Fitness Tracker Applications — Leaky, Insecure, and a Sign of the Times

Last week, the Citizen Lab in collaboration with Open Effect released a new report, “Every Step You Fake: A comparative analysis of fitness tracker privacy and security.” The report contains primarily the background, overview, methods and technical findings.  A subsequent report will include the policy and legal analysis that the team is presently completing.  Open Effect is a non-profit organization led by Citizen Lab research fellow Andrew Hilts, and one on whose board I presently serve.  We work together on a variety of projects in the area of privacy and security, and we’ll have more reports coming down the pipeline together beyond the work on Fitness Trackers. (Open Effect and Citizen Lab also worked together on the Access My Info project).

The “fitness tracker” topic may seem to be a bit of an outlier for us at the Citizen Lab, but lately we have become more and more interested in privacy and security of mobile applications. Part of it has to do with the refinement of reverse engineering and other technical analysis methods that inform several Citizen Lab projects.  A much broader concern of ours is around the privacy and security of the growing number of devices and applications that surround us in the so called “Internet of Things” ecosystem.  Obviously, the implications for consumers of these devices and applications are important from a privacy and security point of view.  But personally speaking, I find it very compelling to try to see how security holes, vulnerabilities, and other unintentional flaws could be exploited by government threat actors, putting users at risk.  Having spent considerable time studying the Snowden disclosures, I have been struck by how seemingly trivial leaks of users’ data can end up being routinely leveraged by SIGINT agencies.  A recent talk by the chief of the NSA’s TAO underscored this point well.  We leave a trail of digital droppings where ever we go, which in and of themselves may seem unimportant but when collated and analyzed together can reveal a lot.

One of the other interesting components of this report was the responsible notification process we undertook, and which is explained in the report. We notified the fitness tracker vendors who had security and privacy problems with their products, and only a few of them got back to us — until journalists reached out to them, that is.   Media strategy is important to creating positive outcomes of research, and this case illustrates it well.  (We gave an exclusive to CBC on the Fitness Tracker report for this reason). For example, although Garmin did not respond to our initial responsible disclosure, they did after the report came out. The updated version of their application seems to suggest they’ve implemented some basic security protocols that were lacking (ht Ryan Budish), which is a positive outcome of the research.