In Part 1 of this blog series we talked about how consumers are adopting fitness bands and other devices and apps on a record scale. We also talked about how those devices and apps store and sometimes share valuable data about a person’s identity and health, data that can be used by cyber criminals and hackers.
The fact is that even if the device and/or app you’re using is incredibly secure, it may be sharing your data with other sites that aren’t. Once that information leaves the app maker’s database, there’s no telling where it’s going or what kind of security is in place to protect it.
A study of 43 popular health and fitness apps, conducted in July of last year by the Privacy Rights Clearinghouse, found that almost 75% of them either sent data unencrypted or connected to third-party sites without the user’s knowledge.
The fact is that free apps (and most health and fitness apps are free) rely on revenue from marketers and advertisers to be able to provide their free services. Many of the third-party sites that they connect to are the same ones that track consumers’ online activities, habits and preferences in order to be able to better target their advertisements.
Last year Ghostery, an online security app company, studied 20 of the leading fitness apps and found that over 70 third-party sites were linked to them and given access to consumer data. Many of these app and device makers will tell you that, before selling user data, they “anonymize it” for security purposes, but the fact is that linking it back to an identity is relatively easy for cyber criminals.
Theresa Payton, the author of “Privacy in the Age of Big Data” says that “Every smartphone and tablet has a unique device ID and they could have your device ID mixed in with all the data.” She adds that “That’s what we’ve learned time and again that is typical of free products. ‘You for sale’ is part of the business model.”
The Federal Trade Commission found, in a recent study, that a quarter of all health and fitness apps are currently collecting this unique ID.
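To make concrete what “linking it back” means when a stable device ID rides along with supposedly anonymized health data, here is a small Python illustration. It is an added example, not code from the original post or from any app maker named here; the two tables are constructed sample data, and the pseudonymization step is one hypothetical mitigation, not something the article says any vendor does.

```python
import hashlib
import hmac

# Constructed sample data (not from the article). The fitness export has no
# names or emails, but it keeps the device's stable identifier.
FITNESS_EXPORT = [
    {"device_id": "A1B2-C3D4", "steps": 8421, "resting_hr": 58},
    {"device_id": "E5F6-0718", "steps": 2310, "resting_hr": 74},
]

# Constructed sample data: an ad partner's profile table keyed by the same
# identifier, which it collected from other apps on the same phone.
AD_PROFILES = [
    {"device_id": "A1B2-C3D4", "email": "alice@example.com"},
    {"device_id": "E5F6-0718", "email": "bob@example.com"},
    {"device_id": "9999-0000", "email": "carol@example.com"},
]


def relink(health_rows, profile_rows, key="device_id"):
    """Join the two tables on the shared identifier.

    Returns {email: health_row} for every health row whose key also appears
    in the profile table. A single dictionary lookup per row is all it takes,
    which is why "no name attached" is not the same as anonymous.
    """
    by_id = {row[key]: row for row in profile_rows}
    return {
        by_id[row[key]]["email"]: row
        for row in health_rows
        if row[key] in by_id
    }


def pseudonymize(device_id, app_secret):
    """Replace the raw identifier with an HMAC-SHA256 pseudonym (hypothetical mitigation).

    The pseudonym is stable within one app, so the app can still keep a user's
    history together, but it differs under anyone else's secret, so two datasets
    derived from the same device no longer share a join key.
    """
    mac = hmac.new(app_secret, device_id.encode("utf-8"), hashlib.sha256)
    return mac.hexdigest()[:16]


def export_with_pseudonyms(health_rows, app_secret, key="device_id"):
    """Hypothetical hardened export: same rows, raw device ID replaced by a pseudonym."""
    hardened = []
    for row in health_rows:
        safe = dict(row)
        safe[key] = pseudonymize(row[key], app_secret)
        hardened.append(safe)
    return hardened


if __name__ == "__main__":
    print("raw export re-linked:", relink(FITNESS_EXPORT, AD_PROFILES))
    hardened = export_with_pseudonyms(FITNESS_EXPORT, b"fitness-app-secret")
    print("hardened export re-linked:", relink(hardened, AD_PROFILES))
```

Run it and the raw export maps straight back to two email addresses, while the hardened export matches nothing. Note that a plain unkeyed hash of the device ID would not help: device IDs are easy to enumerate, so a tracker could hash its own list and join on that. The secret key is what keeps the pseudonym from being reproduced by a third party, and it must not be handed to the same partners the data is shared with.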
We mentioned in Part 1 that these apps and devices don’t have to follow HIPAA rules, but, in a positive development, many makers of these health devices and apps have already taken steps to become compliant anyway, most likely to reassure customers about their privacy concerns.
The fact is, however, that it’s a long and expensive process, and startup companies trying to “cash in” on this new digital fitness fad may find the cost more than they can bear.
Jason Wang, the CEO of TrueVault, says that “It’s very easy for apps to claim HIPAA compliance even though that may not be the case,” adding that “Big brands have a lot to lose but some no-name brands have nothing to lose, so they’ll just get breached by hackers, go bankrupt, and move on to their next venture.”
Wang says that even some of the companies that make these new apps and devices unknowingly fall short of HIPAA requirements. “We see a lot of companies who think they are, but when we look they’re nowhere close,” he says.
If you’re now feeling a little uneasy about using your new fitness device or app, please make sure to come back and join us for Part 3 to find out what you can do to protect yourself.