Do fitness trackers pose a privacy risk?

February 17, 2017

Dear Cecil:

I bought a Fitbit for my company's health challenge, and I was surprised to see how it could not only monitor steps but also track sleep, calories, and resting heart rate. This made me wonder what other information about me could be learned from these data. What are the privacy concerns? I don't care if my employer knows I ride my bike 50 miles a week, but could they know if someone was at the bar until 2 AM?

Cecil replies:

A nosy boss snooping on your off-the-clock peccadilloes may be the least of your worries. Fitness trackers can upload a nearly complete record of where you've been and what you've been doing during your every waking moment — and then how soundly you slept at night, too. As police and judges recognize the evidentiary value of such data, it's possible that every step you take can and will be used against you in a court of law. And most of these devices — Fitbit's the best known, but its competitors are legion — lack some basic security precautions. Even if you're one of those upstanding nothing-to-hide types, you might not want someone creeping in and tracking your movements, or worse.

Fitbit privacy has been a gradual process for maker and wearers alike. At first, the device's default settings made your online user profile public. Soon enough, those who hadn't paid attention to such details discovered that a quick Google search would turn up their Fitbit-measured activity — potentially including their, ahem, most intimate. Now publicly visible data is an opt-in, not an opt-out. Another privacy upgrade was a business necessity: In 2015, Fitbit voluntarily became compliant with the Health Insurance Portability and Accountability Act, the federal law that sets privacy and security requirements for medical info. Though HIPAA doesn't cover wearable devices (or online health-record storage, at-home paternity tests, or gene-testing companies, for that matter), Fitbit had to adopt its standards anyway in order to partner with corporate wellness programs.

But the big security hole for fitness trackers, according to a study published last year by the Canadian nonprofit Open Effect, is the way the wearable device gets your activity stats online for storage and review — namely via a Bluetooth link with your phone. Fitbit and most other popular wearables broadcast a single, unique Bluetooth address; whenever they’re not actually connected to a mobile device, the report warns, this allows for “long-term tracking of their location.” (The Apple Watch, which emits multiple randomized addresses, evidently does better on this front.) A Bluetooth signal can’t travel far — only about ten meters — but a set of monitors arrayed strategically in a mall could trail you from store to store, whether for overzealous inventory-control purposes or to build a profile of your shopping habits that marketers would pay well for.

Increasingly, law enforcement is also curious about what your Fitbit might have to say. The U.S. Supreme Court says police need a warrant to search your cell phone, so fitness trackers would probably be similarly protected; Fitbit's privacy policy allows that your data may be disclosed “if we're required to by law.” But where other tech companies including Google and Facebook regularly issue transparency reports, providing stats like how often the authorities have requested user info and how often the company has complied, Fitbit has yet to adopt such a policy.

And reported on or not, fitness tracker data is finding its way into legal proceedings. In 2015, a woman in Pennsylvania who told police she'd been raped was charged with making a false crime report after the cops found that tracking information from her Fitbit contradicted her story. A cyclists’ tracking app showed that Christopher Bucchere was over the speed limit when he rode his bike through a San Francisco crosswalk in 2012 and killed a 71-year-old pedestrian; he pleaded guilty to felony vehicular manslaughter. On the bright side, you might be able to use fitness stats on your own behalf as well: in a recent Canadian personal-injury case, lawyers for a former personal trainer have sought to introduce Fitbit data to demonstrate their client’s allegedly reduced level of activity following a car accident.

It may seem surprising how quickly insurers and courts are coming to accept tracker data as fact, given what seem to be real limits on the systems’ reliability. Independent studies have found that devices have difficulty consistently measuring heart rates accurately; the FDA announced last summer that it wouldn't regulate them. And tracker apps are hardly impervious to hacking — about a year ago, e-intruders busted into some Fitbit accounts and tinkered with user names and passwords, apparently hoping to use customer warranties to get replacement devices and sell them. The Open Effect study reports that some other fitness trackers are even more vulnerable, allowing hackers to delete or modify activity data, and you could do the same if you've got know-how and lack scruples. Modified heart-rate stats might convince an insurance company you're a fitter specimen than your doctor might think you are. And a tweaked itinerary? A solid alibi for the cops.
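As an added illustration of the Bluetooth-address point above (not part of the original column and not Open Effect's code): a Python audit of scan records for your own devices that classifies each advertised address and flags any device whose address stays fixed long enough to be followed. The scan records, device names and the 15-minute rotation threshold are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed scan log of your own devices: (time, advertiser address,
# TxAdd "random address" flag from the advertising PDU, advertised name).
SAMPLE_SCANS = [
    ("2017-02-01T08:00:00", "C4:5E:12:9A:00:01", True, "tracker-A"),
    ("2017-02-02T19:30:00", "C4:5E:12:9A:00:01", True, "tracker-A"),
    ("2017-02-03T07:45:00", "C4:5E:12:9A:00:01", True, "tracker-A"),
    ("2017-02-01T08:00:00", "4A:10:22:33:44:55", True, "watch-B"),
    ("2017-02-01T08:10:00", "4A:10:22:33:44:55", True, "watch-B"),
    ("2017-02-01T08:20:00", "5C:66:77:88:99:AA", True, "watch-B"),
    ("2017-02-02T19:30:00", "7B:0B:0C:0D:0E:0F", True, "watch-B"),
]

def address_kind(addr, is_random):
    """Classify a BLE device address by the two top bits of its first octet."""
    if not is_random:
        return "public"                      # fixed, manufacturer-assigned
    top_bits = int(addr.split(":")[0], 16) >> 6
    return {0b11: "random-static",           # fixed at least until power cycle
            0b01: "resolvable-private",      # rotates, resolvable with a key
            0b00: "non-resolvable-private",  # rotates, not resolvable
            }.get(top_bits, "reserved")

def audit(scans, max_lifetime=timedelta(minutes=15)):
    """Per device name: how many addresses it used, of which kinds, and
    whether any single address stayed observable long enough to follow."""
    seen = defaultdict(lambda: defaultdict(list))
    for ts, addr, is_random, name in scans:
        seen[name][(addr.upper(), is_random)].append(datetime.fromisoformat(ts))
    report = {}
    for name, addrs in seen.items():
        longest = max(max(t) - min(t) for t in addrs.values())
        kinds = sorted({address_kind(a, r) for a, r in addrs})
        fixed = any(k in ("public", "random-static") for k in kinds)
        report[name] = {"addresses": len(addrs), "kinds": kinds,
                        "longest_lifetime": longest,
                        "trackable": fixed or longest > max_lifetime}
    return report

if __name__ == "__main__":
    for name, row in audit(SAMPLE_SCANS).items():
        print(name, row)
```

Grouping by advertised name only works when auditing devices you own and can identify; a device that rotates its address properly is not expected to be linkable by address alone.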
