This post was updated on November 1, 2019.
Fitness and health apps are designed to help you record and quantify how much you exercise, what prescription drugs you take, even what birth control methods you use. While these apps can help improve your health, they can also put your privacy at risk. In the worst cases, they’ve put people in physical danger, such as revealing joggers’ home addresses and real-time location.
These types of apps have exploded in popularity over the past five years. In 2018, Fitbit alone had over 27 million users. Earlier this year, Strava claimed it had 42 million users—and that it was adding one million users each month. Given the sensitive data these apps collect and their poor record of protecting this data, these apps present a substantial threat to the privacy of their users.
What fitness apps know about you
Most fitness apps, like Fitbit, Strava, MapMyRun, Nike+ Run, and Asics Runkeeper, just to name a few, have a wearable device that syncs with your smartphone. That wearable device can collect a trove of information, including the number of steps you take, your heart rate, where you travel and when, your weight, and when you are awake or sleeping.
Health trackers are generally applications that you install on your phone. They rely on you to fill out forms about your health for data collection. Depending on what the app is targeting, it could range from standard questions about your health (Are you injured?) to questions about pretty sensitive topics (Do you use protection when you have sex?).
This data can be breached
Fitness app makers, just like every other industry, have suffered data breaches. The breach that hit UnderArmour’s MyFitnessPal in 2018 is the largest to date. It exposed the usernames, passwords, and email addresses of more than 150 million users. While hackers typically go after data they can easily monetize (like your credit card number) the thought that location data was exposed is especially troublesome. Given that joggers and bikers generally run and ride where they live, attackers could also identify where the user lived by looking at where the majority of their routes began and ended.
None of the other major fitness and health apps have suffered a major data breach. Unfortunately, there is little you can do to ensure an app is responsibly storing your data besides only sharing data with companies and organizations you trust.
Learn more about what to do if you are the victim of a data breach.
The ultimate data mine
Data sharing is the crux of the issue. Fitness app companies are often incentivized to share your valuable real-time health data with third parties, whether they are advertisers, law firms, or social networks like Facebook that profit from your sensitive information. If they were fully transparent about how your data was shared or how to adjust your privacy settings, users might be less likely to trust the apps. That’s why, to date, the fitness and health app industry has been dogged by scandals.
There are many valid reasons for an app to share data. It can lead to better service that the user wants. It can also be required by law for police investigations. But app makers don’t always treat the privacy of your sensitive information as a top priority.
There are three main ways fitness and health apps abuse your data:
- They automatically expose data right out of the box. If users want to use these apps and guard their privacy, they must update the privacy settings within the app or on their smartphone, which few users do.
Weak default privacy settings
A prime example of the first problem is the fitness app Strava and its Beacon feature, which betrays the real-time location of bikers and runners. This has made the app a gold mine for thieves.
Here’s how it works. Strava combines fitness tracking with a social media platform that allows its users to compete and interact with each other. For Strava to work, it needs access and permission to share your location data. It also has a “FlyBy” feature, which allows you to look up other Strava users you saw or passed while on your run.
However, you don’t need to be a Strava user to access the platform or look up routes. Once a route is selected, you can find out who it belongs to, look at that individual’s profile, and see where else they are likely to go running. This data can often be used to locate people’s homes. This issue is also present to a lesser extent for MapMyRun, Nike+ Run, and any app that tracks your runs and lets you share that data.
While the media fixated on military bases being exposed by soldiers’ jogging routes with Strava’s “HeatMap” feature, this data could be used to find and follow any Strava user.
In 2014, law enforcement attributed a sharp rise in bike thefts in the UK to thieves using Strava data. The same thing happened again in 2018.
“I don’t think a lot of people were aware that these mapping apps can basically give a huge amount of information to a would-be thief. So we need to have people checking their privacy,” said Adam Lang, a police officer who looked into the bike thefts in 2018.
Strava comes with privacy controls. Unfortunately, few users activate them, and it only takes a few runs to expose the location of your home. Furthermore, activating some of the privacy features, like disabling the “FlyBy” feature, undermine the usability of the app.
Vague privacy policies
The Flo ovulation tracker app stopped sharing data with Facebook after a Wall Street Journal story exposed similar data sharing without consent. (One thing that Flo, Maya, and MIA Fem have in common is that they were built with Facebook’s Software Development Kit (SDK), which lets developers incorporate features and lets Facebook collect user data so it can show targeted ads. Facebook’s SDK has been at the heart of many other privacy violations.)
Misleading privacy policies
HealthEngine is a popular app in Australia, used by over 1.5 million people to schedule doctor’s appointments. A recent investigation found that the app shared its users’ private medical information with local injury lawyers without their consent.
In the US, the health apps Cardiio and My Baby’s Beat and the fitness app Runtastic are being forced to revise their privacy policies after the Attorney General of New York said they were sharing data with third parties without clear consent.
What you should do to protect your privacy
It may be surprising that it’s even legal for apps to share people’s medical information so widely. But the US health privacy law, HIPAA, does not apply to information that customers collect for their own use. This means, in the majority of cases, fitness apps do not fall under the regulation.
New regulations in the US specifically targeting fitness and health apps could encourage developers to be more responsible with sensitive data, but so far there has not been any progress. Efforts by US senators to prevent the sale of private health data to insurers, mortgage lenders, and employers have not led anywhere.
The best way to stay private while using fitness tracking or health monitoring apps is to take matters into your own hands.
These are the most important steps you can take to stay safe:
- Check if there are privacy settings: Take the time to check the privacy settings. Preventing the app from sharing your data is good, but the most private solution is to prevent it from collecting data in the first place.
- Limit the data you enter in the app: Many of these apps collect more data than is necessary for them to serve their core function. Question whether you need to share that data to use the app. For example, there is no reason an ovulation tracker needs to know if you are having unprotected sex for it to function.
- When in doubt, ask: If you aren’t sure how a fitness app company plans to use your data, then send them an email and ask. (And if you do, let us know what they say!)
Fitness and health apps are great tools that can help motivate you to stay fit and track your progress. But you shouldn’t have to endanger your digital health for the sake of your physical health. It’s important to be aware that the apps you download can put your privacy at risk.
The Proton VPN Team
UPDATE Nov. 1, 2019: Google announced that it would be purchasing Fitbit for $2.1 billion. This raises the possibility of Google accessing Fitbit’s health data for advertising, but Google executives have said this will not be the case. In an email to customers, Fitbit’s CEO wrote, “We never sell your personal information, and Fitbit health and wellness data will not be used for Google ads.” The deal is expected to be finalized some time next year.
You can follow us on social media to stay up to date on the latest Proton VPN releases:
Twitter | Facebook | Reddit | Instagram
To get a free Proton Mail encrypted email account, visit: proton.me/mail
Just bought an inexpensive smartwatch on Amazon. Was surprised at how many permissions were required in order for the app to even load. I was unable to selectively deactivate certain permissions such as my Contacts, it was all or nothing, even though I had no intention of receiving messages on the phone. Kinda creepy.
Enjoyed this article.
Currently looking for open source fitness app with social to quickstart development.
Will definitely keep privacy in mind.
Thanks for writing this. If someone wants to get the benefits of a health tracker without the privacy concerns what are the best options? Is Apple’s Health app the most trustworthy one? Are there good open source apps?
Thanks for reading. This can be a bit hard to generalize since there are so many different types of health trackers. In general, fitness apps that collect location data or encourage social sharing make it more difficult to keep your data private. Apple’s Health app is a decent alternative, and Apple has made its privacy controls pretty straightforward. In the past, I used StrongLifts 5×5. They do not advertise and they state that they do not sell your data. Unfortunately I don’t know of any good or reputable open source fitness apps. If I come across one, I’ll come back here with it.
Thanks for the great questions!
Your aggressive and finger pointing journalism is noted.
Comments are closed.