Your personal information is targeted not only by benevolent or malevolent espionage agencies. Insurance companies have launched a real race in attempting to collect as much information as possible about your lifestyle. Social networks, the “Internet of Things” [a proposed development of the internet in which everyday objects have network connectivity, allowing them to send and receive data] and leisure applications on smartphones are sources of information about the state of your health and diet – and a gold mine for evaluating the risks insurance companies and cooperatives would run – as well as about the premium you should pay. In the future, will your insurer dictate the way you have to live in order for you to pay less?
“Bravo, you’ve walked more than 90 kilometers this month; we’ll reimburse your gym membership;”
“You’ve exceeded your fats quota this week; you don’t adhere to your dietary goals; your insurance premium will rise;”
“You’ve exceeded the speed limit twice this week; stay vigilant; look out for a premium increase;”
“Weather alert in your region: a violent storm is forecast. Think about putting away your garden furniture …”
Your insurer could soon be sending you these kinds of text messages in order to avert a risk to your house, your car or your own body. Science fiction? To organize these personalized controls, insurers could rely on the precious – and numerous – details that we already strew as soon as we use an internet search engine, social media, mobile applications and even, from now on, the Internet of Things (internet-enabled wearables and appliances). In order to not have to systematically buy these data from third parties, insurers are also considering creating their own databases. In either case, the collected information is processed by powerful algorithms. “For all insurers, the massive collection and processing of data – Big Data – is already an undeniable catalyst for growth,” said Louis de Broglie, founder of insurance start-up Inspeer.
A Race to Collect Our Data
“Big Data” is a fearsome weapon for insurers. It amps up their core business, which consists of collecting information in order to price risk (car accident, long illness, burglary), the premium that the insured person pays to be covered. Within the profession, that’s called “the risk-return ratio.” Behind this technical term, the goal is simple: make money. For that to happen, the total premium that each person pays to be insured must exceed the payouts to clients for claims.
Insurers try to better grease this mechanism by gathering ever more data on the nature of risk and its probability of occurrence. “The first to manage the collection and analysis of the data will be able to ensure having good risks only,” said Eric Froidefond, a manager in the insurance sector and author of a 2014 memoir on Big Data in the insurance industry. In plain language, that insurer would be able to select the clients least exposed to the probability of a claim ahead of the competition. In consequence, insurers are engaged in a veritable race to collect our data.
“Now, We Can Have Information in Real Time”
Technology changes the situation. “Insurers will have access to dynamic data: Up until now, we could only collect data at the time a policy was issued. Now, we can have the data in real time,” said Stéphane Chappellier, CEO of solvINS, a consulting and service firm to companies specializing in the utilization of the Internet of Things and their data. That reduces the uncertainty insurers have lived with once the policy is signed.
“The Internet of Things, mobile applications, Big Data will remove the asymmetry of information which historically was in the insured’s favor,” said Antoinette Rouvroy, a researcher at the University of Namur (Belgium) Center for Information, Law and Social Research (CRIDS). What’s the risk? It could increase insurers’ control over our lives, and, thanks to this framework, individualize insurance as much on the level of prevention as on that of premiums.
Concretely, for the insured, premiums could not only develop at the level of each client, but also, over time, as a function of each person’s behavior. Today, that’s already somewhat the case: a smoker knows that he pays twice for his cigarettes, once at the tobacconist and once to his insurer with a higher premium. This practice will just be refined and extended to all aspects of everyday life. For example, an insurer could know you are rarely at home on the basis of an online electric meter. Then, the company could ask you to secure your home with an alarm, without which your premium would go up.
An insurer could even drop a client who does not follow its recommendations. Such a client’s sole recourse would be to turn to more expensive insurance, as is now already the case after repeated car accidents. “Those who don’t want to share their data could quickly be suspected of constituting poor risks,” de Broglie said. The difference is that choice will be based on a statistical anticipation and not on facts, such as car accidents.
“Insurers will have so much information that prices will become individualized and very progressive,” Froidefond said. “It would be necessary to find other ways to pool risk, perhaps with new coinsurance services for people.”
Social Acceptance at Stake
Given the long-term stakes, why would insured people agree to hand over their data? Because they could profit in the short term. “In the hyper-competitive insurance market, consumers will agree to transmit their data if that goes along with a reduction in prices,” said Thierry Vallaud, the person in charge of data mining at BVA. This assessment is shared by insurers that already offer to reduce premiums in exchange for proof of virtuous behavior. These attempts are becoming very concrete, although they affect the least invasive sector of insurance: the car.
In this regard, a new concept has evolved in the United States, then in Great Britain and Italy before arriving in France: An insured person pays as a function of the care with which they drive. It’s called “pay how you drive.” One insurance heavyweight, the German company Allianz, has launched a new offer along these lines, with a ton of advertising broadcast on television and shown at the movies. In concrete terms, the driver agrees to connect a box to his car. The box is able to detect speed limit excesses as well as the incidence and force of breaking and the way curves are approached. If the insured adopts a compliant driving style, he can get a refund of up to 30 percent of the premium at the one-year anniversary of the policy. Direct Assurance, a subsidiary of the French giant Axa, has, for its part, launched a similar offer – by which the premium may be reduced up to 50 percent.
In terms of social acceptance, the climate is also favorable: 70 percent of consumers polled by the consulting firm PwC declare themselves ready to install a sensor in their car or their home if that would allow them to obtain a reduction in their insurance premium (PwC study on the Internet of Things, “The Wearable Future”). “Our priorities remain concentrated on the car and the home, since we have certainties about these markets that we don’t have for online health, where the legislation is restrictive and limiting,” said Michael de Toldi, data director for BNP Paribas Cardif (BNP Paribas’ insurance company).
Connecting the Body; Opening Pandora’s Box
In terms of health, the issue is, in fact, complicated for insurers. “All insurers don’t have the same vision,” said Serge Abiteboul, a programmer, professor at ENS Cachan and director of research at the French National Institute for Information Technology and Automation (Inria). “When I meet with these professionals, I truly heard two different discourses: an ultra-neoliberal one that fantasizes about Big Data utilization, for example, by dicing and slicing health risks; and the one, often tendered by mutual insurers, which sees possibilities of offering new services and prefers to maintain the pooling of risk.”
As is so often the case, it’s in the Anglo-Saxon world that the first steps toward individualization – and surveillance – have been taken. In this respect, insurance company John Hancock offers its customers internet-enabled bracelets, the activity sensors developed by the US company Fitbit. If they achieve the level of physical exercise stipulated in the policy, the customer benefits from a series of perks, like Amazon gift certificates, reduced rates at hotels or reimbursement for gym membership. “Social acceptance is much more advanced in the United States, or, to a lesser extent, in the United Kingdom, for a simple reason: In those countries, a health problem may connote a personal failure,” said Alexis Normand, director of the health department at the French company Withings, a manufacturer of internet-connected objects.
In France, insurers are more cautious. The first to have proposed an offer to the general public is the Pasteur Mutualité group. It has integrated internet-connected health gadgets into its policy by offering to reimburse any purchase of that kind up to 150 euros. The ostensible goal is to offer preventative solutions by encouraging physical activity with a pedometer (to measure the daily number of steps taken) or physiological monitoring with a blood pressure gauge or a glucometer (to measure the glucose level in the blood), all internet-connected. The group carefully clarifies that there will be no data collection. Nonetheless, the offer allows the company to test whether insured people are receptive to this type of practice.
Health Applications, the Internet of Things: So Many Snitches?
Offering you an internet-connected gadget for apparently playful purposes is not necessarily indispensable for collecting your health data. In fact, insurers can already buy that data from Google, social networks such as Facebook and even from companies developing existing applications on our smartphones, such as an app indicating or measuring jogging or bicycle paths. “Citizens are ambivalent: They’re aware of the risks for the security of their data, but they abandon their vigilance when services at hand – on their smartphone or computer – facilitate their lives,” said Christian Saout, executive secretary general of the Interassociated Health Collective (Ciss), who himself uses a free app that counts his steps.
Many of us have already – whether consciously or not – agreed to hand over our data to third parties, such as companies developing footrace, nutritional advice or sleep management apps. The My Fitness Pal application, for example, which counts daily calories and steps, has been downloaded more than 1 million times on Android. This health data may be resold. It has value: The start-up that developed that program was sold for no less than 475 million euros last February.
European Citizens’ Rights Bolstered, but …
“We’re in the era of responsibility: To protect themselves, users must read the general usage conditions (GUC),” said Normand from Withings, which already offers an ecosystem of 150 applications interacting with internet-connected objects. Who really takes the time to read through the GUC before checking the box confirming they have?
“I myself read them only rarely because they are often long and tedious,” said Sophie Nerbonne, director of legal compliance for the French National Commission on Information Technology and Freedoms (Cnil). “We need to think about a more accessible consent mechanism at the European level to allow informed consent and citizens’ real control of their personal data.”
Concurrently there is good news to point out. French citizens will soon have more ways to defend their rights to protect sensitive data. A European regulation, which is supposed to be voted on and adopted in the beginning of 2016 and applied in 2018, provides for national laws taking into account customers’ rights – and not those of companies. Moreover, European law is very protective. For example, a French citizen may demand that a website communicate all the data it has concerning her and correct the data if it’s wrong. She may at any time veto the dissemination, sale or storage of that information.
As for health data, it is specifically protected and may be accessed only by a doctor. Moreover, while these rights have existed for decades, the European regulation finally makes sanctions credible. The maximum fine up until now was 150,000 euros. “The proposed regulation now provides for sanctions up to 4 percent of the gross global turnover of the group involved – which could become a true deterrent,” Nerbonne said.
Diet, Exercise, Sleep: Strategic Information
Vigilance remains appropriate. First, because this regulation does not go into effect for two years. Then, because two loopholes remain. First of all, while so-called “sensitive” health data is very protected, the health data about our well-being that we transmit is still governed by contract law and the famous GUC. Yet that information – diet, exercise, sleep – still allows insurers to assess our health risk in real time.
Finally, insurers may access our health data indirectly: Insurance companies own health-care subsidiaries that employ doctors. While those doctors may not communicate our health file, they can very well communicate an assessment – from A to F, for example – that evolves as a function of our behavior. A doctor could, for example, suggest that an insured person in the “senior” category or a patient just out of the hospital follow a “well-being contract” to reduce their risk and improve their score. Then the contract would include goals in the framework of a program involving taking medication, staying physically active or maintaining a healthy diet. Accepting those goals, set by the doctor, would allow the client to improve their score. Rejecting them would incur the risk of being assessed a penalty.