USA TODAY International Edition
Does your fitness app protect your info?
Justin Brookman was urged by his doctor to use a fitness tracker.
“I told her no,” Brookman, Consumer Reports’ director of consumer privacy and technology policy, told USA TODAY Sports. “I just try to make sure I work out four times a week. I don’t trust the companies.”
Brookman said he also decided to go against his doctor’s advice because of trackers’ reliance on third- party cloud services and not wanting to lose control of his information. “They could be making bad choices or get breached,” he said.
Concerns over what information is kept and shared by applications that run on smartphones crop up regularly. FaceApp drew scrutiny this summer
after many used it to project what they’ll look like as they age.
Fitness- tracking devices and apps, however, log a different set of user data – from heart rate to location – that can prove valuable to more than just marketers.
USA TODAY Sports examined what popular fitness- tracking hardware and app companies such as Apple, Fitbit and Strava state in those privacy statements and terms of service. Some share information with third parties.
Fitbit said it “may share non- personal information that is aggregated or de- identified so that it cannot reasonably be used to identify an individual.”
“We may disclose such information publicly and to third parties, for example, in public reports about exercise and activity, to partners under agreement with us, or as part of the community bench- marking information we provide to users of our subscription services,” Fitbit told USA TODAY Sports.
There’s no federal law that prevents the sale of most fitness- related information to third parties. Such information is not covered by the Health Insurance Portability and Accountability Act ( HIPAA).
Brookman said the data can be bundled and sold to advertisers and hedge funds. Five years ago in a news release, Sen. Charles Schumer, D- New York, advocated for the Federal Trade Commission to create rules that would prevent “insurers, mortgage lenders or employers” from purchasing fitness data.
Jen King, director of consumer privacy at Stanford Law School’s Center for Internet and Society, said the information provided by companies might not be as devoid of details as users may think. “People think, ‘ Why would that hurt me? It’s anonymized,’ ” King said. “But there’s location information attached. People start and stop their runs at their house. People don’t think about that level of abstraction. I think there is a little more propensity to assume it won’t come back and hurt you.”
Anonymous doesn’t always mean anonymous
So- called anonymized information collected by tech companies has shown it is not always so anonymous, an issue that goes back more than a decade.
AOL, for example, published random ID numbers from about 650,000 users that showed the searches that person did over the course of several weeks, making it fairly easy to figure out that user’s identity. AOL made that information public – at least for a short time – before it was taken down amid a vocal uproar and, yes, threat of a boycott.
That was summer 2006. A year later, Netflix released a cache of data publicly and researchers were able to cross- reference that info with IMDb reviews to identify many Netflix subscribers.
Strava, which is as much a social network for runners and cyclists as a fitness- tracking app developer, faced scrutiny last year over worries its global heat map – which uses GPS information to map the activity of millions of users – could reveal secret military bases and troop movements around the world. Strava made changes as a result, including making it easier to opt out of sharing such information.
Another way such information can boomerang is if you are using a fitness tracker while you commit a crime, as former NFL player Kellen Winslow II allegedly did last year.
A year ago, USA TODAY Sports published a story that detailed a Winslow bike ride in May 2018 that coincided with an allegation that he exposed himself to a 59- year- old woman. The information of that ride was posted to Winslow’s verified Strava page. That led investigators on the case to send a preservation request to Strava and, prosecutors said in court, investigators followed up days later with a search warrant for the information of that ride.
“Strava responded that they no longer had the backup data for the information that was available online because the user had deleted his account,” San Diego County Deputy District Attorney Dan Owens told the judge.
Strava spokesperson Andrew Vontz pointed USA TODAY Sports to its privacy policy that states “once deleted, your data, including your account, activities and place on leaderboards cannot be reinstated.”
Vontz didn’t respond to an inquiry related to Strava’s inability to preserve the data after it had received the preservation request or if efforts had been made to retrieve the deleted data.
The Strava info, however, was allowed into the trial and on June 10, Winslow, 36, was convicted of raping Jane Doe No. 2 and two counts of committing a lewd act – including the one detailed in his ride.
‘ Most companies reluctant’ to share data
Fitness trackers can also exonerate individuals wearing them.
Nicole VanderHeyden, 31, was murdered in the early- morning hours of May 21, 2016, outside the Wisconsin home she shared with her boyfriend and their infant son. The police investigation quickly zeroed in on the boyfriend, with whom VanderHeyden had quarreled the night before, witnesses reported. But then investigators learned the boyfriend’s Fitbit revealed he had been sleeping that night and that he’d taken just a few steps, probably to the bathroom and back, near the period when she probably had been murdered.
The reliability of Fitbit data became a hotly debated issue during pre- trial motion hearings, although Brown County Circuit Judge John Zakowski ruled Fitbit’s pedometer feature and resulting measurements would be allowed.
“Most companies are reluctant to hand over their users’ data,” King said. “It’s due to the reputational damage they will suffer. Generally they aren’t pretending to fight. Most understand that if they start cooperating with law enforcement they will quickly open themselves up to many, many similar requests, and then come the requests from civil suits. Before you know it, you need a huge compliance and paralegal team to keep up, with no financial benefit for the company.”
Fitbit said in a statement that it doesn’t comment on specific cases.
“Like many companies, Fitbit responds to valid legal process issued in compliance with applicable law,” Fitbit said in a statement to USA TODAY Sports. “Respect for the privacy of our users drives our approach. Our policy is to notify our users of legal process seeking access to their information unless we are prohibited by law from doing so as explained in our privacy policy. When we receive a request, our team reviews it to make sure it satisfies legal requirements and Fitbit’s policies, and Fitbit will only disclose data pursuant to a valid search warrant.”
How do companies handle requests for your data?
Fitness app developers Strava and Under Armour ( the parent company of popular fitness apps like MapMyFitness and UA Record) declined to state how many requests they had received for user information from U. S. law enforcement and how many of those requests led to data being turned over.
Garmin and Fitbit – which make hardware and software – also declined to answer questions related to the number of requests received.
“We don’t share any information about how many times we have given law enforcement data pursuant to court orders, subpoenas, etc.,” Garmin said in a statement to USA TODAY Sports. “It is not a normal part of our operations, and it happens relatively infrequently.”
Asics – the footwear company that acquired the popular running app Runkeeper – and Nike ( Nike+ Run app) did not respond to multiple USA TODAY Sports requests for information related to its policies.
Apple and Google – the two dominant smartphone companies where these apps are used – regularly publish statistics on government requests for information as long as those requests don’t involve national security. In 2018, Apple received 5,066 – nearly all via subpoenas or search warrants – from U. S. law enforcement agencies and provided information between 87- 88% of the time. Google, likely due to its widely used online services like Gmail and Google Maps, took in 43,683 requests from U. S. law enforcement and provided data 81- 82% of the time.
Those statistics do not include National Security Letters and requests made under the Foreign Intelligence Surveillance Act ( FISA). Companies are precluded from releasing precise figures on those requests, and when they are authorized, even those numbers must be delayed by six months.
Neither company broke down exactly which devices or services were targeted in those requests, although fitness- related data are a tiny fraction of those requests, a person with knowledge of the process told USA TODAY Sports. The person was granted anonymity because the information is not publicly disclosed.
Moreover, law enforcement – or anyone else – would find it difficult to get information from Apple as it pertains to its fitness app built into the Apple Watch. That information is encrypted and stored in the user’s HealthKit database.
Although Apple and Google have tightened privacy restrictions for apps available on their respective app stores, Stanford’s King said much of the responsibility for data lies with individual users.
“I have a Fitbit and I feel I have a decent grasp on what it tracks,” King said. “I noticed that when I went through the configuration process it asked me for a lot more stuff than I was willing to give it, but I wasn’t required to give them everything. With the Fitbit, for example, I could track my period. Do I want them to have that information about my life?”
Contributing: Paul Srubas of the ( Green Bay, Wisconsin) Press- Gazette