74 votes

Your Fitbit is useless – unless you consent to unlawful data sharing

25 comments

  1. [5]
    kuzbr

    Thanks for sharing this OP. I never considered a fitbit previously, as they are so expensive, but I will avoid entirely.

    Off topic, but I am increasingly bothered by the prevalence of devices in which you must make an account with the manufacturer to use them, or even worse the requirement of an internet connection + account to use the device. The fitness watches are a big example (for the account portion). I recently discovered many security cameras are this way currently: account required, as well as constant internet connection; if the internet goes down, the security camera stops recording. I found a dumb example with color-changing light bulbs - recently I wanted to get some LED light bulbs that changed color, only to discover you had to create an account with a manufacturer, as an app + internet connection is the only way to operate them. Really bugged me, and I opted not to purchase.

    The example in this article is one reason why I am wary of this trend. It seems to be becoming so common these days, and in such a way that you just shrug and do it because that's how everything seems to be, and there's no way around it. I wonder if this will become a permanent change in technology.

    33 votes
    1. [4]
      Pioneer

      > Off topic, but I am increasingly bothered by the prevalence of devices in which you must make an account with the manufacturer to use them, or even worse the requirement of an internet connection + account to use the device. The fitness watches are a big example (for the account portion). I recently discovered many security cameras are this way currently: account required, as well as constant internet connection; if internet goes down, the security camera stops recording. I found a dumb example with color changing light bulbs - recently I want to get some LED light bulbs that changed color, only to discover you had to create an account with a manufacturer, as an app + internet connection is the only way to operate them. Really bugged me, and I opted not to purchase.

      Tried to buy a doorbell last week... endless reams of camera bells rather than just a simple button and dingdong.

      Bulbs are the same. So many of them are 'smart' now? Why?

      I want to get some CCTV set up for my home and that's just a nightmare. I'm going to have to set up my own kit that gets wired into my attic, because everything cloud is just a nightmare (especially Eufy shitting the bed in the past 12-18 months).

      Data Protection & Security is so frustrating. Internally, firms secure themselves happily. Externally? It feels like it's just not even remotely considered.

      12 votes
      1. [3]
        sparksbet

        Smart bulbs CAN be used safely, since it's whatever hub you use to control them that matters for data protection purposes. But obviously they shouldn't be the only option by any means.

        And anything with a camera is a completely different story. Unless you jerry-rig something up yourself, including hosting all the videos, I wouldn't have faith that my data isn't being used by an outside party. We've already seen instances of providers who advertised they didn't share your data doing just that in that space.

        7 votes
        1. [2]
          Pioneer

          Totally.

          It feels like the "Easy to set up" comes with an asterisk the size of Jupiter these days around confidentiality and security purposes for data, let alone your actual physical security (in the case of cameras).

          I will probably install CCTV that I can remote into a box in the attic and just do it that way. Yeah, it's more faff... but honestly? Just bloody safer.

          10 votes
          1. thefilmslayer

            To say nothing of the fact that many of these devices use the same internal IP and still have default login info built into them that can be found easily online by anyone.

            1 vote
  2. [11]
    primarily

    That kind of health data has so many negative ways it could be used against you; it's staggering to think about the way FitBit is abusing its position. Junk food, diet plans, clothing, baby products. So much can be a customized ad experience if you just tell FitBit about all your hopes and dreams.

    Frankly, there's a reason in negotiation or trade you don't show your hand or you act coy; you're keeping your hand to your chest to get a better deal. When the other side already had you as a mark, you won't even know it, because there's no individual pitching to you.

    The fact that it's shyster tricks at a mass scale makes my head spin. In Canada, we just had three gigantic retailers break Canadian law and give/sell data to Facebook. I have yet to brush a soul that even knows about it.

    18 votes
    1. [7]
      Wuju

      > In Canada, we just had three gigantic retailers break Canadian law and give/sell data to Facebook. I have yet to brush a soul that even knows about it.

      You've just found another who hasn't a clue what happened. Who did what? I tried a bunch of web searches, but the only recent articles I can find on broken laws from retailers in Canada are about an underweight bag of No Name chips.

      11 votes
      1. [4]
        primarily

        I read this in a CBC article published in February of this year.

        Retailers that appeared in the Facebook data include:

        * Anthropologie
        * Bed, Bath & Beyond
        * Best Buy
        * Gap
        * Hudson's Bay
        * Lululemon
        * PetSmart
        * Sephora

        Adding from the article:

        * The Home Depot

        Some pull quotes:

        > The privacy watchdog's report stemmed from a complaint filed by a man who was deleting his Facebook account, only to discover the platform had a list of in-store purchases he'd made at Home Depot.

        > The privacy commissioner said Home Depot customers' encoded email addresses and purchase information were handed over. Meta then used the data to analyze how online ads lead to purchases in brick-and-mortar stores.

        > Dufresne's report raised concerns that in certain stores, purchase details could prove "highly sensitive … where they reveal, for example, information about an individual's health or sexuality."

        > "For the average person, it might feel invasive," said Opeyemi Akanbi, an assistant professor at Toronto Metropolitan University's school of professional communication. But from a business's perspective, "data is very precious… to get a better sense of what people are doing and to target advertising more effectively."

        As for my previous mention of them selling the data, that has its own correction at the bottom:

        > Corrections
        > A previous version of this story included a video caption that said retailers were "selling" data to Meta. In fact, Meta says this data is provided in exchange for market research. The caption has been updated. Feb 13, 2023 12:50 PM ET

        14 votes
        1. [2]
          Wuju

          I never thought I'd feel this justified over not sharing my email with stores. What an absolutely blatant invasion of privacy, only made worse by no one even trying to defend their actions. I can't believe it just got swept under the rug like that.

          Thank you for following up on this.

          12 votes
          1. tauon

            > I never thought I'd feel this justified over not sharing my email with stores. What an absolute blatant invasion of privacy

            Going slightly off-topic now, but this is yet another example illustrating why I believe everyone, and I really mean everyone, should have at the very minimum two email addresses. Whether the distinction is "private" (family & friends) vs. "public" (shared outwards with businesses etc.), or "important" (banks, tax, …) vs. "everything else" (like social media accounts), everyone has to decide for themselves.

            But one singular email address used for all sign-ups, from potential in-store spam to potential future employer, just isn't cutting it.

            5 votes
        2. beardedchimp

          > previous version of this story included a video caption that said retailers were "selling" data to Meta. In fact, Meta says this data is provided in exchange for market research

          Christ the hubris of these people. They are selling their data to Meta and in return are provided a service. How dare these people think it isn't selling because they haven't paid cash, as if illegally providing personal data and being paid in kind with "market research" that is based upon illegal data collection is somehow more palatable than a pure financial transaction.

          3 votes
      2. [2]
        Venko

        I can't find anything either. Perhaps it's due to Canada's new law that has resulted in Canadian news effectively being delisted from everywhere.

        6 votes
        1. primarily

          Just letting you know, I've posted a link in the other comment.

          2 votes
    2. [2]
      Stranger

      Not just health, but location. There was an article a while back about how the fitness tracking app Strava was inadvertently giving away the locations of US intelligence operations and military patrol routes due to members of the military who wore fitness devices.

      7 votes
      1. thefilmslayer

        This is something that can happen with just cellphone pictures. There have been cases of military bases being "cased" by the Taliban using photos posted to Facebook that didn't have their geolocation data removed. They were able to quite literally draw a map of the place without having actually been inside it.

        5 votes
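The pre-upload check the comment above implies, as an added example that is not part of this thread: a small pure-Python parser that walks a JPEG's marker segments, reports whether the Exif block still carries a GPS sub-IFD (tag 0x8825, the standard Exif GPSInfo pointer), and strips the whole Exif segment so a shared photo no longer carries a location. The sample JPEG bytes are constructed inline and are not a real image; function names are this example's own.

```python
import struct

SOI, EOI, SOS, APP1 = 0xFFD8, 0xFFD9, 0xFFDA, 0xFFE1   # standard JPEG markers
EXIF_HEADER = b"Exif\x00\x00"
GPS_IFD_TAG = 0x8825           # IFD0 entry that points at the GPS sub-IFD

def iter_segments(jpeg: bytes):
    """Yield (marker, start, end) for every marker segment before the scan data."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while pos + 4 <= len(jpeg):
        marker = struct.unpack(">H", jpeg[pos:pos + 2])[0]
        if marker == EOI:
            return
        length = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]   # counts its own 2 bytes
        end = pos + 2 + length
        yield marker, pos, end
        if marker == SOS:      # entropy-coded image data follows; no more metadata
            return
        pos = end

def exif_has_gps(payload: bytes) -> bool:
    """True if an APP1 Exif payload's IFD0 carries a GPSInfo pointer (tag 0x8825)."""
    if not payload.startswith(EXIF_HEADER):
        return False
    tiff = payload[len(EXIF_HEADER):]
    endian = {b"II": "<", b"MM": ">"}.get(tiff[:2])
    if endian is None or len(tiff) < 8:
        return False
    ifd0 = struct.unpack(endian + "I", tiff[4:8])[0]
    if ifd0 + 2 > len(tiff):
        return False
    count = struct.unpack(endian + "H", tiff[ifd0:ifd0 + 2])[0]
    for i in range(count):
        entry = ifd0 + 2 + 12 * i      # 12-byte entries: tag, type, count, value/offset
        if entry + 2 > len(tiff):
            break
        if struct.unpack(endian + "H", tiff[entry:entry + 2])[0] == GPS_IFD_TAG:
            return True
    return False

def has_gps_location(jpeg: bytes) -> bool:
    """Pre-upload check: does the image still carry a GPS IFD?"""
    return any(m == APP1 and exif_has_gps(jpeg[s + 4:e]) for m, s, e in iter_segments(jpeg))

def strip_exif(jpeg: bytes) -> bytes:
    """Drop every APP1 Exif segment whole (GPS included); every other byte is kept."""
    out, pos = bytearray(jpeg[:2]), 2
    for marker, start, end in iter_segments(jpeg):
        if not (marker == APP1 and jpeg[start + 4:end].startswith(EXIF_HEADER)):
            out += jpeg[start:end]
        pos = end
    return bytes(out + jpeg[pos:])     # scan data (if any) and EOI

def build_sample_jpeg(gps: bool = True) -> bytes:
    """Constructed input (not a decodable picture): SOI, a COM segment, an Exif block whose
    single IFD0 entry is the GPSInfo pointer (or a non-GPS tag 0x0131 when gps=False), EOI."""
    tag = GPS_IFD_TAG if gps else 0x0131
    ifd0 = struct.pack(">H", 1) + struct.pack(">HHII", tag, 4, 1, 26) + struct.pack(">I", 0)
    tiff = b"MM\x00\x2a" + struct.pack(">I", 8) + ifd0 + struct.pack(">HI", 0, 0)   # sub-IFD at 26
    exif = EXIF_HEADER + tiff
    com = b"\xff\xfe" + struct.pack(">H", 13) + b"constructed"
    return b"\xff\xd8" + com + b"\xff\xe1" + struct.pack(">H", len(exif) + 2) + exif + b"\xff\xd9"
```

Stripping the whole Exif block is the conservative choice: it also removes camera model, timestamps and any embedded thumbnail, which is usually what you want before a photo leaves your hands.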
    3. skybrian

      I think these are all things you’ve imagined rather than actually happened, though? Do we have any evidence of Fitbit data being used against someone?

  3. Habituallytired

    I finally switched away from Fitbit last month. I've been really upset at the product since the company was bought by Google. I'd been hoping that Apple watches would step up their battery game, but they haven't. As I need to track certain health measurements for my chronic illness, one of these devices is one of the easiest ways to do it without spending literally every waking minute on tracking. I finally got an Apple watch to replace the Fitbit, and I'm working on getting all of my data from Fitbit and having it deleted from their site.

    it's the worst.

    5 votes
  4. [5]
    anadem

    I'm usually very privacy-conscious, for example browsing the web only with Firefox locked down with anti-tracking add-ons, but made an exception for Fitbit although I see why many people find it offensive. The All Of Us research program gave me a free Fitbit Versa 4 to wear for a year to give them data, and that seems worthwhile. As an old person who spends little, I don't mind what influence Fitbit has on ads shown to me, and in any case ads are blocked in my Firefox by uBlock Origin. Whatever tracking Google is getting from Fitbit doesn't seem important, and my Google Pixel phone undoubtedly gives more than the Fitbit, though the phone is largely locked down too.

    2 votes
    1. [4]
      Habituallytired

      I don't want to start a fight, but it seems counter-intuitive to me to have a google device as your phone if you are privacy-conscious. I'm not saying get an iphone (I'm an apple user for most of my devices at this point due to ease of use, not so much privacy).

      Is there anything on android that can be done to make the devices more private?

      5 votes
      1. [2]
        swchr

        The privacy nuclear option is to install a custom OS like LineageOS without any Google apps. This does depend on each device though, since support varies, maintainers vary and manufacturers like Samsung break certain features if you unlock your device to install a custom OS. Other than that, the best thing you can do on a normal phone is go through all the toggles, disable them all, uninstall the unnecessary apps, don't let stuff run in the background, disable permissions, etc.

        6 votes
        1. anadem

          > best thing you can do on a normal phone

          I'd add to your list: use a VPN that filters out trackers (like DDG's VPN does). I also avoid doing much on my phone, using a computer for most stuff.

          1 vote
      2. anadem

        FYI, I just saw this explainer of how Apple doesn't give the privacy most people think it does:
        https://proton.me/blog/apple-ad-company

        1 vote
  5. Amun

    NOYB - European Center for Digital Rights

    NOYB filed three complaints against Fitbit in Austria, the Netherlands and Italy. The popular health and fitness company, acquired by Google in 2021, forces new users of its app to consent to data transfers outside the EU. Contrary to legal requirements, users aren’t even provided with a possibility to withdraw their consent. Instead, they have to completely delete their account to stop the illegal processing.

    No way around the transfer of personal data

    When creating an account with Fitbit, European users are obliged to “agree to the transfer of their data to the United States and other countries with different data protection laws”. This means that their data could end up in any country around the globe that does not have the same privacy protections as the EU. In other words: Fitbit forces its users to consent to sharing sensitive data without providing them with clear information about possible implications or the specific countries their data goes to. This results in a consent that is neither free, informed nor specific – which means that the consent clearly doesn’t meet the GDPR’s requirements.

    Highly personal data

    According to Fitbit’s privacy policy, the shared data not only includes things like a user’s email address, date of birth and gender. The company can also share “data like logs for food, weight, sleep, water, or female health tracking; an alarm; and messages on discussion boards or to your friends on the Services”. The collected data can even be shared for processing with third-party companies whose location we do not know. Furthermore, it is impossible for users to find out which specific data is affected. All three complainants exercised their right of access to information with the company’s Data Protection Officer – but never received an answer.

    Maartje de Graaf, Data Protection Lawyer at noyb: “First, you buy a Fitbit watch for at least 100 euros. Then you sign up for a paid subscription, only to find that you are forced to “freely” agree to the sharing of your data with recipients around the world. Five years into the GDPR, Fitbit is still trying to enforce a ‘take it or leave it’ approach.”

    Take it or leave it

    To make sure users can change their mind, the GDPR also gives every person the right to withdraw their consent. At least in theory. Fitbit’s privacy policy states that the only way to withdraw consent is to delete an account. For consumers, this means losing all their previously tracked workouts and health data. This even applies if you buy a premium subscription for 79,99 euros per year. Although these features are the main reason to buy a Fitbit, there is no realistic way to regain control over your data without making your product useless.

    Bernardo Armentano, Data Protection Lawyer at noyb: “Fitbit wants you to write a blank check, allowing them to send your data anywhere in the world. Given that the company collects the most sensitive health data, it’s astonishing that it doesn’t even try to explain its use of such data, as required by law.”

    Massive data transfers not allowed

    Even if there was a way to withdraw consent, Fitbit still wouldn’t comply with European privacy law. The GDPR clearly states that consent can only be used as an exception to the prohibition of data transfers outside the EU – which means that consent can only be a valid legal basis for occasional and non-repetitive data transfers. Fitbit, however, is using consent to share all health data routinely.

    Romain Robert, one of the complainants: “Fitbit may be a nice app to track your fitness, but once you want to learn more about how your data is being handled, you are bound for a marathon.”

    32 votes
  6. [2]
    jaylittle

    Every single product Google makes relies upon unlawful data sharing.

    Duh.

    3 votes
    1. ThrowdoBaggins

      Has Fitbit’s data sharing got worse since being bought by Google? I assume they’ve been abysmal for years