If you wear a fitness tracker, are you confident that the data it collects about you is private? You may not care if everyone knows how many steps you took yesterday; in fact, you might be proudly posting your total on social media. But as fitness wearables grow more sophisticated, they collect more and more information about our health and our movements. Can your data be bought or stolen?
More than 274 million wearables will be sold worldwide this year, according to Gartner, and many of them are collecting data on our activity, our movements, and even our heart rates and sleeping patterns. Because fitness wearables tend to be simpler than smartphones, they also tend to have weaker security. So is all your personal fitness data really safe? We asked the experts.
Is your personal activity data being bought and sold?
A number of popular fitness tracking devices transmit your data in a way that’s open to interception or tampering, and the devices themselves can potentially be used to track your movements and profile you, according to a recent report entitled Every Step you Fake: A Comparative Analysis of Fitness Tracker Privacy and Security. The report was published by a Canadian not-for-profit group called Open Effect, with help from Citizen Lab at the Munk School of Global Affairs and the University of Toronto.
The non-profit tested the Apple Watch, Basis Peak, Fitbit Charge HR, Garmin Vivosmart, Jawbone Up 2, Mio Fuse, Withings Pulse O2, and Xiaomi Mi Band. Every single one of them, except for the Apple Watch, emitted a unique code at regular intervals, transmitted over Bluetooth, which could be captured and associated with a location and a time. Tracking your movements in big stores via Bluetooth and Wi-Fi is fast becoming a common practice.
“Imagine all this tracking is done by only a handful of companies, and retailers across the nation all use these companies for tracking services,” Andrew Hilts, Executive Director of Open Effect, told Digital Trends. “These companies could have incredibly detailed records of where you were at a given time and place. Now, law enforcement or hackers could potentially get access to this data and suddenly have a very valuable source of intelligence about individuals’ whereabouts.”
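An added example, not from the report or the article: a short Python audit of Bluetooth scan records taken around your own wearable, showing why an address that never changes can be linked across places and times while a rotating one cannot. The sample records, the `audit` function and the 900-second lifetime threshold are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed scan records: (unix_time, scanner_location, address, is_random_address).
# All values are made up for illustration; none come from the report.
SIGHTINGS = [
    (1000, "store-entrance", "C4:12:9A:00:5B:01", True),
    (4600, "store-checkout", "C4:12:9A:00:5B:01", True),
    (90000, "gym", "C4:12:9A:00:5B:01", True),
    (1000, "store-entrance", "5E:33:10:AA:02:7C", True),
    (1900, "store-checkout", "6B:90:41:0D:11:F3", True),  # same wearer, rotated address
    (1000, "store-entrance", "00:11:22:33:44:55", False),
    (90000, "gym", "00:11:22:33:44:55", False),
]

def address_kind(address, is_random):
    """Classify a BLE advertiser address by the two top bits of its first octet."""
    if not is_random:
        return "public"
    top = int(address.split(":")[0], 16) >> 6
    return {0b11: "static-random", 0b01: "resolvable-private",
            0b00: "non-resolvable-private"}.get(top, "reserved")

def audit(sightings, max_lifetime_s=900):
    """Return {address: report}; 'trackable' means the address outlived max_lifetime_s."""
    seen = defaultdict(lambda: {"times": [], "places": set(), "kind": None})
    for ts, place, addr, is_random in sightings:
        entry = seen[addr]
        entry["times"].append(ts)
        entry["places"].add(place)
        entry["kind"] = address_kind(addr, is_random)
    report = {}
    for addr, e in seen.items():
        lifetime = max(e["times"]) - min(e["times"])
        report[addr] = {
            "kind": e["kind"],
            "lifetime_s": lifetime,           # how long this identifier stayed the same
            "places": sorted(e["places"]),    # every location it can be tied to
            "trackable": lifetime > max_lifetime_s,
        }
    return report

if __name__ == "__main__":
    for addr, r in audit(SIGHTINGS).items():
        print(addr, r)
```

The two rotating addresses each show up once and cannot be joined into a movement history from the scan data alone, which is the behaviour a privacy-preserving wearable should show in this kind of audit.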
There are also risks that your data itself is accessible or, in some cases, may be actively sold to interested parties. Many of the privacy policies attached to these devices and services lack clarity about how data is being used or whom it might be shared with.
“We are unclear about how fitness data is being used by a variety of fitness tracking companies. Jawbone, for instance, in its policy, claims that your data might be transferred to third parties for the purposes of a ‘business deal,’” explains Hilts. “We do know that insurance companies are often partnering with fitness tracking companies, or utilizing their APIs, to develop programs to give people different insurance policies depending on their fitness data. We’ve also seen cases of fitness data being used in court.”
What are companies doing with your data?
It’s easy to see why insurance companies might want to get their hands on your fitness data when deciding on your life insurance premiums. That data could also potentially be used to deny claims or even disability benefits. Some may argue that this kind of enforced honesty would be a good thing — but what if unknown parties can access the data or even alter it?
The researchers were able to create proof-of-concept applications that tricked Jawbone and Withings servers into accepting false fitness band information. If this kind of data is going to be admissible in court cases or be analyzed to determine insurance premiums, then its integrity needs to be verified.
There’s also a risk that criminals could steal your data and sell it to the highest bidder.
“Garmin Connect had the most worrying security issue, in that fitness data transmissions over the Internet did not employ transit-level encryption,” explained Hilts. “Anyone operating a mobile hotspot at a cafe or your IT department at work could potentially have scooped that up.”
Thankfully, Garmin has since updated its Connect app to use HTTPS for all transmissions, closing that particular loophole. But many of the issues exposed by the report remain.
It’s not a major surprise that Apple came out of the report unscathed; its commitment to user privacy is clear for all to see in the current battle with the FBI. But there’s a serious question about how seriously many other fitness-tracking companies are taking user security and privacy.
“We heard multiple cases where fitness tracking companies said, ‘Oh, this is the first we’re hearing about these concerns.’ I highly doubt that’s the case, but it’s important for tracking companies to realize that privacy and security are high priorities for consumers,” says Hilts. “If there’s a problem with the design of a model of a car, you wouldn’t expect drivers to fix the problem; there’d be a recall and companies would be expected to fix the issue. Fitness tracking companies can do this by issuing firmware and software updates in response to consumer demands.”
How is this legal?
The legal implications of these security flaws are unclear. In Europe, a new law has been proposed that would subject the data being collected by fitness trackers to the same regulations as medical records. Unsurprisingly, there’s a lot of resistance to that idea.
In the States, the FTC weighed in on data collection via the wider Internet of Things trend, with some pertinent warnings about fitness wearables and recommendations for manufacturers, but concluded that “IoT-specific legislation at this stage would be premature.”
Privacy advocates are adamant that it’s the thin end of the wedge, and action must be taken now.
“The industry should consider forming a cross-organizational security and privacy working group, where they can share best practices and stories to help cultivate a strong community of practice when it comes to privacy and security, and advance the entire industry forward,” suggests Hilts. “Governments should consider whether or not fitness tracking data constitutes health information, and therefore is subject to more stringent requirements when it comes to security measures. We’re of the opinion that it should be categorized as health information.”
This is still a relatively new area, and the full extent of the risks is unknown. Many users of fitness trackers will feel the current risk is small, and possibly outweighed by the benefits. But put this data together with the data that advertisers are collecting about our browsing habits, and then apply some of the techniques they’ve been using to group our personal devices and identify us as individuals, and you end up with frighteningly detailed profiles of our movements and habits.
It only takes a single hack or leak to de-anonymize those profiles. With such a lack of transparency about what’s happening to our data behind the scenes and how it’s being shared, complacency now could really come back to bite us in the future.