Sunday, January 25, 2015

Abbott - it's amazing...

Apparently, Abbott keeps denying it uploads anything to its servers, even when talking to professional audiences. Either this perpetuates intentional deception on a large scale, or Abbott's executives are themselves very poorly informed.

They could be counting on the fact that medical audiences are usually not very comfortable with IT security mechanisms. Let me give you another view of the upload.

Here is a traffic dump of what happens on my own computer when the Abbott reader is connected. Again, let me stress that no kind of fancy "hacking" is involved. I just look at the packets transiting through my computer, just as you would look at people coming in and out of your house.
Most of it is fairly normal traffic: I have a connection open to Google's services, some packets going to the Amazon cloud services (which serve lots of third parties), my Dropbox is checking whether it is synchronized, and my anti-virus queries its cloud database from time to time.

On the left pane, you can clearly see that the Abbott software connects to two distinct servers, one called "" and one called "". Which company would call one of its servers "" if its purpose was not to upload something from its product...

On the right pane, you can see what is actually uploaded (a small part of it, actually), and that clearly includes unique identifiers and, among other things, real-time glucose data.
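To make the same kind of check reproducible, here is an added example (not the post's own dump, and not Abbott's software) of how I would triage a per-process connection log captured while the meter software runs. It parses a constructed, tshark-style export and reports, for one process, which destination hosts it contacted and which payloads carry a device identifier or glucose readings. The process name, the hostnames host-a.example and host-b.example, the JSON field names and the sample payloads are all invented for the example.

```python
import re
from collections import defaultdict

# Constructed sample of a tshark-style export taken while the meter software
# is connected: "time|process|destination host|payload excerpt". The process
# name, hostnames and payloads are invented for this example.
SAMPLE_LOG = """\
0.10|chrome.exe|www.google.com|GET / HTTP/1.1
0.45|dropbox.exe|client.dropbox.com|{"op":"list_changes"}
0.90|chrome.exe|s3.amazonaws.com|GET /assets/app.js HTTP/1.1
1.02|MeterSoftware.exe|host-a.example|POST /api/session HTTP/1.1
1.05|MeterSoftware.exe|host-a.example|{"serial":"ABC1234567","firmware":"1.0.3"}
1.31|MeterSoftware.exe|host-b.example|POST /api/upload HTTP/1.1
1.33|MeterSoftware.exe|host-b.example|{"serial":"ABC1234567","readings":[{"t":"2015-01-25T10:00","mgdl":112},{"t":"2015-01-25T10:15","mgdl":131}]}
2.00|avguard.exe|cloud.av.example|lookup sha256=9f86d081884c7d659a2feaa0c55ad015
"""

# Patterns for the two things the post points at: a unique device identifier
# and glucose readings. The field names are assumptions about the sample format.
SERIAL_RE = re.compile(r'"serial"\s*:\s*"([A-Z0-9]+)"')
GLUCOSE_RE = re.compile(r'"mgdl"\s*:\s*(\d+)')


def parse_log(text):
    """Turn the export into records; malformed lines are skipped, not fatal."""
    records = []
    for line in text.splitlines():
        parts = line.split("|", 3)
        if len(parts) != 4:
            continue
        t, process, host, payload = parts
        records.append({"time": float(t), "process": process,
                        "host": host, "payload": payload})
    return records


def hosts_by_process(records):
    """Which destinations each process talked to (sorted, de-duplicated)."""
    hosts = defaultdict(set)
    for r in records:
        hosts[r["process"]].add(r["host"])
    return {p: sorted(h) for p, h in hosts.items()}


def summarize(records, process):
    """Per destination host of one process: identifiers seen and number of
    glucose readings found in the payloads, so that 'talks to a server' can be
    told apart from 'uploads patient data'."""
    summary = {}
    for r in records:
        if r["process"] != process:
            continue
        entry = summary.setdefault(r["host"],
                                   {"identifiers": set(), "glucose_readings": 0})
        entry["identifiers"].update(SERIAL_RE.findall(r["payload"]))
        entry["glucose_readings"] += len(GLUCOSE_RE.findall(r["payload"]))
    return summary


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for proc, hosts in sorted(hosts_by_process(recs).items()):
        print(f"{proc}: {', '.join(hosts)}")
    for host, info in summarize(recs, "MeterSoftware.exe").items():
        print(f"{host}: identifiers={sorted(info['identifiers'])} "
              f"glucose_readings={info['glucose_readings']}")
```

One caveat when doing this on a real machine: payload contents are only visible in a passive capture if the upload goes over plain HTTP. If the software uses TLS, the capture will still show the destination hostnames (in DNS and in the TLS handshake), which is enough to establish that something is sent, but seeing what is sent then requires a local intercepting proxy that the software trusts.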

Frankly, I am really amazed by their denial. Maybe this should be more widely publicized...

There are tons of possible usage scenarios for that amount of data.

  • Abbott could be using it to improve its products. That's the reasonable scenario.
  • In the nightmare scenario (which I think is very unlikely, at least for now), Abbott could for example sell the data to insurance companies.
  • Since the behavior doesn't seem to change when multiple meters/patients are connected to the Abbott software (as they would be in an endocrinology practice), Abbott could use the data to optimize the appointments of its sales force or, even, to evaluate the level of control the practices achieve with their patient base. "You should go there: they aren't using the Libre much" or "Jeez, this practice gets awful results."
  • If you are running a clinical trial and have asked your patients to track their treatments and habits on the Libre during the trial, Abbott could be in a position to analyze the progress of your trial before you even get to see the data. Think about it for a minute: if you are running an artificial pancreas project and equip your patients with a Libre to have additional glucose tracking, Abbott could very well be in a position to evaluate your results before you do... and, why not, make a business move towards a promising project while ignoring others. Without your informed consent, of course.
The possibilities are endless...

I like the Libre a lot. I would share most of the data if asked.

