Americans have fallen for fitness devices and apps the same way we fell for the ease of mobile banking and the simplicity of ordering dinner online.
Digital fitness trackers generated more than $238 million in sales in 2013 and downloads of sports and fitness apps are projected to grow by 63 percent by the year 2017, according to a report by research firm IHS Electronics and Media.
We use them to track our weight loss, map our favorite running routes, and tell us how many calories were in our morning bagel. But as fun and useful as some of these tools may be, privacy experts worry that consumers may be overestimating the ability of fitness apps and devices to keep our sensitive health information secure.
“All technology is hackable, and if there’s a data breach, these devices could open up your whereabouts, your workout patterns, your weight, height, friends’ contact information, everything,” says Theresa Payton, author of “Privacy in the Age of Big Data” and former White House Chief Information Officer under President George W. Bush. “It makes it easier [for hackers] to socially engineer a fake identity and convince people they’re somebody that they’re not.”
On the black market, electronic health records can be worth 20 times as much as stolen credit card data, according to Stephen Boyer, CTO of security rating firm BitSight Technology. There’s really no richer source of personal information about a person than their medical chart. It may include insurance details, past home addresses, phone numbers, Social Security numbers, as well as a patient’s entire medical history — plenty enough to commit insurance fraud or identity theft.
Health providers (doctors, hospitals, insurers, etc.) are required under the Health Insurance Portability and Accountability Act (HIPAA) to safely store any patient data they collect and aren’t allowed to share your medical history without your explicit permission. If there’s a data breach, they’re obligated to tell affected users within 90 days.
But HIPAA was implemented in 1996, long before anyone had dreamed up Fitbits, Jawbones, or the myriad weight-loss and sleep-aid apps on the market. As it stands, fitness devices and apps don’t have to play by the same rules, despite the fact that they collect the kind of information that could be gold in a hacker’s hands — our geo-location history, age, date of birth, email address, links to social media, and more. App and device makers can share our data with whomever they desire and we pretty much have to take them at their word that they’ll keep it safe.
“You have to think about how your information in the app itself could be used to benefit you but also how it could be used in the wrong hands by cyber criminals,” Payton says.
‘You’ for sale
Even if an app or device has airtight security, there’s no telling how many other sites they are sharing their user data with. Once that information leaves their database, it’s at the mercy of whatever security system the next site has.
In July 2013, the Privacy Rights Clearinghouse, a California-based consumer advocacy group, conducted a study of 43 popular health and fitness apps (both free and paid models). They found that nearly three-quarters either sent unencrypted data or connected to third-party sites without user knowledge.
Most of these third-party sites are marketers and advertisers, the same companies that track consumers’ online activity in order to target ads based on their habits and preferences. Free apps often rely on this kind of revenue to keep their services free for users.
A similar study by online security app Ghostery found the presence of no less than 70 third-party sites (again, mostly advertisers) linked to a sample of 20 leading fitness apps.
Device- and app-makers generally argue that they anonymize user data before selling it. But it’s not too difficult to link that information back to an identity, Payton says.
“Every smartphone and tablet has a unique device ID and they could have your device ID mixed in with all the data” they sell to marketers, she says. “That’s what we’ve learned time and again that is typical of free products. ‘You for sale’ is part of the business model.”
A recent study by the Federal Trade Commission found 18 out of 76 health and fitness apps collected this unique device ID.
Despite the fact that they’re off the hook as far as HIPAA is concerned, some health device- and app-makers have taken steps to become HIPAA-compliant anyway, as a way to appease customers concerned about privacy. But it can be a lengthy and expensive process. For scrappy startups looking to cash in on the digital fitness fad, it’s the kind of expense they can’t afford.
“It’s very easy for apps to claim HIPAA compliance even though that may not be the case,” says Jason Wang, CEO of TrueVault, a company that offers secure, HIPAA-compliant data storage for health-care apps. “Big brands have a lot to lose but some no-name brands have nothing to lose, so they’ll just get breached by hackers, go bankrupt, and move on to their next venture.”
Even app and device makers that attempt to meet HIPAA requirements can unknowingly fall short.
“We see a lot of companies who think they are, but when we look they’re nowhere close,” Wang says.
How to protect yourself:
Don’t take privacy for granted. Just because an app looks great and promotes a healthier lifestyle doesn’t mean its team has done the legwork to make your data secure. You can learn a lot about how a company values user privacy by taking a look at their privacy disclosure before signing up. Look for key phrases like “third party” and “advertisers” to find out whether your data is potentially for sale. Again, free apps will almost certainly earn revenue by selling user data to marketers, but you may find paid apps are less likely to do so.
Make a designated fitness app email. Payton recommends setting up a dummy email address under a fake name, which would make it much harder for a hacker to find your identity if they get hold of your account. “I wouldn’t use the email that I use for my insurance account, for example,” she says. “If there’s a breach, you don’t want somebody to be able to pull together the whole picture.”
It never hurts to ask. If you’re not sure an app has taken steps to become HIPAA-compliant, Wang suggests sending their customer service team an email to ask. Even if they’re not completely HIPAA-compliant, they may tell you that they’ve had their security system routinely examined. “If they’ve been audited, they’ll be more than happy to share that report with you, because they’ve probably paid a lot of money for it,” he says. “If they can’t really tell you anything, then it’s a sign that company hasn’t thought about HIPAA.”
Give them the bare minimum. Every app or fitness device should have a privacy settings page where you can pick and choose who can see your profile information. If an app doesn’t need your date of birth or ZIP code to function properly, then it’s better to leave it out altogether.
Don’t link to social media if it’s not necessary. A lot of fitness apps and devices allow users to integrate their social media accounts with their profile. Once you’ve done that, you’ve made it twice as easy for a hacker to find out who you are. For example, if you link your Facebook to apps like Runkeeper or MapMyRun and have saved your favorite routes, you’re making it much easier to link your first and last name with your usual whereabouts. “I’ve got a close private network on [a fitness app] myself,” Payton says. “But I’m very careful not to link my social media accounts so I don’t allow somebody to link two and two together.”