07 Feb Fitness App Data Privacy – The Danger of OversharingReading Time: 6 minutes
The Downside of fitness apps
Last year I worked out 161 times, ran 360 miles and set 22 personal records. How do I know? GPS tracking and fitness apps on my phone have make it easy. Peter Drucker said, “You can’t manage what you can’t measure.” Technology makes it possible to measure life with no effort, and support the kind of self-realization that people strive for, but collecting all that data and sharing it comes with some peril to ourselves and society. You need to think about fitness app data privacy.
Measure to improve
I know I ran 6.5 miles this week because I use the Strava app on my iPhone. It records my location, speed, distance and pace for runs and rides on my bike. It also records my route using GPS and tells my time on any of the routes in it’s database that have been created by its 30 million users. I have a watch that does the same thing and automatically uploads the information to Strava, so I don’t even have to carry my phone to track my runs. I have another app, fitbod which programs and records my weight-training. Each app talks to the others and they talk to Apple health. I get a unified view of all my exercise and progress.
Continual progress towards a worthy goal
Ever tried to lose weight or get stronger? It is slow going. Any kind of sustainable effort yields gradual incremental results. Your weight loss may be imperceptible on a daily basis. Once you get past the newbie gains in strength training, you may not be ready to increase the weight on your lifts for weeks. Fitness trackers help you to see the gradual progress over time. They help you see the pattern emerging, even if on a daily basis nothing seems to be happening. Seeing this kind of progress does wonders for one’s motivation.
The old-fashioned way of timing your runs
I was doing this kind of tracking before all the technology arrived. When we would go for our weekend runs in Golden gate Park, my wife and I would mark off the miles with chalk on the roadway. Hanging out the door of the slowly rolling Miata, we’d use the car’s odometer to mark off 5K on our prospective route. Then we’d use stopwatches and notepads to keep time and calculate the pace on mile splits. Laborious, but that was how you did it back then.
Million man run
Millions of people use Strava all over the world. They share their runs and bike rides with their friends, and most share with everyone in the general public as well. You can compete with and cheer on your friends. You can see how you rank out of all the people in the world on any particular route. It’s a worldwide community of runners.
The danger of oversharing
Strava, wanted the show the power of this dataset. They made a heatmap of all the routes that athletes travelled in their database of over 3 trillion GPS coordinates. Billions of routes, each one a faint trace on top of each other. Where many traces stacked up the color becomes more saturated. The most popular routes glow brightly, whereas the lonely trails barely show. Europe is covered by a mesh of bright stripes so dense you can hardly make out lines. Places like Somalia or Afghanistan are almost blank, vast black voids.
Strava runner like me, you pored over the map to see where your effort had contributed to glow. Looking at the barren places like Afghanistan, some sharp-eyed person saw that there were traces way out in the middle of nowhere. Geometric traces like you would get if you were running around a campus or facility. It turned out that these routes were outlining military bases in Helmand province. Some special forces soldiers wanting to keep up their fitness were recording their runs, inadvertently giving away their location. Now, this is clearly not Strava’s fault. It is a failure of operational security more that malfeasance by the technology company. I suggest we might temper our criticism of anyone because the unintended consequences of data sharing are not always obvious
Who watches the weight watchers?
For a year, I tracked everything I ate on MyfitnessPal. It is incredibly easy. You just start typing in the name of the food you’re eating, and the nutritional information pops up and gets logged. Whether it’s a burrito from chipotle or a recipe you cooked up from home, there is a record in the MFP database which has the calories, fat, protein and carbohydrate content of it. If you can remember to do it once a day, logging your food takes less than 5 minutes. Going way beyond calorie counting, food logging apps let you focus on your nutrition with the same level of precision as a medical clinic or a sports training center. If recording your workouts was hard before smartphones, food logging was well nigh impossible.
Over the course of a year, I lost 20 lbs. and put on 10 lbs. of muscle. I eat better than I ever have in my life and get the protein and fiber that my doctor has been nagging me about for years. Beyond the value of measuring to manage, the whole time I was logging days in MFP, I was learning about the foods in my diet and how they contributed to my reaching my goals. The whole time I was learning. It sticks with you. After a year, I was pretty much done with MFP, I could tell at a glance how many calories were in a dish and what I needed to eat to hit my macronutrient targets. I could also see some patterns that weren’t obvious before. For example, if I ate more than the RDA of sodium any particular day, my weight would go up by several pounds the next. That sodium in my system was helping me retain water. I learned not to freak out bout large weight fluctuations and focus on longer term patterns.
Disorder from order
Some researchers think that this habit of measuring everything you eat looks a lot like disordered eating. Excessive focus on food data might exacerbate eating disorders for those who are prone to them. A logical premise, but the research so far doesn’t back that up. The harm doesn’t come necessarily from how use use the data but how that data might be hacked or stolen or legitimately sold to someone who has an impact on your life. Insurance companies have started to look at social media feeds to help evaluate risk in insuring people. Aetna Carepass service already has explicit partnerships with MyFitnessPal, Fitbit, RunKeeper and Withings. Right now, they are incorporating the data into corporate wellness programs. But if they start pricing healthcare premiums based on how many steps you take a day, you are ceding a whole lot of freedom.
Triangulating on identity
The problem is not just the health app data. That may be encrypted on your phone and protected by a password. Even without the PII, it is not hard to match up the health data with an individual. If you have somebody’s birthday and zip code and one other piece of information, 80-some percent of Americans are identifiable just based on those three pieces of information. Just imagine if you could associate location data as well. They’re going to know who you are. Your medical identity data may be worth 10 times what your financial identity data is worth.
They know who you are
Now add to this the information from your grocery store loyalty card. Any health insurer with access to all that data is going to be making some decisions about your pricing based on your recorded behavior. If you have diabetes and you only walk around the block once a week and buy pound cake at Safeway, an insurers not going to be too excited about covering you.
Garbage in, garbage out
The problem with all this is that there is little quality control in the datasets. A consumer of my Safeway rewards card data would get a very skewed very incomplete idea of what I eat. In my case, it’s usually meat and club soda that I buy from Safeway. I buy all my vegetables at the green grocer down the street and pay in cash. Those purchases can’t be tracked. I buy other things at Trader Joes. Anyone looking at my Safeway purchases as an indicator of nutrition would be very dismayed.
Fortunately they don’t know what I buy at Safeway because I use somebody else’s club code. It was my old cell phone’s number. Now it’s somebody else’s and so are my Safeway records. All my purchases go on her number. She’s probably getting a few cookie coupons that are rightfully mine. I can live with it. Thank you Mrs. Hernandez, whoever you are.
Fitness app data privacy
There are three things you have to do to protect yourself. 1.) Read the data use and privacy policies of any apps you use. Decide if they are worth the risk. 2.) Get involved. Decisions about how your data needs to protected are being debated right now. Support organizations like the Electronic Frontier Foundation who are advocating for you. 3.) Resist. Don’t make it easy to add your data up to identify you. I offer my Safeway rewards card story as an example of aggressive non-compliance.