Some of the top-selling brands of fitness trackers that monitor wearers' heart rates, sleeping patterns and movement are putting user data and privacy at risk, according to a new report.
Cybersecurity researchers at the University of Toronto examined eight popular wrist-worn trackers. They tested how they communicate with mobile apps and even upload and store a user's workout information on manufacturers' computer servers.
- Wearable technology: Canada emerging as a global leader
- Retailers use smartphones to track your habits in the store
- Do fitness trackers really change our behaviour?
The researchers conclude that several models expose users to potential internet snoops and hackers even when devices aren't being used for exercise and mobile apps are turned off.
"Fitness trackers are a fairly new technology and we don't have many regulations right now," said lead researcher Andrew Hilts, who is executive director of Open Effect and a research fellow at Citizen Lab at the U of T's Munk School of Global Affairs.
"We found cases where your data is being sent and you might not be aware, and there's no apparent reason why it's being sent," Hilts told CBC News.
The study examined popular models made by Garmin, Fitbit, Jawbone, Mio, Withings, Xiaomi, Basis and Apple.
Each of the devices uses Bluetooth technology that emits a signal and a unique ID that can be detected even when the tracker is not paired with a mobile phone.
This "can leave their wearers exposed to long -term tracking of their location," concludes the Open Effect / Citizen Lab research report released Tuesday.
To demonstrate, Hilts accompanied CBC News to Yorkdale Shopping Centre in suburban Toronto. He used his own mobile phone to scan for Bluetooth signals. He detected many devices, including a Garmin Vivoactive Smartwatch worn by squash enthusiast Mike Maiola.
"That can be a bit invasive," Maiola said with some surprise when CBC News showed him that his wristwatch fitness tracker could be detected even when he wasn't using it for a workout.
The researchers warn this exposes users to having their devices tracked and logged each time they enter a mall or another environment using sophisticated retail data scanning technology.
"I got it for fitness tracking, for golf and a whole host of things. And I wear it every day — it never comes off my wrist, really," says Maiola .
But now he's reconsidering.
This information "might change how I actually use the device and whether or not I have the Bluetooth functionality on."
The Apple Watch received high marks in the study for data security because it is the only model that randomizes a user's Bluetooth ID, making it impossible to track over the long term.
Bogus workout results
The Citizen Lab researchers conclude the Garmin app, called Connect, sends heart rate, workout and movement data across the internet without encryption.
"Eavesdroppers could easily look at their data," Hilts cautions.
In addition, Hilts says other devices have vulnerabilities that could allow a user with a bit of technical know-how to tamper with their fitness information to log bogus workout results.
This is concerning, says Hilts, because fitness tracker data is increasingly being relied on as evidence in court, or as a basis for rewards or discounts tied to corporate wellness programs and health insurance policies.
"Potentially people could meddle with their data and say they are doing fitness events, fitness activities, even when they weren't," Hilts said.
Sitting at his computer, Hilts demonstrated for CBC News how he was able to send false "walking data" to his Jawbone UP 2 account to make it appear he walked one million steps on a recent Saturday. That's roughly 800 km, the distance from Toronto to Quebec City.
"I could definitely fake my workout to astronomical levels," Hilts said.
"Let's say the person's insurance premiums are related to the amount of activity they report on their fitness tracker. All it takes is a few bad apples to exploit their device and inflate their step counts."
The manufacturer, Jawbone, told CBC News it is investigating the claims made in the research report and declined to answer questions.
Garmin, the maker of the device that transmits basic fitness data without encryption, declined requests for comment.
Other manufacturers issued statements (Mio, Fitbit, Withings) expressing commitments to privacy, stressing data transmitted from apps does not disclose a user's name. They insist that using Bluetooth LE (Low Energy) is industry-standard and power-efficient despite potential privacy exposures.
Withings, maker of the Pulse O2 tracker, stated the company "does not believe any customer is at risk of having their location tracked over the long term."
However, Withings shut down the Share Dashboard social-media function on its Health Mate app for Android users after CBC News contacted the company about the findings.
"An updated version of the Android app will be available in the coming week and will feature enhanced encryption," said company spokesman Ian Twinn in an email.