Language selection

OPC Logo Office of the Privacy Commissioner of Canada

Search

Every Step You Fake: A Comparative Analysis of Fitness Tracker Privacy and Security

This page has been archived on the Web

Information identified as archived is provided for reference, research or recordkeeping purposes. It is not subject to the Government of Canada Web Standards and has not been altered or updated since it was archived. Please contact us to request a format other than those available.

Archived

This page has been archived on the Web.

Organization

Open Effect

Published

2016

Project Leader(s)

Andrew Hilts, Executive Director

Summary

Fitness tracking devices monitor heartbeats, measure steps, sleep, and tie into a larger ecosystem of goal setting, diet tracking, and other health activities. The researchers investigate the privacy and security properties of eight popular wearable fitness tracking systems. They use a variety of technical, policy, and legal methods to understand what data is being collected by fitness tracking devices and their associated mobile applications, what data is sent to remote servers, how the data is secured, with whom it may be shared, and how it might be used by companies.

The researchers are releasing the study background, the technical methodology, and their findings. Their key technical findings include:

  • Seven out of eight fitness tracking devices emit persistent unique identifiers (Bluetooth Media Access Control address) that can expose their wearers to long-term tracking of their location when the device is not paired, and connected to, a mobile device. Jawbone and Withings applications can be exploited to create fake fitness band records. Such fake records call into question the reliability of that fitness tracker data use in court cases and insurance programs.
  • The Garmin Connect applications (iPhone and Android) and Withings Health Mate (Android) application have security vulnerabilities that enable an unauthorized third-party to read, write, and delete user data.
  • Garmin Connect does not employ basic data transmission security practices for its iOS or Android applications and consequently exposes fitness information to surveillance or tampering.

The researchers sought contact with the seven fitness tracker companies whose products exhibited security vulnerabilities; Apple was not contacted because researchers found no technical vulnerabilities in the Apple Watch using their methodology. Fitbit, Intel (Basis), and Mio responded and engaged the researchers in a dialogue. Fitbit further expressed interest in exploring the topic of implementing Bluetooth privacy features in its communications with the researchers.

Overall, the research found that fitness data can provide detailed insights into people's lives. It is used in an increasing number of areas, such as insurance, corporate wellness and courts of law. The project indicates that consumers should be better informed about fitness tracking systems' privacy and security practices to help them determine whether or not they are comfortable with how their fitness data is being used.

This document is available in the following language(s):

English

OPC Funded Project

This project received funding support through the Office of the Privacy Commissioner of Canada’s Contributions Program. The opinions expressed in the summary and report(s) are those of the authors and do not necessarily reflect those of the Office of the Privacy Commissioner of Canada. Summaries have been provided by the project authors. Please note that the projects appear in their language of origin.

Contact Information

Twitter: @Open_Effect
Website: https://openeffect.ca

Date modified: