Are your Fitness Trackers Spying on You???
Guest Post by Sheryl Lim
Quantifying and tracking our physical activity, lifestyle, and habits is increasingly convenient today. Gary Wolf termed this rise in self-tracking the “quantified self” movement [1], where people turn towards numbers to measure and interpret their lives. As wearable fitness trackers such as Fitbits and Apple Watches have become more affordable, they have also become popular tools for those hoping to attain better physical and mental health. With their ability to tell you how many steps you’ve taken, how many calories you’ve burnt, how well you’ve slept, and even how stressed you are, fitness trackers collect large amounts of data while they sit innocuously on your wrist. Do we know how much data they collect, and are we aware of how the data is used?
How do fitness trackers work?
Fitness trackers are increasingly powerful today. Pedometers, accelerometers, altimeters, heart rate monitors and other sensors built into the device work together to paint a picture of your physical activity. These sensors are combined to detect when you start a workout, what type of workout you’ve begun, and how hard your body is working throughout the activity. While some devices are standalone, others are designed to work best when paired with your smartphone. The data that these sensors collect is aggregated to produce interpretations of how physically fit you are. Personal information such as your gender, date of birth, weight, and height are required to increase the reliability of these metrics. Some key features require access to your location data. The device may also prompt you to connect social media accounts.
So what if they have this data?
The data saved about your usual biking route may not only reveal where you are frequently spotted, but even where you live. Back in 2018, the locations of classified US Army bases were revealed through Strava, a popular fitness application that was aimed at tracking exercise routes [2]. You were also able to see the names and age groups of people who had run that route, as long as they had not changed their default privacy settings to restrict access to that data.
Recently, health insurance companies have started using fitness tracker data to price their plans, offering discounts to those who transmit their fitness tracker data to them. Large companies like IBM and TimeWarner offered discounted or complimentary fitness trackers to employees as part of corporate wellness programs [3, 9]. Without proper regulation, this could mean that your personal fitness information is shared with your employers, creating the potential for privacy breaches and even discrimination in the workplace.
The security features on your tracker are also important. Most trackers use Bluetooth to transmit data between the device and your mobile phone. However, a 2016 report found that seven out of eight fitness tracking devices continue to emit unique identifiers that can make users vulnerable to long-term location tracking even if their tracker is not paired to a mobile device [4]. The same report stated that vulnerabilities have been found in the security protocols that allow for hackers to fake records and read user data, meaning that hackers could have access to intimate health data that you thought was entirely private.
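The following added example (not from the original post or the cited report) shows one way to audit a scan log of your own tracker for persistent identifiers. It assumes the identifier in question is the Bluetooth LE advertiser address; the sample log, the function names and the 15-minute threshold are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample scan log, not real capture data:
# (seconds since start, advertiser address, address type reported by the scanner)
OBSERVATIONS = [
    (0,    "C4:7A:11:22:33:44", "random"),
    (1800, "C4:7A:11:22:33:44", "random"),
    (7200, "C4:7A:11:22:33:44", "random"),
    (0,    "5B:10:9E:AA:01:02", "random"),
    (600,  "5B:10:9E:AA:01:02", "random"),
    (1500, "6F:33:21:BC:77:10", "random"),
    (0,    "00:1B:DC:0F:12:34", "public"),
    (3600, "00:1B:DC:0F:12:34", "public"),
]

ROTATION_LIMIT_S = 15 * 60  # assumed audit threshold for how long one address may persist


def classify_address(addr, addr_type):
    """Classify a BLE address; for random addresses the two top bits give the subtype."""
    if addr_type == "public":
        return "public"
    top_bits = int(addr.split(":")[0], 16) >> 6  # first octet holds the most significant bits
    return {0b11: "random-static",
            0b01: "resolvable-private",
            0b00: "non-resolvable-private"}.get(top_bits, "reserved")


def audit(observations, limit_s=ROTATION_LIMIT_S):
    """Report, per address, its kind, how long it was seen, and whether it is a stable ID."""
    seen, kinds = defaultdict(list), {}
    for ts, addr, addr_type in observations:
        seen[addr].append(ts)
        kinds[addr] = classify_address(addr, addr_type)
    report = {}
    for addr, times in seen.items():
        lifetime = max(times) - min(times)
        # Public and static addresses never rotate; a private address that outlives
        # the limit is behaving like a stable identifier as well.
        stable = kinds[addr] in ("public", "random-static") or lifetime > limit_s
        report[addr] = {"kind": kinds[addr], "lifetime_s": lifetime, "trackable": stable}
    return report


if __name__ == "__main__":
    for addr, row in audit(OBSERVATIONS).items():
        print(addr, row)
```
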
Apart from the security of your tracking device, it may also be wise to consider how vulnerable your fitness tracker’s company is to hacking. In 2020, 2 million Fitbit accounts had their personal information exposed by hackers [5]. Meanwhile, Garmin was the target of a ransomware attack that cost them $10 million that same year, although they state that no personally identifiable information was compromised [6]. These breaches show how fitness data is increasingly valuable to hackers.
Protecting Yourself
The most important question to ask yourself before using a fitness tracker is whether you are comfortable with the potential risks of your data being collected, transmitted, sold and reused in ways that may be difficult to imagine today. Like most things in our increasingly interconnected world, using a fitness tracker is a trade-off between your privacy and convenience. For many users, the most valuable functions of a fitness tracker are going to be those that collect the largest amounts of personal data. It is nearly impossible to use a fitness tracker without giving up some of your data in exchange.
If you do decide that the benefits of using such a device outweigh the risks, here are some steps you can take to ensure that you protect yourself:
- Be aware of the privacy policies of your fitness tracker’s provider and any associated applications. This is undoubtedly a tedious task, and parsing corporate privacy policies is far from easy. Some media outlets have created guides that summarize key findings, which are a good resource if you are starting to consider your privacy [7].
- Ensure that you disable any unnecessary data collection and make use of the privacy settings for any smartphone applications you use. Before enabling location data collection, consider how this information being public could impact you now or in the future. Wired has a guide to common fitness applications and how to manage your data on them [8].
Further Questions
What do you think makes the use of a fitness tracker attractive to you or those around you? How important do you think data security and privacy is as a consideration when purchasing a fitness tracker? For those who do own a fitness tracker, would you change anything about the way you use one in light of privacy concerns?
References
[1] Wolf, G. (2009, June 22). Know thyself: Tracking every facet of life, from sleep to mood to pain, 24/7/365. Wired. https://www.wired.com/2009/06/lbnp-knowthyself/
[2] Burgess, M. (2018, January 30). Strava’s data lets anyone see the names (and heart rates) of people exercising on military bases. Wired UK. https://www.wired.co.uk/article/strava-military-bases-area-51-map-afghanistan-gchq-military
[3] Farr, C. (2016, April 18). How Fitbit Became The Next Big Thing In Corporate Wellness. Fast Company. https://www.fastcompany.com/3058462/how-fitbit-became-the-next-big-thing-in-corporate-wellness
[4] Hilts, A., Parsons, C., & Knockel, J. (2016). Every step you fake: A comparative analysis of fitness tracker privacy and security. Open Effect. https://openeffect.ca/reports/Every_Step_You_Fake.pdf
[5] Mirus, A. (2020, February 11). 2 Million Fitbit Accounts Were Exposed by Cybercriminals | Hacker Noon. https://hackernoon.com/2-million-fitbit-accounts-was-exposed-by-cybercriminals-aa7u36pj
[6] Adler, S. (2020, August 14). Incident Of The Week: Garmin Pays $10 Million To Ransomware Hackers Who Rendered Systems Useless. Cyber Security Hub. https://www.cshub.com/attacks/articles/incident-of-the-week-garmin-pays-10-million-to-ransomware-hackers-who-rendered-systems-useless
[7] Charara, S., & Sumra, H. (2018, May 25). We read your wearable tech’s privacy policy so you don’t have to. Wareable. https://www.wareable.com/wearable-tech/terms-and-conditions-privacy-policy-765
[8] Nield, D. (2019, November 17). How to Lock Down Your Health and Fitness Data. Wired. https://www.wired.com/story/health-fitness-data-privacy/
[9] Ajunwa, I. (2017, January 19). Workplace wellness programs could be putting your health data at risk. Harvard Business Review. https://hbr.org/2017/01/workplace-wellness-programs-could-be-putting-your-health-data-at-risk
Written By: Sheryl Lim, UBC, School of Information
Edited By: Brittanny Dzioba & Kathleen Scheaffer