A friend and I once used Strava, cross-referenced with public water records, to find a celebrity athlete’s house so we could take a picture in front of it. While our adventure was relatively benign, this is exactly the kind of thing people are worried about when they share their workouts on sites like Strava: that someone will use it to track them down.
“We take privacy very seriously,” says Rosamaria Gonzalez, Strava’s director of customer support. Because the site thrives on users posting and sharing workouts, it’s had to confront users’ fears head on. That means you can now opt to make workouts only visible to certain people, to hide your start/end location, to make some or all of your activities private, or to opt out of many features.
But with more and more people using fitness trackers, social media sites, and a variety of technology in their workouts, the odds are that you’re not covering all your privacy bases. And you’re probably worrying about the wrong thing.
When it comes to your digital security there are three areas of concern, explains Candid Wueest, a principal researcher and security expert at Symantec: the hardware itself that records your data, apps that transmit data, and social media sharing of workouts or races. The apps and data transmission are “the most critical part,” says Wueest. Maik Morgenstern, the chief technology officer at AV-TEST, another top internet security firm, agrees. “The data is the biggest problem,” he says.
While there are a growing number of urban legends about criminals using Instagram posts to track your daily run routes or trawling Facebook to find out when you’re away from home, that’s not the biggest worry, Wueest and Morgenstern say. Those things can and do happen, and have created new issues for law enforcement. And for some, that risk is magnified if there are people they don’t want in their lives, stalkers, or possible threats. While Strava has not had complaints of criminal activity, Gonzalez says, they do get users who want to be sure their activities will be blocked from specific people. The challenge with separating out those issues, says Wueest, is that while social media has made stalking easier, for example, stalkers can find your information other ways if they really want it. If someone wants to rob you, they’re going to; posting your activities online just makes it a little less difficult.
The bigger concern in the aggregate, though, when it comes to fitness and online security, says Morgenstern, isn’t what you choose to share—it’s what you don’t. The fitness tracking app on your cell phone holds a lot of personal data about you—and it’s not very well-protected.
Both AV-TEST and Symantec conducted separate tests on some of the top fitness apps and trackers. What they found was not encouraging. According to Wueest, 20 percent of the top 100 apps send your password in clear text unencrypted on the backend. That means that any fairly low-level hacker could simply access your password if you’re using free wi-fi. (Once Symantec alerted those apps to the security risk, only half fixed the problem.)
Why does that matter?
“Well, most people only use one password,” says Wueest, meaning that anything that gives someone access to your password gives them access to more important accounts. There have also been a number of complaints that criminals have hacked into fitness trackers or bracelets, changed the email connected to the account, and then warrantied the item so they could re-sell it (in turn, disabling the old one).
The second problem is that much of our fitness and health data is very personal: our date of birth, height and weight, address, and all of our health issues and activities. In the wrong hands that information could be problematic. Even according to the FBI’s most recent report on criminal internet activity, the biggest threat, outside of Nigerian prince-style scams, is the theft of people’s personal data, which is then used to steal money, assets, or identities.
Morgenstern believes the additional danger no one is yet worried about is that “even if the device or app is secure, there are still the ‘authorized’ parties that will have access to the data.” What that means is, ultimately, your data could be legally accessed by health insurance companies, corporations willing to pay for the information, or even consumer reporting agencies. In the worst version of the future, he says, there are concerns your private data could affect your ability to get a loan or the price you pay for health insurance.
To protect yourself, Wueest suggests abiding by all the traditional rules of data security: using strong and different passwords, double authentication when possible, vetting the credibility of the trackers and apps you use, and limiting what you post.
Or, you can just go with the old ‘abstinence is the best birth control’ theory. “If possible, don’t share any information at all: Not with Google, not with social media, not with other people,” says Morgenstern.
That will probably be a lot less fun though.