Fitness trackers, wearable devices that record their wearer's step count, heart rate and calories burned, generate a large volume of data that is sent over the internet (sometimes insecurely) and used by device manufacturers in ways that are often opaque to the user.

Every Step You Fake: A Comparative Analysis of Fitness Tracker Privacy and Security is a report by Open Effect, a not-for-profit research group, with significant contributions from the Citizen Lab at the Munk School of Global Affairs, University of Toronto. The report describes security and privacy issues found in fitness wearables and their implications for consumers and policy makers.

This report is the product of a year-long study that used three different methodologies to better understand what fitness tracking companies do with consumers' personal information. We employed technical analysis to observe actual data transmissions, policy analysis to understand the rights companies grant to themselves and to third parties, and a third method in which research participants filed legal requests for access to their own data.

Main Findings

  • All studied fitness trackers except the Apple Watch were vulnerable to Bluetooth MAC address surveillance: the device broadcasts a persistent Bluetooth address that a third party can use to track the wearer.
  • The Garmin, Withings, and Bellabeat applications failed to use transit-level security for one or more data transmissions, leaving user data exposed.
  • The Jawbone UP application routinely sent out the user's precise geolocation for reasons not made obvious to the user.
  • Fitness tracking companies gave themselves broad rights to utilize, and in some cases sell, consumers' fitness data.
  • The data fitness tracking companies collected did not necessarily match what users could obtain through an access request.
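The first finding rests on a property of Bluetooth LE addressing that a practitioner can check for any device with a passive sniffer. The script below is an added example for this summary, not code from the Open Effect report: it classifies the advertiser address type (public, static random, resolvable private or non-resolvable private, following the encoding in Bluetooth Core Spec Vol 6, Part B, Sec. 1.3), flags fixed addresses that recur across capture sessions, and also flags the case address randomization does not cover, a constant identifier in the advertising payload that re-links rotated addresses. The observations are constructed sample data, not captures from the studied devices.

```python
"""Classify BLE advertiser addresses and flag devices a passive sniffer
could re-identify across sessions.

Added example, not from the Open Effect report. An LE advertising report
carries a flag saying whether the address is public or random; for random
addresses the two most significant bits of the first (most significant)
byte distinguish static random (0b11), resolvable private (0b01) and
non-resolvable private (0b00). All sample observations are constructed.
"""
from collections import defaultdict

RANDOM_SUBTYPES = {
    0b11: "random-static",
    0b01: "resolvable-private",
    0b00: "non-resolvable-private",
}


def classify_address(addr: str, is_random: bool) -> str:
    """Return the BLE address category for a colon-separated address string."""
    if not is_random:
        return "public"  # IEEE-assigned, never changes
    first_byte = int(addr.split(":")[0], 16)
    return RANDOM_SUBTYPES.get(first_byte >> 6, "reserved")


def is_fixed_address(kind: str) -> bool:
    """Public and static random addresses persist; static random changes at most on power cycle."""
    return kind in ("public", "random-static")


# Constructed observations: (session, address, is_random_flag, advertised name).
# Sessions stand for sniffer captures taken at different places and times.
# Ground truth for the reader only: the first two devices use fixed
# addresses, the third rotates a resolvable private address and sends no
# name, the fourth rotates a non-resolvable address but keeps a unique name.
OBSERVATIONS = [
    (1, "C4:BE:84:12:34:56", False, "Tracker-A"),
    (2, "C4:BE:84:12:34:56", False, "Tracker-A"),
    (3, "C4:BE:84:12:34:56", False, "Tracker-A"),
    (1, "F3:1A:77:90:0B:CD", True,  "Tracker-B"),
    (2, "F3:1A:77:90:0B:CD", True,  "Tracker-B"),
    (1, "5A:01:22:33:44:55", True,  ""),
    (2, "6E:99:12:AB:CD:EF", True,  ""),
    (3, "4C:10:F0:0D:BE:EF", True,  ""),
    (1, "2B:45:67:89:AB:CD", True,  "Tracker-C"),
    (2, "3F:00:11:22:33:44", True,  "Tracker-C"),
]


def recurring_fixed_addresses(observations):
    """Addresses that are public or static random and were seen in more
    than one session: what the sniffer can track with no extra work.
    Returns {address: (kind, sorted sessions)}."""
    sessions = defaultdict(set)
    kind = {}
    for session, addr, is_random, _name in observations:
        sessions[addr].add(session)
        kind[addr] = classify_address(addr, is_random)
    return {
        addr: (kind[addr], sorted(seen))
        for addr, seen in sessions.items()
        if is_fixed_address(kind[addr]) and len(seen) > 1
    }


def names_linking_rotated_addresses(observations):
    """Advertised names seen with more than one distinct address. A constant
    payload field like this undoes address randomization, so a device that
    rotates its address is only unlinkable if the payload is generic too.
    Returns {name: sorted addresses}."""
    addrs = defaultdict(set)
    for _session, addr, _is_random, name in observations:
        if name:
            addrs[name].add(addr)
    return {name: sorted(a) for name, a in addrs.items() if len(a) > 1}


if __name__ == "__main__":
    for addr, (kind, seen) in recurring_fixed_addresses(OBSERVATIONS).items():
        print(f"trackable by address: {addr} ({kind}) seen in sessions {seen}")
    for name, addrs in names_linking_rotated_addresses(OBSERVATIONS).items():
        print(f"trackable by payload: '{name}' links addresses {addrs}")
```

On the constructed data only the device that both rotates a private address and advertises no unique name escapes both checks; a real assessment would run the same two checks over captures taken hours apart and also look at manufacturer-specific data fields, which can leak a stable identifier just as a name does.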

Devices Studied

We studied nine different fitness tracking devices. We examined the Bluetooth communications between each device and the smartphone, and the Internet communications of the device's companion smartphone application. We also examined each device manufacturer's privacy policy, and had research participants who were using the devices file right-to-information requests with the device manufacturers.

Apple Watch
Basis Peak
Bellabeat LEAF
Fitbit Charge HR
Garmin Vivosmart
Jawbone UP 2
Mio Fuse
Withings Pulse O2
Xiaomi Mi Band

Funding Acknowledgement

This project is funded by the Office of the Privacy Commissioner of Canada (OPC); the views expressed herein are those of the author(s) and do not necessarily reflect those of the OPC.
Open Effect has licensed this work under a Creative Commons Attribution-ShareAlike 2.5 Canada license. All brand and product names and associated logos contained within this report belong to their respective owners and are protected by copyright. Under no circumstances may any of these be reproduced in any form without the prior written agreement of their owner.