 Good morning everybody morning y'all awake all hung over just kidding So anyways, I'd like to welcome DC 217's very own Wendy Edwards a little bit about her She's a developer interested in data science She is a sans 2017 recipient in women's Academy NASA data not and she's also a recipient of the Dan initiative scholarship and One of the scholarship I think for the period summer con summer con sorry summer con Anyways, round of applause to introduce our speaker Sorry about that Okay, so the title of the my talk is who's tracking your body and we're talking about health apps and Health and possibilities in medical devices and your privacy So let's start with your the health app. So health apps There's a lot of them. How many of you have ever used a health app? Are you guys still using it? Okay So how the apps can really encompass a whole lot of things. I mean fitness Fitness diet and nutrition. You're like your calorie counters stuff that reminds you to take your medication Basically period trackers are a big one way back. We looked at the at some of those for summer con And there are a whole lot of those and those are so those are actually some of the most popular health apps And there are also things related to specific medical conditions and devices such as CPAP, which we're going to talk about a little bit later And they're also mood and mental health trackers. So what kind of data is I'm going to give you it's going to maybe give you your Diet and exercise habits your weight in your BMI Stuff for example like Women's ovulation their periods are they trying are they trying to conceive? you look what medication is somebody taking and Maybe maybe also like certain kinds of health conditions like for example if you're using a CPAP app, you probably have apnea So question has anybody ever shared information with an app that you maybe wouldn't want to talk about with a person sitting next to you Okay, cuz like yeah, cuz like if you think about it would I like to announce my weight right here? No But people are pretty comfortable putting into it's not unusual for people to be willing to put it into an app So you might think so okay, so apps have privacy policies, right? so Great, they have privacy policies, but how has anybody ever actually tried to read an apps privacy policy? Yeah, okay How many people have found it easy to understand an apps privacy policy? Okay, like not So the in the New York Times did this really interesting study They used something called a lexile framework that measures our reading levels And they found that the privacy policy policies They were very dense not very readable and they were pretty much above the reading level that you would expect of an average college student So it's interesting enough the GDPR they use GDPR requires Concise transparent and intelligible form using clear and plain language And that's that's in a sense kind of interesting. So what is what should readable mean? I mean I Mean has any how many of you have looked at say an internet comments comment section? And you see a bunch of adults who seem to read at a fifth grade level Like so does readable mean that the that Those people should be able to understand it. Does it mean that like an average college grad should be able to understand it? What does it mean? That's and that's still pretty unclear So basically where does the data go and these are these are a couple of examples So for our summer cron project we took a look at ten popular period tracker apps and All of them were communicating with at least one tracker one of them was one of them actually was Communicating with I think up to 19 sites identified as track as tracking sites that one kind of won our price And there was another well-published Study by a granny was published in the BMJ journal They looked at 24 health apps, which were mostly not period trackers and they found that 19 of them shared user data with it with Entities that would be considered trackers. Yeah So generally talking about like advertising or something that Like in analytics thing that tracks user behavior in a site So I have basically whether it's specifically add or whether it's something go whether they talk about it being analytics I believe those are both considered trackers If you all have a question, please use the microphones to sort of cordon the talk And there have been and those are those are just a couple of them But there have been a number of privacy studies compared on on these apps that confirm the same thing Maybe there's been like for example, there's this year There's been a number of articles in the media talking about the the behavior the period trackers that pretty much came to the same conclusion We did so One important concept and privacy is that you want the ability to keep different facets of your life separate like for example You maybe wouldn't want to share with your employer the same thing as you share with your doctor And perhaps you wouldn't bring your work performance reviews into your doctor to share with your doctor either So it's just keep it be able to keep separate aspects of your life separate and so one of the issues with these trackers is they tend to Identify they tend to identify users in a way that so that it can be tracked across different apps It's so it's not just like this one app is creating an ID for you They're creating an identifier that can be used across apps to start to aggregate your data and that's what people care about So just these are just a couple of examples of how it's done. You've got a device fingerprint. I mean they can use Your history or a device type Information about your device some days. I've heard them even using the the fonts that somebody has installed on their computer And then there's also like for example an Android They have something called an advertising ID, which is actually specific to the Android system. Not necessarily individual app So Mostly familiar with what an I am yeah, I is on a cell phone. It's something that uniquely identify your phone That is for example Google prohibits that being used as an identifier But a study idea another study determined that some apps were still doing it So actually another way so what if you want to just send your data? directly to the big big data warehouses I bring you single sign-on So like I'm like my but most of you have signed up to something through Google and Facebook, right? And so like the apps the apps can ask Facebook to send a whole lot of data I don't know if your your when you sign on through Facebook They say you get a bunch of permissions from Facebook asking you to send certain kinds of data Like they want it and they want your profile photo. They want your email address They want all your friends so you that they can connect you to them Perhaps they want your firstborn child And it is written users when at least we're looking at they're usually like yes. Yes. Yes. Yes. Yes. I mean Users don't very often seem to say no And so when you when you do that it's like Google and Facebook I mean they're in the business of Aggregating data is a way they make money. So it's like your data is going right to them Like so for example a period tracker app It's like you're so you're telling Google that you're Probably that you're a you're a female. You're probably within a certain age range You might be interested in having a child and they could tell that just for just from the fact that you're using this app So basically where does that where does the data go upstream? So basically sales and marketing is a very big thing they want they want to to be able to target advertising Analytics so with analytics Basically, I mean stuff that's measuring user behavior in a site and trying to figure out how well a site is working And the thing of it is the data All this data could be combined to create to Create kind of a bigger to create a bigger picture of you when you start putting stuff together from across apps Like you could say somebody who's They've got they've they've got a period tracker or they downloaded a Coran app And they're hanging on at a job search site. They're probably a younger Muslim woman looking for a job, right? So so put all this stuff together. I am sometimes the data can go even further upstream because they see these things called data brokers So one of the things about the analytics the analytics Sites they're kind of freemium sites and they'll say they will provide the developers free metrics on how their sites is Performing in exchange for access to the data So so basically so on Valentine's Day There was a pretty good treat tweet that said roses are red violets are blue when the product is free the product is you So I'm using when there's a free free product. They are collecting some kind of data on you So let's go and let's say let's have a question because I'd like you've heard from me long enough Okay, let's say buying data to help target individual is common in higher budget campaigns and it is Let's say Carla candidate knows that her opponent's campaign is likely to be doing this Should she like for example, she could for example Maybe she wants to target people who are likely care about certain health care issues. So Should Carla buy and use this data data to target likely voters ethical or unethical Okay, does it matter that her opponent is going to be doing the same thing and she's likely to be at a disadvantage if she doesn't You know, so okay, so it very likely comes back to issues related to the privacy policies I mean that they use her technically gave it and gave that permission But could they could they read and understand the privacy policy probably not So usually so so like for example like a user Let's say so you have a fairly incomprehensible privacy policy the user couldn't quite understand it Does that count as concerns or not? Sorry, it's just a comment more than anything else in a lot of states the The driver license information and the voter rolls are made available by the state. Oh, yeah Yeah, so the information and again I put up on ethical because To some extent it is unethical to be using the data, but it's not illegal to be using the data Yeah, and that's a very and that's a very important distinction and it's it's actually true At least for example in Illinois, you're a you're a candidate or you're a party or whatever you can go buy people's voting records But what if you wanted to cut what if you wanted to Take this step beyond their voting records Whatever you wanted to you to take some of these personal data from the data brokers and combine it with their voting records to try to get A sense of what they cared about and how likely they were to vote for your candidate Is does that okay? No Okay, so we just we got to know so next question a Company wants to target bronies for a my little pony band-aid marketing campaign Is it okay to buy personal data to do this? Oh, okay, Roni So bronies are like Very often like young adult males who like my little pony So for example, like let's say you wanted to see you wanted to find these Young adult males that were likely to need band-aids that had also expressed an interest in my little pony or Brony groups to target for advertising. So I'm taking that as a no So I think it all comes down to the conditions under which people are sharing their data, right? So if they've joined a my little pony band club for bronies and they're Excited about the product line of the my little pony They might be thrilled to receive an ad like this And so I think it's really coming back to your central point Which is what are the terms and conditions under which these data have been collected? So if they've been collected Under ethical terms and conditions then it would of course be ethical to redistribute them as well as legal Yeah, that's a good point So we have a couple of scenarios in which it might at least like some people think that they're that it might in some cases be ethical To use targeted data In effect, let's say if anybody can buy data from these data brokers How about an insurance company like if you can get this all this big data that includes data from your health apps Should an insurance company be able to buy it? Okay, so no any comments on that Yeah, I think the problem that you have if is if they can access this kind of data then it will probably directly influence What your insurance rates are going to be are they going to target you for? Either known or unknown pre-existing conditions, etc. So I think that Gives them more knowledge than than they're entitled to yes I mean, I or at least I would personally agree with you Yeah, I mean like the fdc at some level regulates data brokers, but like for example so that is so they are In the you've got the big data broker sites that they're aggregating a hillbunch of information about people from different sites Who can they sell it to who can buy it? I don't think that's covered at all This is this is assuming that PHI is being exchanged To be able to target individuals so most of the data if not all the data coming out of the health apps It's a world I've lived in as a VC for the last eight years Is all an aggregate so you can't really actually break it down granularly to actually because PHI can't be can't be exposed It has been in a few instances and that is illegal But I guess that for this to actually target and affect and it's great comment about previous in condition You have to actually exchange PHI So what's the basis here? What are we getting at? You're talking about PHI And PHI is like a term under HIPAA right and so the thing of it is like an app developer Somebody sitting in their garage writing a health app is not actually a covered entity covered under PHI Uncovered under HIPAA so it's like whether they are makes so it's like They're they're handling of health information is just not covered under HIPAA. They can do whatever they want So it's basically like there's this completely unregulated Sorts of data that could include health health sensitive health data should insurance companies be able to buy it Especially if anybody else can yeah, so Isn't it incumbent though if in this case across the insurance company? Recognize the information they're buying is actually something under another standard would be HIPAA It's the same information in a different category But that being coming upon them to follow the legal mandate that they're aware of even though that app itself might not fall under that category I That's an excellent question And unfortunately, I am not an attorney and I don't play one on TV So he's right. So the talk space example from New York about 18 months ago is a good example They're not a covered entity if you compare them to like doctor on demand or ginger IO or one of those other companies who have actually a separate medical PC that's a covered entity that clearly falls on the HIPAA, but It was pretty clear that as you said even the ones that aren't covered entity is actually still a fall under under HIPAA in general If you're if you're holding people's individual PHI it's still it still falls under that I would say Insurance companies are covered under HIPAA your developer Your your amateur developer Writing at writing an app is not And I would say that your data brokers are probably not So it's like so you're talking about like an insurance company potentially buying data that does contain PHI from something That's not covered And that's that seems to be in fact pretty uncharted territory. It's not very well defined legally It's one knows my doctor With something that I don't recognize. What's the first thing I do? I Google search it I'm gonna look it up that Google search history is in the is in that history here From other sources, right, but it's not really gonna end up in a PHI bucket But I can identify the user and his past history of somewhat right I mean using analytics and enough data Yeah, I can find figure out what that user's past history of illnesses before I judge him for allowing to Ensure Okay, so let's Let's jump to jump topics So sometimes so basically with Android apps, there are ways you can basically reverse engineer them and modify them like for example, you can Okay, so maybe okay, like so somebody could conceivably like decompile The code change it to do what they wanted recompile it and resign it just with Android studio Or they can even if they if you're talking about specific libraries, you can swap those out if you want so So what if somebody wanted to They like the functionality of an app and they wanted to take it and modify it to enhance it to Improve your privacy like they wanted to just cut out all the stuff that was talking to trackers so Good question So is it ethical to modify an existing app to increase your privacy? Like you want to just take the some of the tracker stuff out What about what if you wanted to take this modified app that you'd this app you'd modified to take out some of the Stuff that you felt compromised your privacy. You wanted to release that app to the public Okay, not ethical Maybe maybe ethical So to me it goes down to the basis of the research side So if you're taking the code and you're making it available But not really re-releasing it as an app Then you're placing the ethics in the hands of anybody who may utilize later That's a that's it off of it would be wrong in my book to put down. Hey, I modified it to do this Your mileage may vary. So so like what if you're not profiting off? But you're just putting an Audi version of the app that you without the problematic privacy The stuff that you felt was an invasion of privacy. You're not profiting it off it at all I personally don't see an issue with that. Okay Comes back to terms and agreements again, it's this thing of people clicking through the agreement most most software agreements have No reverse engineering clause in it. Well, if you download the product You are specifically prohibited from reverse engineering it and if you do if you do release the code You're effectively it's it's plagiarism But where do you whether you're profiting from it or not to some extent is irrelevant if you're using if you're publishing somebody else's copyright It works. You're also breaking those copyright laws. So again, it's it's it's the difference between ethical and and the legality Another question is you could say so the developer spends a lot of their time there a lot of hours of their time writing this code and these In connecting it to these trackers is how they monetize it So would you say do they deserve compensation for their for their effort? Yeah, I think the line on this Really becomes a personal use issue as opposed to impact. It's a it's an intellectual property issue at this point if you are tampering with The person who developed the app if you're tampering with their perceived intent to make money or otherwise Propagate the app then that's unethical because it's an impact to somebody else Okay to put it in simpler terms Okay, if I know that if I know how to make the recipe for Heinz ketchup and I use it for myself Nothing wrong with that. I'm just using it for myself. If I go ahead and put it out on the market Then there's a problem with that or alter it in some way now what I think is probably Similarly ethical would be if you want to get out on a forum or something like that and be able to state so that people have A better understanding of what they're downloading when they download that app then I would consider it consider that also to be ethical Maybe a little bit curious. So like what do you came up? What if you came up with a recipe something to taste it it was based on the Heinz recipe that tasted exactly like it But it was maybe better for diabetics that had limited sugar tolerance. Could you put that out there? Then I think you better talk to your attorney to make sure you're not going to infringe on their patents Okay, well, thank you very much. I think I'm not gonna get into the ketchup making business just So this is a lot. This is very similar to what Dana Lewis has done with the open APS project So she is a diabetes activist who hacked her insulin pump and then Released the code of what she had done Publicly, but didn't then say to people. Oh, if you'd like to hang, you know hack your pancreas Here's how you can do it. So it was a an of one activity But with a large impact Broadly that sounds that sounds actually really interesting Does the releasing the code invalidate the entire privacy? agreement But how does how does that affect like just so I even meant I hadn't even meant releasing a code I had actually meant releasing in a format that people could vary That would make it very easy for people to install on their own devices because it's like like a lot of your Smartphone users out there. Most of them are not developers Let's say you just put out the APK you you modify it You take the privacy you take the things out that you think are an invasion of privacy and you put the and you just put the APK out there So that yeah, okay the that might get kicked out of the Google Play Store pretty fast But you put the APK out there. So pretty much anybody with a smartphone couldn't install it Okay, but I haven't even meant yet. Okay. Yeah, I guess all agreements are off at that point and people are just okay Yeah Thank you for the great comments I feel like I feel like these are making these I feel like these are making this talk. Okay so basically So, um, is anybody is anybody who's comfortable sharing is anybody familiar with the ACPAP machine? So basically it's called a It's called a continuous positive airway pressure and it helps people with sleep apnea by delivering this Pressurized air And so like the CPAP devices they're pretty high-tech and they collect a whole lot of data like your usage your mass leakage your sleep interruptions And so so the thing with the CPAP the CPAP things is that is that that takes Surveillance from optional like with you with putting some of these apps on your phone to mandatory like as in You will be sharing this data So how they share it varies like for example There's one like there's a resmed air mini that uses a Bluetooth connection and a smartphone app to manage the data But a lot of them now have these cellular wireless modems that automatically transmit data And so they get basically sent to the device manufacturer Facturists sites and they're shared with not just your doctor, but your insurance company And so I went ahead I got curious and took a look at a couple of the apps Resmis the red med res med air mini APK had at least a code signature in it indicating it was talking to flurry, which is kind of an analytics site considered a tracker So and Phillips dream hacker dream mapper which works with their side I think they actually had a Phillips machine at a Phillips CPAP machine at the biohacking village yesterday And that is talking to app tentative, which looks which also looks a lot like a tracker So those so those are just the smart mode smart phone apps So here's how it works So pro-publica did a very interesting study on the CPAP machines and so they're so a lot of times we have insurance You don't just buy the device outright you're required to rent it And the rental cost is a whole lot more than the outright cost of the machine and then these insurance companies I don't know if anybody dealt with insurance companies to have these compliance standards That you need to use to get paid So medicare initially came up with the idea that they're going to They get to use it for Four hours 70% of the nights in any three-day period and so then the insurance sure as followed suit And the pro-publica made a case that this compliance monitoring was a tactic to shed ship the Cost on the patients like for example the in a story There's a the pro-publica reporter needed a new mask And so he couldn't use his device because he didn't have the mask he needed So the insurance company refused to pay because they claimed he wasn't meeting his uses standards So there are some issues with bad faith denials so Interestingly enough some people have gotten into hacking their CPAP machines. It started with something called sleepy head which was Written by an open sort with by an Australian guy named Mark Watkins That allows users to read their own CPAP data and and even somebody's modified machine settings and That that project is no longer active and Oscar as the open source successor So here's a question Shouldn't insurer have the right to monitor compliance and deny payments if Requirements are not met like if they're okay, so we're getting like pretty much a universal though So my next question So would it be ethical for a patient to modify the device on the software to to improve their privacy and Maybe maybe circumvent some of the compliance monitoring. Yes. Okay. We got to know Now you go get your nose. Okay, so we got mostly yeses, but but a couple of nose. Do we get it? Okay? great Just want to firstly say first up I actually work for resmed one of these companies So everything we're talking about is fairly US centric in this presentation. We do actually have other regions like They you and Japan that have very strict privacy requirements You actually don't need to modify the software We actually require patient consent to opt-in in Europe the devices do not monitor until the patient gives their consent and For some of the apps such as a mini. There's an app as a feature in the app. You can say disable don't Send my data to the cloud So we're on board with the being ethical for the patient to control their own privacy And actually I've been told by somebody else that resmed does a very very good job with the security of their devices Yeah, and I in fact like I read I actually read your documentation about how you secured your communications and That sounded very good and then another security researcher who'd looked into it. So that you've done an impressive job So let's say you but you're in the US and if you turn off the monitoring You're insured your insurance company can stop your insurance company can force you to turn on the monitoring In that case is it ethical to met to mess with the device or the code so that it Maybe to say that so that it just gives gives your insurance company the compliance data It requires that it that it says is required Okay, maybe yes, maybe no Any comments? I think it's a great question. I think here we're talking about regulated devices So there are all kinds of different implications for regulated devices if it was unregulated I would answer probably very differently. I think it's it's more very very loose In regulation if you play with your pacemaker for example and and affect the the bluetooth connectivity to turn it on and off Only when you want to and you end up shorting the unit it burns you what happens in that case Right, so I think there's other implications when you start affecting the code in meta and truly regulated devices Typically because they're in categories in which are lifesaving or or they have other more serious consequences if you actually affect the code adversely Well, yeah, I think that's an excellent point. Like say you want to you want to modify something to increase your privacy Do you do you maybe? inadvertently screw something up or introduce another problems to it And I have no good answers to that Oh, sorry, you were no, no, I Yeah, so I think that I think fundamentally there's a difference between what's Whether we have an ethical or a moral right to privacy And whether we have a legal right to privacy and those are two very different questions So in the case of highly regulated devices, there's obviously a legal there's legal statutes around that But that doesn't infringe upon people's ethical right to privacy So something might be ethical but not legal or You know unethical but legal. Oh, yeah, I mean, I think that there's definitely a difference between like law and ethics And in fact that that actually I mean that raises some interesting questions because like there's an ongoing CPAP hacking project going on called oscar. It's like well Um So you've got somebody so you've got somebody who is a volunteer open source developer who is trying to help them Um, are they responsible if what they're doing to try to help cause is a problem for the patient? I mean I'd be like to what extent should they be responsible for that And that might that might be going into a completely different domain So let's talk about just the idea of making things better There's a few there's a few ideas that occurred to me. Um, so So one thing is maybe increasing some of the legal regulations An issue with that is that dealing with the government can be a little bit slow like for example I'm getting a like getting a device or getting some software through fda approval takes a very long time And and that's and that could be kind of tough because the product the product of product development cycle and stuff with software could be pretty fast Um, and then we talked about like do-it-yourself hacks like you see like an app or something and you and it it's You it's something you consider a privacy um A privacy problem probably say a lot of people attending def con here would have the skills to do something about it But that could that could be a little bit time consuming and possibly fraught with some other risks And then another idea would be maybe a voluntary compliance certification program And so basically how would that so it's there's just an open question is about how that might work So just turning it over to you, um Like so what what do people think? How could we how could we make the privacy situation better? Notakers I'm not going to strictly say how do we make the privacy situation better But I do want to pose a related question Which is is there a balance between privacy needs and health needs When we talk about you know the insurers having the ability to see patient data It feels a bit wrong that they're you know spying on you But if the ultimate goal is to help the patient if the patient isn't using their device It's a good thing if their doctor can call them up on the phone and say hey, you need some help So are we just saying that like the doctor can see the data, but we're not okay with the insurer Is it based on whether it's in the patient's interest versus a financial interest? Is that kind of how we're trying to weigh up privacy versus patient health in this scenario? um, yeah, it's it's a tough situation because like um like I think for example when talking about a CPAP machine There's there are very good reasons for the doctor to be able to see the data The issue in the us that the pro-public article talked about was that there's a there is at least a suspicion that's that um The insurance being able to see the data is part of a known playbook of trying to Intentionally trying to shift the cost back onto the The patient like for example in the exam the with the case that the guy needed a new mask and the insurance The insurance company wouldn't pay because he Couldn't use a device because he needed a new mask That was kind of a bad-faith denial And I think the implication of the article was that there are a few more other bad-faith denials So I think it's a matter of I think the insurance provider being maybe viewed as less trustworthy than in the physician So make oh sir I think a lot of these products a lot of these health tracking products are free apps, right? And so one way to change the system is to ask people to pay up front for an app that has excellent privacy And I think the issue there and the reason why we haven't seen more of it is The public is used to getting these products for free and not understanding the the consequences or what they're giving away, right? Oh, yeah, I think they have no they mostly have no idea Yeah, so I think there's a question of if we want these Products to be more ethically made then we need to educate consumers and get them used to paying for the product up front And then expecting security in return That's that's an excellent point. I mean like And you know like I'm guilty myself that I'll I'll be like, oh, yeah free app. I'll install this And it's exactly what you said And I think it's it comes back to uh Some of the incomprehensible privacy policies too like technically there's a privacy policy, but people can't read it And one of the things that article at the article that talked about it said would be interesting is if the privacy policy Actually gave gave customers a list of companies that might be buying their data Would that make them think So it's related to this One of the things that I think about this space is that really the only The really from a regulatory perspective or a policy perspective the only thing that will really shift the market is sunshine laws so requiring companies to Um disclose exactly what they're doing, you know to whom they're selling the data for example Um that said and even if even with all of the work that's being done to make privacy policies more readable Which is my job? There's still too many of them for people to read um, and so I think that what we need to get to is um machine readable digestible privacy policies that then flag you can set your preferences and then flag for you The sketchy stuff Where you would be downloading an app and it would you know your privacy policy Reader would read the privacy policy for you and say oh, you've agreed to all of these sorts of things before you're good with this stuff Here's something that's outside of that norm Um that you wouldn't want to be involved with does that make sense? Yeah, that's a really interesting idea because it seems like um natural language processing has really been getting a lot Stronger yeah in last few years in it and So like 10 years ago, I would have thought that was impossible and now I'm like, you know that actually that actually could very well be uh Be possible. Yeah. Yeah given that one in five Americans can't read at the fifth grade reading level I think that we really need to shift to making adaptive tools just like we make adaptive tools for people with mobility issues or or other Other differences in the way that they interact with the world. Yeah, I mean to be very honest I just I haven't taken a look at some of the privacy policies Um, I cannot imagine like somebody visually impaired trying to cope with that Yeah, exactly. So the adaptive technology would would benefit not only people with difficulty with You know with low reading ability, but people who have low reading ability for myriad other reasons. Yeah So I I love the direction of this. Um When I've seen patients and I'm a surgeon by training when I've seen patients in clinic Like it's super frustrating that you know, you have things designed that As a physician you can't understand you're having your patients understand Then you you extrapolate to the app world For this community The the the kind of extension of that I'd love to see especially because you mentioned And rightfully so we talk about the number regulated or unregulated apps and trackers we can name Multiply that by like a thousand of the homegrown ones are all out there. And so I think a growing um Uh a thing that a number of of kind of innovators have talked about is the gatekeeper probably should happen on the app store level So if you think about applying some of these technologies and actually taking the powers of this larger community Not so much the app developer But to the actual gatekeeper before the app can actually get out there If you look at where they actually have to go in they all funnel through a single store typically either on apple or android or All these different means right now There's no gatekeeper there to actually say like you have to meet this bar when you're collecting this level of information And that you have to actually consent or have people actually go through this level of understanding so much It's somewhat loose But to be able to kind of firm that up. It's kind of tough because So we're talking about um android and and so like play store is where you get android apps. Um, Who creates um android google? Um, what business is like in one of the biggest ad marketing? Um This this is the country these same people who were created android and are running the play store So yeah, it's I mean so like what you said was a really good idea. It's just um It it's hard to imagine google maybe seeing that as being completely in its best interest Yeah, so when when my organization partnered with apple to develop um health research kit the research app platform for ios And research stack, which is the analogous platform on um android they fought us tooth and nail about requiring Informed consent as part of those apps the research apps So these are apps specifically designed for research studies a platform specifically designed to conduct research studies And they fought us on the requirement for informed consent And then fought us on the requirement for ethical board review approval And so I don't think I mean it's a nice idea, but I don't think there's going to be any attraction in the general stores for those Yeah, like so I'm supposedly the newer version. They are the newer version of android q is coming out And that it's going to be a little bit better with on privacy, but eff Uh, eff wrote an article. I believe there are still some shortcomings related to that I think something that's not really talked about is is the idea of maybe presenting it to the user and giving them an option Right, um, you can buy this app for five dollars or we can use your data Um, actually, that's a really good point because I think I think a lot of times Users think that You can spend five dollars on this app or you will occasionally be annoyed by ads They don't think about it in terms of their data. They just think about being annoyed by about having to Put up with ads to do it right they'd have to list Hey, we're going to share this information But you know that that's probably the harder part is knowing who and what they're sharing They don't want that information to go out to the to the consumer But the idea that you could purchase something Or give your data to get that service for free. You're still purchasing it But that value is is in that bottom line, right? You're saying my personal data is worth five dollars to this That's that's true absolutely so Or or at least or at least make sure people are aware of it I mean one of the things that recently came out was vizio said we couldn't sell smart TVs this cheap If they were if they weren't smart TVs and tracking users data So, you know put that in there somewhere it says you paid five hundred dollars for this tv We are giving you a hundred dollar discount because we're tracking your data Just for what it is worth If you have an app that's charging you you're paying the money and they are promising that they're not sharing their data And they actually are there are some ways to to catch them doing it Like for example with the period tracker app I set up I basically set up a bunch of emulators and installed certificates and ran them through like an inter intercepting proxy To see to see who they were talking to and often what they were saying and so it's like Yeah, you can catch you can I mean like you have control of the device and there are ways to find out what it what it's doing It doesn't mean necessarily everybody will always bother to catch them, but they they can get caught So any any any other thoughts? I wasn't fast enough when we were talking about HIPAA, but I think it's a generally a pretty misunderstood thing it's First and foremost for healthcare or health record portability And the privacy stuff pretty much just falls under how that is taken account taken account for So it doesn't fall into a lot of things that people just people see health things and they just say HIPAA Those things just don't happen and I that's just something I didn't learn until I actually worked at a hospital All right, so I think it's just a really big misunderstood thing One thing there was right with that somebody else raised a rather interesting question is that Like for example, if you have a doctor that's maybe encouraging a patient to use a health app Um, does the doctor bear any legal or ethical responsibility for the privacy of the app? Like if a doctor is encouraging a patient to use an app that's loaded with trackers Does the doctor bear any responsibility for that? I mean are they should the doctor be expected to know or have any responsibility for that? I I don't know If there's money coming back from the company because and and so he's pushing it right similar to what happens with drug reps things like that and in a doctor's perspective if that App company is going to the doctor. It's a question of you know, really You know, is it is it malicious or not malicious? It's probably the wrong word, but you know, are you are you? Telling your patients to use this for your own monetary reward and actually I believe that there's an online um database with doctors that will tell you It will tell you um, how much money a doctor has taken and from who so it's like there's I mean like there would be a way to look that up. I believe But it's it's very interesting. I mean like when I look through records, I have not seen any app makers in that But I guess that's I mean that's a possible scenario that could happen in the future Okay, um, okay. Do we have anything else or no? We've talked a lot about systemic change and and different models or approaches to this but I'm curious to hear what you believe is a first step to making these health tracking apps safer or better It like does that do you see that starting with the companies? Do you see that starting with consumer education? Like are there any quick wins? I'm thinking to be honest, um Probably your quickest approach is going to be your quickest approach. You're probably going to be consumer ed I mean because like right now there. I mean, it's legally unregulated. It's you can't really make You can't really make custom The app developers do better one thing though that's interesting though is that there's been some news coverage and like so like these uh newspapers have investigated some of this and they've kind of named and shamed the companies and Like for example, there was a news article about the flow period tracker that was a period tracker that was Basically sharing a whole lot of user information and they got it some very high profile news reporting about it and flow Significantly cleaned up their app and at least if nothing else stops sharing a bunch of data with facebook So I think consumer ed and to be honest just continuing to investigate and maybe uh, maybe shame the companies into doing a little better Is practically speaking the best I can think of Have you seen any evidence that suggests that these app writers and companies that are utilizing this Are doing this privacy infringement on the front end knowing that at some point somebody's going to push back Well, and they take that for us to let's gain what we can monetarily now And then we'll clean it up later because this is all stuff that Is not rocket science Things have been exposed out there for a long time and yet consumers and I agree totally consumers have to be educated but How often do consumers listen? um uh It varies by consumer, but let's say on average probably not very often And so it's like what a lot of times it was software that was like especially with apps and stuff It's like It seems like they you got a fairly short cycle on them like they get developed rapidly and they uh And sometimes they can they can go away rapidly anyhow when the developer gets tired of maintaining them So yeah throwing something up and making as much as they can and then just deciding it'll go away when it goes away Yeah, that's very realistic And especially it's like when you look at the app developer there, you're usually not saying an individual's name You're seeing this company whose name Doesn't mean anything to you at all So so it's like um, yeah, I I think it's very likely I think the other interesting kind of provocative thing to think about is there's a lot of consolidation happening in this space And a lot of the managed care companies are actually buying apps to become innovative Oh, yeah, and they actually then assume the data on many levels And if the company doesn't have the right project of protections and or can censor the patients the question is what's happening to that data And then is there still a wall between it? Yeah, actually, that's interesting. I think one of the better. I remember reading about one of the better Uh period tracker apps getting acquired that way So, uh, yeah, I yeah, that sounds very familiar Will you run any other questions?