That Fitness App May Be Sweating Away Your Personal Info
Summary: Fitness trackers are a popular way to bring structure to workouts. But they could leave your Personally Identifiable Information (PII) vulnerable. According to a new study, one app might be unintentionally exposing some users’ home addresses. Here are the potential risks of fitness-tracking apps, as well as tips for protecting your privacy and identity.
Busy getting in shape? Be sure to also exercise your right to privacy
You’ve downloaded the fitness app, you’re wearing the tracker, and you’ve set a goal to get in better shape. Now, with the app’s help, you’re actually making progress. And you’re happily sharing information about your workout with friends, family, and followers on social media.
It’s easy to see why fitness-tracking apps are so popular: They can be a great way to positively reinforce your journey to better health. They quantify your fitness progress, bring support and accountability to your workouts, and connect you to a community of like-minded enthusiasts.
But they can also carry risks. These apps can enable third parties to collect your personal information, or potentially even give bad actors an opportunity to target you in the real world. Anyone who’s concerned about being stalked or harassed, or simply wants to preserve their privacy, should take note. In fact, a recent study reveals that at least one top fitness-tracking app might not have privacy among its core strengths. Here are the potential concerns around these apps, along with measures you can take to protect your personal information while using them.
Your home address and other personal data could be at risk
Most apps, including fitness trackers, have an “aggregated data usage” feature in which your personal data is combined with that of other users to create an anonymized data pool; the collective information is then used to improve your experience on the app. But is it truly anonymous?
Researchers at North Carolina State University have released a study showing that a leading fitness-tracking app, Strava, seemingly has a vulnerability in its aggregated data usage that could enable bad actors to physically locate individual users, which might lead to stalking or harassment.
Strava has a “heatmap” feature in which users can see specific running, cycling, or hiking locations and routes that are popular among other users. The map uses aggregated data, which in theory “should make it impossible for anyone to capture private information about any specific user,” says the study’s lead author. “However, we found a loophole in certain conditions.”
Users who live in less-populated areas and who have listed the name of their hometown in their profile may be particularly at risk, the study notes. Researchers were able to align the heatmap data with the hometown information to “identify the home addresses of some users... and confirmed those identifications using [publicly available] voter registration data.”
Beyond the privacy risks uncovered by the NC State researchers, know that if you share your app-enabled workout information on social media, it may compound your exposure. Depending on your privacy settings, people could use that information to physically locate and target you.
Fitness trackers can also potentially disclose your Personally Identifiable Information (PII) to data broker sites, which can in turn sell the data not only to marketers, but to any party willing to pay for it. (In this regard, fitness trackers are similar to mental health and wellness apps, many of which have demonstrated a willingness to sell user data to third parties.)
Finally, there’s the ever-present threat of a data breach. For example, the popular fitness app MyFitnessPal was hacked in 2018, affecting 150 million users; one year later, the stolen user data was found for sale on the dark web.
How to limit your privacy exposure in fitness apps
So how can you reduce your privacy risks? It boils down to two main strategies: Limit the amount and type of personal information you provide to fitness apps, and choose the strongest privacy settings possible. Specific steps include:
- If you’re starting a new account, create a username that doesn’t reveal your full first or last name. Avoid listing your hometown in your profile if at all possible.
- Limit location-sharing permissions on your phone and on any smart device such as a smartwatch or wearable tracker.
- If you must use location sharing, enable it only after you’ve gotten some distance away from your home, and turn it off at some point before you return home; this will help prevent bad actors from pinpointing your exact home location.
- Avoid uploading personal photos via the app.
- Review the app’s policies on data-sharing with third parties, and opt out of sharing your personal information to the greatest extent possible.
- Opt out of any “aggregated data usage” feature in the privacy settings.
- Think carefully about whether to link the app to social media; if you choose to link the app, be sure to use the most stringent privacy settings in your social accounts.
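The location-sharing step above can also be applied after the fact, by cutting the part of a recorded track that falls near home before the activity is shared. This is an added example, not code from the article or from any fitness app; the function names, the 500 m radius and the coordinates are constructed for illustration.

```python
import math

EARTH_RADIUS_M = 6_371_000

def haversine_m(a, b):
    """Great-circle distance in metres between two (lat, lon) points in degrees."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(h))

def trim_privacy_zone(track, zone_center, radius_m=500):
    """Remove every point within radius_m of zone_center.

    Returns a list of segments rather than one list: the track is split
    wherever points were removed, so an exported route does not draw a
    straight line through the hidden area. Mid-route passes near home are
    removed too, not only the start and the finish.
    """
    segments, current = [], []
    for point in track:
        if haversine_m(point, zone_center) <= radius_m:
            if current:              # close the segment that just ended
                segments.append(current)
                current = []
        else:
            current.append(point)
    if current:
        segments.append(current)
    return segments

# Constructed sample: a run that starts at home, loops back past it once,
# and ends at home. A circle centred exactly on the address can be
# reconstructed from the cut-off points of several tracks, so in practice
# use a centre that is offset from the real address.
ZONE_CENTER = (35.0000, -79.0000)
SAMPLE_TRACK = [(lat, -79.0000) for lat in (
    35.000, 35.003, 35.006, 35.010, 35.006,   # leave home, head out
    35.002,                                   # pass back near home
    35.006, 35.009, 35.004, 35.000)]          # second loop, return home

if __name__ == "__main__":
    for segment in trim_privacy_zone(SAMPLE_TRACK, ZONE_CENTER):
        print(segment)
```
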
The no-sweat way to protect your privacy and identity
Everyone—fitness enthusiast or not—has an identity worth protecting. Consider a comprehensive coverage plan like IDX Complete. It includes advanced tools and services such as ForgetMe, which continuously and automatically handles removal whenever your personal data winds up for sale on data broker sites; CyberScan, which monitors all layers of the web, including the dark web where cybercriminals lurk, to search for breaches of your data; and Tracking Blocker, designed to keep your data from being collected and tracked across the web.
Go ahead and use that fitness-tracking app to assist in your quest for better health. But just as every workout routine needs a good warmup, you should start by adjusting the privacy settings and minimizing the amount of information you supply. Better still, strengthen your day-to-day protection with full identity and privacy coverage.