A report on fitness tracker activity has just been published by OpenEffect, Canadian not-for-profit applied research organization focusing on digital privacy and security, and The Citizen Lab at the Munk School of Global Affairs, University of Toronto. The scope of this report is as follows:
Every Step You Fake explores what information is collected by the companies which develop and sell some of the most popular wearables in North America. Moreover, it explores whether there are differences between the information that is collected by the devices2 and what companies say they collect, and what they subsequently provide to consumers when compelled to disclose all the personal information that companies hold about residents of Canada.
The report does not contain any conclusions or specific recommendations yet, so this is obviously very preliminary at this point. Some points raised, however, include:
- Seven of the eight wearables tested revealed unique Bluetooth identifiers that allowed them to be tracked by nearby Bluetooth beacons. Beacons are used more and more in stores and malls to profile shoppers and push tailored offers.
- While the devices themselves show the wearers’ location, the accompanying apps provide more personal information, e.g., they failed to protect against interception and tampering when they were transmitting data between smartphone, wearable, and the wearable company’s own servers.
I have worn a fitness tracker for some years now, and I tend to not have my Bluetooth device active on my smartphone when I am away from home. I sync my wearable device when I am at home. I’m not sure how much protection this affords me. The default setting on my Bluetooth is to not make the device visible to anyone other than me, but I’m not sure if this is sufficient. I minimize the information I load to my tracker; I don’t include what I’ve eaten, or track my sleep, so at least I do control how much of my personal information is tracked. Still, this report does raise a few red flags, even as preliminary as it may be.