Canadians, and many people around the world, are increasingly purchasing and using electronic devices meant to capture and record their relative levels of fitness. Contemporary fitness trackers collect a broad range of data, and can include the number of floors climbed, levels and deepness of sleep, how many steps taken and distance travelled over a day, heart rates, and more. All of this data is of interest to the wearers of the devices, to companies interested in mining and selling collected fitness data, to insurance companies, to authorities and courts of law, and even potentially to criminals motivated to steal or access data retained by fitness companies.
Given the potential privacy implications associated with fitness trackers, Andrew Hilts (Open Effect/Citizen Lab), Jeffrey Knockel (University New Mexico/Citizen Lab), and I investigated the kinds of information that are collected by the companies which develop and sell some of the most popular wearable fitness trackers in North America. We were motivated to specifically understand:
- Whether data which are technically collected by the wearable devices was noted in the companies’ privacy policies and terms of service and, if so, what protections or assurances individuals had concerning the privacy or security of that data?
- If fitness and other collected data was classified as ‘personal’ data by the companies in question?
- Whether the information received by the individual matched what a company asserted was ‘personally identifiable information’ in their terms of service or privacy policies.
Our analysis depended on a mixed methodology of technical research, policy analysis, and legal/policy testing. Some of our core findings included:
- All studied fitness trackers except the Apple Watch were vulnerable to Bluetooth MAC address surveillance
- Garmin, Withings, and Bellabeat applications failed to use transit-level security for one or more data transmissions, leaving user data exposed.
- The Jawbone UP application routinely sent out the user’s precise geolocation for reasons not made obvious to the user.
- Fitness tracking companies gave themselves broad rights to utilize — and in some cases, sell — consumer’s fitness data
- Data collected by fitness tracking companies did not necessarily match with what can be obtained through an access request.
This research was funded by the Office of the Privacy Commissioner of Canada’s Contributions Program, with additional contributions from the Citizen Lab at the Munk School of Global Affairs, at the University of Toronto. Open Effect has created a webpage dedicated to the report and its impacts.
Download the Report (Alternate Link)
I downloaded a copy of Desk last week, an OS X applications that is designed for bloggers by bloggers. It costs $30 from the Mac App Store, which is in line with other blogging software for OS X.
To cut to the chase, I like the application but, as it stands right now, version 1.0 feels like it’s just barely out of beta. As a result there’s no way that I could recommend that anyone purchase Desk until a series of important bug fixes are implemented.
What’s to Love
I write in Markdown. At this point it’s so engrained in how I stylize my writing that even my paper notebooks (yes, I still use those…) prominently feature Markdown so I can understand links, heading levels, levels of emphasis, and so forth. Desk uses Markdown and also offers a GUI where, after highlighting some text, you’re given the option to stylize add boldface or italics, insert a hyperlink, or generally add in some basic HTML. That means that people like me (Markdown users) are happy as are (presumably) those who prefer working from a graphical user interface. Everyone wins!
In line with other contemporary writing applications (e.g. Byword, Write) the menu options are designed to just fade away while you’re writing. This means there are no distractions when you’re involved in writing itself and that’s a good thing. You always have the option to calling up the menu items just by just scrolling somewhere in the main window. So, the menu is there when you want it and absent when you’re actually working. Another win.
I’ve written a fair bit about mobile phones; they’re considerable conveniences that are accompanied by serious security, privacy, and technical deficiencies. Perhaps unsurprisingly, Apple’s iPhone has received a considerable amount of criticism in the press and by industry because of the Apple aura of producing ‘excellent’ products combined with the general popularity of their mobile device lines.
In this short post I want to revisit two issues I’ve previously written about: the volume of information that the iPhone emits when attached to WiFi networks and its contribution to carriers’ wireless network congestion. The first issue is meant to further document here, for my readers and my own projects, just how much information the iPhone makes available to third-parties. The second, however, reveals that a technical solution resolves the underlying cause of wireless congestion associated with Apple products. Thus, trapping customers into bucket-based data plans in response to congestion primarily served financial bottom lines instead of customers’ interests. This instance of leveraging an inefficient (economic) solution to a technical problem might, then, function as a good example of the difference between ‘reasonable technical management’ that is composed of technical and business goals versus the management of just the network infrastructure itself.