A blog post

Your Self-Tracking Data Is At Risk

Use an activity-tracking device, such as a fitness tracking band, or application? Users should be very cautious, as serious security issues mean your data may not be safe. These tracking devices and applications contain a lot of personal, private information. According to Symantec, in a Report entitled “How safe is your quantified self?”, users need to be very concerned about security with these devices and applications as their data may be at risk.

ACTIVITY/ SELF TRACKING

The “quantified self” is a phrase that has gotten a lot of attention in the past couple of years. It generally means a person using technology to help gather information about themselves, which may be used to track activities, personal well-being, health, productivity and many other items. Other terms that are sometimes used for “quantified self” include self-tracking and activity-tracking.

The self-tracking market is already very large. According to some studies, 60 percent of Americans now regularly track their weight, diet or exercise activity through an application or device. By the year 2018, the number of wearable computing devices shipped each year will reach 485 million units.

There are a number of different types of activity tracking devices and applications. The most common devices are smartphones and wearable tracking devices. These devices can track some data themselves while some use a combination of data gathered plus what a user inputs. As for applications, most of these, which are not using the device’s sensors to track something, rely on the user to input information. An example is a “calorie counter” in which a user enters what he or she ate during the day.

Information gathered by these devices is stored on the device itself. It can also be transmitted to a paired device, such as a smartphone, tablet or computer. It can also, either through the device itself or a paired device, go into the cloud and the manufacturer's or developer's services. According to Symantec, all of these areas have significant security vulnerabilities.

INFORMATION GATHERED

Activity tracking devices and applications may contain all kinds of information about users, including information that the user would be unlikely to want shared publicly. Some of this information is entered by the users themselves while other information is gathered by the device or application itself. Such private information goes beyond that which would usually be vulnerable, such as date of birth and social security number, and may include:

  • Consumption (Food; Drink; Medication)
  • Bodily functions (Body PH; Menstruation/Fertility; Pregnancy; Stool/Bowel motion)
  • Physical activity (Sports Activity; Sleep; Travel; Sexual Activity; Tooth Brushing)
  • Medical Symptoms
  • Spatial (Location; Altitude; Time; What You See)
  • Physiological Statistics (Heart rate; Blood Sugar/Glucose; Temperature; Blood pressure; Weight; Breathing)
  • Mental Health (Mood; Stress Levels; Alertness)

Symantec’s Report contains a diagram of the anatomy of a tracking device.

[Figure: Typical wearable activity-tracking device]

WHY YOU SHOULD BE WORRIED

You might be asking, “Why should I worry?” According to the Symantec Report, you should be worried because your private information can be used to harm you if obtained by a malicious third party. Some of the risks and harms include:

  • Identity Theft
  • Profiling
  • User Location/ Stalking
  • Embarrassment and Extortion
  • Corporate Use and Misuse

As most of the trackers are used for self-improvement or for medical purposes, the information can be extremely private. Not many people want others to know about their sexual activity or toilet usage.

SECURITY DEFICIENCIES

Symantec found significant deficiencies with many of the devices and applications, especially in the areas of:

  • Location Tracking
    • All wearable tracking devices tested
  • Transmission of Tracking and Personal Data, including passwords, in clear text
    • 20% of applications examined
  • Lack of Privacy Policies
    • 52% of apps examined did not have available privacy policies
  • Contacting Multiple Domains
    • Average number of unique domains contacted by the self-tracking apps was 5 and the maximum number was 14
  • Weak Session Management and Security
  • Unintentional Data Leakage

With all of these security problems, your private information is vulnerable to hackers and others. Without privacy policies, many users are not even aware of the risk of their data being intercepted or shared.

PROTECT YOURSELF

The Report makes the following suggestions for users using fitness tracking devices and applications:

  • Use a screen lock or password to prevent unauthorized access to your device.
  • Do not reuse the same user name and password between different sites.
  • Use strong passwords.
  • Turn off Bluetooth when not required.
  • Be wary of sites and services asking for unnecessary or excessive information.
  • Be careful when using social sharing features.
  • Avoid sharing location details on social media.
  • Avoid apps and services that do not prominently display a privacy policy.
  • Read and understand the privacy policy.
  • Install app and OS updates when available.
  • Use a device-based security solution.
  • Use full device encryption if available.

These security suggestions are basically the same for many mobile devices, and some are not available for a lot of activity trackers. They may help protect the information once it reaches your phone, tablet or computer, but are not foolproof. Unfortunately, there is not a lot you can do to a device itself other than not use it.

CONCLUSION

The quantified self is important and a natural progression of technology. It is a better and more efficient way to track information. Activity-tracking devices and applications are readily available and can, for some, be free or very inexpensive. They are also very useful. I use a fitness tracking band myself. However, make sure you are aware of the privacy risks and protect your data as much as you can. You do not want to become a quantified victim. Hopefully, manufacturers and developers will start to consider security in future devices.

Source (content and some images): How safe is your quantified self? (Version 1.0 – July 30, 2014, 12:00 GMT) by Mario Ballano Barcena, Candid Wueest, Hon Lau / Symantec

Jeffrey Lapin

Lawyer, Founder and Owner at Lapin Law Offices
I am a trial lawyer and the Founder and Owner of Lapin Law Offices. I represent injured, abused and disabled clients with caring, passion and dedication in Lincoln and throughout Nebraska.
