Tracking Fitness, Exposing Data

Now you can read us on your iPhone and iPad! Check out the BTRtoday app.

In the market for a new fitness tracker? You might want to think about your privacy before making the purchase.

According to a recent study conducted by international technology security firm AV-Test, some of the most popular fitness trackers have serious issues when it comes to the security of users’ personal data. Seven Android devices were found to have major deficiencies in terms of secure connections and tamper protections. The report criticized device-makers’ lack of attention when it came to device security, leaving users open to potential data manipulation and theft.

BTRtoday spoke with Maik Mortgenstern of AV-Test about the inspiration for the study, the implications of the report’s results, and whether it might have any affect on future devices.

BTRtoday (BTR): To start, can you talk about the genesis of this study?

Maik Mortgenstern (MM): It all started about three years ago when the implementation of things like smart homes became a hot topic, and we actually started testing smart home gateways, and eventually other devices and products. Fitness trackers seemed to be a good target because they access sensitive data, including health data, and there are many big players involved. There are the manufacturers of those devices as well as Google and Apple who may have access to these things. We have seen insurance companies who are interested in this data as well, so we thought it would be a good thing to test this kind of stuff.

BTR: When did testing begin, and what did the results show?

MM: We started testing last year, and did a follow-up test this year to see what kind of data was being stored and transferred, and if it was being securely done or if there were any security problems. In fact, we have found quite a few security problems. While we thought security and privacy would be one of the key factors for these devices, it wasn’t like that. It was obvious some vendors never thought about privacy or security issues, while a few others did take this into account and did a good job. The results really showed the differences in products.

BTR: What are the implications of this type of personal health data being released?

MM: This is kind of an open question right now, because we don’t really know where insurance companies are going and we don’t really know what criminals might be doing with this data. But there are certainly a few things for people to think about. Right now, there are insurance companies that will give you a discount on your fee if you share your fitness tracker data with them. If you take that further, there will be times when this discount is tied to certain goals that you have to achieve to attain it.

At some later point, it might not be about a bonus anymore, but a penalty. So if you’re not sharing your data requirements, it’s possible the insurance fee could be raised.

Also, what we found is that the data you’re sharing can easily be manipulated. This enables users to fake data, but also enables criminals to hold your data ransom. As of right now, we aren’t seeing where this might be headed, but since we’re dealing with sensitive data, we should be talking about security and privacy from the beginning.

BTR: Are fitness trackers worse than other smart products in terms of lack of security surrounding personal data? Did the findings of your study surprise you given the lack of attention paid to security on these devices?

MM: No, unfortunately it was expected, because all the other devices and product groups that we have examined have shown exactly the same results. As you already mentioned, it’s not only about fitness trackers, it’s also about all the other Internet of Things (IoT) devices that do collect sensitive data, and we’re seeing the same problems everywhere.

BTR: Third parties like insurance companies, advertisers, and criminals will always have an incentive to get their hands on this type of sensitive information. Do you think studies like AV-Test’s will help to refocus these companies’ emphasis on security within their devices?

MM: Right now the problem is that most users are not aware of the privacy and security issues, and unless something really big happens, like a really big hack with serious implications, users are not going to put pressure on the vendors. All users want are features and good design. They don’t really think about security at this point, which is understandable—we are all using so many services every day without thinking about the security and privacy of them. We just expect that it’s okay, and someone will take care of it.

The only other option would be governments putting pressure on. In Europe, we have relatively strict privacy laws—they’re not explicitly covering this at the moment, but there are discussions in Germany about fitness trackers and about usage of this data by insurance companies. We don’t know whether it’s going to have any effect because most of the vendors aren’t from Germany, they’re in the United States or Asia, so it’s hard to see what kind of pressure will be exerted here.