Lately, fitness-minded Americans have started wearing sporty wrist-band devices that track tons of data: Weight, mile splits, steps taken per day, sleep quality, sexual activity, calories burned—sometimes, even GPS location. People use this data to keep track of their health, and are able to send the information to various websites and apps. But this sensitive, personal data could end up in the hands of corporations looking to target these users with advertising, get credit ratings, or determine insurance rates. In other words, that device could start spying on you—and the Federal Trade Commission is worried.
“Health data from [a woman’s] connected device, may be collected and then sold to data brokers and other companies she does not know exist,” Jessica Rich, director of the Bureau for Consumer Protection at the Federal Trade Commission, said in a speech on Tuesday for Data Privacy Day. “These companies could use her information to market other products and services to her; make decisions about her eligibility for credit, employment, or insurance; and share with yet other companies. And many of these companies may not maintain reasonable safeguards to protect the data they maintain about her.”
Several major US-based fitness device companies contacted by Mother Jones—Fitbit, Garmin, and Nike—say they don’t sell personally identifiable information collected from fitness devices. But privacy advocates warn that the policies of these firms could allow them to sell data, if they ever choose to do so.
Let’s start with the popular Fitbit. When you buy one of these bracelets or clip-on devices, you have the option of automatically sending fitness data to the Fitbit website. And the site encourages you to also submit other medical information, such as blood pressure and glucose levels. According to Fitbit’s privacy policy, “At times Fitbit may make certain personal information available to strategic partners that work with Fitbit to provide services to you.” Stephna May, a Fitbit spokesperson, says that the company “does not sell information collected from the device that can identify individual users, period.” However, she says that the company would consider marketing “aggregate information” that cannot be linked back to an individual user—which is outlined in the privacy policy as aggregated gender, age, height, weight, and usage data. (This is similar to what Facebook does.)
Nike, which makes the Nike + Fuel Band, says in its privacy policy that the company may collect a host of personal information, but doesn’t say that it can be shared with advertising companies. Joy Davis Fair, a Nike spokesperson, says that the company “does not share consumer data” with outside advertisers, but selectively shares it with other companies under Nike’s corporate umbrella, including Converse and Hurley. Garmin’s policy says that users have to consent in order for the company to sell personal information. A Garmin spokesman says the company doesn’t sell personal or aggregated information to advertisers, and doing so isn’t part of the company’s business model. (Polar Flow, which makes the Polar Loop band, is the only company with a privacy policy that explicitly says it won’t sell personally identifiable data for advertising. It is based in Finland and subject to stringent European Union privacy laws.)
Jeffrey Chester, executive director for the Center for Digital Democracy, says that these privacy policies are so broad that they could allow the companies to sell health data—even if they aren’t doing so now. “When companies promise that they aren’t selling your data, that’s because they haven’t developed a business model to do so yet,” Chester says.
Scott Peppet, a University of Colorado law school professor, agrees that companies like Fitbit will eventually move toward sharing this data. “I can paint an incredibly detailed and rich picture of who you are based on your Fitbit data,” he said at an FTC conference last year. “That data is so high quality that I can do things like price insurance premiums or I could probably evaluate your credit score incredibly accurately.”
Even if the companies that make these devices aren’t selling the data, there is another potential privacy concern. Users can send their data to dozens of third-party fitness apps on their phone. Once users do that, the data becomes subject to the privacy policies of the app companies, and these policies do not afford much protection, according to the Privacy Rights Clearinghouse. The group examined 43 popular health and fitness apps last year, and found that “there are considerable privacy risks for users.” A spokesperson for the FTC told Mother Jones that “fitness devices often work by having apps associated, and [Privacy Rights Clearinghouse’s] analysis here may be relevant.”
If there’s one entity that knows the value of the health data uploaded to these devices, it’s the CIA. Last year, at a data conference in New York, the CIA’s chief technology officer, Ira Hunt, gave a talk on big data. During the discussion, he told the crowd that he carries a Fitbit. “We like these things,” he said. “What’s really most intriguing is that you can be 100% guaranteed to be identified by simply your gait—how you walk.”