What Fitbit Knows About You | Avast
2021-01-13 20:27:08 Author: blog.avast.com

13 January 2021

Ensure that you're comfortable with the exchange of data for Fitbit's service

I think about my body a lot. I think about how it feels, how to make it feel better, what parts hurt, what I’m putting into it, how it’s sleeping, how much it weighs, how tall it is, whether or not it’s going to get Covid-19, how to treat it better…you get the idea.

And as someone who thinks about their body a lot, I’ve chosen to use a Fitbit — specifically, a Fitbit Inspire HR — to help me understand it. But it wasn’t until I started this What Does the Internet Know About Me? series that I realized that while the Fitbit gives me a lot of information about myself, I don’t actually know what it knows about me.

What Fitbit tracks

Let’s start with the obvious: The purpose of a Fitbit is to help you track your health in various ways. Users can customize what they want to track. I’m tracking:

  • Sleep: When and how much
  • Heart rate: Resting; 24/7 tracking
  • Steps: Per day and per hour
  • Weight: Including weight change
  • Food: Calories in; food eaten
  • Exercise: What I do, when I do it, how much I do it, and what I do the most
  • Friends: I’m only connected to my older brother (who always beats me in step count) but users can connect their contacts, Facebook, email, or search by username
  • Device: Which one I have; which hand I wear it on

On the less obvious side of things, the Fitbit also knows:

  • When I wake up and go to bed: Through silent alarms and sleep tracking
  • Profile information: Birthday, sex, height, weight, location (if you share — I don’t)
  • Time zone: I didn’t share my location, but it knows my time zone is Pacific Time
  • IP address: If you visit the Fitbit website

What Fitbit could potentially figure out

And then there are the even less obvious things that Fitbit could know about you, if they really wanted to. The following is all conjecture — there’s no evidence that Fitbit has an interest in figuring this stuff out about users. But I wanted to highlight how this data can be used in ways we all, as users, might not think about. 

I decided to focus on whether or not Fitbit can tell when a user ingests different types of intoxicating substances. For example, a few months ago I had a very boozy, full afternoon brunch with friends. Put simply, it was not the healthiest day.

But when I got home, I noticed I’d burned over 3,000 calories that day, despite sitting on my butt and not getting even close to my 10,000 step goal. What was that about? 

According to threads on the Fitbit Community site, it’s common for resting heart rate to go up a few beats both while drinking and for a couple of days after. This can “confuse” your Fitbit, because a higher heart rate should mean more physical activity — but in this case it just means you’re boozing.

This search led me down the rabbit hole of other substances. According to articles from 2018, at least one person was using their Fitbit to monitor how drugs were affecting them. There were also stories about using the Fitbit to keep a handle on drug use at Burning Man, the yearly music and art festival.

It’s theoretically possible, then, that Fitbit — or someone with their hands on a user’s Fitbit data — could use a combination of location data (Are they at a bar? At a festival like Burning Man?), time of day, and heart rate to determine if someone was ingesting a substance. It would require studying aggregate user data in order to say more definitively that someone was using drugs or drinking, but it wouldn’t be too difficult to draw accurate conclusions about someone’s activity from a combination of Fitbit data.

I was also curious about whether or not Fitbit knows my social media handles. In my profile, I checked out “Third Party Apps,” which showed that the only one I’d connected was MyFitnessPal. However, if you use the Facebook or Google sign-in option for Fitbit, it will have that information. 

What does Fitbit do with my data?

Once I knew what information Fitbit collected about me, it was time to figure out what they do with it. That required a deep dive into their Privacy Policy. It says that Fitbit “may share” aggregated or de-identified non-personal information “so that it cannot reasonably be used to identify an individual. For example, in public reports about exercise and activity, to partners under agreement with us, or as part of the community benchmarking information we provide to users of our subscription services.”

They also mention that they might share information when asked to share by the user, for example, if you give a third-party app access to your Fitbit account or if you participate in an employee wellness program. In those cases, Fitbit will share information with those accounts or with your employer, until and unless you revoke that access. 

Fitbit’s Privacy Policy also says "We never sell your personal data". However, later in the privacy policy, they say that data is used for marketing. When asked to explain how these two can both be true, a Fitbit spokesperson told me, "Fitbit never sells personal data and we do not share customer personal information except in the limited circumstances described in our privacy policy. Our business model is not based on advertising. We do not target users with third-party ads. Like many others, we advertise our own products and services and work with advertising partners who help us with this. We disclose this in our Privacy Policy and explain to users what their privacy options are".

I also asked who the “third parties” that Fitbit may share information with are. In addition to the ones I’ve already mentioned, they said they might share data with “partners who help us provide our product and services – for example, we share limited data on a confidential basis to our third-party customer support and billing service providers".

Finally, the Privacy Policy also states that they’ll share info with law enforcement "when required by law". A Fitbit spokesperson elaborated: "Like many companies, Fitbit responds to valid legal process issued in compliance with applicable law. Respect for the privacy of our users drives our approach. Our policy is to notify our users of legal process seeking access to their information unless we are prohibited by law from doing so as explained in our privacy policy. When we receive a request, our team reviews it to make sure it satisfies legal requirements and Fitbit’s policies, and Fitbit will only disclose content and geo-location data pursuant to a valid search warrant".

What am I getting in exchange for my data? What are the tradeoffs?

Fitbit is "free" in that you pay once for the device and that’s it — you don’t have to pay for subsequent access to the app. But I am giving them something in return: My data. So is it worth it?

For me, the benefit of trading my data for access to the Fitbit is clear. My Fitbit is my third-most used device, after my laptop and phone. I look at it dozens of times per day, whether it’s to check the time, my steps, my calories burned, my heart rate when I’m working out, or the timing of a workout. It’s an essential part of my health plan, keeping me on track with my health and fitness goals and giving me insights into what’s going on inside my body. 

What can I say? I’m a nerd. I like data and numbers and Fitbit is excellent at providing me with those. 

What are the broader implications of Fitbit having access to my data?

The data collected by Fitbit is some of the most personal data that a company could collect. It’s about our bodies, these weird vessels that we move around in. Fitbit is great because it tells us things about our insides, but it also means that it should be held to a high standard when it comes to how they manage and use our data. 

From what I can see from the outside, they take that responsibility pretty seriously. They don’t sell personal data to advertisers. They’ve taken HIPAA into account, becoming as close to compliant as possible in order to make it easier for them to work with insurance companies and health care providers. And they give users the right to view, download, and delete their data at any time, which is right in line with privacy best practices. 

However, like all data sets, it’s possible that my Fitbit data could be used against me in ways I haven’t anticipated. For example, it could be used in a criminal case, which has happened a couple of times already. So far, though, the data that have been used in criminal cases — at least the ones we know about — were supplied by the users themselves. I reached out to Fitbit for more information on when they share information with law enforcement and have not heard back at time of publication.

The other big question mark at this time is what will happen when and if Fitbit is acquired by Google. While the deal was announced in 2019, it’s been tied up in regulations since then. But if it does eventually go through, some users are concerned about Google having access to even more information about them. Fair fear: Alphabet, Google’s parent company, runs on collecting and selling our data. 

Both Fitbit and Google have made strong statements about protecting user privacy moving forward, assuring us that nothing will change. But it’s a bit of a buyer beware situation any time we’re talking about data and privacy policies, because it’s not unheard of for companies to change their policies after they already have you hooked. Until better regulation exists, especially in the United States, we kind of have to take them at their word. And that’s not the easiest seat to sit in.

After all of this, I still feel comfortable with the exchange of data for service that I have with Fitbit. Might that change in the future? Sure. Maybe. But so far, they seem to be doing a pretty good job. 


Source: https://blog.avast.com/what-fitbit-knows-about-you-avast