First published: 27th October 2018
Would you give access to all your emails in order to track your fitness? I was recently passed a "BOC Life" branded Smart Bracelet, but I was shocked by the User Agreement of the required App.
The Smart Bracelet was apparently given to BOC Life customers as a sign-up gift; mine came from a friend who declined to be identified. The Smart Bracelet needs to be paired with a smartphone, and an App called "Veryfit 2.0" must be installed. I downloaded Veryfit 2.0 from the Google Play Store; it is also available for the iPhone, and via a QR code printed on the box.
On installation, it asks for a long list of permissions (see screenshots). Some appear necessary for the declared functions of the device (Camera for the remote camera function, location and sensor data for the fitness function), but others are excessive:
- Contacts
- Call logs
- Storage (files on the phone)
To be clear, the App is asking to access all the details of your friends, when you called them and all of the files that are held on your phone!
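The permission list can be checked without accepting any agreement, because the permissions an Android App requests are declared statically in its AndroidManifest.xml (the Android SDK's `aapt dump permissions app.apk` prints them, or the manifest can be decoded from the APK). The following is an added example, not code from this post or from the Veryfit 2.0 developer: it reads a decoded manifest and sorts each requested runtime permission into the groups Android uses, flagging any group that the device's declared functions (camera, location, sensors) do not justify. The manifest embedded below is constructed for illustration, not the Veryfit 2.0 manifest, and the package name in it is hypothetical.

```python
"""Flag excessive Android permissions in a decoded AndroidManifest.xml.

Added example: the manifest below is CONSTRUCTED for illustration and is
not taken from the Veryfit 2.0 App. The package name is hypothetical.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Runtime ("dangerous") permissions, keyed to the permission group Android
# presents to the user at installation or first use.
PERMISSION_GROUPS = {
    "android.permission.READ_CALL_LOG": "CALL_LOG",
    "android.permission.WRITE_CALL_LOG": "CALL_LOG",
    "android.permission.READ_CONTACTS": "CONTACTS",
    "android.permission.WRITE_CONTACTS": "CONTACTS",
    "android.permission.READ_EXTERNAL_STORAGE": "STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE": "STORAGE",
    "android.permission.CAMERA": "CAMERA",
    "android.permission.ACCESS_FINE_LOCATION": "LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION": "LOCATION",
    "android.permission.BODY_SENSORS": "SENSORS",
    "android.permission.READ_PHONE_STATE": "PHONE",
    "android.permission.CALL_PHONE": "PHONE",
    "android.permission.READ_SMS": "SMS",
    "android.permission.RECEIVE_SMS": "SMS",
    "android.permission.RECORD_AUDIO": "MICROPHONE",
    "android.permission.READ_CALENDAR": "CALENDAR",
}

# Groups that a fitness bracelet's declared functions can justify:
# remote camera, location for fitness tracking, body sensors.
JUSTIFIED_GROUPS = {"CAMERA", "LOCATION", "SENSORS"}

# Constructed sample manifest (not the real App's manifest).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed.tracker">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.BODY_SENSORS"/>
  <uses-permission android:name="android.permission.BLUETOOTH"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
</manifest>
"""


def requested_permissions(manifest_xml):
    """Return the android:name of every <uses-permission> element, in order."""
    root = ET.fromstring(manifest_xml)
    return [el.get(f"{{{ANDROID_NS}}}name") for el in root.iter("uses-permission")]


def classify(manifest_xml, justified=JUSTIFIED_GROUPS):
    """Split requested permissions into justified, excessive and normal.

    'normal' covers install-time permissions (e.g. BLUETOOTH) that are not
    in a runtime permission group and so are not flagged either way.
    """
    result = {"justified": [], "excessive": [], "normal": []}
    for perm in requested_permissions(manifest_xml):
        group = PERMISSION_GROUPS.get(perm)
        if group is None:
            result["normal"].append(perm)
        elif group in justified:
            result["justified"].append(perm)
        else:
            result["excessive"].append(perm)
    return result


if __name__ == "__main__":
    report = classify(SAMPLE_MANIFEST)
    for category, perms in report.items():
        print(f"{category}:")
        for perm in perms:
            print(f"  {perm}")
```

The allowlist encodes the analyst's judgement about what the device's stated functions need; a different device gets a different `JUSTIFIED_GROUPS`. Run against a real manifest, the "excessive" list is the one to compare with the agreement's stated purposes.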
Section 5.1.1 of the User Agreement is particularly worrying. It states, "We may collect and use emails, avatars, nicknames, genders, birthdays, heights, weights, time zones, languages, and regions." Even if "emails" was intended to mean email addresses rather than messages, the agreement does not say so; read as written, it claims the right to collect email content, which far exceeds any reasonable requirement for the device's functionality. The use of the plural in "genders, birthdays" strongly implies that the data will be collected for multiple people, i.e., the user's contacts as well as the user.
It may be that the User Agreement is poorly worded, but the facts are that the App requires excessive data access when it is installed, and the agreement requires consent to excessive data use. This is in violation of DPP1:
DPP1 - Data Collection Principle
Personal data must be collected in a lawful and fair way, for a purpose directly related to a function /activity of the data user.
Data subjects must be notified of the purpose and the classes of persons to whom the data may be transferred.
Data collected should be necessary but not excessive.
It seemed unwise to accept the user agreement, and therefore it was impossible to evaluate what the Smart Bracelet actually does.
Who is responsible for this egregious user agreement? The developer of the App is only identified by the App name, "Veryfit 2.0", in the user agreement. Maybe there are more contact details within the App, but they cannot be accessed without accepting the agreement. However, BOC Life made the decision to put their brand on the device and offer it to their customers, so they should take some responsibility for the software necessary to use the device.
BOC Life has been contacted and asked to:
- Immediately cease distribution of the device and app.
- Contact all their customers who received the device to recall it.
- Consider whether to issue an updated version of the device and app that addresses the privacy concerns.
- Update their procedures to properly vet future promotional gifts for privacy concerns.
- Make a full, public report to the Privacy Commissioner for Personal Data (PCPD).
The PCPD has also been contacted with the same details. I await developments.
Updated: 7th November 2018
The Office of the Privacy Commissioner for Personal Data has initiated a compliance check to look into the matter, case no. 201815015.