Expert Testimony
Over the past two decades, a large body of case law has developed concerning the admissibility of computer data (or, as it's called in legal parlance, "electronically stored information") as evidence. Records of e-mails and text messages have become a driving force behind many court decisions in the United States. But American courts have not yet had to deal with one form of data that is growing increasingly common: information collected by wearable technology.
A recent case in the Canadian courts has stimulated public discussion around the topic, and raised more questions about electronic surveillance and common law jurisprudence.
A young woman in Calgary, Alberta was working as a personal trainer when she was injured in a car accident; she filed a personal injury lawsuit, and was tasked with proving that she should be awarded compensation. Typically, a physician is asked to perform a physical examination and testify in court, but Richard Hu, a Calgary-based surgeon who was often called as an expert witness in these cases, devised a novel legal tactic.
Hu is the founder and CEO of Vivametrica, a firm that aggregates information collected from thousands of activity trackers to do population-level behavioral analysis. He approached the lawyers representing the personal trainer, and suggested that they ask their client to wear a Fitbit for several months, and compare the data to the benchmarks set by Vivametrica's algorithms. If her recorded activity was below the average for her demographic, her injury claim would be justified.
It was a brilliant marketing move that generated a lot of press coverage for Hu's company, but it was also a cunning legal maneuver. Whereas in the past the defendant's attorney may have hired a private investigator to follow the plaintiff and collect evidence contradicting her claim (or follow their social media presence, as in one medical malpractice suit that was settled quickly after the patient uploaded a photo of themselves at a bull-riding event), the plaintiff was now placing herself under continuous surveillance. "Prior to this, all we really had to put forth to the insurance companies was what our client was saying to her doctors," one of the attorneys representing the personal trainer told Maclean's.
"If we have actual evidence to show that her activity levels are lower for somebody her age, then that backs up what she's saying. It's all about evidence, at the end of the day."
Vivametrica and other population health management firms, like Welltok and Staywell, are part of a massive (and growing) health surveillance industry.
It is now common understanding that public health care costs are rising rapidly around the world; at the same time, the United States alone will face a shortage of nearly 100,000 physicians by 2025. But aside from the macro-level problems of public health, there is a lot of money at stake: venture capitalists poured seven billion dollars into health technology last year, as the mantra "we need algorithms, not doctors" begins to take hold in Silicon Valley.
In a previous post, we discussed in some detail the complex relationship between insurance companies and health technology manufacturers; one of the major issues we investigated was the incorporation of fitness trackers into corporate wellness programs, to monitor employees' health and determine insurance rates.
A significant question emerged: Who defines what "positive" (or "healthy") behavior is? What's at stake when black box hardware and trade secret algorithms become our functional representatives in the eyes of courts and corporations? It's an abstract problem, and we're only beginning to scratch the surface here.
The Calgary lawsuit is an example of wearable-generated data being used to support a claimant in an injury case, but a related lawsuit in Nova Scotia hints at some hidden costs and dangers of our technological progress. In December 2005, Peter Laushway, a Canadian businessman who sold health products on commission over the internet, suffered serious injuries in a motor vehicle accident. Laushway filed an insurance claim for lost income: he argued that the accident prevented him from completing sedentary tasks, like sitting for long periods of time in front of his computer, that were necessary to do his job.
The insurance company demanded that he prove his claim by turning over his computer hard drive to a forensic expert for analysis, and their request was approved by the chambers judge.
Laushway filed an appeal, arguing that the request was a breach of his privacy; the appeals court in Nova Scotia was tasked with determining how to balance Laushway's reasonable expectation of privacy with his duty to provide the court with relevant information about his ability to work. Eight years later, the court finally reached a decision: There was a clear, direct link between the hours he said he spent at his computer, and his income as a salesman.
The information was relevant, and the respondents should be entitled to access that information. So long as it was restricted to metadata relevant to the facts of the case (how much time Laushway spent on his computer, rather than the actual contents of his hard drive), the insurance company was allowed to see Laushway's data. The parallels between the Calgary and Nova Scotia cases are clear: they both involve attempts to prove to an insurance company that one's health and ability to earn income have been diminished.
But whereas the woman in Calgary volunteered to wear an activity tracker with the specific intention of collecting evidence to support her claim, Laushway's data was taken from him without his consent, under the effective coercion of a court order. Laushway's case raises the possibility of a court, or any government agency, filing a subpoena compelling a wearable manufacturer to release a user's data, without that user's knowledge or permission. Furthermore, it illustrates the scope of the problem of passively-collected data: wearables are just one pole of the Internet of Things.
What happens when all your stuff is connected to the internet, and your car (or your shirt, or shoes, or television, let alone your phone) is snitching on you?
Quantified Self-Incrimination
Although we've only discussed civil litigation so far, the scope of the problem far exceeds insurance claims and personal injury lawsuits. The wearables cases illustrate the fuzzy boundaries between corporate surveillance (data collection from consumer electronics) and the more general regime of government surveillance.
The privacy policies of wearable devices all anticipate the possibility that their information will be requested by courts; for example, Fitbit's terms of service state that the company will surrender a user's data if disclosure is "reasonably necessary to comply with law, regulation, valid legal process (e.g. subpoenas or warrants served on us), or governmental or regulatory request."
These kinds of phrases are commonplace in nearly every terms of service you have agreed to, and it's often up to the internet companies' attorneys to decide what constitutes "reasonably necessary" compliance. In the United States, the right to privacy of electronic data is limited by the so-called third-party doctrine. In 1976, Michael Lee Smith robbed a woman in Baltimore, and began making threatening phone calls to her home.
Later, the police spotted a man matching the robber's profile driving near the scene of the crime; they took down his license plate number and learned Smith's identity. Without a warrant, the police asked the phone company to install a pen register to record the numbers Smith was dialing; once they discovered Smith was calling the victim, they got a warrant to search his home and arrested him for the robbery. In 1979, the Supreme Court ruled that the police did not need a warrant to install the pen register: "This Court consistently has held that a person has no legitimate expectation of privacy in information he voluntarily turns over to third parties."
The Electronic Communications Privacy Act (ECPA) regulates how companies must respond to government requests for electronic data. The ECPA was passed in 1986 and, like much of the statutory law around electronic privacy, it is poorly equipped to handle the realities of today's internet. A clear case of the ECPA's shortcomings is the process for filing a subpoena.
In most jurisdictions, there is no requirement for a judge to review a subpoena before it is issued; even the SEC or the IRS can make these requests, and they often do. Under the ECPA, any communications held by a third party for more than 180 days are considered abandoned by the original owner. The Justice Department has argued that an email or text message, once opened by its recipient, can be obtained with a subpoena alone; these arguments have been rejected by some federal courts, but the issue remains unresolved in other parts of the country.
To a certain extent, it's up to each company's discretion how to respond to requests under the ECPA; for example, Google's policy is to require a search warrant for any requests pertaining to the actual content of a user's data. For subpoenas targeted at Gmail accounts, Google will restrict the surrendered data to subscriber information (e.g., name, associated email addresses, phone number, etc.) and a list of IP addresses indicating where a user has logged in (with their associated timestamps). With a court order (which requires proof that the requested information is relevant to a criminal investigation), Google will provide more detailed metadata, like a list of a user's emails, with all content stripped except their IP addresses, timestamps, and "to" and "from" fields.
Only once served with a warrant (where a judge has established probable cause) will Google turn over a user's search history, Gmail messages, documents, photos, and so on.
[Image: Google responds to U.S. search warrants]
We only know about Google's practices because their legal team produces a detailed Transparency Report every year, something the vast majority of internet companies don't (or can't) do.
And in spite of its considerable legal resources, Google doesn't always succeed in defying the courts: last year, after Google refused to hand over a man's emails to his (former) employer without the man's explicit consent, a California judge ruled that courts can order a litigant to consent, allowing the court to obtain those emails using a subpoena alone. In another important case (still ongoing), Microsoft is mounting its own challenge to the Justice Department's attempts to obtain users' emails without warrants. Unfortunately, in many cases, the mere threat of contempt of court sanctions is enough to secure compliance from internet companies, even if a subpoena has been filed improperly or illegally.
And we still haven't even mentioned the Foreign Intelligence Surveillance Courts. The Foreign Intelligence Surveillance Act was passed in 1978, in response to revelations that the executive branch had been spying on political and activist groups. It created a court to oversee the surveillance activities of executive agencies; today, the court is effectively a rubber stamp for those agencies.
If you have been profiled as a suspect in a national security investigation (for example, by encrypting your emails, searching for suspicious stuff, attending a protest, or practicing Islam), your electronic information might be obtained from an internet company, cloned, and stored in a government data center somewhere, under the same legal precedents outlined above. And you may never learn who's been looking at your information, because FISA requests are secret, and compliance is secured through National Security Letters that prohibit the internet companies from talking. There are mounting legal challenges to the U.S. government's dragnet surveillance programs, with mixed results. In one case, a federal judge ruled that collection of telephone metadata en masse was constitutional according to the third-party doctrine; in another case, a different judge reached the opposite conclusion.
Thanks to Edward Snowden, the attitudes of big internet companies toward government surveillance appear to be changing (if only because their cooperation with the government has been really bad PR). Google and other major internet companies have put their resources behind the Digital Due Process Coalition, which seeks updates to the ECPA including a clear search warrant requirement for all private communications, documents, and location data, and some protections against certain bulk information requests. Thankfully, there have also been some renewed Congressional efforts to revise large portions of the bill.
Fight for the Future
We are not far from a future in which a constant stream of your biometric information is being recorded and uploaded to the internet: Apple wants its watch to monitor diabetics' blood sugar levels throughout the day, Google plans to release medical-grade consumer devices that track things like skin temperature and light exposure, future smart homes may passively analyze your breathing and heart rate; all this, on top of the enormous amount of information your phone's sensors have already gathered about you. And although all this information is intimately related to your health, data collected by consumer electronics are not considered healthcare information under the Health Insurance Portability and Accountability Act, and therefore don't receive the same protections as your medical records. It's not difficult to imagine why an insurance agent, loan officer, or potential employer might be interested in this type of data.
The law is changing quickly, and so are the practices of the internet companies that depend on it. When we started Sherbit, we wanted to build an interface that broke down each application's privacy policy, so you wouldn't have to read through pages and pages of arcane legal jargon to understand how your data is being used, and how it is handled by legal institutions. Our plan was to push updates to your phone whenever a privacy policy was changed, with an explanation of these changes in simple English.
Our plan was far more ambitious than we'd realized; we've had to suspend that project for now, so we can focus all our efforts on completing our iPhone application. But the tools we're building are just attempts to blunt the effects of the massive surveillance apparatus that is springing up around us. We need an active and engaged public, and comprehensive legislative solutions, or things will quickly get out of hand.
There are a few promising signs, but the future is foggy. Stay tuned.
[Image: "I'll put the cell phone privacy stuff in later" by Jack Ohman.]