IoT (II): From The Internet Of Things To The Internet Of Bodies
With the 'Internet of Things' (IoT), in 1999 Kevin Ashton performed the miracle of digital communication between the physical world and the Internet. The growing number of connected devices that we carry with us to control aspects of our well-being and health has given rise to the concept of the Internet of Bodies (IoB), or connected body. Using these devices to monitor different parameters of our body means processing biometric and health data, with undoubted advantages. Still, it also implies risks for privacy and, in certain circumstances, can compromise the person's physical integrity.
The Internet of Bodies can be conceptually defined as using Internet-connected devices to control and access all or some of our vital signals. Other biometric information and other health indicators include physical activity, sleep quality, sports activity, or sedentary lifestyle. All this is personal data that will be analyzed, exploited, stored, and ultimately processed in very different ways by the different parties responsible for and in charge of the processing.
This conceptual change allows us to understand that in certain circumstances, sensors and devices, despite belonging to the IoT field, do not monitor ‘things’ but rather quantify people.
There are three levels of implementation or generations of IoB, depending on the degree of attachment to the body:
- First Generation: Devices Outside The Body. People continuously carry accessories that can send a multitude of personal data to different entities through the Internet. Some examples of this generation are mobile mirrors or smartwatches with similar functionalities. Other types of devices also belong to this generation, such as headbands with electroencephalogram (EEG) sensors that interpret brain activity and detect states such as focus, direction, rest, anxiety, and more. This first generation has been a reality for many years.
- Second Generation: Devices Internal To The Body. Devices found within the person's body, including those implanted, belong to this generation. Devices for medical purposes (Medical IoT or MIoT) stand out: pacemakers, cochlear implants, or, in the future, organs developed using 3D printing (such as bioprinting of the pancreas that will allow regulating the use of insulin for people with some types of diabetes). Also part of this generation are the 'digital pills' (ingestibles) that, after being ingested, can transmit data from inside the person's digestive system through sensors. Related to this generation, the existence of biohacker communities stands out: they seek to modify and alter their bodies by implanting different types of technological components to improve human capabilities. Although the medical use of implants is not new, their Internet connection has been significantly boosted in the framework of the Covid-19 pandemic, as a way of replacing the collection of clinical data by a specialist.
- Third Generation: Body-Fused Devices. This generation, still in development, requires integrating technology with the human body to create a communication interface that allows the interpretation of biological elements. An example is brain enhancement, which can help people with neurodegenerative problems such as Alzheimer's or Parkinson's. This generation is related to the 'Brain-Computer Interface' (BCI), the technology used in cognitive learning to prevent the effects of aging, because a car interprets brain waves.
The use of this technology can be medical (also known as MIoT or Medical IoT) or self-identified. In the latter case, and given the inherent connectivity of IoT systems, the General Data Protection Regulation also applies to those responsible for or in charge of the processing who provide the means to process personal data related to such individual or domestic activities (Recital 18). The IoB, especially in the third generation, raises specific questions that, although not unrelated to the data protection risks inherent to the IoT, can be heightened:
- An attack on such devices can seriously endanger people's health, including their lives. In such a case, the loss of privacy directly affects the person's life. For example, in 2017, the FDA (the United States Food and Drug Administration) issued a statement alerting patients with a particular pacemaker to urgently see their doctor for a firmware update, given that a detected vulnerability could make it easier for an attacker to compromise their pacemaker and physically harm them.
- The reliability, robustness against cyberattacks, and resilience of all the processing in which the devices are involved must be the maximum possible, in particular when they are aimed at vulnerable groups. It is essential to apply the principles of data protection by design and by default, as well as security measures. To avoid vulnerabilities, it is advisable to avoid incorporating features that are not necessary.
- Relying excessively on devices for data collection and analysis, and using them as a substitute for a human specialist rather than a complement, leads patients to be subjected to automated decisions that significantly affect them.
- Connectivity through the Internet generates metadata, including geolocation data, which could lead to the profiling of people, to obtaining data on emotional reactions, cognitive abilities, mental health, preferences, tastes of all kinds, and consumption, or to this information being leaked to third parties.
- The transfer of devices between people, if they are shared, sold, or reassigned by the health authority, could compromise private data of citizens.
- The use of systems with disclaimer clauses, in which the quality of service in their operation is not guaranteed. Their operation on networks that do not guarantee response times, or compatibility problems, may lead to a failure in the availability of the data at critical moments.
- It is necessary to incorporate audit protocols for the processing in which these devices are used, not only for the devices themselves. In addition, the data obtained with these devices is widely linked to the use of Artificial Intelligence solutions, with their associated risks.
- It is possible to reach scenarios in which third parties access the data collected by these devices for different purposes, for example, insurance companies when contracting policies, contracts, or border controls. This could, in turn, lead to discrimination against people who do not have habits that the devices deem healthy, or against those who refuse to give access or to use them.
- The risks associated with direct human-machine interaction, especially in BCI applications, can lead to unprecedented scenarios of social manipulation, modification, and influence on human behavior.
- Finally, there is the possible problem of a lack of knowledge in civil society about the associated risks, which must be resolved by those responsible for the processing in order to comply with the right to information of the persons concerned and with the principle of transparency, an essential element of proactive accountability.