QUESTION: I bought a fitness tracker, hoping it will help me boost my physical activity. However, a friend said the device might expose my personal health information to snooping by Internet hackers. Should I be worried?
ANSWER: A recent study by researchers at the University of Toronto pointed to several security and privacy risks associated with wearable fitness trackers. But whether these are serious enough for you to stop using your device is really your call. You could be concerned – or not.
For their study, the researchers examined eight wrist-worn trackers, and the related apps, including the Apple Watch, Basis Peak, Fitbit Charge HR, Garmin Vivosmart, Jawbone UP2, Withings Pulse O2, Xiaomi Mi Band and Mio Fuse.
Only the Apple Watch was found to be free of privacy-related problems. All the others raised some red flags.
One of the key concerns is that fitness trackers use Bluetooth technology to send data to the users’ other gadgets, such as smartphones. When a fitness tracker is not synced or paired to another device, it constantly sends out a signal searching for a mate.
“It is basically saying, ‘I’m here, I’m here, connect with me’,” explains the study’s lead author, Andrew Hilts, who is executive director of Open Effect and a research fellow at Citizen Lab at U of T’s Munk School of Global Affairs.
Each fitness tracker’s signal has a unique ID called a Bluetooth MAC (Media Access Control) address. That means, when you wear a fitness tracker that’s not paired, it will be creating a digital trail with every step you take. In theory, your movements could be monitored if someone knows the specific ID of your device.
Apple Watches avoid this potential problem by routinely altering the MAC address, making them nearly impossible to track long term.
Yet even if you have another type of fitness tracker, Mr. Hilts acknowledges, “the risk of someone tracking the MAC address of your device and figuring out your identity from it is extremely low.”
However, it’s possible your MAC address could be obtained through the courts or some other means. He notes that information from fitness trackers is being employed for an increasing range of purposes. It’s being used as the basis for insurance discounts and entered as evidence in legal disputes. What’s more, some malls are now monitoring Bluetooth signals to map the flow of shoppers for marketing purposes.
But why should you care about this level of surveillance if you’re a law-abiding citizen? “I think people should consider the bigger picture of how every citizen’s location could be tracked and saved in a database somewhere,” says Mr. Hilts. “While we live in a relatively healthy democracy right now, do we want to establish a precedent where this sensitive data is being collected and could potentially be misused down the line?” he asks.
Of course, people can safeguard their digital footprints by simply syncing their fitness trackers with their cell phones at all times. That way their devices aren’t constantly transmitting connection signals that can be monitored by others.
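To check whether your own tracker keeps one fixed Bluetooth address or rotates it, as discussed above, you can log what a scanner sees over a few hours and compare the addresses. The script below is an added example, not part of the original column or the study; the log format, device labels, addresses and one-hour threshold are all assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed scan log: (timestamp, advertised address, label you gave the device).
# Every address and label here is made up for this example.
SIGHTINGS = [
    ("2024-02-01T08:00:00", "C4:7A:11:22:33:44", "tracker-A"),
    ("2024-02-01T08:10:00", "5B:02:9E:10:20:30", "watch-B"),
    ("2024-02-01T08:20:00", "5B:02:9E:10:20:30", "watch-B"),
    ("2024-02-01T08:30:00", "6F:D1:00:AA:BB:CC", "watch-B"),
    ("2024-02-01T09:00:00", "c4:7a:11:22:33:44", "tracker-A"),
    ("2024-02-01T09:30:00", "49:3C:77:01:02:03", "watch-B"),
    ("2024-02-01T12:00:00", "C4:7A:11:22:33:44", "tracker-A"),
    ("2024-02-01T12:01:00", "E0:11:22:33:44:55", "band-C"),
]

def rotation_report(sightings, max_lifetime=timedelta(hours=1)):
    """Per device: how many addresses were seen and how long one address lived."""
    spans = defaultdict(dict)  # label -> address -> [first_seen, last_seen]
    for ts, addr, label in sightings:
        t = datetime.fromisoformat(ts)
        addr = addr.upper()  # scanners differ in how they print hex digits
        first, last = spans[label].setdefault(addr, [t, t])
        spans[label][addr] = [min(first, t), max(last, t)]

    report = {}
    for label, addrs in spans.items():
        longest = max(last - first for first, last in addrs.values())
        start = min(first for first, _ in addrs.values())
        end = max(last for _, last in addrs.values())
        if longest > max_lifetime:
            verdict = "static"             # one address outlived the threshold
        elif end - start < max_lifetime:
            verdict = "insufficient data"  # not watched long enough to judge
        else:
            verdict = "rotating"           # every address was short-lived
        report[label] = {"addresses": len(addrs),
                         "longest_lifetime": longest,
                         "verdict": verdict}
    return report

if __name__ == "__main__":
    for label, row in sorted(rotation_report(SIGHTINGS).items()):
        print(label, row["addresses"], row["longest_lifetime"], row["verdict"])
```

A "static" verdict means the same address was visible for longer than the threshold, which is the behaviour the study flagged; a device seen only briefly is reported as "insufficient data" rather than guessed at.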
But even if you take this precaution, your privacy may still be put at risk, insists Mr. Hilts. The fitness-tracking companies are the de facto stewards of your personal information, he argues. Some devices, and their related apps, can amass a huge amount of data about your physical activity, heart rate, lifestyle and even the quality of your sleep. By “agreeing” to use their devices and apps, you are giving the makers of fitness trackers “a wide range of permissions on how they use the data that is collected and stored in their computer servers,” says Mr. Hilts. (The Apple Watch is the exception to the rule: The data is encrypted on your device before it is sent to the company.) In some cases, the corporate policies state that your data could be sold to a third party should the company go bankrupt.
To further complicate matters, the researchers also found that it’s possible to alter the data from some of the fitness trackers in order to create fake activity levels. It takes some technical know-how to be able to hack into the system and make false records. But a sedentary person could boost their daily step count by simply strapping their fitness tracker onto an energetic puppy. The fact that the information is vulnerable to manipulation should ring alarm bells if it’s used in future court cases, says Mr. Hilts.
Feeling nervous yet?
Well, those things don’t worry Dr. Kevin Imrie, Physician-In-Chief of Sunnybrook Health Sciences Centre.
He is actually a big fan of fitness trackers because they can help some people reflect on their overall physical activity and that can be a motivating force for change. He uses an Apple Watch to chart his own activity. “It has been very helpful for me. It encourages me to do more.” He even posts his results on a social networking website popular with runners and cyclists.
“Honestly, I wouldn’t be worried in the slightest that someone might be able to determine the number of steps I take in a day,” he says.
“My sense is that this risk to your privacy is small compared to other risks we take every day, such as online shopping.”
The bottom line, he adds, comes down to a fitness tracker’s ability to boost activity levels – and that varies from person to person. “Don’t use it, if you are not deriving value from it,” he says. “But it can be one of the most useful tools for someone who is looking to make a lifestyle change,” says Dr. Imrie.
Mr. Hilts agrees that, for some people, the benefits outweigh the risks. But he believes the public should at least be aware that the makers of fitness trackers have created potential privacy problems for their customers.
“I don’t think citizens should be responsible for making sure their devices are secure – that is the manufacturer’s job,” he says. “And if Canadians are concerned about these issues, they should get in touch with the fitness-tracking companies and let them know how they feel.”