• Health

A Wake-Up Call On Smart Beds And Sleep Apps That Collect Your Data

8 minute read

Your bed could be watching you.

OK, so not with a camera. At least not yet.

But if you have any of a variety of “smart beds,” mattress pads or sleep apps, it knows when you go to sleep. It knows when you toss and turn. It may even be able to tell when you’re having sex.

Sleep Number, one company that makes beds that can track heart rate, respiration and movement, says it collects more than 8 billion biometric data points every night, gathered each second and sent via an app through the internet to the company’s servers.

“This gives us the intelligence to be able to continue to feed our algorithms,” CEO Shelly Ibach told attendees at a Fortune Brainstorm Health conference in San Diego last month.

Analyzing all that personal data, Ibach continued, not only helps Sleep Number inform consumers who use one of their 360 models about their health, but also aids the company’s efforts to make a better product.

Still, consumer-privacy advocates are increasingly raising concerns about the fate of personal health information, which is potentially valuable to companies that collect and sell it, gathered through a growing number of internet-connected devices.

“We don’t know what happens to all that data,” says Burcu Kilic, director of the digital rights program at Public Citizen, an advocacy group in Washington, D.C.

The information “is also relevant and important to pharmaceutical companies and those that make hospital-related technology,” Kilic says.

Nonetheless, consumers are flocking to mattresses, sleep tracking devices and under-mattress sensors that claim to quantify sleep. Sleep apps are among the most popular downloads on Apple and Android smartphones.

Sleep number is one of the most heavily marketed of such products, with press releases and ads often equating good sleep with better a better life. Sales of the beds grew 6% year-over-year to $1.5 billion in 2018, company filings show. Early this year, it signed a partnership with Ariana Huffington’s Thrive Global (a corporate wellness firm she launched after leaving the Huffington Post in 2016). Last year, Sleep Number began a multi-year partnership with the NFL, in which the company gives its beds to players.

The company says it goes to great lengths to protect its customers’ data.

“To be clear, Sleep Number does not share any SleepIQ or biometric” data outside the company, said Sleep Number spokeswoman Julie Elepano in email exchanges.

However, that differs from the company’s privacy notice, which clearly states that personal information—potentially including biometric data—“may” be shared with marketing companies or business partners. They, in turn, could send out pitches for Sleep Number or offers to participate in partner product loyalty programs. The policy also says personal information could be given to partners for “research, analysis or administering surveys.”

Finally, the privacy policy says Sleep Number can “exploit, share and use for any purpose” personal information with names or addresses withheld or stripped out, known as “de-identified” data.

When asked about the seeming difference between what the privacy policy states and her comments, Elepano did not address that directly, but reiterated that the company does not share even de-identified biometric data.

Details From Dreamland

From when you turn in to when you wake up, these beds know a lot, thanks to a range of potential sensors. Some, for example, use microphones to track snoring; typically, these devices and apps are marketed for that purpose.

Late last year, there was a collective social media freakout when bloggers noticed a quirk in the Sleep Number bed privacy policy that seemed to indicate those beds had a microphone.

But they don’t, the company was quick to note.

Instead, Sleep Number beds gather data through tiny changes in the mattress’s air pressure—the beds have sensors that can inflate, deflate or otherwise adjust the mattress for comfort—says Pete Bils, Sleep Number’s vice president of sleep science and research. Those data, along with goals each consumer sets for sleep, go into creating what the firm calls a Sleep IQ Score, designed to assess how well a consumer slept (and used heavily in the company’s marketing). Over time, the score purports to show if a person is deviating from their averages.

If consumers don’t want to track what’s going on in bed, they can flip on a “privacy mode” setting, which halts transmission, but also limits what a consumer can learn about their sleep patterns—presumably one reason they bought the bed in the first place.

“The more you use the bed, the more it knows you,” says Bils.

From what is spelled out in privacy policies for these bed and apps, it’s clear the data could be useful in other ways, too.

For example, the French company Withings, which makes an under-mattress monitor that can track movement, heart rate, snoring and other factors, says it shares anonymous and aggregated data “with partners such as hospitals, researchers or companies, as well as to the public in blog posts and data studies.”

According to the Sleep Number privacy policy, it collects personal information, which can include names and information about a consumer’s age, weight, height and gender. If a consumer creates a user profile on the bed’s app, that personal information is expanded to include specifics about movement, positions, respiration and heart rate.

That is also true for children if parents create a user profile for them.

The policy also notes that personal data might be stored indefinitely, even “after you cancel or deactivate” user accounts.

It’s More Than Just Z’s

The privacy policies of many devices that track and transmit personal information allow for the sharing of data that has been stripped of personal identifiers.

But privacy experts have shown it’s not terribly difficult to use or combine such information to “re-identify” people.

“You are left with the impression that, ‘Don’t worry, no one will be able to point to you,’ but they don’t actually say that,” says Lee Tien, senior staff attorney at the Electronic Frontier Foundation. “I don’t know how they actually could say that.”

Unlike personal data collected in a doctor’s office or a sleep clinic, the information gathered by sleep trackers is not protected by federal privacy rules.

Some sleep trackers or apps can connect with other “smart” devices in your home, such as a thermostat or coffee maker.

Nifty, for sure, because as you wake up, your heater can kick on and the coffee maker can start doing its thing. But it also can mean those devices are sharing your information. Sleep Number says its beds can import information from other devices but does not share customer information with them.

Still, the interconnectedness exposes more vulnerabilities.

“We connect all these devices to each other,” notes Kilic at Public Citizen. “If hackers want to get into the system, [they] can easily do so and collect all this info from you: How do you use your bed? How often do you have sex? This is very sensitive information.”

Privacy experts recommend encryption and the use of strong passwords and additional authentication whenever possible. Some trackers and sensors allow for such protections; Sleep Number’s Bils says the data transmitted is encrypted.

The goal of the data gathering, Sleep Number and other companies say, is helping sleep-deprived Americans do a better job at, well, sleeping.

But do consumers really need an app—or a bed that can costs thousands of dollars—to tell them how rested they feel in the morning?

Such tools are “great because it makes people more aware of sleep, but it’s a slippery slope,” says Dr. Seema Khosla, a pulmonologist and medical director of the North Dakota Center for Sleep, a sleep study facility in Fargo. Khosla, who uses a few trackers herself, is also the lead author of the American Academy of Sleep Medicine’s position paper on sleep apps.

One unexpected consequence: people who become too attuned to their data may experience anxiety—and an inability to sleep.

“We call it orthosomnia,” she says. “They get all this data and get upset about having a perfect number. We tell them to put it away for a couple of weeks.”

Kaiser Health News (KHN) is a nonprofit news service covering health issues. It is an editorially independent program of the Kaiser Family Foundation that is not affiliated with Kaiser Permanente.

More Must-Reads from TIME

Contact us at letters@time.com