Apple just announced the details of the new open source software framework that will make it easier for medical researchers to access data about millions of potential subjects. ResearchKit sounds amazing—and potentially riddled with security concerns. Will Apple make it easier for adversaries to access your health data, too?
It's hard to tell. On the new ResearchKit webpage, Apple touts the software's privacy features but conspicuously leaves out any mention of security. We can only assume that ResearchKit will use a system similar to HealthKit, Apple's older development kit for health apps, where a "user's health information is stored in a centralised and secure location and the user decides which data should be shared with your app." On privacy, the page for ResearchKit says:
"We know how much you value the privacy of your information, and ResearchKit has been designed with that in mind. You choose what studies you want to join, you are in control of what information you provide to which apps, and you can see the data you're sharing."
What kind of data? A little bit of digging into the software's technical overview for developers reveals the specific kind of data ResearchKit will collect. For now, it's biometric data specific to the areas of research where the software is currently being used: asthma, Parkinson's, diabetes, breast cancer, and cardiovascular disease. Here's the full table of the personal data ResearchKit collects:
So far, this sounds fine. You agree to share your data with researchers trying to cure cancer and heart disease and whatnot. Researchers get a wealth of new data, especially with everybody clamouring to buy those (expensive) health-tracking Apple Watches.
It gets more complicated when HealthKit comes into play, however. ResearchKit is designed to tap into HealthKit and the 900-plus apps that have been built on top of that framework. So depending on the study, researchers could tap into a much longer list of data, like calorie use. It's unclear who exactly has access to this data. HealthKit works seamlessly with the electronic health records database maintained by Epic, the makers of database software for all kinds of hospitals and healthcare organisations.
This is all to say that it's not just researchers and Apple databases handling your health data when you use these new products. Based on what we know, the databases plug into other databases that plug into other databases. And as we learned from the massive iCloud hack last year, Apple's security is not impregnable.
Does this mean that ResearchKit is a bad thing? Of course not. It does mean that Apple's collecting an increasing amount of deeply personal biometric data about you and your health. And it seems like they're putting it to good use with ResearchKit. However, it's always important to remember: Just because your data is private does not mean it's secure.
Illustration via Apple / Gizmodo