the idea of autonomous authorisation, does not work in practice. In practice the legal ...
Privacy-enhancing technologies: approaches and development
In this paper, we discuss privacy threats on the Internet and possible solutions to this problem. Examples of privacy threats in the communication networks are identity disclosure, linking data traffic with identity, location disclosure in connection ...
A Formal Framework for Consent Management
Formal Techniques for Distributed Objects, Components, and SystemsAbstractThe aim of this work is to design a formal framework for consent management in line with EU’s General Data Protection Regulation (GDPR). To make a general solution, we consider a high-level modeling language for distributed service-oriented ...
Comments