Fitness Trackers: A Way to Good Health or a Big Privacy Threat
Since their first appearance on the consumer market, people from all around the world have fallen in love with fitness trackers. Data from Statistica reveal that there were more than 13 million sold in the United States in just the last two years. These devices are great at keeping people motivated to adhere to healthy exercise habits, monitor their daily caloric intake, or watch out for dangerously high stress levels. But many security experts and technology analysts are unsure whether they are equally great at protecting all the associated private data.A typical fitness tracker (also known as activity tracker) is an electronic device fitted with a wide assortment of specialized sensors that measure anything from heart rate to the quality of sleep, distance walked, body and ambient temperature, elevation, acceleration, speed, position, or calorie consumption. We can expect that future fitness trackers will be FDA-approved devices capable of alerting users to medical problems and suggesting the best possible remedy or action to take.
Integrated sensors collect various information, which are then both processed locally to display results on the device itself and sent to the cloud in order to allow for multi-platform access and management. This is exactly where the biggest problem is: most users are not aware of how their data are being used, who exactly can access them, and how they could be used for identity theft in case it falls into the wrong hands.
This is not surprising at all. With the average terms of service agreement nearing 5,000 words, the temptation to skip all that hassle and just click on the “agree” button is very high. However, when customers do so, they unknowingly give access to their private data to third-party companies, as discovered by the Federal Trade Commission (FTC) in 2014. The commission reported that a sample of a dozen health and fitness apps collectively sent data to 76 third parties. What exactly can those third-party companies do with users’ data is only between them and the manufacturer of the particular fitness tracking device.
To outline some of the contemporary data handling issues in this industry segment, Open Effect, a Canadian not-for-profit that conducts research and advocacy efforts focused on ensuring people’s personal data is treated securely and accountably, create a report called Every Step You Take.
They studied some of the most popular fitness tracking applications in the Google Play store as of mid-2015 and asked the following questions: What technical security mechanisms are in place? How could they be exploited? What categories of data does each device actually collect?
All device except for one transmitted their data over the internet. In some cases, this included sensitive and unnecessary information such as the IMEI number or fine-grained location data. Out of all devices, only the Apple Watch randomized the MAC address as a protective measure against persistent monitoring of the wearer’s presence. What’s much more alarming than the absence of the MAC address randomization is Garmin’s failure to implement HTTPS encryption to secure the transmission of personal information. The company has since then corrected this flaw, but nobody can know for sure how many other devices on the market remain similarly defenseless against even the most basic types of attacks.
As explained by Theresa Payton, president and CEO of Fortalice and a former White House CIO, “The culprit is the innovation life cycle. There is tremendous pressure to get cool and affordable products on the market at a dizzying speed.” She went on to say that wearables and associated apps “have a track record of poor privacy and security measures.”
A good news is that substantial effort has been and is being made to protect the privacy and security of end-users. The IEEE Center for Secure Design released a paper titled, “WearFit: Security Design Analysis of a Wearable Fitness Tracker,” to “addresses each of the top 10 software security design flaws” of fitness trackers and show developers of these devices how to design a product that meets all modern security standards.
Their WearFit system is an imaginary wearable personal health monitoring device that resembles many currently available products. The device can measure step count and heart rate and sends the data to a compatible mobile application, which then communicates with the platform backend. Many common attack vectors were taken into consideration, including Denial of Service (DoS), falsifying the users’ data, stealing users’ data via SQL injection or phishing, and, for example, compromising device integrity with malicious firmware updates.
It’s hard to predict what future holds for fitness trackers. As customers are becoming increasingly more conscious of their privacy and security, companies will have to ensure that their products are free of any vulnerabilities that could lead to a data leakage or a loss of sensitive information. Customers themselves should demand a high level of transparency when it comes to how exactly their data are handled and used. Only then we’ll be able to embrace all latest technological innovations and used them to improve our daily lives.