Technology: ‘smart’ glasses and similar wearables pose privacy and security challenges

Margaret Taylor, Thursday 25 April 2024

Social networking company Meta and luxury eyewear brand Ray-Ban announced in April an artificial intelligence (AI) upgrade for their smart glasses product, which will enable users to ask an AI interface questions in real time. Launching the smart glasses at the end of 2023, Meta detailed how the device would enable users to record moments such as ‘music festivals and birthday parties to first steps, graduations, and beyond’ without being constrained by ‘your smartphone’s lock screen’.

The concept is not dissimilar to that of other ‘wearable’ technologies, a field that includes smart watches, wristbands and rings produced by various brands and manufacturers. The technology continues to excite – as well as giving pause for thought in terms of the legal challenges involved.

Discussing smart glasses specifically, Callum Sinclair, Head of Technology and Commercial at Scottish law firm Burness Paull, highlights that one concern people may hold is that a user ‘could be recording people or floating their personal details above their heads without them knowing. There are serious challenges from that.’

Neither Meta nor Ray-Ban responded to Global Insight’s request for comment. However, the product’s website promotes the glasses as being ‘built for your privacy and others’ too’. It details the device’s approach to privacy and security and explains that ‘the capture LED light lets people know when you’re using the camera to capture content or going live. If the LED is covered, you will not be able to start recording, and you’ll be notified to clear it.’ It also provides recommendations on how to use the product responsibly, including by powering off the device in private spaces and ceasing to record ‘if anyone expresses that they would rather opt out’.

While wearable devices offer positive solutions, there are also legal implications to consider around data security and privacy. Larissa Galimberti, Chair of the IBA Cybersecurity Subcommittee and a partner at Brazilian firm Pinheiro Neto Advogados, says that wearables such as ‘smart rings’ are popular among athletes due to the way they track sleep patterns and physical activity levels, but warns that users need to be fully aware of how their data is being collected and used. ‘These rings monitor everything – your heart rate, your overnight oxygen levels’, she says, noting that they’re very popular with runners and that doctors say they work very well. ‘They’re different from smart glasses because you’re not taking pictures or making movies of third parties, but at the same time they are tracking your information. That [raises questions about] privacy and data protection among users.’

There’s an expectation that those who buy such products will be reasonably tech-savvy and will probably have some awareness of how their data will be used, for example to offer tailored coaching advice. However, Sinclair warns that manufacturers may also use data for other, less clearly evident, purposes – such as to sell targeted ads – and that, while consumers sign legal disclaimers before they can begin using these products, it’s by no means certain whether anyone pays attention to the small print.

Given the wide-reaching nature of laws such as the EU’s General Data Protection Regulation and the UK’s Product Security and Telecommunications Infrastructure Act, which takes effect at the end of April, the onus is on manufacturers to ensure their customers’ data is entirely safe, says Sinclair. ‘The cyber risk is significant’, he adds. ‘Wearables don’t just collect data, they also aggregate it on an anonymised basis to provide things like coaching and optimised performance advice, but the challenge is that security is often an afterthought.’

‘These products are, by their nature, collecting a lot of data and sharing data, whether that’s with the manufacturer of the wearable or with a partner that delivers ads’, explains Sinclair. ‘Some of that data will have special category status and manufacturers need to get explicit consent for that. They have to be very upfront about what data is being collected and how it’s being used. Health data and location data, which can be collected by users that are tracking a run route, would be special category.’

Medical devices such as closed-loop systems, which continually monitor glucose levels in type-1 diabetics and administer insulin as required, or pacemakers, which collect data on cardiac activity, clearly fall into the healthcare category.

However, Cécile Théard-Jallu, Co-Chair of the IBA Healthcare and Life Sciences Law Committee and a partner at French firm De Gaulle Fleurance, warns that when it comes to other tracking devices that make health-related claims, such as smart watches, the situation isn’t so clear cut. ‘They can be deemed medical devices and so all the related regulations would apply’, she says. ‘Not all connected tools will be medical devices, though, and it’s important to distinguish the processing of health data from the existence of a medical device as different legislation would apply.’

While the legal landscape around wearables is already complicated, the fact that smart glasses allow for covert recording and data collection means it’s probably going to become even more complex. ‘How do you provide for the rights of the data subject?’ asks Galimberti. ‘That will be complicated but it’s something different to what we have now. If you film someone without authorisation to what extent is that legal? You have the right to do that at a public event but if it’s not a public event maybe you are just invading someone’s privacy.’

Image credit: Tada Images/AdobeStock.com