by Al Sacco

Fitness Trackers are Changing Online Privacy — and It’s Time to Pay Attention

Aug 14, 2014

Wearable devices such as fitness trackers are all the rage. In the rush to get them to market, though, manufacturers haven't always paid attention to security and privacy — and in the rush to get moving, neither have consumers.


Throughout the history of technology, few sectors have expanded and evolved as rapidly as today’s burgeoning wearable tech market. Piles of unique and unusual, flashy and fancy — often goofy and gimmicky — new wearables are announced every week. There are smartwatches, smartglasses, intelligent socks and “onesies” for infants, rings for public transit payments and even “wearable tattoos.”

One reason the category is growing so quickly is the fact that it’s incredibly broad. There’s no set definition for what constitutes a wearable today. It’s any sort of gadget that you wear, carry (in some cases) or have implanted or otherwise attached to your body.

What’s clear is that wearable technology is here to stay. One category of devices leads the charge: fitness trackers. 

The majority of people today want to be healthier, lose weight and live longer — or at least look better in a bathing suit. Fitness trackers help those people take steps toward a healthier lifestyle. Many trackers are relatively inexpensive, which makes them available to a massive pool of potential users. Nearly three quarters of all U.S. adults already use a fitness tracker, according to the Pew Research Center’s Internet & American Life Project.

In a rush to get started, to earn that new beach body, many users of fitness trackers and other health and wellness devices grant access to personal data without even considering the security and privacy implications. This could prove to be a major mistake, according to privacy experts. 

“I think [wearable devices] have enormous potential, I really do,” says Ruby Zefo, vice president of legal and corporate affairs and chief privacy counsel at Intel and a member of the International Association of Privacy Professionals (IAPP). “But people need to get the privacy and security right.” (Last spring, Intel purchased BASIS Science, maker of the popular BASIS fitness band.)

Wearable Tech, Fitness Trackers and Security

An unintended consequence of the remarkable popularity of fitness trackers, health apps and other devices with sensors for tracking certain activities is an influx of new or inexperienced companies rapidly introducing products, in an effort to ride the wave and make a quick buck.

In the rush to market, security and privacy considerations often fall by the wayside, according to Kevin Haley, director of Symantec’s Security Response team. “Cost and time to market are so important, that’s where the focus is,” Haley says. “Companies think, ‘We need to get this out quickly, cheaply.’ But nobody buys something because it’s the most secure tracker.”

Many of today’s wearable gadgets, including fitness trackers, are “companion devices” that connect to other devices to sync data. Those companion devices then send the data to the cloud for storage and analysis.

The relationship creates three areas of security concern:

  1. The wearable itself.
  2. The transfer of data to the companion device, which is typically done using Bluetooth or another short-range wireless technology, and the subsequent transmission of that data over the Internet to the cloud.
  3. The actual storage of the data in the cloud.

“It’s one thing if a hacker somehow manages to hack into your Fitbit. It’s really only an accelerometer, maybe an altimeter,” says Jeremy Gillula, staff technologist with the Electronic Frontier Foundation (EFF), a privacy rights group. “The issue there is that someone could use the Fitbit to get access to your online account, get your credentials and do other things with other accounts.”

Gillula says he’s not currently aware of any specific exploits that use fitness trackers or apps to gain access to their companion devices — but he would be surprised if some don’t surface in the future.

Symantec researchers recently built scanning devices that cost less than $100 each and brought them to athletic events and highly trafficked areas to see if they could hack into people’s activity trackers. The company was able to track individual users via their fitness devices; it also identified vulnerabilities in how personal data was stored on the devices and then transmitted.

“From the results of this research, it appears that manufacturers of these devices (including market leaders) have not seriously considered or addressed the privacy implications of wearing their product,” Symantec wrote in a summary of its report.

Haley says the sloppy storage of potentially sensitive data after it’s collected is particularly worrisome. “At Symantec, we know attackers often prefer to go where much of the data is stored.”

Intel’s Zefo, who regularly uses a BASIS fitness band, agrees. “I have chosen to allow the device to collect information that I know it’s collecting. That was a decision I made. I know how it’s being analyzed. That’s OK with me, but I don’t want someone else getting that data that shouldn’t have it. That’s my biggest concern.” 

As part of Symantec’s report, titled “How Safe is Your Quantified Self?,” the company analyzed a selection of the “top 100 health and fitness apps” on the Apple App Store and Google Play, according to Haley. (He wouldn’t name specific apps.) Among Symantec’s most notable findings: 20 percent of the apps transmitted user credentials in clear text.


“The transmission of credentials in clear text is especially troubling given that large numbers of people have a propensity to reuse login credentials at multiple sites,” the report reads. “Due to reuse, login details stolen from one service could potentially be used to gain access to more sensitive services such as email accounts or online shopping accounts.”
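A defender-side check that mirrors this finding, added here as an example and not part of Symantec’s report or this article: it audits captured app requests and flags any that carry a credential over plain HTTP, then reports the share of apps that leak, which is the kind of number behind the 20 percent figure above. The request dictionary format, the list of credential field names and the five sample requests are all constructed for the example.

```python
import json
from urllib.parse import parse_qs, urlsplit
# Field names that usually carry a credential (constructed list for this example).
CREDENTIAL_KEYS = {"password", "passwd", "pwd", "token", "access_token", "api_key", "secret"}

def credential_fields(mapping):
    """Keys of a flat mapping (form, query or JSON object) whose name suggests a credential."""
    return sorted(k for k in mapping if str(k).lower() in CREDENTIAL_KEYS)

def audit_request(req):
    """Findings for one captured request; only plain http:// (no TLS) requests are judged."""
    findings = []
    parts = urlsplit(req["url"])
    if parts.scheme.lower() != "http":
        return findings                      # https: the credential is encrypted in transit
    headers = {k.lower(): v for k, v in req.get("headers", {}).items()}
    # Basic auth is base64, not encryption: user:password is trivially recoverable.
    if headers.get("authorization", "").lower().startswith("basic "):
        findings.append("basic auth credentials in Authorization header")
    # Query strings also land in server, proxy and CDN logs, not just on the wire.
    for key in credential_fields(parse_qs(parts.query)):
        findings.append(f"credential field '{key}' in query string")
    # Form-encoded and JSON bodies are where most mobile login calls put the password.
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    fields = {}
    if ctype == "application/json":
        try:
            data = json.loads(req.get("body", ""))
            fields = data if isinstance(data, dict) else {}
        except ValueError:
            pass                             # malformed body: nothing to inspect
    elif ctype == "application/x-www-form-urlencoded":
        fields = parse_qs(req.get("body", ""))
    for key in credential_fields(fields):
        findings.append(f"credential field '{key}' in {ctype} body")
    return findings
def cleartext_credential_rate(requests):
    """(leaking, total, percent) over a capture holding one request per app."""
    leaking = sum(1 for r in requests if audit_request(r))
    return leaking, len(requests), round(100.0 * leaking / len(requests))

# Constructed sample capture: one login or sync request from each of five hypothetical apps.
JSON, FORM = {"Content-Type": "application/json"}, {"Content-Type": "application/x-www-form-urlencoded"}
SAMPLE_REQUESTS = [
    {"url": "http://api.run.example/login", "headers": JSON, "body": '{"email": "a@example", "password": "hunter2"}'},
    {"url": "https://api.steps.example/login", "headers": JSON, "body": '{"email": "b@example", "password": "x"}'},
    {"url": "http://sync.band.example/upload", "headers": {"Authorization": "Basic dXNlcjpwYXNz"}, "body": ""},
    {"url": "http://api.sleep.example/data?access_token=abc123", "headers": {}, "body": ""},
    {"url": "http://api.scale.example/weight", "headers": FORM, "body": "kg=72.5&date=2014-08-14"},
]
```

Run against your own app's captured traffic (for example, a proxy export converted to the same dictionaries), any non-empty finding is a request that should have been sent over HTTPS.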

Symantec offers 12 tips to secure your fitness trackers and other wearables:

  1. Use a screen lock or password to prevent unauthorized access to your device.
  2. Don’t reuse the same user name and password on different sites.
  3. Use strong passwords.
  4. Turn off Bluetooth when not required.
  5. Be wary of sites and services asking for unnecessary or excessive information.
  6. Be careful when using social sharing features.
  7. Avoid sharing location details on social media.
  8. Avoid apps and services that don’t prominently display a privacy policy.
  9. Read and understand the privacy policy of apps and services.
  10. Install app and operating system updates when available.
  11. Use a device-based security solution if available.
  12. Use full device encryption if available. 

Wearables, Fitness Trackers and Privacy 

The concept of privacy in the modern world is ever changing. User expectations vary widely based on age, culture, geographic location and a variety of other factors. Younger Americans sign up for new social networking services every day and share the most mundane details of their lives without a second thought.

The risks associated with wearables are similar to those of smartphones, tablets and mobile apps that collect and store personal information. However, wearables are different, according to Symantec’s Haley, because of the kinds and volume of data they collect. This includes, but isn’t limited to, email addresses, logins, passwords and other credentials; steps; heart-rate information; physical addresses, routes travelled and other location data; sleep habits, and height and weight details.

“It’s the nature of the data that’s being collected,” Haley says. “This is really getting to the essence of our being. It’s hard to believe people are willing to share all this stuff, especially around health.”

Haley says people need to think about what could be done with their information in the future when they decide to give some random device or service permission to store data. “In five years, we’ll discover it’s being used in ways we couldn’t have guessed. In the short term, people may not care if people know how much they weigh, but…we may not ultimately want people to have that information.”

The EFF’s Gillula is concerned with the digital “paper trail” all this wearable-related data collection creates and suggests that it could eventually be used against the users.


“Having more information about yourself also means that other people could potentially have a lot more information about you, too,” he says. “And you may not have control over how that information gets used.”

Gillula worries about how law enforcement could eventually use the data collected by fitness trackers and other wearables.

“If for some reason you were suspected of something, the government could compel a company to provide data. It’s one more trail of data, and just as much as it could be used to help you, it could be used against you,” Gillula says. “It’s not that I’m concerned about the government maliciously going after people, but where there’s a ton of data and a ton of bureaucracy, it’s not that difficult for someone to get unintentionally caught up in it.”

There’s also a notable absence of laws governing the makers of wearable gadgets and fitness trackers and restricting what they can collect and do with user data — though one N.Y. senator recently called on the FTC to investigate the data collection and sharing practices of fitness device makers and app developers.

The best place to begin protecting your privacy when using wearables is a manufacturer or provider’s privacy policy. Unfortunately, most privacy policies aren’t exactly consumer-friendly. (For more details on wearable-tech privacy policies, read: “How to Read (and Actually Understand) a Wearable Tech Privacy Policy.”)

 “They’re geared towards regulatory concerns, so they’re sometimes very complicated and long,” Intel’s Zefo says. “For the average user, they’re a little bit difficult to cut through.” 

Even if you can’t understand or dissect a company’s privacy policy, it’s a good idea to make sure they offer one. In fact, Symantec’s Haley says checking to see that a policy exists is “even more important than actually reading it.”

Adds Gillula: “If you look for a privacy policy and can’t easily find one on a provider’s website, you may want to be wary of handing over your personal data.”

Of all the popular fitness apps Symantec examined in its report on the quantified self movement, more than half (52 percent) didn’t offer privacy policies.

“Most companies should realize by now that it’s an important thing to do,” Gillula says. “If a privacy policy isn’t readily available, I would definitely shy away from that. It indicates that they’re not taking privacy very seriously.”

Of course, not everyone thinks you need to worry about the security and privacy of your fitness data. And some people may choose not to read any privacy policies.

Florian Gschwandtner isn’t worried about privacy. He’s the CEO of Runtastic, which makes a number of fitness tracking devices, including the new Orbit fitness band and a connected scale called Libra, as well as a collection of fitness apps for iOS, Android, Windows Phone and BlackBerry.

Gschwandtner has been using fitness trackers for years and has experimented with many of the most popular options, but privacy has never been a concern.

“I never really cared about data [collection]. I’m happy to share it,” he says. “I see both sides of it, but I see more benefits than risk. The important thing is that the end user decides what they want to do with the data and with whom they share the data.”

When asked specifically about privacy policies, Gschwandtner says, “It’s almost impossible for users to read and understand privacy policies. All of the [services] I use, it doesn’t matter if it’s Netflix or whatever, I don’t read privacy policies. I wouldn’t understand it without a lawyer.”

The Runtastic CEO was clear, though, that his company takes data security and privacy seriously. Whenever Runtastic collects data, it gets approval first via opt-in options. To Runtastic’s credit, it makes its privacy policy easy to find — there is a link to the policy, in all capital letters, at the bottom of the company’s home page.

Wearables and fitness trackers undeniably shine a new light on the challenge of securing all of the information we allow our devices to collect. It may be time to think differently about privacy and the way you use tracking devices in the future – but it’s not time to panic, either.

“I don’t think you need to go to extremes. Take basic precautions,” Haley says. “Use a good password. Don’t have things [like Wi-Fi and Bluetooth] turned on if they don’t need to be. Don’t make [your device] personally identifiable. Don’t share info on social media sites…Those are the simple things that go a long way.”