September 14, 2023

Is Your Fitness Tracker Data Safe?

Wearable technology has seen a massive surge in popularity in recent years. There are literally thousands of different devices that can monitor anything from heart rates to VO2 levels, sleep patterns, glucose levels, and so much more.

But the ability to gain insight into our own health and well-being means trusting devices with an awful lot of personal data. It begs the question: Is your fitness tracker data safe?

Hoody delves into what type of personal data wearable devices store and share. We'll also discuss the privacy risks associated with using them and what measures you can take to protect your personal information.

But first, let's take a look at what wearable technology actually is and what it does.


What is wearable technology?

Wearable technology refers to electronic devices that can be worn on the body, typically in the form of accessories or clothing. They have integrated sensors and functionalities that track, analyze, and transmit various aspects of an individual's activities, health, or environment.

Although wearable technology includes things like VR headsets, smart glasses, and hearing aids, the most popular by far is wearable fitness technology such as smartwatches and fitness trackers. With more than a quarter of people in the US wearing some sort of “smart” device, the industry continues to boom.

Image source: Insider Intelligence

Wearable fitness devices are designed to collect biometric data and provide users with real-time insights about their physical well-being, exercise routines, sleep quality, menstrual cycles, and more.

Falling under the umbrella of the “Internet of Things”, these devices can be synced with smartphone applications or other digital platforms. Their connectivity allows users to not only conveniently monitor their health and activities but also make informed health decisions based on the information.

There's no doubt that wearable technology offers numerous benefits in terms of health monitoring and lifestyle management, but it also raises concerns about the privacy and security of the data it collects.

What type of personal data do fitness trackers collect?

Fitness trackers collect a wide range of personal data, but exactly what they collect varies depending on the brand, model, and features included.

However, here are some common types of fitness tracker data:

Movement and activity data: Fitness trackers use built-in accelerometers and gyroscopes to track metrics and various aspects of physical movements, such as steps taken, distance traveled, and calories burned.

Heart rate and cardiovascular data: Optical sensors monitor the wearer's heart rate continuously or periodically throughout the day. This data provides info about heart rate zones, resting heart rate, and changes in heart rate during exercise.

Sleep patterns: Most fitness wearables include a sleep-tracking functionality that monitors the duration and quality of sleep. They track total sleep time, time spent in different sleep stages (light, deep, REM), and interruptions during sleep.

GPS and location data: Some fitness trackers and almost all smartwatches incorporate GPS technology to track outdoor activities. This can provide detailed route maps and information on distance, speed, and elevation. This feature collects location data during workouts.

Menstrual cycles: Period tracking features can be enabled on some fitness trackers which will allow the wearer to input details about their cycles, such as flow intensity, symptoms, and moods. This data is used to help individuals better understand and manage their menstrual cycles, fertility windows, and overall reproductive health.

Personal profiles and settings: Fitness trackers typically require users to create profiles and input personal information such as age, gender, height, and weight. This data helps to provide accurate calculations and personalized insights.

Other metrics: Advanced trackers may collect additional data like blood sugar levels, blood pressure, skin temperature, stress levels, or even blood oxygen saturation (SpO2).

What are the privacy risks of using fitness trackers?

Using fitness trackers poses several risks to privacy. Here are some common risks associated with the use of fitness trackers:

Data breaches

Fitness tracker manufacturers and associated apps may store user data on servers or in the cloud. In the event of a data breach or hacking incident, personal information collected by the fitness tracker could be compromised, potentially leading to identity theft, fraud, or other malicious activities.

In 2021, a research team discovered an unsecured database containing over 61 million user records of health and fitness tracking devices, including Apple and Fitbit. The exposed data included sensitive information such as first and last names, display names, dates of birth, weight, height, gender, geo-location, and more.

The information could easily have been used in a targeted phishing attack or could also have been used to gain access to additional health information about specific users.

Hacking

Fitness tracker data includes very private and sensitive data. Not just our name, age, height, and weight but also what time we go to bed, what time we get up, when we start walking (leave home), and even the route we take. Users tend to blindly trust this information to devices, with the hope that they will capture and store this information safely.

But the majority of fitness trackers connect to your smartphone via Bluetooth, which can easily be hacked by someone with the know-how. Plus, no fitness tracker app is immune to attacks. Apps will have security vulnerabilities and these holes could allow hackers to gain access to your most personal information. It puts users at risk of stalking, harassment, and identity theft.

Third-party data sharing

Many fitness trackers and their accompanying apps share data with third-party service providers, advertisers, or researchers. While some sharing may be for legitimate purposes such as improving the user experience or conducting health research, that's not always the case. In 2019, 11 popular apps, including a heart rate monitor and a period tracker, were found to have shared user data with Facebook.

Location tracking

Fitness trackers with GPS functionality can track and record the wearer's location during activities. If this data is not properly secured or handled, it could be used by stalkers or other bad actors to track an individual's movements. It not only compromises personal privacy but can pose serious safety risks.

For example, in 2018, a 20-year-old Australian student brought a security breach to the attention of the US Pentagon.

Nathan Ruser had been looking at a Strava map showing two years' worth of satellite tracking data from fitness devices when he realized it clearly showed US military bases in warzones such as Syria and Afghanistan.

The GPS data collected by Strava could also reveal how many soldiers are stationed where, how they move, the pattern of activity and patrols, and even the identity of individual soldiers.

More recently, the same app has also been implicated in the killing of a Russian ex-navy commander. It has been suggested that Stanislav Rzhitsky was tracked via his Strava profile which synced with his fitness tracker, mapping the route of his morning runs.

Aggregation and profiling

Fitness tracker data, when combined with other sources of personal information, such as social media networks, can be used to create detailed profiles of individuals. This profiling can lead to targeted advertising, personalized offers, or even discrimination based on health or lifestyle choices.

For example, insurance company John Hancock was the first to require fitness tracker data for all of its policyholders. Its so-called “Vitality” program would reward policyholders who record and share their fitness tracker data with them. Customers can choose to withhold the data, but then they just won't qualify for discounts and other perks. Basically, they're penalized for valuing their privacy.

Lack of transparency and control

Some fitness trackers and apps may not provide clear information on how data is collected, used, and shared. With limited control over your data, it's difficult to make informed choices about your own privacy.

Mozilla's “Privacy Not Included” product reviews have a page dedicated to wearable technology and fitness trackers. The reviews rate products by how “creepy” they are, summarize the privacy policies to make them easier to understand, and list the settings you can adjust for more privacy.

Is fitness data protected by HIPAA?

No, but sometimes yes. Let's explain!

HIPAA stands for the Health Insurance Portability and Accountability Act. It's a US federal law that protects the privacy and security of individuals' personal health information (PHI).

One of the main rules of HIPAA is the Privacy Rule which sets standards for the use and disclosure of PHI. It gives individuals certain rights over their health information, such as the right to access, amend, and request an accounting of any disclosures.

Even though the information collected by fitness trackers is very much related to a person's health, the data doesn't always fall within HIPAA's scope. Why?

Well, because trackers and apps generally don't qualify as patient care organizations, and the health data is freely provided or collected for the wearer's own personal use.

But it's a gray area...

If the wearable technology is interfacing with a healthcare organization as part of the patient's treatment or diagnosis, then that data must be stored and dealt with in a way that meets HIPAA standards.

How to secure your fitness tracker data

Using fitness trackers can be a great way to monitor your health and fitness progress, but it's essential to take precautions to secure your personal data. Here are some tips to help you keep your information safe when using fitness trackers:

Read the fine print: Before purchasing a fitness tracker, carefully review the manufacturer's privacy policy. Ensure that they have strong data protection measures in place and are committed to safeguarding your personal information.

Review app permissions: When installing the companion app for your fitness tracker, be sure to carefully review the permissions it requests. Only grant the necessary permissions and avoid providing access to unnecessary personal data or features.

Be mindful of sharing data: As always, be mindful of what fitness tracker data you share on social media. Recording your run is one thing, but do you really need to share the route with strangers?

Adjust privacy settings: Explore the privacy settings within your fitness tracker's companion app and adjust them according to your preferences. For example, you may choose to limit data sharing, opt out of targeted advertising, or make your profile private.

Secure your mobile device: Since fitness trackers typically sync with a mobile device, ensure your smartphone or tablet is also secure. Use strong passcodes or biometric authentication, install security updates promptly, and consider using encryption and anti-malware apps.

Disconnect when not in use: When you're not actively using your fitness tracker, consider disconnecting it from your device or turning off Bluetooth. This minimizes the potential for unauthorized access or data interception.

Dispose of old devices responsibly: If you upgrade to a new fitness tracker, make sure to wipe the data from your old device. Follow the manufacturer's instructions or perform a factory reset to remove any personal information stored on the device.

Update firmware and software: Regularly check for firmware and software updates for your fitness tracker and its companion app. These updates often include security patches that address vulnerabilities, keeping your device and data more secure.

Keep an eye on your fitness tracker data

Wearable technology and fitness trackers have undoubtedly revolutionized the way we monitor and manage our own health.

With real-time insights and invaluable data, they help us make informed decisions about our well-being and lifestyles. The popularity of these devices means you can pick one up for just a few dollars, but you could be paying much more than you expect when it comes to your privacy.

The personal data that fitness trackers collect, store, and share raises numerous privacy and security concerns. Data breaches, hacking, third-party data sharing, and location tracking are all potential pitfalls that leave users open to stalking, identity theft, and further phishing attacks.

But if fitness tracking is important to you, then staying vigilant and adopting best practices to safeguard your personal information is crucial. Stay fit, but stay safe!

Wearable technology isn't the only “smart” device you should be worried about. Read Why You Might Want to Delete Alexa Recordings

Ruby M
Hoody Editorial Team

Ruby is a full-time writer covering everything from tech innovations to SaaS, Web 3, and blockchain technology. She is now turning her virtual pen to the world of data privacy and online anonymity.
