Ross Compton was there when a fire ravaged his $400,000 home in Middletown, Ohio, in September 2016. Fortunately, Compton told investigators, he was able to stuff a few bags with several possessions—including the charger for an external heart pump he needed to survive—before shattering a window with his cane and escaping.
But as the smoke cleared, police began to suspect that Compton's story was a fabrication.
His statements were inconsistent. The rubble smelled of gasoline. And it seemed implausible that someone fleeing a burning house—especially someone with a medical condition like Compton's—could execute such a complex escape plan.
Eventually, investigators were able to indict Compton on felony charges of aggravated arson and insurance fraud. Their star witness? His pacemaker.
Police obtained a warrant to retrieve data on Compton's heart activity before, during, and after the fire. After reviewing this information, a cardiologist concluded that it was “highly improbable” Compton would've been able to escape the flames so quickly, while lugging so many belongings.
Compton pleaded not guilty. His attorney argued that the pacemaker data should be thrown out; including it would violate doctor-patient privilege and Compton's constitutional right to privacy, the lawyer said.
The case was strange, arguably sad, and fraught with difficult questions. Regardless of whether Compton really torched his house, should a life-saving device inside someone's body be part of a case that might put them behind bars?
We may not know the answer for some time. Compton passed away in July at the age of 62, leaving his case—and whatever precedent it might have set—unresolved.
This may seem like a one-of-a-kind chain of events, an aberration. But as industries usher in a new era of devices that track personal information by leveraging the internet and the human body in equal measure, it won't be the last.
When it comes to regulating the Internet of Bodies, it's the Wild West.Share on Twitter
This type of technology, appropriately dubbed the Internet of Bodies (IoB), has the potential to improve our lives in countless ways. But the risks are just as legion. A new RAND study explores the Internet of Bodies, identifying implications for policy that could help maximize the IoB's upside while mitigating these risks.
“When it comes to regulating IoB, it's the Wild West,” said Mary Lee, a mathematician at RAND and lead author of the study.
“There are many benefits to these technologies that some consider too great to be slowed down by policy. But we need to have a larger discussion about what those benefits will cost us—and how we might avoid some of the risk altogether.”
What Is the Internet of Bodies?
Internet-connected devices like smart thermostats, voice-activated assistants, and web-enabled refrigerators have become ubiquitous in American homes. These technologies are part of the Internet of Things (IoT), which has flourished in recent years as consumers and businesses flock to smart devices for convenience, efficiency, and, in many cases, fun.
Internet of Bodies technologies fall under the broader IoT umbrella. But as the name suggests, IoB devices introduce an even more intimate interplay between humans and gadgets. IoB devices monitor the human body, collect health metrics and other personal information, and transmit those data over the internet. Many devices, such as fitness trackers, are already in use.
Torrents of data on everything from diets to social interactions could help improve preventative health care, increase employee productivity, and encourage people to become active participants in their health.
Artificial pancreases could automate insulin dosing for diabetics. Brain-computer interfaces could allow amputees to control prosthetic limbs with their minds. And smart diapers could alert parents via Bluetooth app when their baby needs to be changed.
But despite its potential to revolutionize just about everything in ways that could be helpful, the Internet of Bodies could jeopardize our most intimate personal information.
“There are vast amounts of data being collected, and the regulations about that data are really murky,” Lee said. “There's not a lot of clarity about who owns the data, how it's being used, and even who it can be sold to.”
Lee and her colleagues examined the risks that IoB devices could pose across three areas: data privacy, cybersecurity, and ethics. The team also identified recommendations that could help policymakers balance the IoB's many risks and rewards.
IoB Privacy Risks
IoB devices already in use and those in development can track, record, and store users' whereabouts, bodily functions, and what they see, hear, and even think. According to the RAND researchers, there are many unresolved questions about who has the authority to access these data—and how they can use it.
The data collection process can pose an inherent risk to privacy, depending on what's being collected, how often, whether users provided informed consent beforehand, and whether they can easily opt out of collection or forbid companies to sell their data.
“There's a patchwork of regulations in the U.S. that makes it unclear how safe it is to use these devices,” Lee said. “There is no national regulation on data brokers, so, depending on which state you live in, data brokers may be able to sell your information to third parties, who can then build a profile on you based on that sold data.”
Implantable Cardiac Devices
Newer cardiac pacemakers and implantable cardioverter defibrillators can provide real-time and continuous information about a patient's cardiac fluctuations. These devices can also regulate heart rates in patients whose hearts beat too fast or too slowly, and can help treat heart failure.
The benefits of implantable cardiac devices are clearly documented—they can improve a patient's quality of life and, in many cases, sustain their life. But as the case of Ross Compton illustrates, it's unclear whether law enforcement use of IoB data violates constitutional protections against self-incrimination and unreasonable search and seizure.
How they work:
The device is implanted in the chest, with insulated wires that connect to the heart. A transmitter located in the patient's home wirelessly transfers the recorded data to their physician.
Internet connectivity introduces the potential for these devices to be hacked and the data they transmit to be compromised.
Amazon has patented technologies for a wristband designed to track and record workers' locations and hand movements. If the wristband senses a lull in productivity, then it would vibrate to nudge the employee to focus.
While it's unclear whether Amazon will ever manufacture this device, such productivity technology could help businesses become more efficient and less prone to error. But because this would give employers highly personal information about their workers, such as information about their bathroom breaks, there's concern about whether the technology described in Amazon's patents might violate employees' right to privacy.
How it works:
The wristband would send ultrasonic pulses at predetermined intervals to track hand movements and the relative positions of employees' hands and warehouse bins.
Employees may view this technology as intrusive, which could harm retention.
How Policy Could Mitigate IoB Privacy Risks
- Congress should consider establishing data transparency and protection standards for data collected by IoB devices.
- Congress could draw lessons from the successes and failures of recent privacy laws established in Europe and California. Lawmakers could also consider ways to ensure that IoB users have control over their personal information, including the right to opt out of data collection.
- Federal and state governments should consider regulations for data brokers and restrictions on who can collect data, how those data are used, and whether data may be sold to third parties.
- Policymakers should consider regulations on how insurers, employers, and others are permitted to use IoB data.
IoB Security Risks
IoB devices can be prone to the same security flaws of IoT devices, or any other technology that stores information in the cloud. But, given the nature of IoB devices and the data they collect, the stakes are particularly high. Vulnerabilities could allow unauthorized parties to leak private information, tamper with data, or lock users out of their accounts.
In the case of some implanted medical devices, hackers could potentially manipulate the devices to cause physical injury or even death. National security is also a concern, because any IoB-collected data have the potential to reveal sensitive information, such as the location of U.S. service members.
IoB bracelets, watches, rings, and smartphone apps can track steps, heart rate, sleep patterns, and other physical data, such as alcohol consumption. Many devices also offer user-friendly analytics, giving individuals greater visibility into their own health. They may help users identify and seek care for potential health issues earlier on. And they encourage better preventative health measures, such as a healthy diet and exercise.
Still, the volume of personal data that these devices collect, security vulnerabilities, and the potential for user error have created a perfect storm. Companies, hackers, and even foreign adversaries can exploit user data for financial or political gain.
How they work:
These devices operate by using advanced accelerometers and other sensors that can translate movement into digital measurements.
Some studies have shown that constant tracking of biometric activity through health apps such as sleep trackers can increase users' anxiety and worsen insomnia and other conditions.
In 2017, the Food and Drug Administration (FDA) approved the first digital pill with embedded sensors that record that the medication was taken. The pill has been successful at treating schizophrenia and some forms of bipolar disorder and depression—conditions for which patients' adherence to treatment is critical to preventing relapse.
Patients can grant caregivers and physicians access to this information through a web-based portal. This can help health care providers confirm whether patients are following their treatment plans. But this comes at the cost of potentially exposing health care provider networks to cyberattacks.
How they work:
The pill's sensor sends a message to a wearable patch that transmits the information to a mobile app so that patients can track the ingestion of the medication on their smartphones.
Data gathered by digital pills could introduce the potential for insurance companies to monitor whether and when a patient is taking their medication—and deny coverage for those who do not follow their prescribed regimen.
How Policy Could Mitigate IoB Security Risks
- Although the FDA has led efforts to promote cybersecurity best practices for parts of the IoB ecosystem, not all IoB devices fall within FDA oversight. Federal agencies could model an IoB-specific framework after the National Institute of Standards and Technology's cybersecurity framework.
- Existing FDA efforts could expand to include consumer health devices and electronic health records.
- Policymakers could establish cybersecurity certifications that are similar to the Energy Star label developed by the Environmental Protection Agency. This could incentivize the use of secure devices and increase consumer awareness.
IoB Ethical Concerns
Privacy and security risks are inherently ethical issues for the individuals whose data are compromised. But the IoB raises further ethical concerns, including inequity and threats to personal autonomy.
Without insurance coverage, internet access, or a certain level of tech-savviness, some groups could miss out on the IoB's immediate benefits, as well as its influence on public health initiatives in the long run. And because the IoB is in its infancy, there are still basic questions about whether individuals have ownership over their personal data or have the right to opt out of data collection.
“There are devices parents can give to their children to help keep track of them, usually with some sort of microphone and camera,” Lee said. “So even though a parent has the right to keep an eye on their child, if the child is at school or on a playdate, other children are unknowingly being monitored as well.”
Direct-to-Consumer Genetic Testing
Genetic testing kits can provide interesting ancestry information and even personalized insights on health and disease risks. But with little oversight, these services could unknowingly create challenges for individuals' future descendants—long before they've even been conceived.
For example, results from a genetic testing kit or the use of a particular IoB medical device might identify someone as a carrier of a genetic disease that could be passed on to their children. This could one day result in those children being denied insurance coverage or other benefits.
How it works:
A consumer purchases a testing kit and provides a sample of saliva or blood via mail. A lab analyzes the sample to look for genetic variations, and the results are communicated via a web portal.
Without regulation, companies that administer these kits could sell the information they gather to third parties. There's also a question about whether ancestry information generated from these tests is accurate.
Artificial intelligence (AI) software companies are developing systems that can detect and collect data on human emotions by analyzing facial expressions, voice intonations, and other audio and visual signals.
Some argue these technologies could help reduce car accidents, show companies how consumers feel about their content, and even teach children about empathy. Although these emotional perception technologies are still very new, other facial recognition technologies have been found to be inaccurate when identifying women and minorities, which could potentially put these groups at risk of bias.
How they work:
AI uses machine learning techniques to analyze millions of videos then uses those data points to measure and analyze brow furrows, eyelash movements, nose wrinkles, and other facial reactions.
The increasing complexity of gathered facial and voice recognition data raises concerns about potential surveillance and privacy violations.
How Policy Could Mitigate Ethical Concerns
- Policymakers should consider regulating the terms and conditions under which IoB technologies can be used. They should also consider protections for vulnerable groups, especially to ensure that users have rights over technologies implanted in their bodies.
- Federal agencies and foundations could fund research related to IoB data collection and health care disparities.
- As the IoB becomes more mainstream, medical providers, consumer groups, and IoB developers will need to conduct research and spread information about the realistic and pragmatic benefits, as well as the likely harms.
- The Federal Trade Commission could play a larger role to ensure that IoB marketing claims about improved well-being or specific health treatments are backed by appropriate evidence.
Maria Gardner (Story) and Alyson Youngblood (Design, illustration, and development)
Illustration of man based on photo by PeopleImages/Getty