Alex Gillis

Barb Gormley didn’t know that strangers could track her fitness tracker. Or that anyone could rip off personal data leaking from the device.

The personal trainer and her clients use the exercise-boosting devices to record steps taken, calories burned and other data about their progress when working out.

“People are hooked on them,” she said. “I feel like I have a training assistant.”

But the machines also leak personal information, such as name, age and gender, that’s communicated via wifi.

Researchers at U of T released a new report today about major security and privacy issues in devices made by Basis, Fitbit, Garmin, Jawbone, Mio, Withings and Xiaomi. The research involved analyzing data transmissions between the internet and apps for the fitness trackers.

The report, Every Step You Fake: A Comparative Analysis of Fitness Tracker Privacy and Security, shows that the Bluetooth signals of all seven studied fitness trackers leak personal data that enables anyone near a device to track a user’s location over time.

In addition, certain devices by Garmin and Withings transmit information without encryption, leaking other personal data to anyone with the know-how to collect the leaks. The researchers also analyzed the Apple Watch and found no issues.

The report is a collaborative effort between Open Effect, a non-profit applied research group focusing on digital privacy and security, and the Citizen Lab at the Munk School of Global Affairs at U of T. Open Effect previously published research on the security of ad tracking cookies. It also developed Access My Info, an application that makes it easy for Canadians to file legal requests for access to their personal information.

“I hadn’t thought about the issues too much,” said Gormley, “that somebody could find me using my watch.”

“The upside is they’re so great,” she said. She uses a Garmin device. “I guess we’re maybe a bit blind that there could be a downside.”

The downside is based on the fact that each device has a unique identifier that’s emitted constantly via Bluetooth, even after users think they’ve stopped it, according to Andrew Hilts, one of the report’s authors. He’s the executive director of Open Effect and a research fellow with the Citizen Lab at the Munk School.

Hilts said that savvy analytics firms or someone in a coffee shop can collect that unique identifier, and in some cases, collect your location and a whole lot more.

“The perception might be, ‘Okay, I’m done with this. I’m turning off Bluetooth,’ but your tracker is still emitting this unique identifier, even if your phone has Bluetooth turned off,” Hilts explained.

“There is a Bluetooth privacy standard in place that provides specifications on how device manufacturers can protect the privacy of their users,” Hilts said. “We’re trying to encourage fitness tracking companies to adopt this standard.” Most devices mentioned in the report do not implement Bluetooth privacy, leaving users vulnerable to location-based surveillance.
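The Bluetooth privacy feature the researchers refer to works by replacing a fixed device address with resolvable private addresses that change on a timer; only a paired phone holding the tracker's Identity Resolving Key (IRK) can link them together. The following Go program is an added illustration, not code from the report or from any vendor: it applies the address-hash construction from the Bluetooth Core Specification to an assumed IRK and two assumed prand values, and shows that the key holder resolves both addresses while a bystander sees two unrelated ones.

```go
package main

import (
	"crypto/aes"
	"crypto/rand"
	"fmt"
)

// IRK is the 128-bit Identity Resolving Key a tracker shares with its phone when they pair.
type IRK [16]byte

// ah is the Bluetooth random-address hash: the low 24 bits of AES-128(k, 0^104 || prand).
// Byte order follows the spec's printed (most-significant-first) form, not over-the-air order.
func ah(k IRK, prand []byte) [3]byte {
	block, err := aes.NewCipher(k[:])
	if err != nil {
		panic(err) // unreachable: a 16-byte key is always accepted
	}
	var in, out [16]byte
	copy(in[13:], prand[:3])
	block.Encrypt(out[:], in[:])
	return [3]byte{out[13], out[14], out[15]}
}

// NewRPA forms a resolvable private address: prand (top two bits forced to 01) || ah(k, prand).
// A privacy-enabled device draws a fresh prand on a timer, so the address it broadcasts changes.
func NewRPA(k IRK, prand [3]byte) [6]byte {
	prand[0] = prand[0]&0x3f | 0x40
	h := ah(k, prand[:])
	return [6]byte{prand[0], prand[1], prand[2], h[0], h[1], h[2]}
}

// Resolve is what the bonded phone does: recompute the hash from the address's prand and its
// stored IRK. Without the IRK, successive addresses cannot be linked to one wearable.
func Resolve(k IRK, addr [6]byte) bool {
	if addr[0]&0xc0 != 0x40 {
		return false // not marked as a resolvable private address
	}
	h := ah(k, addr[:3])
	return h == [3]byte{addr[3], addr[4], addr[5]}
}

func main() {
	var k IRK // assumed sample key and prands, drawn at random for the demo
	var p1, p2 [3]byte
	for _, b := range [][]byte{k[:], p1[:], p2[:]} {
		rand.Read(b)
	}
	a, b := NewRPA(k, p1), NewRPA(k, p2)
	fmt.Printf("%x %x resolvable by owner: %v %v\n", a, b, Resolve(k, a), Resolve(k, b))
}
```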

“We hope our findings will help consumers make more informed decisions about how they use fitness trackers, help companies improve the privacy and security of their offerings, and help regulators understand the current landscape of wearable products.”

The researchers sought contact with the seven fitness tracker companies whose products exhibited security vulnerabilities. Fitbit, Intel (Basis), and Mio responded and engaged the researchers in a dialogue. Fitbit further expressed interest in exploring the topic of implementing Bluetooth privacy features in its communications with the researchers. Out of the devices studied, only the Apple Watch adopted the Bluetooth privacy standard.

The report’s authors (Christopher Parsons, Jeffrey Knockel and Hilts) reveal a third issue that arose in two of the seven devices (the Withings and Jawbone devices): users can falsify their own activity levels. The findings cast doubt on the reliability of the data for insurance or other purposes.

“Maybe I’m naïve,” Barb Gormley says. “Maybe an insurance company is conducting top-secret research on me and decides they don’t want to give me insurance?”

“Should I be worried?” she wonders.

February 2, 2016
