A round white medical sensor installed on the back of the upper arm. The sensor is discreet even though it’s installed just below the T-shirt line. The sensor is about the size of a chunky coin.

Bluetooth privacy and the FreeStyle Libre 2 glucose monitoring system

I’ve been using the Abbott FreeStyle Libre 2 flash-glucose monitoring system for the last two months. The system consists of a glucose sensor attached to the back of the upper arm, which lasts for up to 14 days before needing replacement. You can then scan the sensor using a dedicated reader or an NFC-capable smartphone app to get the current reading and up to 8 hours of glucose-trend readings.

The sensor can also notify you over Bluetooth about critical glucose levels that require urgent intervention. This last feature is new in Libre 2 and it enables me to sleep better at night knowing my phone will wake me if there’s a problem.

The system is a huge improvement over the traditional dozen or so daily finger-prick blood tests most diabetics need to perform. The Libre 2 isn’t a full continuous glucose monitoring (CGM) system as it only provides data when scanned. However, the automatic alerts when you’re outside your target glucose range give you the most important feature of a CGM.

Unfortunately, patient privacy wasn’t a guiding product development principle over at Abbott when making the Libre 2. Depending on your choice of clothing, no one can tell that you’re wearing the sensor just by looking at you.

However, the sensor itself broadcasts every three minutes to anyone within Bluetooth range that you’re wearing a glucose monitoring device, thereby revealing personal information about a chronic medical condition to anyone nearby.

The Bluetooth broadcasts also contain a persistent unique identifier that only changes when the sensor is replaced (normally every 14 days). This identifier can be used to track the wearer’s physical location and movement habits. Tracking Bluetooth devices is increasingly common in retail locations, public transit hubs, and other public spaces.

Here is an example of the sensor’s Bluetooth announcement data that makes it uniquely trackable:

Device name:
ABBOTT<SERIAL-NUMBER>

Device address:
<48BIT-UNIQUE-ADDRESS>

Service UUID:
0xFDE3 Abbott Diabetes Care

Vendor UUID:
0x03BB Abbott Diabetes Care

Abbott should have implemented the Bluetooth Low Energy (BLE) Privacy extension to help protect their customers’ privacy. BLE Privacy randomizes the unique address used in Bluetooth announcements every couple of minutes, making it a lot more difficult to track your location over a prolonged period.

Abbott ideally shouldn’t even have included their own vendor UUID, service UUID, or the device name. These data points reveal information about your chronic medical condition.
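To make the three trackability signals above concrete (a fixed device address, an identifying device name, and vendor/service identifiers), here is an added privacy-audit example that is not from the original post or from Abbott: it splits a BLE advertising payload into its standard length/type/data structures, classifies the advertiser address by the two most significant bits the Bluetooth Core specification uses for random addresses, and lists what an observer can learn. The sample address and the serial-number suffix in the name are constructed placeholders, and the example assumes the 0x03BB vendor identifier is carried as a manufacturer-specific data company ID.

```python
"""Audit a BLE advertisement for the privacy signals discussed in the post."""

# Standard advertising data (AD) types from the Bluetooth Assigned Numbers.
AD_FLAGS, AD_UUID16_COMPLETE, AD_LOCAL_NAME, AD_MANUFACTURER = 0x01, 0x03, 0x09, 0xFF


def parse_ad_structures(payload: bytes) -> dict:
    """Split an advertising payload into {ad_type: data}; each structure is length, type, data."""
    fields, i = {}, 0
    while i < len(payload):
        length = payload[i]
        if length == 0:          # zero-length structure: padding, end of significant part
            break
        fields[payload[i + 1]] = payload[i + 2 : i + 1 + length]
        i += 1 + length
    return fields


def classify_address(addr: bytes, is_random: bool) -> str:
    """Public addresses are IEEE-assigned and fixed; random ones are typed by their top two bits."""
    if not is_random:
        return "public"
    top_bits = addr[0] >> 6      # addr[0] is the most significant byte
    return {0b11: "static-random", 0b01: "resolvable-private",
            0b00: "non-resolvable-private"}.get(top_bits, "reserved")


def audit(addr: bytes, is_random: bool, payload: bytes) -> list:
    """Return human-readable findings: what a passive observer can learn from one advertisement."""
    findings = []
    kind = classify_address(addr, is_random)
    if kind in ("public", "static-random"):
        findings.append(f"fixed {kind} address: trackable across sightings")
    fields = parse_ad_structures(payload)
    if AD_LOCAL_NAME in fields:
        findings.append("device name advertised: " + fields[AD_LOCAL_NAME].decode(errors="replace"))
    uuids = fields.get(AD_UUID16_COMPLETE, b"")
    for j in range(0, len(uuids) - 1, 2):
        findings.append(f"16-bit service UUID 0x{int.from_bytes(uuids[j:j + 2], 'little'):04X} advertised")
    mfg = fields.get(AD_MANUFACTURER, b"")
    if len(mfg) >= 2:
        findings.append(f"manufacturer ID 0x{int.from_bytes(mfg[:2], 'little'):04X} advertised")
    return findings


# Constructed sample: a static random address (top bits 0b11) and a payload shaped like the
# announcement described in the post. The address and serial digits are placeholders.
SAMPLE_ADDR = bytes.fromhex("C00000000001")
SAMPLE_NAME = b"ABBOTT0000000"
SAMPLE_PAYLOAD = (bytes([2, AD_FLAGS, 0x06])
                  + bytes([3, AD_UUID16_COMPLETE]) + (0xFDE3).to_bytes(2, "little")
                  + bytes([1 + len(SAMPLE_NAME), AD_LOCAL_NAME]) + SAMPLE_NAME
                  + bytes([3, AD_MANUFACTURER]) + (0x03BB).to_bytes(2, "little"))

if __name__ == "__main__":
    for line in audit(SAMPLE_ADDR, True, SAMPLE_PAYLOAD):
        print(line)
```

Feeding the same payload with a resolvable private address (top bits 0b01) drops the address finding, which is exactly the improvement BLE Privacy would bring; the name and identifiers would still need to be removed separately.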

Abbott isn’t alone when it comes to not supporting BLE Privacy. Many popular activity trackers and wireless headsets don’t support the feature either. For these types of devices, consumers have more choice and can opt to use models that do support it. However, consumers don’t have anywhere near the same level of choice when it comes to specialized medical devices.

You can ask people to disable Bluetooth on their smartphones and peripherals in locations where they don’t want to be tracked. It’s a bit inconvenient that you can’t listen to music while on your way to visit a secret lover, but it’s not going to shorten your lifespan.

You can’t tell people not to use these types of medical devices, however. (The sensor can’t even be turned off temporarily once it’s installed.) The Libre 2 can lead to an improved quality of life and better long-term health outcomes for diabetics. The cost of this technology may be to make us trackable, but the cost/benefit calculation still comes out in favor of using it.

The only thing that can protect FreeStyle Libre 2 customers’ privacy is strong privacy regulation and enforcement. Europeans should be fine as the General Data Protection Regulation (GDPR) doesn’t allow businesses to collect unique identifiers such as those broadcast with Bluetooth and Wi-Fi without first obtaining explicit consent.

European data protection authorities were wary of this type of tracking even before the GDPR went into effect. This is, of course, of little comfort to Abbott customers outside the European Economic Area (EEA).