Lately, fitness-minded Americans have started wearing sporty wrist-band devices that track tons of data: weight, mile splits, steps taken per day, sleep quality, sexual activity, calories burned—sometimes, even GPS location. People use this data to keep track of their health, and are able to send the information to various websites and apps. But this sensitive, personal data could end up in the hands of corporations looking to target these users with advertising, get credit ratings, or determine insurance rates. In other words, that device could start spying on you—and the Federal Trade Commission is worried.
"Health data from [a woman's] connected device, may be collected and then sold to data brokers and other companies she does not know exist," Jessica Rich, director of the Bureau for Consumer Protection at the Federal Trade Commission, said in a speech on Tuesday for Data Privacy Day. "These companies could use her information to market other products and services to her; make decisions about her eligibility for credit, employment, or insurance; and share with yet other companies. And many of these companies may not maintain reasonable safeguards to protect the data they maintain about her."
Several major US-based fitness device companies contacted by Mother Jones—Fitbit, Garmin, and Nike—say they don't sell personally identifiable information collected from fitness devices. But privacy advocates warn that the policies of these firms could allow them to sell data, if they ever choose to do so.
Jeffrey Chester, executive director for the Center for Digital Democracy, says that these privacy policies are so broad that they could allow the companies to sell health data—even if they aren't doing so now. "When companies promise that they aren't selling your data, that's because they haven't developed a business model to do so yet," Chester says.
Scott Peppet, a University of Colorado law school professor, agrees that companies like Fitbit will eventually move toward sharing this data. "I can paint an incredibly detailed and rich picture of who you are based on your Fitbit data," he said at an FTC conference last year. "That data is so high quality that I can do things like price insurance premiums or I could probably evaluate your credit score incredibly accurately."
Even if the companies that make these devices aren't selling the data, there is another potential privacy concern. Users can send their data to dozens of third-party fitness apps on their phone. Once users do that, the data becomes subject to the privacy policies of the app companies, and these policies do not afford much protection, according to the Privacy Rights Clearinghouse. The group examined 43 popular health and fitness apps last year, and found that "there are considerable privacy risks for users." A spokesperson for the FTC told Mother Jones that "fitness devices often work by having apps associated, and [Privacy Rights Clearinghouse's] analysis here may be relevant."
If there's one entity that knows the value of the health data uploaded to these devices, it's the CIA. Last year, at a data conference in New York, the CIA's chief technology officer, Ira Hunt, gave a talk on big data. During the discussion, he told the crowd that he carries a Fitbit. "We like these things," he said. "What’s really most intriguing is that you can be 100% guaranteed to be identified by simply your gait—how you walk."