An introduction to this article appeared in the monthly Creating Connections newsletter put together by the women of The CyberWire. This is a guest-written article. The views and opinions expressed in this article are those of the authors, not necessarily the CyberWire, Inc.
How much privacy are you willing to sacrifice for safety?
It’s 2021. We’ve been through a pandemic, witnessed a Benadryl challenge, watched people eat Tide Pods, experienced the rise of TikTok, and apparently, skinny jeans going out of style. There are many ways to define today’s era—but one of the most prevalent aspects of today is how our data is constantly being tracked and collected. Our health tracking devices constantly monitor our health data, our cell phones track our locations, and smart home assistants record more of our conversations than we often realize. Because of this phenomenon, privacy and security are in a delicate balance. We need both privacy and security for a better world.
Working in the client industry, when I say the word “privacy,” my clients often immediately think of the GDPR. Even though the GDPR only applies to organizations established in the EU or who offer goods or services to or monitor the behavior of EU data subjects, it is arguably the closest thing we have to an existing global adequacy standard. And while GDPR provides privacy solutions to some, those of us in the United States still find ourselves asking: who really owns our data, anyway?
The “true crime” theme that is so popular in today’s media can serve as a lens to examine this issue. More than once, I’ve found myself watching a true crime television show and thought to myself: why do people take their smart phones or wear health tracking devices to the place where they know they’re going to commit a crime? The data collected from smart devices can reveal all of the information that police may need to solve an investigation.
Although the Fourth Amendment protects us from illegal search and seizure, a provision of the Electronic Communications Privacy Act of 1986 (ECPA) dictates when and how law enforcement can obtain our data. When all it takes is a subpoena, court order, or warrant, it can be alarming to realize how much of our highly sensitive data sits in the hands of private companies and can be readily accessed.
Police have solved a number of violent crimes using data collected from our smart devices. Fitbit and other health tracking devices in particular have provided police with evidence central to advancing investigations since they track users’ exact steps and heart rate. After Fitbit user Karen Navarra was tragically murdered in San Jose in 2018, police used her Fitbit data to pinpoint her exact time of death based on her heart rate. Once they had that information, they were able to determine the most likely suspect. In 2017, another murder case relied on the victim’s Fitbit data to dispute a suspect’s story.
It’s not just health tracking devices, either—nearly every smart device, such as our cell phones and smart home assistants, record and collect our data. Earlier this year, police used recordings taken by Amazon Alexa, in which a murder victim asked Alexa to dial 911, to advance their investigation. While devices like Alexa are only supposed to record statements made after the word “Alexa,” it’s been reported that the device records more private conversations than consumers may realize.
There are some obvious concerns that arise from law enforcement accessing and using our sensitive data. Not only can smart devices record data inaccurately, this practice is also a major privacy concern. People have a right to safety, and we want crimes to be solved. However, it can be startling to consider the amount of highly sensitive data that private companies have collected and can release to law enforcement. How can we live in privacy if our own personal data, like our daily heart rate or private conversations, is recorded and owned by private companies? For the sake of our safety—is it worth it?
Because everyone might have a different answer to that question, it comes down to making personal decisions about your own privacy. For those concerned with privacy, you may choose to not use devices known for recording your highly sensitive data. If you opt to use health tracking devices such as Fitbit, know what kinds of data they collect, and how to manage or delete it. There’s a similar option to delete your Alexa voice recordings.
Companies that can collect our personal data almost always will. By keeping that in mind, consumers should make choices about how much privacy they are willing to sacrifice, especially in the name of safety.