Samsung Health app threatens data deletion if users opt out AI training

302 pointsposted 10 hours ago
by bundie

72 Comments

rdtsc

9 hours ago

> The company plans to grab four categories: your sleep, your medications, your medical records, and your cycle tracking details

So you buy a device but you can't effectively use half of its features because you'd also have to agree to send them your medical records? Ok then if I refuse, will they refund 50% of the device price since now it's not usable any more?

benjiro29

9 hours ago

If your in EU, you contact the local EU consumer group where you buy the device.

https://www.europe-consommateurs.eu/en/who-we-are/about-us/e...

And file a complaint... As that breaches a dozen or more EU laws. If a lot of people do it in all the countries, it becomes a national issue.

That is the only way you fix things, and yes, we have had multiple successes with companies taking the piss. Even Samsung can not escape as their have officies in the EU and sell products there.

For the folks outside the EU, ... Its a harder fight and you need to look up your local agencies.

andy99

8 hours ago

I had a ~2008 vintage Samsung phone with a fingerprint sensor that gave your blood oxygen level (SpO2). One day it told me something similar, I had to agree to send them data or I couldn’t use it. So I never used it again, but yeah they have been abusing their costumers a long time.

This is they same company whose tvs take pictures of what you are watching and send them back to Samsung.

wolvoleo

7 hours ago

Every TV does that unfortunately. It's called automatic content recognition but every manufacturer has a different euphemism for it.

It's definitely not just Samsung. As bad as this is. The problem is bigger than just them.

imoverclocked

3 hours ago

I have a projector that I just leave off the network. Do TVs require a network connection now? What happens when they don't have one?

phil21

2 hours ago

At the moment usually just a nag popup on power on.

Annoying but not a huge deal. I imagine this will slowly get worse as more people learn to not connect it to WiFi.

Also of course all the smart tv features don’t work, and a lot more folks than I ever imagined actually use the built in controller (usually some form of Android or Roku) to watch Netflix and whatnot. And a lot of folks actually do watch the built in TV “channels” a lot of vendors ship with.

It seems very few people buy an additional device like an Apple TV or Nvidia Shield.

subscribed

4 hours ago

Every TV might do this, not every single one does. Buy TVs which allow you to opt out (at least in one case it was several opt-ins, no opt out per SE).

globalnode

7 hours ago

ah so thats where microsoft got the idea for recall from.

nubinetwork

2 hours ago

At least yours still works, they took out the ability to use the sensor on my s5 some years ago... one random app upgrade and they just decided nope.

skeledrew

7 hours ago

Buying a device doesn't mean vendor-hosted services are included, unless explicitly stated. This is the kind of thing why they can get away with taking unsolicited actions on people's devices whenever they want. CUT THAT CORD!

ethin

6 hours ago

Also, doesn't them having your medical records subject them to laws like HIPAA? I would think so even if they aren't a medical institution.

sunaookami

9 hours ago

Bought a Galaxy Watch 7 two years ago, the hardware is good and One UI on the watch itself is also quite good (and the last major update improved it) but Samsung Health is such a shit app. Constant ads for some "courses" or videos and things I don't care about. Downloading my personal data doesn't even work, it sends me right to the browser with an error message that I'm "not logged in correctly" and it wants access to all my pictures & videos (seems like a wrong permission prompt there but when I decline it it also fails with "we need access to all your photos & videos". Why? Just send me a download link via email or use SAF and let me pick a download location).

Thanks to this article I also noticed the UI was redesigned. At least I could keep my layout but it didn't work like it should, it added some useless cards. It also asked about new "optional" data sharing which I of course declined. There is now a notice that my data wasn't backupped to my Samsung account the last 3 days (???) and the data synchronization doesn't work, the buttons do nothing, it just says "disabled" even though everything is enabled... typical Samsung shitware. Haven't noticed anything with AI training (there is no option) but I'm also in the EU.

aleph_minus_one

9 hours ago

Where is the catch? You rather get two good things if you don't agree:

- Samsung deletes your sensitive health data

- Samsung does not use this data to train some AI

:-)

orbital-decay

9 hours ago

The catch could be they actually do neither of that and train on it silently.

delduca

9 hours ago

I was thinking exactly the same…

gmuslera

9 hours ago

In some way they are telling that they respect your privacy. Or they have your data (and then do something with it, now or later), or no one will.

They could provide some Google-style takeout to get your data before deletion, but that may not have any meaning or practical use without their devices and software.

vitally3643

7 hours ago

They don't respect your privacy, they value your private data. Two very different things.

sam1r

9 hours ago

Completely agree. Or maybe, just like most products in tech -- they are currently en route to "take out" style data deletion... and it's being released shortly.

subscribed

4 hours ago

Well, as per GDPR they must provide data export ("takeout").

gardnr

9 hours ago

This is like Google Ultra for personal accounts. I signed up to see what it was like and then assumed I would be able to disable training on my data as a paid customer. The only way to disable training on paid personal accounts is to disable history (no chat logs) which makes the service much less useful for me.

For Google Workspace accounts that use the Ultra plan you can disable training while retaining history. I didn't bother signing up again. It is user-hostile.

cute_boi

9 hours ago

Yes, you will have to pay lot of money and you will have to surrender data too.

datadrivenangel

9 hours ago

shouldn't this get them turbo obliterated in europe?

seydor

9 hours ago

no, in fact gdpr requires that they get consent before they process the data.

They are not preventing people from accessing the data, only indefinite storage as i understand. They may claim that storage is needed for the processing (which might make sense, they want to train on the whole time series).

ptx

9 hours ago

Recital 11 of the GDPR says that consent must be "freely given", and recital 43 says (in part):

"Consent is presumed not to be freely given if it does not allow separate consent to be given to different personal data processing operations despite it being appropriate in the individual case, or if the performance of a contract, including the provision of a service, is dependent on the consent despite such consent not being necessary for such performance."

subscribed

4 hours ago

This is coercion and change of contract post-factum.

I don't think they have any chance of surviving regulator looking at it. Of course regulators never do it unprompted.

wolvoleo

9 hours ago

Yes but that consent must be given freely. There can't be undue pressure. Unfortunately this part is not well defined but it looks like the AI training part is not required to deliver the service to the specific user so I do think that if challenged it will be ruled afoul of GDPR.

abroszka33

9 hours ago

I think Facebook lost a similar lawsuit recently where you had to accept that they can use your data or pay to access the site. And it was found illegal in the EU.

The problem is that it takes years and users don't wait for years. There should be a way to harm these companies more on the EU level.

kivle

6 hours ago

I'm in Norway, and I never consented in that dialog box, so my Facebook account is in limbo. The dialog still appears when I go to Facebook, years later, so I don't think anything has changed?

antalis

8 hours ago

They can get fined for up to 2 or 4% of their global annual revenue depending on the violation severity.

varispeed

9 hours ago

Indeed, gdpr was created for corporations to have legal basis to process and sell data. Before gdpr it was a gray area. It was never about privacy.

germandiago

5 hours ago

Samsung has been banned from my choices. There are many brands to choose from.

aizk

5 hours ago

I use Sparky Fitness for all my fitness / health tracking. So, so happy I have everything stored locally, where I can do whatever I want with the data, and I know it's mine and it's private. Very easily to interface with your favorite llm of choice. https://github.com/CodeWithCJ/SparkyFitness/

SoftTalker

4 hours ago

Ummm once you give your data to an LLM it's no longer private.

SirMadam

3 hours ago

Gave the repo a once over: Self hosting [of the whole application in general] is a first-class citizen of the project, and the AI features are both:

a. completely optional/disable-able and

b. Self hosted llm friendly, with specific instructions given on how to use it with things like Ollama

gdulli

9 hours ago

Something I appreciate about Samsung phones is that having a Samsung account is completely optional. I've never had one. If I accidentally click on one of the dumb AI features I'm not even allowed to use it without an account.

chrismartin

3 hours ago

The endearing angle: refusing to keep cookies in the house, because you admit an inability to merely store them.

qmarchi

7 hours ago

I use a Watch 6 Classic, just went in to find this toggle. Doesn't seem to exist in the Japanese market at least.

kklisura

9 hours ago

One day we will perhaps be able to forgive these companies for mismanaging our data, but we will never forgive them for making us regulate them.

sam1r

9 hours ago

I was under the assumption that because of GDPR (which is in effect..).. or current "end-user metadata storage" best practices.. if you (a website/or app) didn't immediately disclose to the user what data is being used,stored, and why it is -- then you shouldn't store it at all.

If you agree that the world needs better examples today, then Samsung has definitely showed one.

makeramen

7 hours ago

Gemini does the same (though not with health data). The only way to opt out of training on your data is to disable all Gemini chat history.

luciana1u

4 hours ago

your step count is now a training data point. next they'll hold your resting heart rate hostage until you agree to let the AI analyze your grocery receipts.

vcryan

9 hours ago

Yes, please - delete my health data. I want my health data - I didn't want Samsung or anyone else to have it unless I provide it. And even then, you can't keep it - you can look at it. It's mine.

garbagewoman

8 hours ago

You’re hoping that they will do what they say

zelphirkalt

9 hours ago

That reminds me of a story by a former coworker of mine, who had a xing account and repeatedly asked them to not send me him ads and spam e-mails. They ultimately closed his account.

Some companies are so dead set on doing this shit, that they don't even have mechanism in place that would enable them to act upon you opting out. It is a sign of dysfunctional companies. You can also observe this, when you send companies a GDPR request for deletion and they do eeeeverything to not have to go into their shitty system and delete the data, because that would require them to do manual work.

Madmallard

7 hours ago

How does this not violate HIPAA?

codingdave

7 hours ago

Because HIPAA only applies to specific people and organizations who have a formal role in your health care. It is not a universal law applicable to everyone, and Samsung is not your healthcare provider, insurer, nor part of any related entity.

Madmallard

6 hours ago

It probably should apply. The spirit of HIPAA is the protection of health information.

arjie

7 hours ago

How is HIPAA relevant here? Samsung isn't a covered entity. HIPAA is not just "I have some health data" freebie. Might as well ask why it doesn't violate Sarbanes-Oxley or Jim Crow.

gyoridavid

6 hours ago

I mean, Gemini does the same: if you want the history of your chats, there's no way to opt out from the AI training..

varispeed

9 hours ago

Samsung should be fined out of existence for this.

cute_boi

9 hours ago

Well there is no incentive for government to keep citizen data private.

kelseyfrog

9 hours ago

Am I reading this wrong? It sounds like, short of self-hosting your health data, this is the best of both worlds. Avoiding zombie data retention and avoiding AI? Where do I sign?

ribosometronome

9 hours ago

Blocking backups and consequently reducing data portability doesn't really sound like the best of both worlds.

stackghost

9 hours ago

>You will not be able to sync health data with your Samsung account and your health data will be deleted unless retained pursuant to applicable law. If retention is required, we will erase it as soon as the required retention period ends.

Don't threaten me with a good time.

I'm so tired of tech companies shoving AI into everything, everywhere.

exabrial

9 hours ago

I'd doubt this is legal under HIPAA law in the US, but good luck

Hugsbox

9 hours ago

I'm not an expert on the matter, but to my knowledge Samsung aren't health practitioners and aren't beholden to HIPAA laws for data that was (presumably) voluntarily provided to them. Is this scummy? Abso-fucking-lutely. But as far as I'm aware they have a lot of freedom when it comes with data collected with permission from users. Obviously this is something that should be addressed/regulated.

fwip

9 hours ago

It certainly is. HIPAA binds healthcare providers and those entities who get data from them. Samsung is not bound by either of these, unless it is sourcing the health information from, like, your doctor, and not from your watch.

SoftTalker

4 hours ago

But it should be. They are actively collecting it with software and devices designed to collect it and giving you medical advice based on it. They should be considered a provider.

josefritzishere

9 hours ago

You shouldn't trust them with your health data anyway.

tamimio

8 hours ago

I actually don’t know why people are always surprised when this happens, it’s not your data anymore no matter whatever regulations are there. The other day I reactivated my apple music to get a specific shazam song (I don’t use it anymore or any SaaS for that matter, have my navidrome server for years), but little to my surprise, all my playlists and songs are gone, deleted, everything as if it’s a new account! I thought it’s a glitch and googled it, turned out there are a LOT of people who had all their years of music wiped out for not having the subscription for two weeks only.. so yeah, always own your stuff, especially if you pay for it.

swiftcoder

9 hours ago

Are we sure this isn’t the text for the “consent to process health data” toggle that is on the same screen? I don’t have a Samsung phone handy to check

skeledrew

7 hours ago

This actually seems kinda OK. Consent to train is payment for hosting that data. Find another health app/service with more preferable terms if you don't like it. My only beef is if they do an immediate delete without providing a reasonable method for users to export that data first, which is how it reads.

anonymars

4 hours ago

> Find another health app/service with more preferable terms if you don't like it

It never ceases to amaze me how many people defend the Darth Vader style of buying a product: "I am altering the deal; pray I don't alter it any further"

I assume it must be rooted in the just-world fallacy: "Clearly anyone affected must not have been careful enough or did something else wrong. Since I'm careful with my purchases, negative consequences couldn't happen to me."

Related reading: https://blog.codinghorror.com/they-have-to-be-monsters/

Cider9986

9 hours ago

Apple has default E2EE on health data, which I respect. But they need to take iMessage backup out of Advanced Data Protection and make it default E2EE. Messages are just as sensitive, iMessage is effectively not E2EE if most users are using it with server-side encrypted backups to iCloud. Apple of all companies should be able to make a reliable E2EE that wont cause data loss.