General security

Privacy Risks of Sleep-Tracking Devices

Daniel Dimov
September 12, 2014 by
Daniel Dimov

1. Introduction

According to the technology market intelligence company "ABI Research", there are currently more than 10 billion wirelessly connected devices. In 2030, the number of these devices will reach 30 billion. Some of these 30 billion will fall within the category of sleep-tracking devices.

FREE role-guided training plans

FREE role-guided training plans

Get 12 cybersecurity training plans — one for each of the most common roles requested by employers.

A clear indication for the potential of sleep-tracking devices is the success of the project "Sense." On July 23rd 2014, James Proud launched his project "Sense" on Kickstarter's crowdfunding platform. The project refers to "a simple system that tracks your sleep behavior, monitors the environment of your bedroom and reinvents the alarm." The 22-year old entrepreneur collected USD 1,300,000 during the first week of the crowdfunding campaign. At the end of the campaign, Mr. Proud collected USD 2,410,741.

One of the reasons for the investors' interest in sleep-tracking devices such as "Sense" is the importance of sleep for human health. In this context, David Cloud, chief executive of the US National Sleep Foundation stated: "We know that getting enough sleep and getting quality sleep have amazing health benefits, including improved mood, concentration, memory and productivity, and the ability to maintain a healthy weight."

Sleep-tracking devices allow the users to measure their heart rate and movements. Some devices use the collected information for waking up the user in a moment when she is in a phase of light sleep. This will make the process of waking up more pleasant.

While the sleep-tracking devices may have helpful practical applications, they impose serious privacy risks, because the users will be in a private atmosphere or in an unconscious state during the operation of the devices. For example, the sleep-tracking devices may record data of sleep talking, snoring sounds, and sexual activities. If such data is made publicly available, it may have a serious impact on individuals' reputation.

The purpose of this article is to provide the reader with an overview of the existing sleep-tracking devices (Section 2) and examine the privacy risks posed by such devices (Section 3). Finally, a conclusion is drawn (Section 4).

2. Overview of existing sleep-tracking devices

Current sleep-tracking devices can be classified in three main groups, namely, smartphone apps (Section 2.1), smart wristbands (Section 2.2), and devices located on the bed (Section 2.3).

2.1 Smartphone apps

At present, there are many apps that perform various functions, including measuring the average time in bed, calculating the shortest night of sleep occurred, recording sound level, monitoring sleep phases, analyzing sleep circles, and sharing sleep data on social networks.

2.2 Smart wristbands

The wrist-borne smartbands are currently commercially available. They work on the same principle as the smartphone sleep-tracking apps. However, the smartbands are more accurate because the user carries them all the time.

2.3 Devices located on the bed

In order to allow users to automatically track their data without wearing wristbands or turning on smartphones, several companies started selling market devices collecting data from sensors installed on the bed. They are in the form of a strip that is attached to the mattress. Such devices use a technique called ballistocardiography (BCG). The technique allows the devices to measure the heartbeat, respiration, and movements of the users.

3. Privacy risks posed by sleep-tracking devices

Sleep-tracking devices pose at least three risks, namely, risk of unlawful surveillance (Section 3.1), risk of an active intrusion in private life (Section 3.2), and risk of data profiling (Section 3.3).

3.1 Unlawful surveillance

Most sleep-tracking devices are connected to the Internet. Consequently, criminals are able to remotely hack sleep-tracking devices and, as a result, obtain data about the sleeping habits of the users of such devices. For example, criminals may be able to record the sounds produced during sleep talking and/or sexual activities.

It should be noted that there are already cases when computer devices unlawfully monitored the bedrooms of their users. In 2012, BBC noted that computers rented from seven different companies secretly took photographs of the renters. These companies used software called PC Rental Agent. The software enabled rent-to-own stores to track the location of rented computers without consumers' knowledge. The data collected through PC Rental Agent include webcam pictures of children, partially undressed individuals, and intimate activities at home.

In relation to the unlawful collection of personal data through PC Rental Agent, Jon Leibowitz, chairman of the Federal Trade Commission (FTC) said: "An agreement to rent a computer doesn't give a company license to access consumers' private emails, bank account information, and medical records, or, even worse, webcam photos of people in the privacy of their own homes."

The seven rental companies and the software design company agreed to settle FTC's charges that they conducted unlawful surveillance. The settlements prohibit the companies from: (1) any further unlawful surveillance; (2) activating location-tracking software without the consent of the renters of the computers; and (3) deceptively collecting and disclosing information about individuals.

3.2 Risk of an active intrusion in private life

The Internet-connected sleep-tracking devices will allow criminals not only to passively monitor their victims, but also to actively intrude in their private lives. For example, a criminal may be able to connect to a sleep-tracking device and disturb the sleep of the users of the devices by speaking or producing other sounds. In this regard, it is worth mentioning a case when a hacker hacked a baby monitor and started speaking in the bedroom of a 2-year-old girl. When the parents entered the room, the hacker began shouting swear words towards them. The father of the baby said that "It's quite possible that this had been going on more than one day."

Criminals may use sleep-tracking devices not only to wake up the users, but also to affect them subconsciously. For instance, the criminals may repeat certain messages until the users are in a phase of deep sleep. When the devices send information that the users are in a phase of light sleep, the criminal can stop the repetition of messages. Scientific studies conclude that information from the sense organs normally reaches the highest centers of the brain even during sleep. In particular, the studies found that electrical responses to stimuli can be recorded in the brains of sleeping or anesthetized men and animals. As J.D. Miller, an expert in hearing, points out, "…the apparent indifference to stimulation during sleep is not a simple "shutting out" of the neural messages at or near the periphery of the nervous system close to the sense organ. Rather, this apparent indifference to external stimulation is due to a complicated reorganization of brain processes during sleeping as opposed to waking states."

3.3 Risk of data profiling

K. Belgium, a U.S. attorney, defines data profiling as "the gathering, assembling, and collating of data about individuals in databases which can be used to identify, segregate, categorize and generally make decisions about individuals known to the decision maker only through their computerized profile." The anonymized information submitted by the sleep-tracking devices can be used for a creation of detailed profiles of the users of those devices. In turn, the profiles can be used for targeted advertising.

"Targeted advertising" can be defined as placing of advertisements in such a way as to reach consumers based on various behavioral, demographic, and psychographic attributes. For example, individuals who cannot sleep well in a room where a sleep-tracking device is installed may receive advertising about pillows and mattresses. Similarly, individuals who have sex many times a week may receive advertising about condoms and other contraceptives.

Targeted advertising constitutes a threat to personal autonomy. This is because consumers often do not want to receive ads related to their preferences. For instance, an individual living with his parents may not want to receive online advertisements related to contraceptives. Nevertheless, the company collecting data from the sleep-tracking device used by that user may decide that the user has a high potential to buy contraceptives and will, therefore, send her many advertisements related to contraceptives.

In most cases, profiling is based on anonymized data. For instance, a company may collect non-personally-identifiable data from all users of sleep-tracking devices, such as statistics related to the sleeping habits of the users. In this connection, it should be noted that most data protection legislation does not apply to anonymized data. Consequently, a person whose anonymized data is collected for profiling may not have any means to find out the profiles created on the basis of his/her data.

4. Conclusion

Sleep-tracking devices may help people to sleep better. However, such devices may be also used by hackers to monitor the users of such devices and wake them up during the night. Moreover, companies may legally use anonymized data collected from sleep-tracking devices to send targeted advertising to the users, which will infringe on their personal autonomy.

The aforementioned privacy threats indicate the need for regulating the sleep-tracking devices. In particular, regulatory measures are necessary for ensuring that (1) sleep-tracking devices are well protected against information security attacks and (2) consumers are aware of the possible use of their data for data profiling. By decreasing the privacy risks, such a regulation will establish trust in the sleep-tracking devices which, in turn, will increase the sale of such devices. As Elgar Fleisch, deputy dean of ETH Zurich, stated: "People will use a technology if the perceived benefit is larger than the perceived risk."

Too much regulation, however, may hinder innovation. In this context, Philip Reitinger stated: "…even light handed regulation imposes costs on a technology that can decrease its development, and these costs increase if the regulation lags behind technology." Consequently, the success of the sleep-tracking devices will depend on finding the right balance between regulation and innovation.

* The author would like to thank Rasa Juzenaite for her invaluable contribution to this article.

What should you learn next?

What should you learn next?

From SOC Analyst to Secure Coder to Security Manager — our team of experts has 12 free training plans to help you hit your goals. Get your free copy now.

References

  1. Abramson, A., "Baby Monitor Hacking Alarms Houston Parents", ABC News, 13 August 2013. Available on http://abcnews.go.com/blogs/headlines/2013/08/baby-monitor-hacking-alarms-houston-parents/ .
  2. Belgum, K., "Who Leads at Half Time? Three Conflicting Versions of Internet Privacy Policy," Richmond Journal of Law and Technology 6 (1999): 8.
  3. Bernal, P., "Internet Privacy Rights: Rights to Protect Autonomy", Cambridge University Press, 2014.
  4. Brandeis, L., Warren, S., "The Right to Privacy", The Vancouver Day Press, 2013.
  5. Brenner, J., "Glass Houses: Privacy, Secrecy, and Cyber Insecurity in a Transparent World", Penguin, 2013.
  6. Duff, K., "The Secret Life of Sleep", Oneworld Publications, 2014.
  7. "FTC Halts Computer Spying", Federal Trade Commission, September 25, 2012. Available on http://www.ftc.gov/news-events/press-releases/2012/09/ftc-halts-computer-spying .
  8. Herold, R., "Managing an Information Security and Privacy Awareness and Training Program, Second Edition", CRC Press, 2010.
  9. Holtzman, D., "Privacy Lost: How Technology is Endangering Your Privacy", John Wiley & Sons, 2006.
  10. Miller, J.D., "General Psychological and Sociological Effects of Noise", in "Hearing", Carterette, E., (Ed.) and Friedman, M., (Ed.), Academic Press, Inc., 1978.
  11. Norwood, B., "Balancing Liberty, Privacy, and Security With Intelligence Capabilities: Analyses and Recommendations", Nova Science Pub Incorporated, 2014.
  12. Painter, K., "Sleep-tracking gadgets raise awareness - and skepticism", USA today, 24 March 2013.
  13. Peng, K., "Anonymous Communication Networks: Protecting Privacy on the Web", CRC Press, 2014.
  14. Reitinger, P., "Encryption, anonymity and markets: law enforcement and technology in a free market virtual world", In: "Cybercrime: Security and Surveillance in the Information Age", Brian, D.(Ed.), Thomas, D., (Ed.), Routledge, 2013.
  15. "Rented computers secretly photographed users having sex", BBC News, 26 September 2012. Available on http://www.bbc.com/news/technology-19726954 .
  16. "Sense: Know More. Sleep Better," Kickstarter.com. Available on https://www.kickstarter.com/projects/hello/sense-know-more-sleep-better .
  17. "Sleep sensor breaks through $1m on Kickstarter", BBC News 29 July 2014. Available on http://www.bbc.com/news/technology-28550061 .
Daniel Dimov
Daniel Dimov

Dr. Daniel Dimov is the founder of Dimov Internet Law Consulting (www.dimov.pro), a legal consultancy based in Belgium. Daniel is a fellow of the Internet Corporation for Assigned Names and Numbers (ICANN) and the Internet Society (ISOC). He did traineeships with the European Commission (Brussels), European Digital Rights (Brussels), and the Institute for EU and International law “T.M.C. Asser Institute” (The Hague). Daniel received a Ph.D. in law from the Center for Law in the Information Society at Leiden University, the Netherlands. He has a Master's Degree in European law (The Netherlands), a Master's Degree in Bulgarian Law (Bulgaria), and a certificate in Public International Law from The Hague Academy of International law.