
Fitness Trackers

A popular method for collecting health data about individuals is to convince them to use a fitness tracker. Simple fitness trackers can be implemented as phone apps, which use the phone’s sensors to estimate steps and distance traveled. However, a more popular type of fitness tracker is the wearable type, which usually takes a wristwatch form factor and measures movement, heart rate, and other activity information.


Underestimating the Risks

Fitness trackers are risky devices: they capture medical information, yet their manufacturers are generally not HIPAA covered entities (health care providers, insurers, and their business associates), so the data they collect fall outside HIPAA's privacy rules. Even if the user of the device (or app) trusts the device manufacturer or app developer with their personal information, there can be significant cybersecurity risks with these devices and apps. For example, Under Armour suffered a massive data breach involving its MyFitnessPal nutrition app in 2018, affecting roughly 150 million accounts. The damage was compounded by a weak password storage choice: although most passwords were hashed with bcrypt, a portion had been hashed with SHA-1, a fast, unsalted general-purpose hash that makes those credentials far easier to crack once the database is stolen.1
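The following is an added example, not code from the page or from Under Armour, showing why the hashing choice matters once a credential database leaks. It uses constructed accounts and a toy dictionary, and stands in PBKDF2-HMAC-SHA256 (from the Python standard library) for bcrypt, since the point is the same: a per-user salt plus an iterated work factor. Account names, passwords, and iteration counts are all assumptions for the example.

```python
import hashlib
import os
import secrets

# Constructed sample accounts and a toy cracking dictionary (not breach data).
LEAKED_PASSWORDS = {
    "alice@example.com": "password123",
    "bob@example.com": "letmein",
    "carol@example.com": "Tr0ub4dor&3",
}
WORDLIST = ["123456", "password", "letmein", "qwerty", "password123", "iloveyou"]


def weak_store(password: str) -> str:
    """Plain SHA-1 of the password: no salt, no work factor."""
    return hashlib.sha1(password.encode()).hexdigest()


def strong_store(password: str, iterations: int = 200_000) -> str:
    """Per-user random salt plus an iterated KDF (PBKDF2-HMAC-SHA256 from the
    standard library, standing in for bcrypt/scrypt/Argon2)."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def strong_verify(stored: str, candidate: str) -> bool:
    """Recompute the KDF with the stored salt and compare in constant time."""
    _, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return secrets.compare_digest(dk.hex(), dk_hex)


def crack_unsalted(hashes: dict, wordlist: list) -> tuple:
    """Unsalted hashes fall to one table for the whole dump: hash each word
    once, then look every leaked hash up. Returns (cracked, hash calls)."""
    table = {weak_store(word): word for word in wordlist}
    cracked = {user: table[h] for user, h in hashes.items() if h in table}
    return cracked, len(wordlist)


def crack_salted(records: dict, wordlist: list) -> tuple:
    """Salted records share nothing: each (account, word) pair costs a full
    KDF run, and the work factor makes every run slow by design."""
    cracked, work = {}, 0
    for user, stored in records.items():
        for word in wordlist:
            work += 1
            if strong_verify(stored, word):
                cracked[user] = word
                break
    return cracked, work


def compare(iterations: int = 200_000) -> dict:
    """Crack the same accounts stored both ways and report the cost."""
    weak_dump = {u: weak_store(p) for u, p in LEAKED_PASSWORDS.items()}
    strong_dump = {u: strong_store(p, iterations) for u, p in LEAKED_PASSWORDS.items()}
    weak_cracked, weak_work = crack_unsalted(weak_dump, WORDLIST)
    strong_cracked, strong_work = crack_salted(strong_dump, WORDLIST)
    return {
        "weak_cracked": weak_cracked,
        "weak_hash_calls": weak_work,
        "strong_cracked": strong_cracked,
        "strong_kdf_calls": strong_work,
        "strong_kdf_iterations": strong_work * iterations,
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key}: {value}")
```

Two things to take from running it. First, the unsalted dump costs the attacker one hash per dictionary word no matter how many accounts leaked, because the same precomputed table serves every user; the salted store forces a separate KDF run per account and per guess, each deliberately slow. Second, the salted store still gives up "password123" and "letmein": a good KDF buys time and kills precomputed tables, but it does not rescue weak passwords, which is why breach notifications still tell users to change them.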

Users of fitness trackers consistently underestimate the privacy risk these apps and devices create, even when they understand the potential consequences of information leaks.2 Part of the problem is that users do not understand the extent to which these tools collect and report data, nor what can be inferred from those data (such as the user’s sexual orientation or religion). A second issue is that users underestimate how likely it is that a data breach will occur sooner or later.3 Ironically, research has shown that users are less willing to share their fitness data with their doctors than with companies, friends, or work colleagues.4

Sensitive Data Collection

While the average user of a fitness tracker might consider the benefits of the device to outweigh its risks, part of the problem with data collection arises from the fact that most users of these devices collect data 24/7 instead of just during workouts. As a result, these devices can detect and report sexual activity, complete with timestamps, duration, and calories burned. Even if the device itself doesn’t perform automatic sex detection, heart rate and motion data can be correlated to infer these activities. This inference has already been put to use in the real world: partners have caught their significant others cheating by noticing elevated heart rate and motion in the tracker’s data during times the partner was away for a suspicious reason. Changes in resting heart rate as measured by these devices have also been used to detect pregnancy.5
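The inference described above is not hard to do, which is the point. The following is an added example, not code from the page or from any tracker vendor, run over a constructed day of minute-by-minute heart rate and motion samples. It derives a resting baseline from the still minutes of the day (something only possible because the device is worn around the clock), then flags any sustained run of elevated heart rate combined with movement, with its start time, duration, and peak. The thresholds, the sample format, and the synthetic day are all assumptions for the example.

```python
from dataclasses import dataclass
from statistics import median


@dataclass
class Sample:
    minute: int       # minutes since midnight
    heart_rate: int   # beats per minute
    motion: float     # accelerometer magnitude, arbitrary units


@dataclass
class Episode:
    start: int        # minute of day the episode began
    duration: int     # minutes
    peak_hr: int


def resting_heart_rate(samples, still_motion=0.2):
    """Baseline from the still minutes of the day. With 24/7 data there are
    hundreds of such minutes (sleep, desk time), so the baseline is stable."""
    return median([s.heart_rate for s in samples if s.motion < still_motion])


def find_episodes(samples, hr_margin=30, motion_floor=0.5, min_minutes=10):
    """Flag sustained runs where heart rate sits well above baseline AND the
    device is moving. Threshold values are assumptions for this example."""
    baseline = resting_heart_rate(samples)
    episodes, run = [], []

    def flush():
        if len(run) >= min_minutes:
            peak = max(s.heart_rate for s in run)
            episodes.append(Episode(run[0].minute, len(run), peak))
        run.clear()

    for s in samples:
        if s.heart_rate >= baseline + hr_margin and s.motion >= motion_floor:
            run.append(s)
        else:
            flush()
    flush()
    return episodes


def build_day():
    """Constructed 24 hours of minute samples: asleep until 07:00, a run from
    07:00 to 07:30, a sedentary day, and a 15-minute bout late in the evening
    that the wearer never logged as a workout."""
    samples = []
    for m in range(24 * 60):
        if m < 7 * 60:
            hr, motion = 55, 0.05
        elif m < 7 * 60 + 30:
            hr, motion = 140, 2.0
        elif 23 * 60 <= m < 23 * 60 + 15:
            hr, motion = 110, 0.8
        else:
            hr, motion = 70, 0.1
        samples.append(Sample(m, hr, motion))
    return samples


def clock(minute):
    return f"{minute // 60:02d}:{minute % 60:02d}"


def report(samples):
    """Human-readable lines, one per flagged episode."""
    return [f"{clock(e.start)} for {e.duration} min, peak {e.peak_hr} bpm"
            for e in find_episodes(samples)]


if __name__ == "__main__":
    for line in report(build_day()):
        print(line)
```

Nothing here needs a machine-learning model or the vendor's own activity classifier: two raw sensor streams and a baseline are enough to produce a timestamped list of episodes, and the late-evening one looks nothing like the morning run to anyone reading the output. Any party holding the raw data, whether the vendor, a data buyer, or a partner with the account password, can run the same logic.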

Early in the days of the Fitbit, the default privacy settings for the device shared fitness information to a public profile that was set to allow search engine indexing. The device or service also tagged sexual activity automatically. Users’ sexual activities were therefore discoverable via a simple Google search.6 Speaking of Google, it completed its acquisition of Fitbit in January 2021 for $2.1 billion, giving it direct access to users’ fitness data.7

Mitigation

Fitness tracking apps and devices deliver numerous benefits to their users, to be sure. Unfortunately, they deliver even greater commercial benefits to the companies that create, sell, and collect data from them. Fitness tracking is itself not a new concept: people used to write down their exercise routines on paper, measure their pulse using a stopwatch and a finger on the wrist, and track their workouts by hand. Electronic step counters (pedometers) have existed since the 1960s.8 The only thing revolutionary about modern fitness trackers is the level of convenience they offer, but that convenience comes at a significant privacy cost. Given that the ability of companies to process and draw new inferences from existing data only seems to increase with time, the best recommendation I can give is not to use a commercial fitness tracker that shares any kind of information. The one exception to this recommendation would be for individuals with specific, chronic health conditions for whom the benefits of monitoring clearly outweigh the privacy risks.

While tracking fitness information by hand is certainly an option, there are open-source fitness apps and trackers that are readily available and have much stronger privacy protections. An example fitness app is OpenTracks, which can track and map workouts. This app can interface with simple Bluetooth sensors to gather heart rate and other information. Data are not sent to the cloud automatically, and there is even a build available that has no Internet access.9 The Pine64 PineTime smartwatch is a fully open-source watch that contains a heart rate sensor and an accelerometer for step counting.10 OpenTracks already has support for the PineTime watch as a sensor.11

Notes and References


  1. Lily Hay Newman. “The Under Armour Hack Was Even Worse Than It Had To Be.” Wired. March 30, 2018. 

  2. Sandra Gabriele and Sonia Chiasson. “Understanding Fitness Tracker Users’ Security and Privacy Knowledge, Attitudes and Behaviours.” CHI Conference on Human Factors in Computing Systems (CHI ‘20). Honolulu, HI, April 25-30, 2020. 

  3. Lev Velykoivanenko, Kavous Salehzadeh Niksirat, Noé Zufferey, Mathias Humbert, Kévin Huguenin, and Mauro Cherubini. “Are Those Steps Worth Your Privacy?: Fitness-Tracker Users’ Perceptions of Privacy and Utility.” Proceedings of the ACM on Interactive, Mobile, Wearable and Ubiquitous Technologies 5(4): 181:1-41. December 30, 2021. 

  4. Mohamed Abdelhamid. “Fitness Tracker Information and Privacy Management: Empirical Study.” Journal of Medical Internet Research 23(11). November 2021. 

  5. Becca Caddy. “From cheating to pregnancy reveals, wearables know what you’re doing intimately.” Inverse. March 21, 2020. 

  6. Leena Rao. “Sexual Activity Tracked By Fitbit Shows Up In Google Search Results.” TechCrunch. July 3, 2011. 

  7. Jon Porter and Nick Statt. “Google completes purchase of Fitbit.” The Verge. January 14, 2021. 

  8. Audrey Watters. The History of the Pedometer (and the Problems with Learning Analytics). June 22, 2017. 

  9. OpenTracks

  10. PineTime

  11. “pine time // Pine time.” OpenTracks Issue 1063. December 27, 2021. 

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.