Maybe don't give Google access to all of your health data

Maybe don't give Google access to all of your health data

Google. You may have heard of them. But you may be less familiar with all of Google’s sister companies.

In 2015, Google reorganized itself into Alphabet, Inc—a company of which Google is only one subsidiary—and other companies were spun off into their own entities. For instance, Waymo is Alphabet’s self-driving car arm, DeepMind focuses on artificial intelligence, and Verily researches healthcare and life sciences.

They’re all distinct subsidiaries, but people still tend to use "Google" as a catchall for the companies. That’s normally inoffensive – does it really matter if Google Fiber is technically part of Alphabet and not Google? – but it can cause problems when it comes to things like the recently announced Project Baseline from Verily.

Project Baseline aims to be one of the most comprehensive health studies in history. But Google is a company known for making off of advertising, thanks to the wealth of knowledge it has about its users. Can Verily escape the stigma and privacy concerns of its sister company? And is it a good idea to give a Google-adjacent company so much access to your health data?

What is Project Baseline?

Project Baseline is a study from Verily, in conjunction with Duke University and Stanford Medicine. Its stated mission is to:

"develop a well-defined reference, or "baseline," of good health as well as a rich data platform that may be used to better understand the transition from health to disease and identify additional risk factors for disease"

Project Baseline will be a four-year study of 10,000 participants, collecting such data as "clinical, imaging, self-reported, physical, environmental, and molecular and genetic measurements," along with blood, tears, and saliva. They’ll also have access to your medical records.

Participants will be required to make annual site visits and quarterly appointments to medical centers that are part of the study. Participants also get an "investigational wristwatch" – essentially a super smartwatch/Fitbit – a sleep monitor that goes under the mattress, and a hub to securely send gathered data to Verily.

If that sounds like a lot of personal data...well, that’s because it is. But we give up a lot of data about ourselves, sometimes willingly and sometimes without realizing it. It’s how companies like Google (sorry, Alphabet) and Facebook have grown so big. But is it a good idea to throw your health information into the cache of data we’re already providing to companies?

Can I trust Verily with my health data?

It feels like it’s been a while since we had a good data breach story, so it’s nice to see Chipotle coming through in the clutch. It highlights something we already knew: companies really aren’t good at keeping our private data private.

The data in the Project Baseline study is anonymized and securely transmitted through the provided hub. But as Wired points out, "overlaps among big databases, like voter registration or census data alongside personal health information, mean that a good coder can often de-anonymize that stuff." And Bloomberg has shown examples of how, depending on how dedicated someone is, linking bits of information to create a complete profile isn’t too difficult.

Between that, hacks, and accidental disclosures of health information, it’s not hard to imagine a scenario where this secure, anonymous information is a little less secure and a little less anonymous.

Then there’s the elephant in the room: Verily, even if technically autonomous, is still kinda, sorta, enough-to-be-concerning connected to Google.

To be fair, Verily seems to be heading this concern off at the pass. The online consent form for people looking to sign up lists Google as one of the parties information will be shared with, but notes that "While Google provides computing, analytics, and data handling power, Google will not use the information you provide in your Baseline Profile for advertising."

That’s...only a partial relief.

First, a Google account is required to sign up for the study. While there’s ostensibly no overlap between your Google account and Project Baseline profile, that requirement might raise some eyebrows right off the bat.

Second, another part of the consent form states that, "In the future, the Baseline Team may allow the data to be used by researchers outside of the Baseline Team. If this happens, the Baseline Team will not include direct identifiers." Who are these other researchers? What will they do with the information? It’s unknown, and as discussed earlier, putting together a profile puzzle isn’t always that difficult.

Finally, as Techcrunch points out, the fact is that while Google won’t sell your information to third parties, they don’t actually need to do that in order to make money:

...the company is in the business of ad targeting, so does not need to sell users’ personal information to advertisers — it sells ad targeting based on its data holdings.

(Also in the consent form: the consent has no expiration, and your ability to access your own health data is limited.)

Another point of concern is past history of Google Alphabet companies. Besides privacy issues with Google, DeepMind got into a bit of hot water last year when it got access to a number of medical records and patient data in a study with the UK’s National Health Service, and questions arose around the scope of the data the company had and the consent (or lack thereof) given by participants.

So should you join Project Baseline? That’s really up to you. Yes, there could be groundbreaking health information to come out of the study. Yes, you can get a (really, really) nice smartwatch.

But if you’re the type of person who has concerns about Big Brother – or would just prefer that you keep even a little of your privacy in today’s age of always-connectedness – know what you’re getting yourself into.

And if you start seeing ads for very specific medical conditions, well, you know who to point a finger at.