Who’s tracking your fitness tracker? We asked an expert

If you wear a fitness tracker, are you confident that the data it collects about you is private? You may not care if everyone knows how many steps you took yesterday. In fact, you might be proudly posting your total on social media. But as fitness wearables grow more sophisticated, they collect more and more information about our health and our movements. Can your data be bought or stolen?

More than 274 million wearables will be sold worldwide this year, according to Gartner, and many of them are collecting data on our activity, our movements, and even our heart rates and sleeping patterns. Because fitness wearables tend to be simpler than smartphones, they also tend to have weaker security. So is all your personal fitness data really safe? We asked the experts.

Is your personal activity data being bought and sold?

A number of popular fitness tracking devices transmit your data in a way that’s open to interception or tampering, and the devices themselves can potentially be used to track your movements and profile you, according to a recent report entitled Every Step you Fake: A Comparative Analysis of Fitness Tracker Privacy and Security. The report was published by a Canadian not-for-profit group called Open Effect, with help from Citizen Lab at the Munk School of Global Affairs and the University of Toronto.

The non-profit tested the Apple Watch, Basis Peak, Fitbit Charge HR, Garmin Vivosmart, Jawbone Up 2, Mio Fuse, Withings Pulse O2, and Xiaomi Mi Band. Every single one of them, except for the Apple Watch, emitted a unique code at regular intervals, transmitted over Bluetooth, which could be captured and associated with a location and a time. Tracking your movements in big stores via Bluetooth and Wi-Fi is fast becoming a common practice.
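
An added example (not from the article or the Open Effect report): a short Python audit for checking whether your own tracker behaves this way, assuming the "unique code" is the Bluetooth LE advertising address. The scan log, the `audit` helper and the 15-minute rotation budget are constructed for illustration.

```python
from collections import defaultdict

# Constructed scan log from a BLE sniffer placed near your own wearables:
# (seconds since start, advertising address, TxAdd flag: True = random address)
SIGHTINGS = [
    (0,    "F0:12:34:56:78:9A", True),   # band A
    (1800, "F0:12:34:56:78:9A", True),
    (3600, "F0:12:34:56:78:9A", True),
    (0,    "5A:01:02:03:04:05", True),   # watch B, first private address
    (600,  "5A:01:02:03:04:05", True),
    (1000, "63:0A:0B:0C:0D:0E", True),   # watch B after rotating its address
    (1500, "63:0A:0B:0C:0D:0E", True),
    (0,    "00:11:22:33:44:55", False),  # band C, fixed public address
    (3000, "00:11:22:33:44:55", False),
]

def address_kind(addr, is_random):
    """Classify a BLE address from the TxAdd flag and its two top bits."""
    if not is_random:
        return "public"
    top_bits = int(addr.split(":")[0], 16) >> 6
    return {0b11: "static-random", 0b01: "resolvable-private",
            0b00: "non-resolvable-private"}.get(top_bits, "reserved")

def audit(sightings, max_lifetime_s=900):
    """Per address: its kind, how long it stayed on air, and whether it is linkable.

    max_lifetime_s is an assumed rotation budget (15 minutes); an address seen
    for longer than that works as a persistent identifier whatever its kind.
    """
    seen = defaultdict(list)
    for ts, addr, is_random in sightings:
        seen[addr].append((ts, is_random))
    report = {}
    for addr, obs in seen.items():
        span = max(t for t, _ in obs) - min(t for t, _ in obs)
        kind = address_kind(addr, obs[0][1])
        linkable = kind in ("public", "static-random") or span > max_lifetime_s
        report[addr] = {"kind": kind, "span_s": span, "linkable": linkable}
    return report

if __name__ == "__main__":
    for addr, row in sorted(audit(SIGHTINGS).items()):
        print(addr, row)
```

A device that rotates resolvable private addresses shows up as several short-lived entries, while a fixed public or static random address appears as one long-lived, linkable entry.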

“Imagine all this tracking is done by only a handful of companies, and retailers across the nation all use these companies for tracking services,” Andrew Hilts, Executive Director of Open Effect, told Digital Trends. “These companies could have incredibly detailed records of where you were at a given time and place. Now, law enforcement or hackers could potentially get access to this data and suddenly have a very valuable source of intelligence about individuals’ whereabouts.”

There are also risks that your data itself is accessible or, in some cases, may be actively sold to interested parties. Many of the privacy policies attached to these devices and services lack clarity about how data is being used or whom it might be shared with.

“We are unclear about how fitness data is being used by a variety of fitness tracking companies. Jawbone, for instance, in its policy, claims that your data might be transferred to third parties for the purposes of a ‘business deal,’” explains Hilts. “We do know that insurance companies are often partnering with fitness tracking companies, or utilizing their APIs, to develop programs to give people different insurance policies depending on their fitness data. We’ve also seen cases of fitness data being used in court.”

What are companies doing with your data?

It’s easy to see why insurance companies might want to get their hands on your fitness data when deciding on your life insurance premiums. That data could also potentially be used to deny claims or even disability benefits. Some may argue that this kind of enforced honesty would be a good thing — but what if unknown parties can access the data or even alter it?

The researchers were able to create proof-of-concept applications that tricked Jawbone and Withings servers into accepting false fitness band information. If this kind of data is going to be admissible in court cases or be analyzed to determine insurance premiums, then its integrity needs to be verified.

There’s also a risk that criminals could steal your data and sell it to the highest bidder.

“Garmin Connect had the most worrying security issue, in that fitness data transmissions over the Internet did not employ transit-level encryption,” explained Hilts. “Anyone operating a mobile hotspot at a cafe or your IT department at work could potentially have scooped that up.”

Thankfully, Garmin has since updated its Connect app to use HTTPS for all transmissions, closing that particular loophole. But many of the issues exposed by the report remain.

It’s not a major surprise that Apple came out of the report unscathed; its commitment to user privacy is clear for all to see in the current battle with the FBI. But there’s a serious question about how seriously many other fitness-tracking companies are taking user security and privacy.

“We heard multiple cases where fitness tracking companies said, ‘Oh, this is the first we’re hearing about these concerns.’ I highly doubt that’s the case, but it’s important for tracking companies to realize that privacy and security are high priorities for consumers,” says Hilts. “If there’s a problem with the design of a model of a car, you wouldn’t expect drivers to fix the problem; there’d be a recall and companies would be expected to fix the issue. Fitness tracking companies can do this by issuing firmware and software updates in response to consumer demands.”

How is this legal?

The legal implications of these security flaws are unclear. In Europe, a new law has been proposed that would subject the data being collected by fitness trackers to the same regulations as medical records. Unsurprisingly, there’s a lot of resistance to that idea.

In the States, the FTC weighed in on data collection via the wider Internet of Things trend, with some pertinent warnings about fitness wearables and recommendations for manufacturers, but concluded that “IoT-specific legislation at this stage would be premature.”

Privacy advocates are adamant that it’s the thin end of the wedge, and action must be taken now.

“The industry should consider forming a cross-organizational security and privacy working group, where they can share best practices and stories to help cultivate a strong community of practice when it comes to privacy and security, and advance the entire industry forward,” suggests Hilts. “Governments should consider whether or not fitness tracking data constitutes health information, and therefore is subject to more stringent requirements when it comes to security measures. We’re of the opinion that it should be categorized as health information.”

This is still a relatively new area, and the full extent of the risks is unknown. Many users of fitness trackers will feel the current risk is small, and possibly outweighed by the benefits. But put this data together with the data that advertisers are collecting about our browsing habits, and then apply some of the techniques they’ve been using to group our personal devices and identify us as individuals, and you end up with frighteningly detailed profiles of our movements and habits.

It only takes a single hack or leak to de-anonymize those profiles. With such a lack of transparency about what’s happening to our data behind the scenes and how it’s being shared, complacency now could really come back to bite us in the future.