Fitness wearables are apparently in superb shape when it comes to collecting your health data: Heart rate, sleep patterns, steps taken per day, calories burned, weight gain or loss, mile splits, stress levels, location – even sexual activity or how you’re doing in your effort to quit smoking.
But they are in lousy shape when it comes to protecting that data and keeping it private.
And given the number of them in use – there were more than 13 million sold in the U.S. just in the last two years according to Statista – there are more vocal warnings from Internet of Things (IoT) experts and privacy advocates that users need to be aware of how vulnerable their health data is, and how it could be used for identity theft, discrimination and more.
The makers of fitness trackers – the biggest names are Samsung, Pebble, Fitbit, Apple, Jawbone, Nike, Sony, Lenovo and LG – generally stress their commitment to privacy, and say they do not “sell” the data they collect.
But, as numerous experts note, selling is not the same as sharing or protecting. Theresa Payton, president and CEO of Fortalice and a former White House CIO, said fitness wearables and associated apps “have a track record of poor privacy and security measures.”
“The culprit is the innovation life cycle,” she said. “There is tremendous pressure to get cool and affordable products on the market at a dizzying speed. That means the time to put the devices in the lab and attack them like an adversary is too short or nonexistent.”
The resulting security flaws in hardware or companion apps “often allow someone to track your whereabouts or your patterns,” she said.
While there has so far not been a reported catastrophic breach of one of the major fitness wearable companies, Craig Spiezle, executive director of the Online Trust Alliance (OTA), said that “data can and has been captured off fitness bands easily with $100 and a determined adversary. As more of these devices are amassing data, the risk is increasing.”
And while Eva Velasquez, president and CEO of the Identity Theft Resource Center (ITRC), said she thinks fitness wearable data are “one step down” in privacy value from EHRs (electronic health records), which “include enough PII (personally identifiable information) to commit ID theft almost immediately,” the trackers still include “sensitive information.”
She said data on heart rate, weight, food log, BMI (body mass index) and exercise are generally not enough on their own to allow identity theft, “but the privacy implications are there. We need to take a much closer look at where it’s valuable and who it’s valuable to.”