Privacy: Who Cares? A Quick Look at the BOC Smart Bracelet

First published: 27th October 2018

Would you give access to all your emails in order to track your fitness? I was recently passed a "BOC Life" branded Smart Bracelet, but I was shocked by the User Agreement of the required App.

The Smart Bracelet was apparently given to BOC Life customers as a sign-up gift; I was given it by a friend who declined to be identified. The Smart Bracelet needs to be paired with a smartphone, and an App called "Veryfit 2.0" must be installed. I downloaded Veryfit 2.0 from the Google Play Store; it is also available for the iPhone, and via a QR code printed on the box.

On installation, it asks for a long list of permissions (see screenshots). Some appear necessary for the declared functions of the device (Camera for the remote camera function, location and sensor data for the fitness function), but others are excessive:

To be clear, the App is asking to access all the details of your friends, when you called them and all of the files that are held on your phone!
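The necessary-versus-excessive comparison above can be run mechanically against an app's manifest. The following is an added example, not part of the original article or of the Veryfit app: the manifest is constructed, and the mapping from the article's descriptions to Android permission names (including Bluetooth for pairing) is an assumption.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumed mapping: permissions a declared device function can justify.
JUSTIFIED = {
    "android.permission.CAMERA": "remote camera function",
    "android.permission.ACCESS_FINE_LOCATION": "fitness function (location)",
    "android.permission.BODY_SENSORS": "fitness function (sensor data)",
    "android.permission.BLUETOOTH": "pairing with the bracelet",
}
# Assumed mapping: permissions exposing the data the article calls excessive.
SENSITIVE = {
    "android.permission.READ_CONTACTS": "details of the user's contacts",
    "android.permission.READ_CALL_LOG": "who was called and when",
    "android.permission.READ_EXTERNAL_STORAGE": "files held on the phone",
}

# Constructed sample manifest, not extracted from the real app.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fitnessband">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.BODY_SENSORS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""

def audit(manifest_xml):
    """Sort requested permissions into justified, excessive and unreviewed."""
    root = ET.fromstring(manifest_xml)
    report = {"justified": [], "excessive": [], "unreviewed": []}
    for elem in root.iter("uses-permission"):
        perm = elem.get(ANDROID_NS + "name")
        if perm in JUSTIFIED:
            report["justified"].append((perm, JUSTIFIED[perm]))
        elif perm in SENSITIVE:
            report["excessive"].append((perm, SENSITIVE[perm]))
        else:
            # Nobody has recorded a purpose: needs a human decision.
            report["unreviewed"].append((perm, "no documented purpose"))
    return report

if __name__ == "__main__":
    for bucket, items in audit(SAMPLE_MANIFEST).items():
        for perm, reason in items:
            print(f"{bucket:10} {perm.rsplit('.', 1)[-1]:24} {reason}")
```
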

On starting the App, there is a "Warm tips" screen (see screenshot) that instructs the user to read and understand the linked "Related user agreements" and "Privacy Policy", but the user can click past without reading them or even scrolling through them.

Section 5.1.1 of the User Agreement is particularly worrying. It states, "We may collect and use emails, avatars, nicknames, genders, birthdays, heights, weights, time zones, languages, and regions." The collection of email messages far exceeds any reasonable requirement for the device functionality. The use of the plural for "genders, birthdays," strongly implies that the data will be collected for multiple people, i.e., the user's contacts as well as the user.

It may be that the User Agreement is poorly worded, but the facts are that the app requires excessive data access when it is installed, and the agreement requires permission to use excessive data access. This is in violation of DPP1:

DPP1 - Data Collection Principle

Personal data must be collected in a lawful and fair way, for a purpose directly related to a function/activity of the data user.

Data subjects must be notified of the purpose and the classes of persons to whom the data may be transferred.

Data collected should be necessary but not excessive.

It seemed unwise to accept the user agreement and therefore it was impossible to evaluate what the Smart Bracelet actually does.

Who is responsible for this egregious user agreement? The developer of the App is only identified by the App name, "Veryfit 2.0", in the user agreement. Maybe there are more contact details within the App, but they cannot be accessed without accepting the agreement. However, BOC Life made the decision to put their brand on the device and offer it to their customers, so they should take some responsibility for the software necessary to use the device.

BOC Life has been contacted and asked to:

  1. Immediately cease distribution of the device and app.
  2. Contact all their customers who received the device to recall it.
  3. Consider whether to issue an updated version of the device and app that addresses the privacy concerns.
  4. Update their procedures to properly vet future promotional gifts for privacy concerns.
  5. Make a full, public report to the Privacy Commissioner for Personal Data (PCPD).

The PCPD has also been contacted with the same details. I await developments.

Allan Dyer

Updated: 07th November 2018

The Office of the Privacy Commissioner for Personal Data has initiated a compliance check to look into the matter, case no. 201815015.


Gallery

The BOC Life Smart Bracelet in its box
Rear of Smart Bracelet box, listing the device functionality and the App QR code
Veryfit 2.0 required permissions
More Veryfit 2.0 required permissions
Veryfit 2.0 "Warm Tips" and user agreement acceptance
Section 5, Privacy Policy of Veryfit 2.0 User Agreement
Section 6.5 of the Veryfit 2.0 User Agreement is very strange
