Ensure that you're comfortable with the exchange of data for Fitbit's service
I think about my body a lot. I think about how it feels; how to make it feel better; what parts hurt; what I’m putting into it; how it’s sleeping; how much it weighs; how tall it is; whether or not it’s going to get Covid-19; how to treat it better… You get the idea.
And as someone who thinks about their body a lot, I’ve chosen to use a Fitbit — specifically a Fitbit Inspire HR — to help me understand it. But it wasn’t until I started this What Does the Internet Know About Me? series that I realized that while the Fitbit gives me a lot of information about myself, I don’t actually know what it knows about me.
Let’s start with the obvious: The purpose of a Fitbit is to help you track your health, in various ways. Users can customize what they want to track. I’m tracking:
On the less obvious side of things, the Fitbit also knows:
And then there are the even less obvious things that Fitbit could know about you, if they really wanted to. The following is all conjecture — there’s no evidence that Fitbit has an interest in figuring this stuff out about users. But I wanted to highlight how this data can be used in ways we all, as users, might not think about.
I decided to focus on whether or not Fitbit can tell when a user ingests different types of intoxicating substances. For example, a few months ago I had a boozy, full afternoon brunch with friends. Altogether, it was a very unhealthy day.
But when I got home, I noticed I’d burned over 3,000 calories that day, despite sitting on my butt and not getting even close to my 10,000 step goal. What was that about?
So I did some research. According to threads on the Fitbit Community site, it’s common for resting heart rate to go up a few beats both while drinking and for a couple of days after. This can “confuse” your Fitbit, because a higher heart rate should mean more physical activity — but in this case just means you’re boozing.
I was surprised by some of the other edge ways that people are using Fitbit. According to articles from 2018, at least one person was using their Fitbit to monitor how harder drugs were affecting them. There were also stories about using the Fitbit to keep a handle on drug use at Burning Man, the yearly music and art festival.
It might seem farfetched, but it’s theoretically possible that Fitbit — or someone with their hands on a user’s Fitbit data — could use a combination of location data (are they at a bar? At a festival like Burning Man?), time of day, and heart rate to determine if someone was ingesting a substance. For this to work, aggregate data would need to be studied to identify the markers of one activity (such as using an illicit substance) from other activities. This might be far unlikely, but even a simple peak at someone's data would allow you to draw broad conclusions about their health.
A perhaps more common theoretical situation is what could happen if the Affordable Care Act (ACA) is eliminated, allowing insurance companies to deny coverage if someone has a pre-existing condition. In that case, Fitbit data could be used to determine if someone has a heart condition, is overweight or obese, or even if they have issues with fertility.
Has this been done so far? Not to our knowledge. But we do know that Fitbit has programs that work with both insurance companies and employers. We also know that they share data with law enforcement if they’re legally required to. It’s impossible to know all of the edge cases of how this data could theoretically be used, but it’s important for us as users to understand the fact that there are edge cases — and that data this personal might reveal things about us that we’d prefer not to be revealed.
Lastly, I was curious about whether or not Fitbit knows my social media handles. In my profile, I checked out “Third Party Apps,” which showed that the only one I’d connected was MyFitnessPal. However, if you use the Facebook or Google sign-in option for Fitbit, it will have that information.
They also mention that they might share information when asked to share by the user, for example if you give a third-party app access to your Fitbit account or if you participate in an employee wellness program. In those cases, Fitbit will share information with those accounts or with your employer, until and unless you revoke that access.
I also asked who the “third parties” that Fitbit may share information with are. In addition to the ones I’ve already mentioned, they said they might share data with “partners who help us provide our product and services – for example, we share limited data on a confidential basis to our third-party customer support and billing service providers.”
Now, if I were in Europe, things might be slightly different because Europe has more stringent privacy protection than the US, in the form of the General Data Protection Regulation (GDPR). European Fitbit users are asked for explicit consent when they “take actions leading to” Fitbit obtaining “health data or another special category of personal data subject to the GDPR.” The examples they give include “when you pair your device to your account, grant us access to your exercise or activity data from another service, or use the female health tracking feature.” They also let European users withdraw their consent to sharing data or using their data for direct marketing at any time.
Fitbit is “free” in that you pay once for the device and that’s it — you don’t have to pay for subsequent access to the app. But I am giving them something in return: My data. So is it worth it?
For me, the benefit of trading my data for access to the Fitbit is clear. My Fitbit is my third-most used device, after my laptop and phone. I look at it dozens of times per day, whether it’s to check the time, my steps, my calories burned, my heart rate when I’m working out, or the timing of a workout. It’s an essential part of my health plan, keeping me on track with my health and fitness goals and giving me insights into what’s going on inside my body.
What can I say? I’m a nerd. I like data and numbers and Fitbit is excellent at providing me with those.
The data collected by Fitbit is some of the most personal data that a company could collect. It’s about our bodies; these weird vessels that we move around in. Fitbit is great because it tells us things about our insides, but it also means that it should be held to a high standard when it comes to how they manage and use our data.
From what I can see from the outside, they take that responsibility pretty seriously. They don’t sell personal data to advertisers. They’ve taken HIPAA into account, becoming as close to compliant as possible in order to make it easier for them to work with insurance companies and health care providers. And they give users the right to view, download, and delete their data at any time, which is right in line with privacy best practices.
However, like all data sets, it’s possible that my Fitbit data could be used against me in ways I haven’t anticipated. For example, it could be used in a criminal case, which has happened a couple of times already. So far, though, the data that have been used in criminal cases — at least the ones we know about — were supplied by the users themselves. I reached out to Fitbit for more information on when they share information with law enforcement and have not heard back at time of publication.
The other big question mark at this time is what will happen now that Fitbit has been acquired by Google. The deal was originally announced in 2019; was tied up in regulations for a while; and finally went through in January 2021. And, some users are concerned about Google having access to even more information about them.
Both Fitbit and Google have made strong statements about protecting user privacy moving forward, assuring us that nothing will change. Google says that “This deal has always been about devices, not data, and we’ve been clear since the beginning that we will protect Fitbit users’ privacy.” And in their announcement about the acquisition, Fitbit wrote:
“The trust of our users will continue to be paramount, and we will maintain strong data privacy and security protections, giving you control of your data and staying transparent about what we collect and why. Google will continue to protect Fitbit users’ privacy and has made a series of binding commitments with global regulators, confirming that Fitbit users’ health and wellness data won’t be used for Google ads and this data will be kept separate from other Google ad data. Google also affirmed it will continue to allow Fitbit users to choose to connect to third party services.”
After all of this, I still feel comfortable with the exchange of data for service that I have with Fitbit. Might that change in the future? Sure. Maybe. But so far they seem to be doing a pretty good job.
The latest sizable data breach from Facebook can and should be a motivation for many people to move off SMS-based codes to authenticator apps.
Sharing your location by choice is a great way to connect with your loved ones, but many apps that share your location can also be used as a form of stalkerware.