New study asks, "Who's tracking whom?"

They’re like having your own personal trainer – at a fraction of the cost. But findings from a study by researchers at the University of Toronto reveal that fitness trackers, the popular wearable devices that track our steps, calories, sleep, and other data, may also be tracking us.

The report, Every Step You Fake: A Comparative Analysis of Fitness Tracker Privacy and Security, analyzed devices made by Apple, Basis, FitBit, Garmin, Jawbone, Mio, Withings, and Xiaomi. The research, a collaborative effort between Open Effect, a non-profit applied research group focussing on digital privacy and security, and the Citizen Lab at the Munk School of Global Affairs at the U of T, was funded by the Privacy Commissioner of Canada’s Contributions Program.

Two sections of the report - the study background and the technical methodology and findings - were released in advance to alert consumers to the measures the companies were – or were not, as the case may be - taking to secure their personal information.

Researchers found that seven out of eight of the devices emitted unique identifiers (Bluetooth Media Access Control addresses) that could expose users to long-term location tracking when the tracker was not paired and connected to a mobile device. Other vulnerabilities were also exposed. According to the report, Jawbone and Withings apps can be exploited to create fake records, while Garmin Connect does not use basic data transmission security practices for its iOS or Android applications. Only the Apple watch was found to be without technical vulnerabilities.

While these devices enjoy a widespread appeal, the researchers assert that as fitness data is used in an increasing number of new areas, such as insurance, corporate wellness, and courts of law, consumers deserve to be better informed about the privacy policies of these devices. 

Read the full report here.