Every step you fake: a comparative analysis of fitness tracker privacy and security



Canadians, and many people around the world, are increasingly purchasing and using electronic devices meant to capture and record the relative levels of a person’s fitness.

Unlike past fitness devices, such as pedometers, electronic fitness trackers are designed to display aggregate fitness information automatically on mobile devices and, frequently, on websites developed and controlled by the company that makes the given device. This automatic collection and dissemination of fitness data began with simply monitoring the steps a person had taken in a day.

Contemporary consumer fitness wearables collect a broad range of data. Best-of-class consumer-level fitness trackers measure the number of floors, or altitudinal changes, a person climbs in a day, and capture levels and deepness of sleep as well as heart rate activity. All of this data is of interest to the wearers of the devices, to companies interested in mining and selling collected fitness data, to insurance companies, to authorities and courts of law, and even potentially to criminals motivated to steal or access data retained by fitness companies.

This report explores what information is collected by the companies which develop and sell some of the most popular wearables in North America. Moreover, it explores whether there are differences between the information that is collected by the devices and what companies say they collect, and what they subsequently provide to consumers when compelled to disclose all the personal information that companies hold about residents of Canada.

In short, the project asks:

  • Were data which are technically collected noted in companies’ privacy policies and terms of service and, if so, what protections or assurances do individuals have concerning the privacy or security of that data?
  • Which of that data is classified by the company as ‘personal’ data? This is tested by issuing legally compelling requests for the company to disclose all the personal data held on a requesting individual.
  • Does the information received by the individual match what a company asserts is ‘personally identifiable information’ in their terms of service or privacy policies?