Whether you’re a type-A kind of person who feels a need to monitor her every heartbeat or you simply need a little extra help getting healthy, fitness trackers can seem like the perfect tech trend to buy into. But did you know your fitness tracker may actually be spying on you? It turns out you’re not the only one who cares how many steps it’s going to take you to burn off last night’s poutine.
A new study by the University of Toronto shows that some fitness-tracking companies are using users’ data in ways that compromise their privacy.
Fitness trackers keep a record of everything from how many floors you climb in a day to how well you sleep, as well as your heart rate and caloric consumption. Study authors Andrew Hilts, Dr. Christopher Parsons and Jeffrey Knockel explain that a wide range of people are very interested in getting their hands on this data about your body. These include “companies interested in mining and selling collected fitness data, to insurance companies, to authorities and courts of law, and even potentially to criminals motivated to steal or access data retained by fitness companies.”
One of the most alarming findings was that some fitness trackers used Bluetooth technology in a way that allowed users’ locations to be tracked over time. Your fitness tracker emits a unique signal, or address, that identifies it from others’ devices.
The Apple Watch protects its wearer’s location better: it changes this identifying address periodically, so outside parties have a much tougher time tracking your whereabouts over time. Most Fitbit watches, by contrast, keep the same identifying address all the time.
The researchers found that several leading fitness trackers — Basis Peak, Fitbit Charge, Garmin Vivosmart, Jawbone UP2, Mio Fuse, Withings Pulse O2, Xiaomi Mi Band — did not protect the unique ID of users.
And what’s so bad about this? This “can leave their wearers exposed to long-term tracking of their location,” explain the study authors. A user of a Fitbit Charge HR, for example, could be happily walking through a shopping mall, unaware that their every move is being recorded by outside parties scanning for their unique Bluetooth address, from the company that owns the shopping mall to advertisers or other groups that have partnered with the mall. “The shopping centre could record all this location data for future study,” explain the study authors. And if the mall is part of a bigger network of shopping centers, your movements could be tracked between different malls.
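To make the difference between a fixed and a rotating Bluetooth address concrete, here is a small added simulation (not code from the article or the study). It models one wearer passing a chain of scanners and measures what an observer who only groups sightings by advertised address can link together. The scanner names, the walk, and the hash-based address derivation are all constructed for the example; the rotation stands in for the device’s own random-address scheme and is not the Bluetooth specification’s algorithm.

```python
import hashlib
from collections import defaultdict

# Constructed scanner placements for the scenario the article describes:
# one operator with Bluetooth scanners in two malls.
SCANNERS = [
    "mall-A-entrance", "mall-A-food-court", "mall-A-parking",
    "mall-B-entrance", "mall-B-food-court",
]


def static_address(device_seed: str, minute: int) -> str:
    """A tracker that never changes its Bluetooth address (the behaviour the
    study reported for several devices): same identifier at every minute."""
    return "static:" + hashlib.sha256(device_seed.encode()).hexdigest()[:12]


def rotating_address(device_seed: str, minute: int, period: int = 15) -> str:
    """Model of periodic address rotation, as the article describes for the
    Apple Watch: a fresh pseudo-random address every `period` minutes.
    Assumption: the hash is a stand-in for the device's own random-address
    generation, not the Bluetooth specification's algorithm."""
    epoch = minute // period
    return "rand:" + hashlib.sha256(f"{device_seed}:{epoch}".encode()).hexdigest()[:12]


def simulate_walk(address_fn, device_seed: str = "wearer-1"):
    """Constructed walk: the wearer passes one scanner every 20 minutes,
    visiting both malls. Returns sightings as (minute, scanner, address)."""
    sightings = []
    for i, scanner in enumerate(SCANNERS):
        minute = i * 20
        sightings.append((minute, scanner, address_fn(device_seed, minute)))
    return sightings


def longest_linkable_trail(sightings):
    """What a passive observer can reconstruct from the advertised address
    alone: the longest sequence of locations attributable to one address."""
    trails = defaultdict(list)
    for minute, scanner, addr in sorted(sightings):
        trails[addr].append(scanner)
    return max(trails.values(), key=len)


if __name__ == "__main__":
    for name, fn in (("fixed address", static_address), ("rotating address", rotating_address)):
        trail = longest_linkable_trail(simulate_walk(fn))
        print(f"{name}: observer can link {len(trail)} sighting(s): {trail}")
```

With the fixed address every sighting across both malls collapses into one trail; with rotation each address is seen at most once, so the observer is left with disconnected single sightings. Rotation only helps, of course, if the rest of the advertisement does not carry some other stable identifier such as a device name or serial number.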
The research team also found that in some cases private health data was not protected: fitness apps such as Garmin Connect transmit heart-rate readings and data about how much you move, both during day-to-day activities and while working up a sweat, without encrypting them first. They also found that Withings’ Health Mate app only partially encrypted data.
“Garmin Connect’s lack of HTTPS encryption exposes its customers to the risk that their sensitive fitness data is being collected or tampered by unauthorized third parties, as does a security vulnerability in the Withings Health Mate application,” they explain.
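The two findings quoted above, no HTTPS at all versus partial encryption, are easy to check for on your own phone with a traffic-capturing proxy. The added example below (not code from the article or the study) runs that check over a few constructed proxy-log lines: it reports every request that carries a health field over plain HTTP and each app’s share of encrypted requests. The app names, hostnames (all under the reserved `.invalid` domain), paths and field names are invented for the example and do not describe any vendor’s real endpoints.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed proxy-log lines in the shape "<app> <METHOD> <url>".
# Hostnames use the reserved .invalid TLD; nothing here is a real endpoint.
SAMPLE_LOG = """\
example-fitness-app GET http://api.example-fitness.invalid/sync?heart_rate=72&steps=8120
example-fitness-app POST http://api.example-fitness.invalid/activity?calories=640
example-health-app POST https://api.example-health.invalid/measures
example-health-app GET http://share.example-health.invalid/public?weight=81.5&user=1234
"""

# Query-string keys treated as health data for this example (an assumption).
SENSITIVE_KEYS = {"heart_rate", "steps", "weight", "sleep", "calories"}


def parse_log(text: str):
    """Split log lines into (app, method, url) tuples, skipping blank lines."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        app, method, url = line.split(maxsplit=2)
        records.append((app, method, url))
    return records


def cleartext_exposures(records):
    """Return (app, url, exposed_keys) for every request sent over plain HTTP
    whose query string carries a sensitive field. Only query strings are
    inspected; checking POST bodies would need the captured body as well."""
    findings = []
    for app, _method, url in records:
        parts = urlsplit(url)
        if parts.scheme != "http":
            continue
        keys = set(parse_qs(parts.query)) & SENSITIVE_KEYS
        if keys:
            findings.append((app, url, sorted(keys)))
    return findings


def https_coverage(records):
    """Fraction of each app's requests that used HTTPS: 1.0 is fully
    encrypted in transit, 0.0 is none, anything between is the
    'partially encrypted' case the study describes."""
    totals, secure = {}, {}
    for app, _method, url in records:
        totals[app] = totals.get(app, 0) + 1
        if urlsplit(url).scheme == "https":
            secure[app] = secure.get(app, 0) + 1
    return {app: secure.get(app, 0) / totals[app] for app in totals}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for app, frac in https_coverage(recs).items():
        print(f"{app}: {frac:.0%} of requests over HTTPS")
    for app, url, keys in cleartext_exposures(recs):
        print(f"cleartext health data from {app}: {keys} in {url}")
```

A result below 100 per cent is the signal to look at: even one unencrypted request that carries a reading is enough for anyone on the same Wi-Fi network to read or alter it, which is the exposure the researchers are describing.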
But as consumers demand more protection, some companies are taking note. After CBC News confronted Withings about its failure to fully protect users’ data, the company took quick action, shutting down the compromised social sharing function on its Health Mate app. “An updated version of the Android app will be available in the coming week and will feature enhanced encryption,” company spokesman Ian Twinn promised CBC News in an email.
Right now, plenty of Canadians are spending on fitness trackers. “The fitness wearable industry is booming,” write the study authors. “Analysts valued the market at approximately $2 billion in 2014 and predicted it would increase to as much as $5.4 billion by 2019.” But maybe you should think before you buy. Find a tracker that protects your right to privacy. Right now the Apple Watch seems like the best bet, but as companies like Withings get up to speed, you may have even more options soon. Because what went on between you and that poutine last night is nobody’s business but yours.