Technology, Thoughts & Trinkets

Touring the digital through type

Month: March 2016

Every Step You Fake: A Comparative Analysis of Fitness Tracker Privacy and Security

Canadians, and many people around the world, are increasingly purchasing and using electronic devices meant to capture and record their relative levels of fitness. Contemporary fitness trackers collect a broad range of data, which can include the number of floors climbed, levels and depth of sleep, the number of steps taken and distance travelled over a day, heart rates, and more. All of this data is of interest to the wearers of the devices, to companies interested in mining and selling collected fitness data, to insurance companies, to authorities and courts of law, and even potentially to criminals motivated to steal or access data retained by fitness companies.

Given the potential privacy implications associated with fitness trackers, Andrew Hilts (Open Effect/Citizen Lab), Jeffrey Knockel (University of New Mexico/Citizen Lab), and I investigated the kinds of information that are collected by the companies which develop and sell some of the most popular wearable fitness trackers in North America. We were motivated to specifically understand:

  • Whether data that are technically collected by the wearable devices were noted in the companies’ privacy policies and terms of service and, if so, what protections or assurances individuals had concerning the privacy or security of that data.
  • Whether fitness and other collected data were classified as ‘personal’ data by the companies in question.
  • Whether the information received by the individual matched what a company asserted was ‘personally identifiable information’ in their terms of service or privacy policies.

Our analysis depended on a mixed methodology of technical research, policy analysis, and legal/policy testing. Some of our core findings included:

  • All studied fitness trackers except the Apple Watch were vulnerable to Bluetooth MAC address surveillance.
  • Garmin, Withings, and Bellabeat applications failed to use transit-level security for one or more data transmissions, leaving user data exposed.
  • The Jawbone UP application routinely sent out the user’s precise geolocation for reasons not made obvious to the user.
  • Fitness tracking companies gave themselves broad rights to utilize — and in some cases, sell — consumers’ fitness data.
  • Data collected by fitness tracking companies did not necessarily match with what can be obtained through an access request.

This research was funded by the Office of the Privacy Commissioner of Canada’s Contributions Program, with additional contributions from the Citizen Lab at the Munk School of Global Affairs, at the University of Toronto. Open Effect has created a webpage dedicated to the report and its impacts.

Download the Report (Alternate Link)

Public Submission on IMSI Catchers

On October 14, 2015 the Pivot Legal Society in British Columbia filed a complaint with the Office of the Information and Privacy Commissioner (OIPC) of British Columbia concerning the Vancouver Police Department’s (VPD) refusal to disclose any documents concerning the department’s use of IMSI Catchers. IMSI Catchers, also known as Cell Site Simulators or Mobile Device Identifiers, are designed to impersonate cellular telecommunications towers. The devices are used to collect identifiers and potentially content transmitted from mobile phones in the device’s vicinity. In response to Pivot Legal Society’s complaint, Tamir Israel (from CIPPIC) and I intervened on behalf of Open Media to argue that VPD ought to be compelled to disclose documents they possessed concerning their use of IMSI Catchers.

Our intervention begins by outlining how IMSI Catchers technically function. Next, we demonstrate how the test for investigative necessity advanced by VPD simply does not apply to responsive records in light of the significant general information regarding IMSI Catcher use. Finally, we argue that even if disclosure of responsive records will, to some degree, undermine the utility of IMSI Catchers as an investigative tool, disclosure must still occur. Confirmation of IMSI Catcher use is a necessary precursor to informed public debate and to the proper legal constraint of an invasive surveillance tool and is therefore in the public interest.

Download the Intervention (Alternate Link)

Authors

Tamir Israel

Tamir is a staff lawyer with the Samuelson-Glushko Canadian Internet Policy & Public Interest Clinic (CIPPIC) at the University of Ottawa Faculty of Law, where he conducts research and advocacy on various digital rights-related topics, with a focus on online privacy and anonymity, net neutrality, intellectual property, intermediary liability, spam, e-commerce, and consumer protection generally.

Christopher Parsons

Dr. Christopher Parsons received his Bachelor’s and Master’s degrees from the University of Guelph, and his Ph.D. from the University of Victoria. He is currently the Managing Director of the Telecom Transparency Project and a Postdoctoral Fellow at the Citizen Lab, in the Munk School of Global Affairs.

Photo credit: Mobile Phone Tower by Michael Coghlan (CC BY-SA 2.0) https://flic.kr/p/8FZoUM