Do fitness trackers put your privacy at risk?
What is wearable technology?
Wearable technology refers to devices – such as fitness trackers or smart watches – which people can wear throughout the day. Users can wear them as accessories, embedded in clothing, or even implanted in the user's body. Wearable devices are equipped with sensors to track and monitor users, helping them achieve goals such as keeping active, losing weight, tracking physical or mental health, or simply being more organized. The term ‘wearables’ is sometimes used as shorthand.
In recent years, wearables have grown considerably in popularity as part of the Internet of Things. Today, the global market for wearables is worth over $20 billion per year. This has been driven by the growth of mobile networks, high-speed data transfer, and miniaturized microprocessors. However, this growing popularity has raised questions about wearable security and whether fitness trackers are safe.
While hackers won’t care that you beat your personal best 5K run time this morning, it’s the other information that fitness trackers may hold – such as your location, your health records, or your banking information – that could create problems if it fell into the wrong hands.
Are fitness trackers safe?
Fitness trackers could potentially pose risks to your privacy. This is because most trackers are designed to sync with other hardware, such as laptops or smartphones. When you run or cycle anywhere, the tracker monitors your location. That data, once it is synced to a companion app and on to the vendor's cloud, can be intercepted in transit or exposed in a breach. As a result, common fitness tracker privacy concerns include:
Fitness tracker data is very personal
The data captured by fitness trackers – for example, your weight, blood pressure, what distances you run or walk, your heart or lung function, your menstrual cycle, your sleep patterns – is very personal. In fact, it’s the kind of information you tend to confide to your doctor so they can diagnose any health concerns. Many users dislike the idea of this type of data being shared with others without their permission. Wearable monitoring can also include home addresses, real-time locations, and detailed maps of workout routes which can be readily available to other users.
Data could be shared or sold to third parties
The privacy policies for some popular fitness trackers can be open to interpretation and subject to change. This raises legitimate questions about how data is stored, whether it is encrypted, who it is shared with, and how access is monitored or reviewed. For example, Fitbit explains that it collects your information to sell to third parties, albeit with personal identifiers removed. Your health information is valuable to advertisers and insurance companies, who are happy to pay for access. Fitness tracker companies may also be compelled to disclose your health information if required to do so for legal reasons – e.g., as part of a criminal investigation. In addition, the US health privacy law HIPAA (the Health Insurance Portability and Accountability Act) does not apply to information that customers collect for their own use – i.e., it excludes fitness trackers.
How secure is the data?
Wearable companies could be vulnerable to data breaches – a famous example being 2018’s Under Armour MyFitnessPal breach, which exposed the usernames, passwords, and email addresses of over 150 million users. Another example in 2018 was when an Australian college student on his summer break exposed a security flaw in the fitness app Strava, which revealed extensive user data, including the locations of US military bases in war zones around the world.
Most fitness trackers connect to your phone via Bluetooth. This means that potential security holes could allow hackers to access your information. Even without hacking your device, someone could ‘sniff’ the Bluetooth signal sent back to your smartphone to guess your PIN. Once a hacker has your PIN, they can access your health information.
If malicious actors are successful in hacking the servers of a fitness tracking company, they could sell the information they steal or attempt to ransom it back to the fitness tracking company. If your personal health information does become publicly available, your health insurance provider could legally use the information to adjust your health premiums. For example, if the fitness tracker data reveals your lifestyle as more sedentary than you have portrayed to your doctor, an insurance company could increase your premiums accordingly.
Wearable data can be public by default
Often, fitness trackers have a social networking aspect, and users can choose to share their information publicly with others. However, it is not unusual for the default privacy to be set to public, allowing profiles to be found in search results. If you don’t want your personal fitness data to be searchable online, check your privacy settings and make sure you are comfortable with what information is being shared.
Who owns the data you generate?
The fitness tracking company could be sold
Tips to ensure fitness tracker privacy
Europe’s General Data Protection Regulation (GDPR) and California's Consumer Privacy Act (CCPA) provide some protection for wearable users. Still, there is no coherent global legal framework in place that governs wearable security and fitness tracker data. This highlights the importance of taking precautions yourself to maximize your privacy. Steps you can take include:
Understand what data is being collected, and restrict it where necessary
Wearable monitoring varies in complexity, from simply counting steps and measuring basic activity to measuring more complex data such as your oxygen uptake and time spent in specific heart rate zones. The more sensors your wearable has, the more data is generated, which means the more sensitive information there is to protect. For example, a wearable that tracks your running or cycling routes could provide information for potential stalkers. Data such as menstrual cycle tracking could, if breached, be a significant privacy invasion.
Often, apps and devices can collect more data than is necessary. Where possible, you should only allow apps to collect and store the fitness tracker data needed to give you the health feedback you want. For example, if you only want a tracker to count your steps, you don’t need to have data collected on your heart rate as well. Go through the different data categories and adjust your device’s settings based on your needs.
Understand where data is being stored
In older, simpler devices, such as step counters or heart rate monitors, the data stays on the wearable itself. That means security is a straightforward matter of knowing where your tracker is and not losing it. However, more up-to-date fitness trackers and smartwatches typically connect to external apps so that activity can be tracked, shared, and analyzed. Once the data is out of your hands, the issue of trust becomes more important.
Set up two-factor authentication
Two-factor authentication (2FA) is a good way to secure all your accounts, including your fitness trackers. Two-factor authentication involves a code being generated and sent to a trusted device, such as your phone. You then enter the code to access your fitness tracker.
Turn off location tracking
Location tracking data can reveal a lot of information about you, such as where you live, where you work, where you shop, and so on. Within your device and app’s settings, you can turn off location tracking to enhance your privacy. In addition, think about when and where you wear your fitness tracker. Crowded areas provide greater opportunities for hackers to skim data.
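The route-sharing risk described above (a workout map whose start and end points give away a home address) can be reduced even when you choose to keep location tracking on. The following is an added example, not code from the original article or from any tracker vendor: it checks whether a GPS track passes through a configured privacy zone and strips those samples before the route is shared. The home coordinates, the sample track and the 500 m radius are all constructed values for illustration.

```python
# Added example (not part of the original article): redact the portion of a
# workout route that lies inside a privacy zone before sharing it publicly.
import math

EARTH_RADIUS_M = 6_371_000.0


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two WGS84 (lat, lon) points."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def in_zone(point, zone):
    """True if a (lat, lon) sample lies within zone = (lat, lon, radius_m)."""
    lat, lon = point
    zlat, zlon, radius_m = zone
    return haversine_m(lat, lon, zlat, zlon) <= radius_m


def intersects_zone(points, zone):
    """Pre-upload check: does any sample of the track fall inside the zone?"""
    return any(in_zone(p, zone) for p in points)


def redact_track(points, zones):
    """Drop every sample that falls inside any privacy zone.

    Returns (kept_points, dropped_count). Dropping samples rather than
    replacing them avoids leaving a visible 'hole' centred on the location."""
    kept = [p for p in points if not any(in_zone(p, z) for z in zones)]
    return kept, len(points) - len(kept)


# Constructed sample data (hypothetical home location and a short run heading
# east from it). At this latitude 0.001 degrees of longitude is roughly 68 m.
HOME_ZONE = (52.5200, 13.4050, 500.0)          # lat, lon, radius in metres
SAMPLE_TRACK = [
    (52.5200, 13.4050),   # start: at the front door (0 m from home)
    (52.5200, 13.4070),   # ~135 m
    (52.5200, 13.4120),   # ~474 m, still inside the 500 m zone
    (52.5200, 13.4200),   # ~1 km, outside the zone
    (52.5200, 13.4300),   # ~1.7 km
]

if __name__ == "__main__":
    print("track reveals home zone:", intersects_zone(SAMPLE_TRACK, HOME_ZONE))
    kept, dropped = redact_track(SAMPLE_TRACK, [HOME_ZONE])
    print(f"dropped {dropped} samples near home, sharing {len(kept)} samples")
    print("redacted track still reveals home zone:", intersects_zone(kept, HOME_ZONE))
```

The same check can be run against any zone you care about (work, a child's school), and running intersects_zone before every upload catches the common case where a run is recorded from a new starting point that has not yet been added to the zone list.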
Keep your device up to date when prompted
As with any device, software updates often include critical security fixes. Keeping your fitness tracker up to date will ensure you have the latest security features and bug fixes in place.
Avoid using unsecured networks
Given the personal nature of the data which fitness trackers can collect, it’s advisable to avoid public Wi-Fi networks that could expose that data to risk.
Protect your anonymity with a VPN
One way you can protect your anonymity across devices is by using a VPN. A VPN protects your privacy by rerouting your data through its servers after encrypting it. For example, Kaspersky Secure Connection creates an encrypted tunnel between your devices and Kaspersky's internet servers so no one can read your online data.
Wearable technology like fitness trackers brings many benefits. In the future, they may help to save lives by detecting and slowing the spread of severe infections like Covid-19. But as well as celebrating technological advances, users must understand fitness tracker privacy risks and what steps they can take to mitigate them.