Fitness Trackers are Changing Online Privacy — and It's Time to Pay Attention

Wearable devices such as fitness trackers are all the rage. In the rush to get them to market, though, manufacturers haven't always paid attention to security and privacy — and in the rush to get moving, neither have consumers.
Throughout the history of technology, few sectors have expanded and evolved as rapidly as today's burgeoning wearable tech market. Piles of unique and unusual, flashy and fancy — often goofy and gimmicky — new wearables are announced every week. There are smartwatches, smartglasses, intelligent socks and "onesies" for infants, rings for public transit payments and even "wearable tattoos."

One reason the category is growing so quickly is the fact that it's incredibly broad. There's no set definition for what constitutes a wearable today. It's any sort of gadget that you wear, carry (in some cases) or have implanted or otherwise attached to your body.

What's clear is that wearable technology is here to stay. One category of devices leads the charge: fitness trackers. 

The majority of people today want to be healthier, lose weight and live longer — or at least look better in a bathing suit. Fitness trackers help those people take steps toward a healthier lifestyle. Many trackers are relatively inexpensive, which makes them available to a massive pool of potential users. Nearly three quarters of all U.S. adults already use a fitness tracker, according to the Pew Research Center’s Internet & American Life Project.

In a rush to get started, to earn that new beach body, many users of fitness trackers and other health and wellness devices grant access to personal data without even considering the security and privacy implications. This could prove to be a major mistake, according to privacy experts. 

"I think [wearable devices] have enormous potential, I really do," says Ruby Zefo, vice president of legal and corporate affairs and chief privacy counsel at Intel and a member of the International Association of Privacy Professionals (IAPP). "But people need to get the privacy and security right." (Last spring, Intel purchased BASIS Science, maker of the popular BASIS fitness band.)

Wearable Tech, Fitness Trackers and Security

An unintended consequence of the remarkable popularity of fitness trackers, health apps and other devices with sensors for tracking certain activities is an influx of new or inexperienced companies rapidly introducing products, in an effort to ride the wave and make a quick buck.

In the rush to market, security and privacy considerations often fall by the wayside, according to Kevin Haley, director of Symantec's Security Response team. "Cost and time to market are so important, that's where the focus is," Haley says. "Companies think, 'We need to get this out quickly, cheaply.' But nobody buys something because it's the most secure tracker."

Many of today's wearable gadgets, including fitness trackers, are "companion devices" that connect to other devices to sync data. Those companion devices then send the data to the cloud for storage and analysis.

The relationship creates three areas of security concern:

  1. The wearable itself.
  2. The transfer of data to the companion device, which is typically done using Bluetooth or another short-range wireless technology, and the subsequent transmission of that data over the Internet to the cloud.
  3. The actual storage of the data in the cloud.

"It's one thing if a hacker somehow manages to hack into your Fitbit. It's really only an accelerometer, maybe an altimeter," says Jeremy Gillula, staff technologist with the Electronic Frontier Foundation (EFF), a privacy rights group. "The issue there is that someone could use the Fitbit to get access to your online account, get your credentials and do other things with other accounts."

Gillula says he's not currently aware of any specific exploits that use fitness trackers or apps to gain access to their companion devices — but he would be surprised if some don’t surface in the future.

Symantec researchers recently built scanning devices that cost less than $100 each and brought them to athletic events and highly trafficked areas to see if they could hack into people's activity trackers. The company was able to track individual users via their fitness devices; it also identified vulnerabilities in how personal data was stored on the devices and then transmitted.

"From the results of this research, it appears that manufacturers of these devices (including market leaders) have not seriously considered or addressed the privacy implications of wearing their product," Symantec wrote in a summary of its report.

Haley says the sloppy storage of potentially sensitive data after it's collected is particularly worrisome. "At Symantec, we know attackers often prefer to go where much of the data is stored."

Intel's Zefo, who regularly uses a BASIS fitness band, agrees. "I have chosen to allow the device to collect information that I know it's collecting. That was a decision I made. I know how it's being analyzed. That's OK with me, but I don't want someone else getting that data that shouldn't have it. That's my biggest concern." 

As part of Symantec's report, titled "How Safe is Your Quantified Self?," the company analyzed a selection of the "top 100 health and fitness apps" on the Apple App Store and Google Play, according to Haley. (He wouldn't name specific apps.) Among Symantec's most notable findings: 20 percent of the apps transmitted user credentials in clear text.

"The transmission of credentials in clear text is especially troubling given that large numbers of people have a propensity to reuse login credentials at multiple sites," the report reads. "Due to reuse, login details stolen from one service could potentially be used to gain access to more sensitive services such as email accounts or online shopping accounts."
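Clear-text credential transmission of the kind the report describes is straightforward to check for in an app's own traffic before release: export the requests the app makes (through a debugging proxy, for instance) and flag any that carry a password, token or authorization header over plain HTTP, or put a secret in the URL where proxies and servers will log it. The script below is an added example, not code from the article or from Symantec's report. It assumes the capture has already been reduced to simple request records (method, URL, headers, body); the sample records, the placeholder hostnames and the list of credential-looking field and header names are all constructed assumptions.

```python
"""Audit captured app requests for credentials sent in clear text.

Added example; the record format, field-name list and sample capture are
assumptions, not taken from the article or from Symantec's report.
"""
import json
from urllib.parse import parse_qs, urlsplit

# Field and header names that typically carry a secret (assumed list; extend as needed).
CREDENTIAL_FIELDS = {"password", "passwd", "pwd", "token", "api_key", "apikey",
                     "auth_token", "access_token", "secret"}
CREDENTIAL_HEADERS = {"authorization", "x-api-key", "x-auth-token"}


def credential_keys(keys):
    """Return the subset of `keys` whose lower-cased name looks like a credential."""
    return sorted(k for k in keys if k.lower() in CREDENTIAL_FIELDS)


def body_credential_fields(body, content_type):
    """Names of credential-looking fields in a form-encoded or JSON request body."""
    if not body:
        return []
    if "json" in content_type.lower():
        try:
            data = json.loads(body)
        except ValueError:  # JSONDecodeError is a ValueError
            return []
        return credential_keys(data.keys()) if isinstance(data, dict) else []
    return credential_keys(parse_qs(body).keys())


def audit_request(req):
    """Audit one captured request record; return a list of (kind, detail) findings.

    kinds: 'in_url'    -> a credential appears in the query string (ends up in logs)
           'cleartext' -> a credential is sent over plain http rather than https
    """
    findings = []
    headers = {k.lower(): v for k, v in req.get("headers", {}).items()}
    parts = urlsplit(req["url"])
    query_fields = credential_keys(parse_qs(parts.query).keys())
    body_fields = body_credential_fields(req.get("body", ""),
                                         headers.get("content-type", ""))
    header_names = sorted(h for h in headers if h in CREDENTIAL_HEADERS)

    if query_fields:
        findings.append(("in_url",
                         f"{parts.netloc}{parts.path} query fields {query_fields}"))
    if parts.scheme.lower() != "https" and (query_fields or body_fields or header_names):
        findings.append(("cleartext",
                         f"{parts.netloc}{parts.path} fields {query_fields + body_fields} "
                         f"headers {header_names}"))
    return findings


def audit_capture(records):
    """Audit a list of request records; return {url: findings} for requests with findings."""
    report = {}
    for req in records:
        findings = audit_request(req)
        if findings:
            report[req["url"]] = findings
    return report


# Constructed sample capture (not real app traffic); hostnames are placeholders.
SAMPLE_CAPTURE = [
    {"method": "POST", "url": "http://api.example-tracker.test/v1/login",
     "headers": {"Content-Type": "application/x-www-form-urlencoded"},
     "body": "username=alice&password=hunter2"},
    {"method": "POST", "url": "https://api.example-tracker.test/v1/login",
     "headers": {"Content-Type": "application/json"},
     "body": '{"username": "alice", "password": "hunter2"}'},
    {"method": "GET", "url": "http://sync.example-tracker.test/steps?day=2014-08-01&token=abc123",
     "headers": {}, "body": ""},
    {"method": "GET", "url": "https://sync.example-tracker.test/steps?day=2014-08-01",
     "headers": {"Authorization": "Bearer abc123"}, "body": ""},
]

if __name__ == "__main__":
    for url, findings in audit_capture(SAMPLE_CAPTURE).items():
        for kind, detail in findings:
            print(f"[{kind}] {detail}")
```

Run against the constructed sample, the first record (form login over http) and the third (token in the query string over http) are reported; the two https records, including the one that sends a bearer token in a header, pass. The same audit can be pointed at a real proxy export once the records are converted to this shape.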

Symantec offers 12 tips to secure your fitness trackers and other wearables:

  1. Use a screen lock or password to prevent unauthorized access to your device.
  2. Don't reuse the same user name and password on different sites.
  3. Use strong passwords.
  4. Turn off Bluetooth when not required.
  5. Be wary of sites and services asking for unnecessary or excessive information.
  6. Be careful when using social sharing features.
  7. Avoid sharing location details on social media.
  8. Avoid apps and services that don't prominently display a privacy policy.
  9. Read and understand the privacy policy of apps and services.
  10. Install app and operating system updates when available.
  11. Use a device-based security solution if available.
  12. Use full device encryption if available.