The secretive Defense Advanced Research Projects Agency (DARPA) has recently funded a program aimed at tracking the health of soldiers on the battlefield using sensors inherent in all smartphones. In addition to tracking sudden injury, the app will also monitor evolving health for early detection of disease.
As part of the government’s Warfighter Analytics using Smartphones for Health (WASH) program, the technology — developed for both Android and iOS — will access the onboard motion sensor, camera, and microphone of each soldier’s smartphone to gauge signs of illness. In addition, WASH will compile comprehensive personal data using the fingerprint sensor, gyroscope, magnetometer, pedometer, proximity, and light sensors on each phone.
Besides tracking usual biomarkers like heart rate and blood pressure, WASH will look for poor decision-making, a shaking voice and hands, decreased attention or concentration, impulsive actions, diminished reasoning, and other detailed behavioral characteristics. It will monitor these characteristics on an ongoing basis, day or night.
As Dr. Angelos Keromytis explains in a DARPA fact sheet, “It is the union of personal behavior/characteristics, smartphone sensor collection, context of smartphone use, and disease biomarkers that will define the preclinical health determination of the WASH program.”
An article in Daily Mail stated the technology, while scheduled to be tested on soldiers, would eventually be available publicly. This begs the question of who would use this technology — and how. The American Civil Liberties Union (ACLU) is justifiably concerned about the privacy implications of collecting people’s personal physiological and behavioral data.
WASH is arguably an insidious and invasive tracking app that will probe personal life and habits as well as behavior. If applied to the population at large, this analytical technology represents a threat to privacy unlike any other so far, since it has round-the-clock access to intimate personal information.
Jay Stanley, a senior policy analyst with the ACLU, recognizes the invasive nature of this technology and the probability that it will infringe on privacy rights. “People don’t want to feel like someone is listening in on their private life. That’s going to have to be subject to tight controls.”
But how will these controls be implemented? Far from minimizing its use, Kryptowire, the company in receipt of the $5.1 million in funding to develop this program, already has bigger plans for its new spyware.
Tom Karygiannis, Kryptowire’s Vice President of Product Development, is already discussing ways the app can be used outside of the military. He believes it can help detect early illness that will lead to, “. . . better treatment, cost savings and making treatment available to more people,” which indicates the company is already strategizing their next marketing move.
Kryptowire, a cyber-security company whose landmark product is software that detects vulnerabilities in mobile apps, already works closely with the Justice Department and the Department of Homeland Security as well as privately-owned companies. In fact, the WASH project grew out of an earlier endeavor designed to give secure smartphone access to users by zeroing in on unique ways individuals interact with their phones.
Through work on this previous project, the company unexpectedly discovered that user-to-phone interaction changed significantly when the user was impaired. And, says Karygiannis, “. . . If you can do that (detect impairment using smartphone data), the question is, what else can you do?”
Apparently, a whole lot of other things.
Kryptowire is already reaching out to medical researchers and hospitals to decide how to use some of the information they’ll collect from WASH for early disease detection. Company officials said they’re looking at Alzheimer’s, Parkinson’s, and post-traumatic stress disorder (PTSD) as first-line targets for detection. And here’s where the web of privacy invasion begins to tangle.
At first glance, early detection seems like a good thing. But Kryptowire’s CEO, Angelos Stavrou, goes on to say, “Our strategy is to leverage the full power of mobile to collect health metrics in all patient settings, for continuous monitoring, from clinic to home, and to build the ground truth from all available data, including smartphone sensors, clinical studies, medical examinations, etc. for a better-informed, real-time approach to disease detection and biomarker identification.”
Based on that statement, there’s no doubt this tech will be tracking your every move, every text, every phone conversation, every breath — around the clock. If good legislation isn’t put into place up front, there’s no limit to how this app can be used once it escapes the boundaries of experimental science.
That raises the issue of who is going to collect this information, how they will use it, and how they aim to keep it safe.
Who’s Interested in Collecting WASH-generated Data?
There’s no end to the number of companies interested in your health and personal statistics. For many employers, insurers, doctors, and third-party marketers, access to WASH data would represent an information bonanza with endless uses.
In fact, data like this is already being used, albeit in a much more scaled-down state. For example, employers concerned about keeping their insurance premiums down have taken steps to ensure their employees stay healthy.
They do this by requiring employees to wear Fitbits or other health trackers on a daily basis and tracking the personal data, which is sent to a data bank at a central location. There’s already a trend for these measurable health results to be incentivized. Risk management company Willis Towers Watson calculates that 48 percent of employers are considering quantifying employee health in this way — by tying cash incentives to health.
How can that go wrong?
Look at the furor caused by Penn State University threatening to dock employees’ pay $100 if they didn’t submit to biometric testing. Thankfully, the program came under investigation and was shut down before employees were forced to participate.
The idea that your company wants to track your health — and that your paycheck could fluctuate based on results that might be beyond your control — is frightening enough, but what else could happen as a result of your personal health information being shared?
It’s not inconceivable that at some point your health data might figure into whether or not you’re hired, or you may be discriminated against when it comes to job promotions or other incentives.
Another problem is figuring out who owns the data collected from health trackers. By law, the device given to an employee remains the property of the employer, meaning that the employer can access its data at any time, without permission from the employee. This unimpeded access to employee health information threatens worker privacy and puts the employer at greater risk for employment discrimination lawsuits based on disability.
Currently, there’s evidence that the makers of wearables are already collecting your health data and selling it to third-party organizations. Loose language in written privacy policies that allows this kind of free-form bartering of personal information, coupled with poor-quality security, can leave your data up for grabs.
DARPA Backing Means Commercial Use is a Given
Think this is all a conspiracy theory?
You should know there is a tendency for DARPA-sponsored technology to go mainstream. Here’s a brief list of some innovations that began with DARPA and are now in everyday public use.
The Deep Web
If WASH technology follows suit, it’s just a matter of time before health-tracking is mainstream.
Accuracy of the Data
There is no publicly available accuracy information for DARPA’s WASH program. But studies conducted using typical consumer fitness trackers found inconsistencies in data accuracy, dependent on various factors.
If these trackers are error-prone, but the data is used to determine payouts, benefit levels, or even employment candidacy, their use brings to light a number of ethical and legal considerations.
Consider the person who is inaccurately flagged for being at risk of a disorder or disease who is then subjected to unnecessary, stressful, and even harmful tests or treatments. Or what if an incorrect diagnosis leads to issues with incentives or opportunities tied to this data, such as insurance premiums, employment opportunities, or pay incentives?
Until smartphone-generated and wearables data is determined to provide a high level of statistical accuracy, it should not be used by anyone other than a consumer. Even then, it should be used only with the caveat that the data may not represent a true and accurate picture of one’s health.
Where Does the Data Go?
The WASH technology will turn your smartphone into a wearable — much like a Fitbit or Garmin fitness tracker with superpowers. But who will be receiving that information and how will they keep it safe?
Since we don’t know how this will be used commercially, it’s hard to speculate.
But we do have real-life experience with health data being stored, pirated, sold, and manipulated from today’s current crop of wearables. Unprotected data can be hacked by organizations who want to sell it to unscrupulous third parties, and it could be used to deny health or life insurance or to increase the cost of your current policies.
In our imperfect world, this information could eventually be used to deny employment altogether by companies wanting to manage their bottom line through risk avoidance.
Personal data protection regarding wearables is such a hot-button topic that many companies are protecting themselves through data-breach insurance. While insurance covers the manufacturers and the companies requiring the wearable, it does nothing to protect the end user — the consumer or private individual.
As mentioned above, some companies use poorly-written privacy policies to exploit data and sell it to “interested parties” while others’ poor security and encryption practices leave data vulnerable to hackers.
Yet, even the tightest cyber-security measures can be hacked. In an ironic turnabout, the National Security Agency (NSA) and the Central Intelligence Agency (CIA) had their security compromised when hackers appropriated hacking technology from both agencies in the past few years.
Time to Hang Up Your Smartphone?
There are myriad issues associated with government-sponsored data collection efforts like those proposed in the WASH program.
Taking a look at the government’s handling of their own data gives us a litmus test for how a public application of WASH technology might be handled. The NSA and CIA are in possession of the most powerful encryption and cyber-protection technology, yet they remain vulnerable to attack.
If the government can’t protect their own data, it’s unlikely they will be able to protect yours.
And let’s face it, it’s downright creepy for the government (or any entity) to have the ability to track and record every moment of your day and every infinitesimal change in the status of your health. But no matter whether you find the idea of smartphone health trackers brilliant or frightening, real laws need to be in place before the public deployment of invasive predictive software like WASH.
Developers and other companies should not be able to hide behind data-breach insurance. They should face real-world consequences for misuse or misdiagnoses stemming from faulty data and poor security.
Strict laws regarding smartphone data-collection efforts like those proposed in WASH need to be in place before the technology goes public. At the very least, forced participation in any such program by any employer, third-party, or government entity should be illegal.
Most importantly, regulations must be put in place now, before a WASH-type app goes mainstream. Once the app reaches the public domain, privacy and consumer advocates will be fighting an uphill battle to limit access, specify usage parameters, and provide the level of protection necessary to keep your biological and mental health details private.