Fitness apps are a “privacy nightmare”, shedding personal data to the highest bidder

Fitness apps are a "privacy nightmare", shedding pounds of personal data to the highest bidder

Image of jogger with phone courtesy of ShutterstockLately, Zumba has been killing me.

My right knee aches, and I swear I’ll need a new hip within a few years.

Is that really data that I want sold to the highest bidder, from whence it could find its way into the hands of prospective employers, insurers, or mortgage lenders, any of which could conceivably discriminate against me based on this intimate information?

Unfortunately, privacy advocates warn, we’re jogging with our fitness apps straight into that type of privacy quagmire.

The Washington Post quotes Deborah Peel, the executive director of Patient Privacy Rights, who called the growing fitness data marketplace a “privacy nightmare”, given that the vast majority, if not all, of the health data these apps collect has “effectively zero” protection.

Take, for example, Facebook’s recently acquired fitness and activity tracking app, Moves.

Moves describes itself as an “activity diary” for iPhone and Android mobile devices. It does things like count how many steps you take every day, then presents it in a slick interface on your mobile phone.

It gets that information by mixing data from mobile phones’ motion sensors with GPS information to track a user’s location and activity throughout the day.

Moves’s algorithms can differentiate between different types of exercise, such as biking or running, and can calculate distances traveled and calories burned.

That means the app knows not only a user’s location, pinpointed down to an exact building, but also whether he or she got there on foot, bike or bus.

The data-rich landscape being created by the proliferation of this type of fitness app has tech heavyweights drooling.

Apple, for one, has been on a hiring spree in the biomedical field, Reuters recently found when rifling through LinkedIn profile changes, with much of the hiring being centered on sensor technology that could feed into its development of the iWatch and other wearable technology.

Google, for its part, has been working not just on wearable tech such as Glass, but also on other medical products, such as contact lenses for diabetics that read tears to ascertain glucose levels, the Post reports.

Google pre-briefed Lorenzo Hall, chief technologist at the Center for Democracy & Technology, before its January announcement about the contact lenses. Google assured Hall that data collected by the contacts would be kept out of the wealth of personal data collected by the company through its other services, Hall told the Post.

So who’s keeping an eye on the sensitive data collected by fitness apps?

Unfortunately, we can expect little oversight by traditional medical watchdogs.

The data isn’t protected by the Food and Drug Administration, given that fitness apps or gizmos don’t generally qualify as medical devices.

Nor does it merit the privacy protection of the US’s Health Insurance Portability and Accountability Act (HIPAA), which covers privacy with regards to information handled by medical professionals.

As the Post reports, fitness apps seem to be falling through an FDA loophole:

A list of examples of types of apps that fall into this category on the FDA Web site appears to encompass features commonly found in fitness tracking apps, but a footnote includes a potential loophole -- saying that when these type of apps "are not marketed, promoted or intended for use in the diagnosis of disease or other conditions, or in the cure, mitigation, treatment, or prevention of disease, or do not otherwise meet the definition of medical device, FDA does not regulate them."

The FDA for now is pretty much steering clear of regulating health-related apps unless they pose a clear and present medical danger to consumers.

The Federal Trade Commission, for its part, hosted a public conference about consumer-generated health data earlier this month as it tries to figure out where it fits into this new regulatory scene.

But the FTC has limited means to punish companies if they break their promises to consumers, lacking the power to issue fines over first offenses.

That leaves it up to consumers to watch their own backs when it comes to reading the privacy policies for these apps, FTC Senior Staff Attorney Cora Han pointed out to the Post:

Consumers may not always read the privacy policies of some of these apps. And even if they do some of them might be worded in legalese so consumers might not understand the choices they are making with their information.

Some things to keep in mind when reading such privacy policies, as privacy advocates point out:

  • Just because an app’s privacy policy rules out selling data doesn’t mean it’s not getting around that on a technicality by trading the same data.
  • Beyond an FTC investigation, there’s nobody really auditing these apps’ privacy promises.
  • As Moves’s privacy policy change made clear, privacy policies aren’t immune to being changed – particularly when changing them benefits an acquiring company.

Image of jogger with phone courtesy of Shutterstock.