Wearables and fitness devices

We live in a wonderful time where technology is now able to interface with health systems. In the past, measuring health and fitness was something reserved for just doctor’s appointments and personal training sessions. But now, with wearable technology and smartwatches like the Fitbit or Apple Watch, we can keep track of everything — from our quality of sleep to our daily calorie expenditure and even our heart rate. While there may be some benefits of using wearables and fitness devices, there may also be some privacy-invading aspects. Here are some of those potential privacy invasions.

All sorts of third parties may get a front row seat to your life

We’ve talked about opt-in insurance programs that use the data you generate to adjust your premiums on the fly. As it turns out, insurance companies may not be the only ones interested in using this data.

The good news is that the privacy policies of many wearable products state that they don’t sell personal data. That said, those same policies allow personal data to be shared with associated business partners, usually ones that help deliver the service, in order to maintain the quality of the user experience. As of now, most wearable and fitness tracking companies share only anonymized data, but many also reserve the right to sell your personal data if their policies change or a major event such as a merger or buyout occurs, which is a scary thought. The issue is that every third party with access to the device’s data is one more place where your information can be exposed or stolen through a breach or hack. So while anonymously sharing your heart rate or average daily step count may not be an issue now, the prospect of sharing much more, perhaps even your name and other demographics, down the road is quite unnerving.

Bluetooth enables tracking, but you might not be able to turn it off

As with anything involving the Internet of things, there is always some concern about a device that connects to another over Bluetooth, Wi-Fi or any other network. Wearables and fitness devices are technically Internet of things devices, but they differ in that their functions are usually running at all times, so their relationship with Bluetooth is a little different. Here’s how it works: on newer wearable devices, the option to turn off Bluetooth usually only disconnects the device from “classic Bluetooth” connections, meaning the wearable, fitness device or smartwatch will not update until you sync it again. But many newer devices also support Bluetooth LE (LE for “low energy”), an always-active variant of classic Bluetooth that can’t be turned off. Bluetooth LE “wakes up” when a compatible or paired Bluetooth device is nearby (thus saving energy, hence the name). The broadcast range of Bluetooth LE is also shorter than that of classic Bluetooth, just enough to pair the fitness tracker on your wrist to the phone in your pocket, which usually makes it much harder to track passively and is why it is believed to be a more secure form of Bluetooth.

However, last month researchers demonstrated in a study that some devices could be tracked using this newer form of Bluetooth, showing it may not be as secure as originally thought. While most devices encrypt the contents of their communications, meaning your step count or heart rate is safe, a unique identifier is often broadcast to establish the identity of the device when it seeks or accepts connections. Many of the fitness trackers tested in this study failed to randomize this identifier (randomization is a common security feature), which is why the researchers were able to track them. This is the equivalent of your device giving out its name freely: even if the contents of what it says are incomprehensible, its name can be used to place it on a map, and wherever that name is seen, the device will be. Although this might not be enough to compromise your identity, it can allow you to be tracked, which may put you in physical danger.
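To make the randomization point concrete, here is an added example (written for this page, not code from the original post or from any device maker) that audits Bluetooth LE advertisements the way a privacy-conscious owner might check their own tracker. It classifies an advertising address as public, random-static, resolvable-private or non-resolvable-private from the two most significant bits of a random address, as the Bluetooth Core Specification defines them, parses the length-type-value advertising data structures to see whether a fixed device name is broadcast alongside the address, and then shows why a device whose address never changes can be linked across locations while a device that rotates private addresses cannot. All addresses, names and sightings below are constructed sample data; the `is_random` flag stands in for the TxAdd bit that a real scanner reads from the advertising PDU header.

```python
"""
Added example, not part of the original post: a small audit of Bluetooth LE
advertisements. Address-type bit rules follow the Bluetooth Core Specification
(Vol 6, Part B, Sec. 1.3). Every sighting below is constructed sample data.
"""
from collections import defaultdict

AD_TYPE_SHORT_NAME = 0x08      # standard AD types for the advertised device name
AD_TYPE_COMPLETE_NAME = 0x09


def classify_address(addr: str, is_random: bool) -> str:
    """Classify a BLE address written as 'AA:BB:CC:DD:EE:FF' (most significant octet first).

    is_random mirrors the TxAdd bit of the advertising PDU: False means a public
    (burned-in) address, True means one of the random address sub-types.
    """
    octets = [int(x, 16) for x in addr.split(":")]
    if len(octets) != 6 or any(not 0 <= o <= 0xFF for o in octets):
        raise ValueError(f"malformed address: {addr}")
    if not is_random:
        return "public"                       # globally unique and never changes
    top = octets[0] >> 6                      # top two bits select the sub-type
    return {0b11: "random-static",            # fixed for the life of the device
            0b01: "resolvable-private",       # rotates; only an IRK holder can resolve it
            0b00: "non-resolvable-private"}.get(top, "reserved")


def parse_ad_structures(payload: bytes) -> dict:
    """Split an advertising payload into {ad_type: data}.

    Each structure is one length byte (covering type + data), one AD-type byte,
    then the data. A zero length or a truncated structure ends parsing.
    """
    out, i = {}, 0
    while i < len(payload):
        length = payload[i]
        if length == 0 or i + 1 + length > len(payload):
            break
        out[payload[i + 1]] = payload[i + 2:i + 1 + length]
        i += 1 + length
    return out


def stable_identifiers(addr: str, is_random: bool, payload: bytes) -> list:
    """List the fixed, cleartext identifiers one advertisement gives away."""
    leaks = []
    kind = classify_address(addr, is_random)
    if kind in ("public", "random-static"):
        leaks.append(f"fixed address ({kind})")
    ads = parse_ad_structures(payload)
    for ad_type in (AD_TYPE_COMPLETE_NAME, AD_TYPE_SHORT_NAME):
        if ad_type in ads:
            leaks.append("device name " + repr(ads[ad_type].decode("utf-8", "replace")))
    return leaks


def linkable_across_locations(sightings) -> list:
    """Return the fixed addresses seen at more than one location, sorted.

    sightings: iterable of (timestamp_s, location, addr, is_random, payload).
    Rotating private addresses never accumulate more than one location under
    the same key, which is exactly what randomization is for.
    """
    places = defaultdict(set)
    for _ts, loc, addr, is_random, _payload in sightings:
        if classify_address(addr, is_random) in ("public", "random-static"):
            places[addr].add(loc)
    return sorted(a for a, locs in places.items() if len(locs) > 1)


# Constructed sample log: a tracker with a random-static address and a fixed
# name, a phone that rotates resolvable private addresses, and a public-address
# dongle seen once. None of these are real captures.
SIGHTINGS = [
    (0,   "gym",    "D3:11:22:33:44:55", True,  b"\x02\x01\x06\x0b\x09Tracker-17"),
    (10,  "gym",    "4A:AA:BB:CC:DD:01", True,  b"\x02\x01\x1a"),
    (900, "office", "D3:11:22:33:44:55", True,  b"\x02\x01\x06\x0b\x09Tracker-17"),
    (910, "office", "5B:AA:BB:CC:DD:02", True,  b"\x02\x01\x1a"),   # same phone, new address
    (920, "office", "00:1A:7D:DA:71:13", False, b"\x02\x01\x06"),
]

if __name__ == "__main__":
    for _ts, loc, addr, is_random, payload in SIGHTINGS:
        print(loc, addr, classify_address(addr, is_random),
              stable_identifiers(addr, is_random, payload))
    print("linkable across locations:", linkable_across_locations(SIGHTINGS))
```

Running the block shows the tracker turning up in both places under the same address and name, while the phone's two sightings cannot be joined without the identity resolving key that only its paired device holds. Note that a rotating address is not the whole story: a device name or other fixed field broadcast in the advertising data undoes the benefit, which is why the audit checks both.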

Your device may be used to testify for (or against) you legally

While there is no established legal precedent for using fitness tracking data per se, there have been cases in both Canada and the U.S. where Fitbit data was used as evidence to support or refute a legal claim or a police report. In the Canadian case, the data wasn’t just personal data but personal data compared against aggregated data, while in the U.S. case the data was used to disprove a woman’s claim; both show that data can be used in a myriad of unanticipated ways. Although the U.S. and Canada have laws against self-incrimination, so far those laws haven’t prevented this type of data from being used.

The data is only as secure as technology allows

Users and companies essentially discover security flaws and vulnerabilities together as the technology advances, which means there could be dozens of undisclosed vulnerabilities in current and emerging technologies. In 2011, for example, many Fitbit users found the entirety of their fitness logs, including potentially embarrassing information, indexed on Google because of insecure default privacy settings. While we like to believe our wearables are immune to hacks, that isn’t the case. In fact, a security researcher recently demonstrated a theoretical, proof-of-concept hack that involved hijacking a Fitbit and using it to break into a network. Because the company regarded the threat as merely theoretical, it remains to be seen whether the potential exploit has been patched. Dozens of researchers, including the ones who conducted the Bluetooth LE study mentioned above, have found ways of feeding trackers false fitness data.

If an exploit is ever found or taken advantage of by the wrong people, personal data can be skimmed from your fitness band, smartwatch or even your home network. As with anything else in this tech-driven world we live in, your data also has the potential to be stolen in a corporate breach from the company itself or the partners with whom it shares information. With such privacy concerns surrounding wearables, fitness devices and smartwatches, you may want to look into your device’s privacy policy as well as make more of a conscious effort when determining how often you wear your device or when you allow it to connect via Bluetooth.

Follow our privacy blog to learn more about how you may or may not be exposing your information in your everyday life.