Fitness trackers run into resistance over data security concerns

Self-tracking boom has prompted consumer worries about security of personal data

Ten years into the self-tracking boom, wearable devices are becoming more sophisticated and multifunctional but are they really tracking what we want them to, do we even want to use them and how do we deal with the huge personal data trail left in their wake?

A decade ago the "quantified self" movement began in a whirlwind of techno-utopian promises of self-knowledge through self-tracking. Started by Wired magazine editors as a series of conferences and events, it mostly involved Silicon Valley types exploring self-empowered health and fitness through novel wearable sensors and big-data analytics. A few years later, the consumerisation of these tracking devices led to widespread adoption of wearables for counting everything from steps and calories to blood sugar and cholesterol levels.

Fitness trackers are now a staple of modern life: many of us either own a wearable such as a Fitbit, Apple Watch or Samsung Gear, or we use a smartphone app to count steps or workouts. The underlying assumption of the self-tracking, or the quantified self, is that to know thyself is to improve your quality of life.

Tracking steps taken every day can motivate us to reach the World Health Organisation’s recommendation of a 10,000 minimum to keep healthy and active; many trackers include a heart rate monitor, motion detection for sleep tracking and even blood oxygen levels. All this data is sent into the cloud and aggregated on apps designed to provide feedback for an optimised life.

Market success

And this is big business. The Pew Research Centre estimates that 60 per cent of all Americans engage in some sort of fitness tracking (weight, diet or exercise) while a report by ABI Research estimates that the number of wearable device shipments will reach 485 million units by 2018, and this excludes the market for self-tracking smartphone apps. Fitbit alone has 23.2 million active users, capturing 34.2 per cent of the wearable market (as of February 2017) while it is estimated that 11.9 million units of the Apple Watch were shipped in 2016 alone.

Market success aside, there is a dark side to self-tracking that includes high levels of device abandonment, issues of accuracy, emotional stress and, of the most concern, personal data security. Should we think twice before we transform our every move into a collection of data points?

First of all, if we splash out on fancy tracking gadgets, there is an expectation of accuracy but a 2017 study from the Stanford University School of Medicine sheds light on the wildly varying results between devices calculating calorie burn. An evaluation of seven popular wearables (the Apple Watch, Basis Peak, Fitbit Surge, Microsoft Band, Mio Alpha 2, PulseOn and the Samsung Gear S2) found that while the most accurate device was off by an average of 27 per cent, the least accurate was off by a staggering 93 per cent.

“The heart rate measurements performed far better than we expected but the energy expenditure measures were way off the mark. The magnitude of just how bad they were surprised me,” said Euan Ashley, professor of cardiovascular medicine, genetics and biomedical data science at Stanford.

The problem with these wearables, he said, is that users are expecting medical-grade results from consumer-grade devices that are clearly not held to the same standard. So, don’t go rushing into that third slice of pizza just because your app said you burned an impressive number of calories today – you probably didn’t.


Even if we take this energy consumption data with a pinch of salt, it can be useful as a motivator to keep you walking and exercising more, no? Not always. It turns out that personal trackers can some of turn us into guilt-ridden step-dodgers who fear that next workout notification popping up. A 2016 study of personal tracker abandonment found that individuals who stopped using their trackers (many blame uncharged devices) either were wracked with guilt when they stopped or felt frustrated with the technology for failing to help them reach their fitness goals.

Speaking of failure, are you wearing your right now? A 2016 study from Gartner says that about one in four of us are not. Twenty-nine per cent of smartwatch owners leave them lingering in the drawer while 30 per cent of other fitness trackers dump theirs. Reasons include not actually finding them useful, getting bored with them or because they break.

The biggest issue around these devices, however, is that of data security. A 2014 report from security firm Symantec concluded that "all of the wearable activity-tracking devices examined, including those from leading brands, are vulnerable to location tracking".

The quantified self is technologically driven but it has a long history that originates in pencil and paper, notes Prof Deborah Lupton, researcher and author of The Quantified Self, a critical analysis of the social, cultural and political dimensions of data-driven self-tracking.

“In the past people did engage in self-tracking with written journals but now we have these devices that do it for us 24/7. The big change is that it is no longer easy to keep this very personal information to yourself,” she says.

“The interesting paradox is that the deeper we go into knowing ourselves, the more we expose ourselves. And what I’m finding in my research is that people aren’t thinking about this,” says Lupton.

"Every time there is a significant data breach or cyber attack like the Ashely Madison hack or celebrity nude photos, it's all over the news so people may have heard of these events but they don't necessarily relate it to the personal data they generate through self-tracking."

Privacy concerns

During her research, Lupton says she has questioned individuals about privacy concerns with responses along the lines of “of course it’s safe” to “but it’s only on my smartphone”.

It is similar, she says, to attitudes towards online privacy where users of social media platforms might know on some level that the information is public but it “feels” private because they are talking to friends, thus mitigating any feelings of unease around this kind of semi-public sharing of personal information.

So the data generated from a morning run, afternoon snack or good night’s sleep feels personal but it leaves our personal domain as soon as we sync. It not only leaves us open to identity theft but also profiling from the insurance industry among other, stalking (if we use location tracking), and even extortion because many tracking apps are for sensitive health-related behaviours including mood, toilet schedules and sexual activity.

The Symantec report goes on to outline three separate risk phases for data generated on these personal tracking devices: on the device itself (storage), in transit (transmission), and in the cloud (storage). What this means is that local smartphone storage of tracking data is an initial risk: users are open to malware, especially when allowing permissions to potentially insecure or leaky third-party apps. As data is transferred to the cloud, it goes through wifi, Bluetooth and NFC, all of which have their own security issues. And then there are hacking and other data breach concerns as your data sits in the proprietor’s cloud storage facility.

And while most people think of risks in terms of hackers looking for valuable medical data or inadvertent data breaches, the device manufacturers may not always have our best interests at heart. Lupton warns that this data is “highly open to third parties including the device developers” who could use the information for their own purposes including advertising or selling it on to other companies.

The moral of the story? If you use a fitness tracker, take some aspects of data accuracy with a pinch of salt (oh wait, hypertension and bloating), take every effort to secure the device and associated app, and don’t forget to charge it. Or maybe just stop counting, have a piece of cake and go for a long walk.

Read More