Before strapping on that fitness device, check out the privacy policy
If you’re a fitness geek, you might wear a device that counts your steps or use a mobile app that logs your workouts. You might even sport a smartwatch that collects your heart rate and other vitals.
And you’d have plenty of company. Hundreds of millions of consumers have downloaded a fitness app or donned an activity tracker. Under Armour, which owns the Endomondo and MapMyFitness apps, as well as a line of connected sportswear, boasts a network of nearly 200 million users all by itself.
While using this type of technology—from any number of companies—could help you get or stay fit, it might not be so healthy for your personal privacy.
In a December 2016 report, the Center for Digital Democracy warned that the makers of fitness apps and wearables could end up selling your health information to the highest bidder.
“After financial data, health data is the most lucrative information for sale,” says Jeff Chester, executive director of CDD and one of the report’s three authors. “We see companies making a substantial investment in collecting our health information and monetizing it in real time.”
Your health data, Chester warns, could be used in ways you might never be aware of.
“If this information is shared with insurance companies or employers, it could affect your career,” he says. “They’re going to have exact information about you—what you eat, what you do, how sedentary you are, and whether you go to the doctor. It could raise your rates for health and life insurance, and [it] opens the door to a new set of problems, penalizing people for their behavior in an unfair way.”
Where the rubber meets the road
Fitness apps and devices can track how far (and where) you run or cycle. Depending on their design and purpose, they can record your heart rate, blood pressure, body temperature, glucose levels, or sleep patterns.
They might even track how often you have sex. In March, a British company announced a “smart condom”—a ring that slips over the base of a prophylactic—designed to clock a user’s performance between the sheets and detect STDs.
That data, combined with other information you provide, such as your gender, ethnicity, weight, and dietary habits, can develop into a perfect storm of intensely personal information. And there are few, if any, U.S. regulations surrounding the creation, manipulation, and exposure of that data storm.
Data your doctor collects about you, such as your blood pressure, is partly protected by the Health Insurance Portability and Accountability Act (HIPAA), which limits who can access your personal health information and what they can do with it. The same would be true of data collected by devices your doctor or other HIPAA-covered entities give you, notes Paul Lanois, an attorney who specializes in privacy and technology.
The fitness gadget you bought online or over the counter is another story. Because HIPAA does not apply to open-market consumer technology, “the key factor is consent,” Lanois says. “What companies can do with your data depends on what you consented to when you signed up. That’s usually buried in their terms and conditions, which most people don’t read.”
Under Armour, for its part, reserves the right to use the data it collects to target mobile ads to app users. And when it detects that an app user is inside one of its retail stores, it may push special offers her way.
Your protections, Lanois says, are only as good as a company’s privacy policy. If you don’t like it, you shouldn’t use it.
Another big consideration: security.
A February 2016 study by researchers in Toronto found that devices from Fitbit, Jawbone, Withings, Garmin, and Intel broadcast persistent unique identifiers over Bluetooth that could help third parties track a wearer’s movements. Two of those companies’ apps, Garmin Connect and Withings Health Mate, had transmitted users’ health data in the clear, over unencrypted connections, potentially allowing anyone on the same network to read it. (Shortly after the report appeared, Garmin fixed the flaw by encrypting users’ data in transit; a Withings representative says the company did the same.)
A newer study by AV-Test Labs found that 60 free e-health apps share information with ad networks and analytics companies, most transmitting information without encrypting it first, and 4 out of 5 lacking comprehensive privacy policies.
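The two findings above, cleartext transmission of health data and sharing with ad and analytics networks, are the kind of thing a reader can check for an app of their own by routing the phone’s traffic through a logging proxy and auditing the requests. The script below is an added example, not code from the article or from any vendor it names; the log format, the hostnames (fitapp.example, adnet.example, analytics.example) and the list of health fields are constructed assumptions for illustration, and the sample log is made up rather than captured from any real app.

```python
"""Audit constructed fitness-app traffic logs for cleartext and third-party health data.

Added example, not code from the article or from any vendor it names. The log
format, hostnames and field names are constructed for illustration.
"""
import json
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit

# Request fields treated as health data (an assumption; extend for the app under test).
HEALTH_FIELDS = {"heart_rate", "steps", "weight", "glucose", "sleep", "blood_pressure"}

# Hypothetical first-party domain of the app under test; anything else is third party.
FIRST_PARTY_DOMAIN = "fitapp.example"

# Constructed log: "METHOD | URL | BODY" with "-" for an empty body. Not a real capture.
SAMPLE_LOG = [
    'POST | https://api.fitapp.example/v1/sync | {"user":"u123","steps":8421,"heart_rate":72}',
    'POST | http://api.fitapp.example/v1/sync | {"user":"u123","heart_rate":72}',
    "GET | https://track.adnet.example/pixel?uid=abc&weight=81 | -",
    "GET | http://stats.analytics.example/e?app=fit&sleep=6.5 | -",
    "GET | https://track.adnet.example/init?device_id=6f3a | -",
]


@dataclass(frozen=True)
class Finding:
    line_no: int
    host: str
    issue: str
    fields: tuple


def extract_health_fields(url: str, body: str) -> tuple:
    """Return health-field names found in the query string or a JSON object body."""
    names = set(parse_qs(urlsplit(url).query))
    if body and body != "-":
        try:
            payload = json.loads(body)
        except ValueError:
            payload = None
        if isinstance(payload, dict):
            names.update(payload)
    return tuple(sorted(names & HEALTH_FIELDS))


def is_third_party(host: str) -> bool:
    """A host is first party only if it is the app's domain or a subdomain of it."""
    return host != FIRST_PARTY_DOMAIN and not host.endswith("." + FIRST_PARTY_DOMAIN)


def audit(log_lines) -> list:
    """Flag health data sent without TLS and any contact with third-party hosts."""
    findings = []
    for line_no, line in enumerate(log_lines, start=1):
        _method, url, body = (part.strip() for part in line.split(" | ", 2))
        parts = urlsplit(url)
        host = parts.hostname or ""
        fields = extract_health_fields(url, body)
        # Health fields over plain http are readable by anyone on the path.
        if fields and parts.scheme != "https":
            findings.append(Finding(line_no, host, "cleartext-health-data", fields))
        # Third-party hosts get a finding even without health fields: a device or
        # user id sent to an ad network is itself a tracking signal.
        if is_third_party(host):
            if fields:
                findings.append(Finding(line_no, host, "third-party-health-data", fields))
            else:
                findings.append(Finding(line_no, host, "third-party-contact", ()))
    return findings


def summarize(findings) -> dict:
    """Count findings per issue type."""
    counts = {}
    for f in findings:
        counts[f.issue] = counts.get(f.issue, 0) + 1
    return counts


if __name__ == "__main__":
    results = audit(SAMPLE_LOG)
    for f in results:
        print(f"line {f.line_no}: {f.issue} -> {f.host} {list(f.fields)}")
    print(summarize(results))
```

Run against the constructed log, the audit reports nothing for the first line (health fields, but HTTPS to the app’s own server), a cleartext finding for the second, third-party findings for the ad and analytics hosts, and both issues at once for the fourth line. The third-party check is deliberately crude (anything not under the app’s own domain), so a real audit would add an allowlist for the app’s CDN and cloud backends before treating the rest as trackers.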
Up close and personal
This doesn’t mean that all makers of fitness products will (or would) compromise customer privacy, but “we’re still a bit in Wild West territory,” says Jon Thomas, co-founder of wearables maker Minna Life, which designed its kGoal device to help women strengthen pelvic muscles, especially following vaginal childbirth, to improve bladder control.
Minna, Thomas says, collects just email addresses, time stamps, and Kegel exercise results.
“When we set out to do this in 2014, there wasn’t really a guide for best [privacy] practices, so we had to come up with one ourselves,” he says. “It would be useful to know our users’ names, ages, and whether they have kids, but that feels intrusive and unnecessary at this point.”
As we wait for the wearables industry to adopt clear privacy and security standards, or even to hold itself to privacy rules like HIPAA’s, CDD’s Chester says we should think twice before strapping on a fitness device.
“We’re on the verge of new territory, where all information connected to us or related to our health is used without our consent or knowledge,” he says. “It’s a privacy problem, a security problem, and a consumer protection problem.”