BY: Victoria Heath
I bet you were sold when you saw the 15-second Apple Watch ad featuring a sweaty Nick Jonas. Five seconds in, his angel face looked down at his Apple Watch to check his sprint time. Unsatisfied (or satisfied, it’s hard to tell) he then sprinted off again into the futuristic distance, taking your reservations about the Apple Watch with him.
Or maybe you’ve bought one of the other fitness wearable devices on the market, such as Basis Peak, Bellabeat Leaf, Fitbit Charge HR, Garmin Vivosmart, or Jawbone Up 2. All of them promise a healthier life by tracking your fitness data throughout the day and helping you set attainable fitness goals.
However, if you’re wearing one of these right now, I suggest taking it off.
Whether you’ve bought one already or are thinking of buying one, a group of researchers wants you to think twice about the security of those devices. Open Effect, in collaboration with the ambiguously named “Citizen Lab,” operating out of the University of Toronto, tested all of these products and found them riddled with security flaws.
One of the most striking flaws researchers found in the devices were their vulnerability to Bluetooth MAC address surveillance, especially if they were not connected to a user’s phone. As we all know, most of our devices, including our phones have the ability to transmit signals over Bluetooth–that’s fairly standard nowadays. What worries these researchers, however, is the fact that the MAC address, which is a unique serial number for every device (essentially its identity and thereby yours if your wearing it), is openly transmitted through Bluetooth on these fitness devices, wholly unprotected.
This essentially means that if someone wanted to track your location, they could identify you through that unique MAC address and track the signals your Bluetooth emits. In fact, many public venues, such as malls, scan customer Bluetooth signals in order to track their movements for data. Most of this information is a gold mine of user’s information for law enforcement, or other entities that might not have your best interest at heart. Fortunately, Apple Watch doesn’t have this vulnerability, so you’re safe to follow Nick Jonas’ example in this case.
Empower yourself and turn up the pressure.
If the security flaws in your fitness tracker worry you, or if you’re just paranoid about mass surveillance in general, Open Effect has developed a website dedicated to this report. In fact, the organization encourages you to learn more about your particular device and pressure its manufacturers to fix its flaws. It even offers a “compare the trackers” option if you’re currently shopping around for a device.
Also through this website, you can conduct an “access information” request that goes directly to the companies to find out what they do with your personal data. Well, that’s only if you live in Canada. There is actually no federal, comprehensive information privacy law in the United States that requires companies to release to you information about your data, and what they do with it. California, however, always a beacon of progress (and debt) in the U.S., will be voting on a “Right To Know Act” in November 2016 that mirrors Canada’s law.
Still want to use that fitness tracker? Maybe move to California, or Canada. I vote Canada.
You can read the full report by Open Effect, “Every Step You Fake: A Comparative Analysis of Fitness Tracker Privacy and Security,” by following this link.