Fitness apps are good for your health, but often bad for your privacy

Posted on October 31st, 2019 by in Privacy deep dives.

Fitness and health apps collect sensitve data that they often expose or share with third parties.

 

This post was updated on November 1, 2019.

Fitness and health apps are designed to help you record and quantify how much you exercise, what prescription drugs you take, even what birth control methods you use. While these apps can help improve your health, they can also put your privacy at risk. In the worst cases, they’ve put people in physical danger, such as revealing joggers’ home addresses and real-time location.

Many of these apps expose sensitive information or share it with dozens of third parties, including Facebook, without giving users the full details in their privacy policy. This information can include sensitive location data, confidential medical data, or even highly personal information, like whether or not you are having unprotected sex.

These types of apps have exploded in popularity over the past five years. In 2018, Fitbit alone had over 27 million users. Earlier this year, Strava claimed it had 42 million users—and that it was adding one million users each month. Given the sensitive data these apps collect and their poor record of protecting this data, these apps present a substantial threat to the privacy of their users.

What fitness apps know about you

Most fitness apps, like Fitbit, Strava, MapMyRun, Nike+ Run, and Asics Runkeeper, just to name a few, have a wearable device that syncs with your smartphone. That wearable device can collect a trove of information, including the number of steps you take, your heart rate, where you travel and when, your weight, and when you are awake or sleeping.

Health trackers are generally applications that you install on your phone. They rely on you to fill out forms about your health for data collection. Depending on what the app is targeting, it could range from standard questions about your health (Are you injured?) to questions about pretty sensitive topics (Do you use protection when you have sex?).

This data can be breached

Fitness app makers, just like every other industry, have suffered data breaches. The breach that hit UnderArmour’s MyFitnessPal in 2018 is the largest to date. It exposed the usernames, passwords, and email addresses of more than 150 million users. While hackers typically go after data they can easily monetize (like your credit card number) the thought that location data was exposed is especially troublesome. Given that joggers and bikers generally run and ride where they live, attackers could also identify where the user lived by looking at where the majority of their routes began and ended.

None of the other major fitness and health apps have suffered a major data breach. Unfortunately, there is little you can do to ensure an app is responsibly storing your data besides only sharing data with companies and organizations you trust.

Learn more about what to do if you are the victim of a data breach.

The ultimate data mine

Data sharing is the crux of the issue. Fitness app companies are often incentivized to share your valuable real-time health data with third parties, whether they are advertisers, law firms, or social networks like Facebook that profit from your sensitive information. If they were fully transparent about how your data was shared or how to adjust your privacy settings, users might be less likely to trust the apps. That’s why, to date, the fitness and health app industry has been dogged by scandals.

There are many valid reasons for an app to share data. It can lead to better service that the user wants. It can also be required by law for police investigations. But app makers don’t always treat the privacy of your sensitive information as a top priority.

There are three main ways fitness and health apps abuse your data:

  1. They automatically expose data right out of the box. If users want to use these apps and guard their privacy, they must update the privacy settings within the app or on their smartphone, which few users do.
  2. Their privacy policies are vague. A privacy policy that states, “We may share your information with our sponsors, and/or business partners,” does not give the user enough information to make an informed decision.
  3. Their privacy policies are misleading. In some instances, apps do not disclose how the data is used in their privacy policy. They hide it in a separate document or disguise it in confusing legalese. Other, smaller health apps might not have a privacy policy at all

Weak default privacy settings

A prime example of the first problem is the fitness app Strava and its Beacon feature, which betrays the real-time location of bikers and runners. This has made the app a gold mine for thieves.

Here’s how it works. Strava combines fitness tracking with a social media platform that allows its users to compete and interact with each other. For Strava to work, it needs access and permission to share your location data. It also has a “FlyBy” feature, which allows you to look up other Strava users you saw or passed while on your run.

However, you don’t need to be a Strava user to access the platform or look up routes. Once a route is selected, you can find out who it belongs to, look at that individual’s profile, and see where else they are likely to go running. This data can often be used to locate people’s homes. This issue is also present to a lesser extent for MapMyRun, Nike+ Run, and any app that tracks your runs and lets you share that data.

While the media fixated on military bases being exposed by soldiers’ jogging routes with Strava’s “HeatMap” feature, this data could be used to find and follow any Strava user.

In 2014, law enforcement attributed a sharp rise in bike thefts in the UK to thieves using Strava data. The same thing happened again in 2018.

“I don’t think a lot of people were aware that these mapping apps can basically give a huge amount of information to a would-be thief. So we need to have people checking their privacy,” said Adam Lang, a police officer who looked into the bike thefts in 2018.

Strava comes with privacy controls. Unfortunately, few users activate them, and it only takes a few runs to expose the location of your home. Furthermore, activating some of the privacy features, like disabling the “FlyBy” feature, undermine the usability of the app. 

Vague privacy policies

The example above — “We may share your information with our sponsors, and/or business partners” — is not a hypothetical. It comes from the privacy policy of the ovulation tracker Maya, which claims to have more than eight million users worldwide. This is not sufficient information for a user to give their informed consent. Nowhere in Maya’s policy do they list the type of data they share or which organizations they share it with.

This is especially concerning considering the type of data Maya collects, which includes information about your mood, what kind of contraception you are using, whether you are having sex, and whether you are using protection. A report by Privacy International exposed the vague policy and the fact that Maya is sharing data with several third parties, including Facebook. The report also highlighted the ovulation tracker MIA Fem. MIA Fem had an equally vague privacy policy but has since updated it to reflect what data goes to which partners. It is just the latest health app to adjust its privacy policy after being caught sharing data without informing its users.

The Flo ovulation tracker app stopped sharing data with Facebook after a Wall Street Journal story exposed similar data sharing without consent. (One thing that Flo, Maya, and MIA Fem have in common is that they were built with Facebook’s Software Development Kit (SDK), which lets developers incorporate features and lets Facebook collect user data so it can show targeted ads. Facebook’s SDK has been at the heart of many other privacy violations.) 

Misleading privacy policies

HealthEngine is a popular app in Australia, used by over 1.5 million people to schedule doctor’s appointments. A recent investigation found that the app shared its users’ private medical information with local injury lawyers without their consent.

Users were asked if they had been involved in a car accident or suffered a work-related injury. If they answered yes, the app notified injury lawyers about the details of their health problems. At no point were users asked if they consented to having their data shared with lawyers, nor was there any mention of their data being shared with lawyers in HealthEngine’s privacy policy. The fact that their private medical data would be sent to a law firm was only revealed in a separate “Collection Statement.” The only way users could opt out of this data sharing was to not use the app.

In the US, the health apps Cardiio and My Baby’s Beat and the fitness app Runtastic are being forced to revise their privacy policies after the Attorney General of New York said they were sharing data with third parties without clear consent. 

What you should do to protect your privacy

It may be surprising that it’s even legal for apps to share people’s medical information so widely. But the US health privacy law, HIPAA, does not apply to information that customers collect for their own use. This means, in the majority of cases, fitness apps do not fall under the regulation.

New regulations in the US specifically targeting fitness and health apps could encourage developers to be more responsible with sensitive data, but so far there has not been any progress. Efforts by US senators to prevent the sale of private health data to insurers, mortgage lenders, and employers have not led anywhere.

The EU’s GDPR does provide some protection in that it requires informed and unambiguous consent before data can be shared. This a threshold that Maya is likely violating, given that it does not list all the data it shares or who receives the data in its privacy policy. But this only applies to individuals living in the European Union.

The best way to stay private while using fitness tracking or health monitoring apps is to take matters into your own hands.

These are the most important steps you can take to stay safe:

  1. Read the privacy policy: If it is not explicit about what data it shares and what organizations it shares data with, assume that all the data you enter into that app could be shared with any number of unknown third parties. If you aren’t comfortable with that, find another app.
  2. Check if there are privacy settings: Take the time to check the privacy settings. Preventing the app from sharing your data is good, but the most private solution is to prevent it from collecting data in the first place. 
  3. Limit the data you enter in the app: Many of these apps collect more data than is necessary for them to serve their core function. Question whether you need to share that data to use the app. For example, there is no reason an ovulation tracker needs to know if you are having unprotected sex for it to function.
  4. When in doubt, ask: If you aren’t sure how a fitness app company plans to use your data, then send them an email and ask. (And if you do, let us know what they say!)

Fitness and health apps are great tools that can help motivate you to stay fit and track your progress. But you shouldn’t have to endanger your digital health for the sake of your physical health. It’s important to be aware that the apps you download can put your privacy at risk.

Best regards,
The Proton VPN Team

UPDATE Nov. 1, 2019: Google announced that it would be purchasing Fitbit for $2.1 billion. This raises the possibility of Google accessing Fitbit’s health data for advertising, but Google executives have said this will not be the case. In an email to customers, Fitbit’s CEO wrote, “We never sell your personal information, and Fitbit health and wellness data will not be used for Google ads.” The deal is expected to be finalized some time next year.

You can follow us on social media to stay up to date on the latest Proton VPN releases:

Twitter | Facebook | Reddit | Instagram

To get a free Proton Mail encrypted email account, visit: proton.me/mail

Prior to joining Proton, Richie spent several years working on tech solutions in the developing world. He joined the Proton team to advance the rights of online privacy and freedom.

Secure
your internet

Get Proton VPN
Get Proton VPN