The privacy and security questions we must ask about the Apple Watch

By Kashmir Hill | March 9, 2015 | 9:44pm

Latest

Next month, the Apple Watch will become the must-have gadget for early adopters. Like Google Glass, the Watch needs to pair with a heavier-duty operating system provided by a smartphone. But instead of putting something ugly on your face, Apple is putting an elegant device on your wrist so you can read texts and emails discreetly, and take phone calls Dick Tracy-style. Where Glass had a camera to record the world around you as you saw it, the Apple Watch has a sensor to see what’s going on inside you. Its pulse oximeter will keep track of your heart rate.

Apple is signaling with this that it wants to move seriously into the health-tracking space. At the same event where he went into detail about the Watch, Apple CEO Tim Cook announced the launch of ResearchKit, a platform for medical researchers, which will let them pull in data from the many sensors on the Watch and iPhone from willing iGuinea Pigs: in addition to heart rate, that would include the accelerometer revealing level of activity and gait, temperature readings and any iAdd-ons such as a glucose reader. Apple wants to be your iDoctor. Even if its devices aren’t actually FDA-approved, the apps it makes available that could offer up diagnoses and treatment will be.

1. Is it this easy to hack the Apple Watch?

While Tim Cook had a lot to say about how well the Apple Watch tells time and how it can ping us discreetly with intimate vibrations against our skin, he said nothing about how this thing is locked down. Does it have a passcode, or a pin, or fingerprint authentication? If it has direct access to everything on our phone, it could be used to circumvent the privacy protections we’ve put on our iPhone such as a passcode and encryption of the contents. If it’s not locked down, all your jealous significant other has to do to read your texts and emails is to wait until you take it off to shower…. unless you can just wear it in there.

At the very least, let’s hope a hacker can’t listen in on the iPhone and the Watch talking to one another. “Presumably the communication between the watch and the phone will be encrypted,” says Alvaro Bedoya, executive director of Georgetown Law’s Center on Privacy and Technology. We are left to presume because Cook didn’t say today.

2. Is your heartbeat going to be used to spy on you?

One of the features the technorati are most excited about with the Apple Watch is a heartrate sharing feature. We’ll now all be able to take the literal pulse of the room. Of course, like Apple’s “Find My Friends” location tracking feature, this could become a tool for the obsessive loved one in your life to track you.

Who else might use it? During the event, Tim Cook said Apple itself will never see your health data — which led to a round of applause from the audience. Presumably, it’ll be stored on your device or your iCloud, but people won’t get access unless you grant it. “The sensors in the Apple Watch are pretty sophisticated,” says Pam Dixon, head of the Privacy Rights Clearinghouse. “It’s a leap forward from the Fitbit and allows for a lot more data to be collected and used.”

But Dixon, who is a fierce critic of data collectors, said she was pleased with how Apple is handling this. “They’ve set the defaults correctly,” she said. “Their backend use agreement [for app develops] forbids people from taking this data off users’ devices and selling it. They showed it to me in advance and asked if there was more they could do. They were really attentive. I was really relieved.”

Of course, this is Apple’s standard developer policy: apps aren’t supposed to take intel off people’s smartphone and sell it to third parties without users’ consent or they’ll get booted from the App store. “But we don’t know they’re abiding by the rules they are supposed to be abiding by,” says Bedoya.In 2011, Apple VP Bud Tribble said no one had ever actually gotten booted.

Dixon says the onus is on the user not to give out access to their heartbeat willy-nilly to apps — after all, it’s a great way to judge how healthy someone is, or how often they’re getting, um, exercise. “If you grant access, the app is not supposed to do anything bad with it, but there are always bad actors. Make sure you read privacy agreements,” said Dixon.

Somehow, I doubt people are going to start actually reading privacy policies, especially off their Apple Watch screen.

3. The device that is always on and always on you

Yes, we are addicted to our iPhones and they are almost always around us, but the Watch will take it to a new level. I’m sure there will be people who will never take their Watch off. It will be there, collecting heart beats and location, and pinging us with messages, all the time. Right up, nestled against our bare bodies. This is the gateway drug to inserting technology under the skin.

“I don’t want an Apple Watch for the same reason I don’t put the phone on the table when out and about,” says Internet sociologist Nathan Jurgenson. “I love being able to put it away.”

Bedoya’s concern is the normalization of constant monitoring of what we’re doing, without a truly effective way to control how that information is later used. “What I am really worried about this move to constant passive collection and wearing down the rules around consent for collection,” he said. “The privacy bill presented by the Obama administration is all about controlling use of data, not about preventing it from being collected in the first place, which is a shoddy way to protect privacy. It creates a black box.”

4. Seriously, be careful which apps you download

There are data brokers interested in how often you work out and how healthy you are. In a Federal Trade Commission study from last year, the agency found one fitness app that was selling information about people’s diet and runs to 18 different third parties.

They’d certainly love real-time access to your pulse. “Apple has done a lot to prevent data brokers from sucking in the data automatically which is really good. But a secondary party can get the data if the user allows it,” says Dixon. “I think there’s a lot of people who wouldn’t want that sold to an insurance company.”

5. Can your heartbeat be subpoenaed?

Last year, everyone got very excited that data from a Fitbit was being used in a courtroom for the first time. The coverage was actually a little misleading, with headlines like “Data from wearable devices could soon land you in jail.” The data wasn’t being used against the Fitbit wearer but to help bolster her case; the fitness trainer wanted to prove to her insurance company that a car accident had changed her lifestyle dramatically.

Still, you could imagine ways in which having your heartbeat on file could be used against you. In the exaggerated sci-fi context, you could imagine cops getting access to it in real time to see who is running away from the scene of a crime or who is lying. That’s probably far-fetched. The first time it will actually be used against someone will probably be in a divorce case, because divorce attorneys are experts at finding ways to track people and uncover things people don’t want known. They were among the first to start mining Facebook data for evidence of infidelity and bad parenting skills, and FastTrak data to prove spouses were traveling out of town to have affairs.

We don’t know how the Apple Watch will log heart rate information or how long it will store it, but I’m sure that sometime soon an enterprising divorce attorney will look for a raised heart rate late at night during out-of-town travel as evidence to take to court.

Luckily for Apple Watch, it doesn’t look nearly as creepy as Google Glass. So all these privacy concerns will likely be forgotten quickly.