Fitness wearables: Who's tracking who?

They are a hot product, since they can tell you so much about your health. The problem is fitness wearables can tell the same things to a lot of other people, from marketers to identity thieves

Fitness wearables are apparently in superb shape when it comes to collecting your health data: Heart rate, sleep patterns, steps taken per day, calories burned, weight gain or loss, mile splits, stress levels, location – even sexual activity or how you’re doing in your effort to quit smoking.

But they are in lousy shape when it comes to protecting that data and keeping it private.

And given the number of them in use – there were more than 13 million sold in the U.S. just in the last two years according to Statistica – there are more vocal warnings from Internet of Things (IoT) experts and privacy advocates that users need to be aware of how vulnerable their health data are, and how it could be used for identity theft, discrimination and more.

The makers of fitness trackers – the biggest names are Samsung, Pebble, Fitbit, Apple, Jawbone, Nike, Sony, Lenovo and LG – generally stress their commitment to privacy, and say they do not “sell” the data they collect.

But, as numerous experts note, selling is not the same as sharing or protecting. Theresa Payton, president and CEO of Fortalice and a former White House CIO, said fitness wearables and associated apps, “have a track record of poor privacy and security measures.


Theresa Payton, president and CEO, Fortalice

“The culprit is the innovation life cycle,” she said. “There is tremendous pressure to get cool and affordable products on the market at a dizzying speed. That means the time to put the devices in the lab and attack them like an adversary is too short or nonexistent.”

The resulting security flaws in hardware or companion apps, “often allow someone to track your whereabouts or your patterns,” she said.

While there has so far not been a reported catastrophic breach of one of the major fitness wearable companies, Craig Spiezle, executive director of the Online Trust Alliance (OTA), said that, “data can and has been captured off fitness bands easily with $100 and a determined adversary. As more of these devices are amassing data, the risk is increasing.”

And while Eva Velasquez, president and CEO of the Identity Theft Resource Center (ITRC), said she thinks fitness wearable data are “one step down” in privacy value from EHRs (electronic health records) that, “include enough PII (personally identifiable information) to commit ID theft almost immediately,” the trackers still include “sensitive information.”

She said data on heart rate, weight, food log, BMI (body mass index) and exercise are generally not enough on their own to allow identity theft, “but the privacy implications are there. We need to take a much closer look at where it’s valuable and who it’s valuable to.”


Eva Velasquez, president and CEO, Identity Theft Resource Center

Indeed, even if it does not contain specific PII, Spiezle noted that, “the data on wearables is unique to an individual and ultra-sensitive in the data types collected.”

Its value, especially when accumulated over time, can be significant, and more intimate than users may expect. If it is shared with insurers, it could affect the rates people pay. If it is shared with employers, it could affect job status.

Mother Jones reported in January 2014 that Ira Hunt, then the CIA’s chief technology officer, had said at a data conference in New York City that the agency, “likes these things (fitness trackers). What’s really most intriguing is that you can be 100% guaranteed to be identified by simply your gait – how you walk.”

Much more recently, just last month, Open Effect, along with the Citizen Lab at the Munk School of Global Affairs at the University of Toronto, released a report titled, “Every Step You Fake: A Comparative Analysis of Fitness Tracker Privacy and Security.” They studied eight popular fitness trackers and found that all but the Apple Watch, “wirelessly emit a persistent unique identifier over Bluetooth. This leakage lets third parties, such as shopping centers or others interested in location-based monitoring, collect and map out people’s movements over time.”

The study also found vulnerabilities that could allow the user or an intruder to manipulate the data generated, which would falsify activity levels.

Another privacy problem is the one that exists with virtually any connected device: Terms of service and privacy policies are long, complex and hard to read – most of them are 4,000 words or more. Beyond that, if a user does not check the “agree” box, thereby “consenting” to the policy, in many cases the device or app may limit functionality or it can’t be used at all.

[ MORE: Why smart devices and wearables will be security's new headache ]

Not surprisingly, experts agree that most users simply check the box without reading the policy. And that puts their information at risk. The Federal Trade Commission (FTC) reported in 2014 that when they studied a dozen health and fitness apps, they found they were collectively disseminating data to 76 third parties. One app alone shared data with 18 other entities.

Also in 2014, Jessica Rich, director of the Bureau for Consumer Protection at the FTC, said data from fitness trackers could end up in the hands of data brokers or other companies, and eventually be used, “to market other products and services to (users); make decisions about (their) eligibility for credit, employment, or insurance; and share with yet other companies.”

Even if it is shared voluntarily, with an employer or insurance company, the results could be unwelcome. “At the start, we may look at this as a great way for people to get a break on their medical or life insurance,” Velasquez said. “But what if I gain 20 pounds and my insurer knows I’ve stopped exercising regularly? I could see it first being an option, then being compulsory and then leading to penalties if you’re not meeting a standard.”

She also noted that if users share their fitness data with their health provider, and then the health provider gets breached, “that could be another entry point to their information.”

What to do about both risks has prompted intense discussion and is also the subject of a number of private sector initiatives.

The OTA formed the IoT Trustworthy Working Group about a year ago, and since then has published an “IoT Trust Framework” – 30 principles for building security and privacy into connected devices. Spiezle also moderated a panel at the recent RSA conference in San Francisco titled “Diffusing the IoT time bomb – Security and privacy trust code of conduct,” which discussed those principles.

The IEEE Center for Secure Design recently released a paper titled, “WearFit: Security Design Analysis of a Wearable Fitness Tracker,” which “created” a fictitious wearable aimed at showing how developers of fitness trackers can design a device that, “addresses each of the top 10 software security design flaws.”

Jacob West, cofounder of the center and lead author of the report, said he doesn’t think fitness trackers have more security vulnerabilities than other consumer devices, “but the challenge for any product company is to determine the right balance between security, functionality, and usability.”

To address that, he said, “we need to expand the focus in security away from simply finding and fixing bugs to include avoiding design flaws as well.”


Jacob West, cofounder, IEEE Center for Secure Design

West also said he thought market pressure could be effective. He said better-informed consumers who, “understand security and privacy and make buying decisions based on that knowledge,” could lead to improvements in both security and privacy.

Velasquez is a bit skeptical of market wisdom. “The market has failed (to cause product improvements) in the past,” she said. “But it does respond to losing customers.

“The way it needs to be framed is: ‘Today you’re not concerned, but at the pace we’re moving, in five years you will be.’”

Susan Grant, director of consumer protection at the Consumer Federation of America, shares the skepticism. “Bad publicity (about breaches) is helpful but not it's not enough because not everything that companies are up to gets exposed,” she said.

Grant called for a stronger “general” privacy law at the federal level, “or at the least, a specific law covering health devices and services that are not already subject to law.”

Spiezle called for consumers to have a true choice about how their data are used. “Non acceptance (of a privacy policy) should not impact the core functionality of the product,” he said.


Craig Spiezle, executive director, Online Trust Alliance

But Payton said the reality is that if consumers truly want to protect their privacy when using connected devices, “don’t wait for government or industry to do it for you. The standards are still emerging, and by the time they are adopted, they will be out of date.”

Payton offered several suggestions on how to do it yourself:

  • Give the device a name that is not your actual name.
  • Assign your device and corresponding account strong passwords that are unique to each.
  • Tedious or not, read the privacy policy. Most spell out how your data can be used. Then make sure your privacy settings don’t broadcast your whereabouts when using it.

“Many devices are designed to be open and social, and you may be shouting out your personal details and data unwittingly,” she said.

Spiezle suggested it may be time to shame the industry into providing better security. “In meetings last week a major brand told me the cost to protect the device would be 11 cents and potentially impact battery life as a reason to not make a change,” he said. “This is like Ford not willing to protect the gas tank in the Pinto.”

Join the CSO newsletter!

Error: Please check your email address.

More about AppleCSOFederal Trade CommissionFTCIEEEJawboneLenovoLGNikeRSASamsungSonyWest

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Taylor Armerding

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts