IoT (II): from the internet of things to the internet of bodies

“The Internet of Things” or “Internet de las Cosas” (IoT) is a concept proposed in 1999 by Kevin Ashton to describe the phenomenon of digital interconnection between the objects of the physical world and the Internet. The increasing surge of connected devices that can be used to control aspects regarding well-being and health by wearing them has given rise to the concept of the Internet of Bodies, IoB, or connected body.  The use of these devices to monitor several parameters in our body results in the processing of biometric data and health data with doubtless advantages, but also with risks for privacy and, in certain circumstances, a compromise of the user’s physical integrity.

The Internet of Bodies can be defined from a conceptual point of view as the use of devices connected to the Internet that monitor and/or act on all or some of our vital signs and other biometric data, as well as other health indicators such as the physical activity, the sleep quality, the sport activity or a sedentary lifestyle. All these are personal data that will be analysed, exploited, stored and, in sum, processed in several ways by several data controllers and data processors.

This change in the conception makes it possible to understand that, in certain circumstances, sensors and devices, even when pertaining to the IoT, do not monitor “things”, but rather quantify individuals.

There are three levels of implementation or IoB generations depending on the level of attachment to the body:

• First Generation: devices external to the body Individuals are always wearing accessories that can send many personal data to several entities through the Internet. Some examples of this generation are physical activity monitoring devices or smartwatches with similar functionalities. Another type of devices also belongs to this generation, such as Electroencephalogram headband to analyse brain activity and detect several situations such as the level of attention, concentration, rest, stress, etc. This first generation has been a reality for several years now.
• Second Generation: devices internal to the body Devices located within the human body, included those implanted, pertain to this generation. We can mention devices with a medical purpose (Medical IoT or MIoT): pacemakers, cochlear implants, or, in the future, organs developed through 3D printing (such as the bioprinting of a pancreas, which will allow the regular use of insulin for individuals with some types of diabetes). “Digital pills” also pertain to this generation (ingestible pills) that can convey data from the inside of the digestive system of a person through sensors once ingested. In relation to this generation, the existence of communities of biohackers can be highlighted that seek to modify and alter their body through the implanting of many technological components for the purposes of improving human skills. Although the medical use of implantable devices is not a novelty, what is new is the fact that they may be connected to the Internet, a fact that has been specifically enhanced within the frame of the Covid-19 pandemic, while seeking to substitute the collection of clinical data by a specialist.
• Third generation: devises that are merged with the body This generation, still under development, seeks the merger between the human body and technology in order to achieve an interface of communication that allows to interpret and to act on the very biological elements. An example is brain improvement, which can help people with neuro degeneration problems such as Alzheimer or Parkinson. This type of generation is related to the Brain Computer Interface (BCI), which is a technology applied to cognitive training to prevent the effects of ageing where brain waves are interpreted by a machine.

The use of these technologies can be framed within a medical treatment (also called MIoT or Medical IoT) or at the user’s initiative. In this last case, and given the connectivity inherent to IoB systems, the GDPR also applies to processors or controllers who provide means to process personal data through such personal or domestic activities (Recital 18). The IoB, specifically in the third generation, poses certain doubts that, if not external to the risks for data protection inherent to the IoT, can be enhanced:

• An attack to devices of this type can jeopardise people’s health and even their lives. In such an event, the loss of privacy directly affects the life of a person. For example, in 2017 the FDA released a note alerting patients with a specific pacemaker to urgently go see their doctor for an update on the firmware, given that the vulnerability detected could allow for an attacker to compromise their pacemaker and cause physical harm.
• The reliability, robustness in the light of cyberattacks and resilience of all processing activities where devices are framed must be the maximum possible. More precisely, if oriented towards vulnerable collectives. It is of essence to apply data protection principles by design and by default apart from security measures, and the incorporation of unnecessary features needs to be avoided so as to avoid vulnerabilities.
• An excess of confidence on the use of devices both for the collection and for the analysis of data, as well as the use of devices as a substitute of a human specialist, instead of as a complement, leaves patients to the possibility of being subjected to automated decisions that affect them significantly.
• Connectivity through the Internet involves the generation of metadata and even geolocation data that could result in the profiling of individuals, the collection on data on emotional reactions, cognitive capabilities, mental health, preferences, tastes of all types, consumption, or the leak of this information to third parties.
• The transfer of devices among individuals, in case such devices are shared, sold or reassigned by a health authority, could compromise private data pertaining to citizens.
• The use of systems with liability waiver clauses where the quality of the service in their operations is not guaranteed, operation in networks that do not guarantee either response times or the compatibility problems that may involve a failure in the availability of the data at critical moments.
• The incorporation of audit protocols is needed with regard to the processing activities where such devices are incorporated, and not only of the devices themselves. On another note, the data obtained with these devices are largely linked to the use of solutions of Artificial Intelligence together with its associated risks.
•  IT is possible to reach scenarios where access to data collected by such data occurs, for insuring companies at the time to underwrite policies, hirings, or border controls, which could also entail a discrimination towards individuals that do not have the habits that are considered healthy by the devices or towards which access is denied or use is denied.
• The risks associated to a direct machine-man interaction, namely in BCI applications, could lead to scenarios of social manipulation, modification and influence on human behaviour never seen before.
• Finally, we are facing the possibility of a problem of absence of knowledge in the civil society on the associated risks, which could be solved by data controllers in order to fulfil the duty of the right of information for data subject and the transparency principle, an essential element of proactive responsibility.

You may find further information about data protection and privacy on the Innovation and Technology website of this Agency, as well as on our blog:

• IoT (I): What is IoT and which risks does it entail
• Connected cars
• Group privacy
• Data protection and security
• Processing of personal data in emergency situations