Does deidentification of data from wearable devices give us a false sense of security? A systematic review

Wearable devices have made it easier to generate and share data collected on individuals. This systematic review seeks to investigate whether deidentifying data from wearable devices is sufficient to protect the privacy of individuals in datasets. We searched Web of Science, IEEE Xplore Digital Library, PubMed, Scopus, and the ACM Digital Library on Dec 6, 2021 (PROSPERO registration number CRD42022312922). We also performed manual searches in journals of interest until April 12, 2022. Although our search strategy had no language restrictions, all retrieved studies were in English. We included studies showing reidentification, identification, or authentication with data from wearable devices. Our search retrieved 17 625 studies, and 72 studies met our inclusion criteria. We designed a custom assessment tool for study quality and risk of bias assessments. 64 studies were classified as high quality and eight as moderate quality, and we did not detect any bias in any of the included studies. Correct identification rates were typically 86–100%, indicating a high risk of reidentification. Additionally, as little as 1–300 s of recording were required to enable reidentification from sensors that are generally not thought to generate identifiable information, such as electrocardiograms. These findings call for concerted efforts to rethink methods for data sharing to promote advances in research innovation while preventing the loss of individual privacy.