IMAGE: Getty
IMAGE: Getty

BusinessFebruary 1, 2018

Can you trust your Fitbit?

IMAGE: Getty
IMAGE: Getty

Good news – troops on deployment all around the world are keeping up their physical fitness and now we have proof! Bad news – troops on deployment all around the world are jogging with their fitness trackers turned on, drawing a helpful map of where they are. But former TUANZ boss Paul Brislen says we can opt out from this stalker technology.

Strava, the company that “connects the world’s athletes” by ensuring their Fitbit, Jawbone, Vitafits and other assorted fitness trackers all talk to each other and share data, regularly publishes a “heat map” of where all the runners, walkers, rowers, cyclists and other assorted People of Mobility gather to enjoy their sport, and swap stories of shin splints and the like.

Previously this hasn’t been a problem, but this year, with over 1 billion activities generating 10 terabytes of data, the company’s map has helped reveal where vast numbers of athletes have been over the past two years, and in remote corners of the world “athletes” means “military”. Nathan Ruser, an Australian international relations student at the Australian National University, took a closer look at the heat map after his father made a dad joke about it being a snapshot of “where rich white people are”. One quick zoom in on Syria and “it sort of lit up like a Christmas tree”.

The Pentagon and assorted other rear echelon organisations have jumped in and suggested their troops might like to wrap their devices in tinfoil, or even display some leadership and turn off the GPS beacon that is attached to their wrists before they go for a run in sensitive parts of the world, but it’s too late. US bases in Iraq, secret military bases in Syria and Yemen, and even the secret headquarters of Taiwan’s missile defence installation have been exposed for all the world to see by its fitness freak users. In Taiwan, you can even see where the joggers avoid the security to jog through the carpark where Taiwan keeps its truck-transported missiles.

Auckland by Strava map. Woodhill Forest is to the left. Image: Screenshot

Of course, we would never be so stupid to let that happen in New Zealand. Oh no. But of course, we have.

One Twitter user had a good close look at Woodhill Forest (home to mountain bikers of all kinds) while another discovered some happy souls schlepping around the Waihopai spy base, although these days the government no longer pretends it knows nothing about it; possibly because years ago Google Earth showed us all what was there including the two giant golf ball satellite trackers and the compound with its own swimming pool (!).

And before you think it’s only the security forces that suffer from this, don’t forget what you’ve got in your pocket. At last count somewhere north of 100% of us carry a cellphone, and the vast majority of those are smartphones, meaning we take photos of our lunch, chat with friends via various apps and argue with complete strangers on the internet via social media. Hands up those of you who have checked each app to see if it publishes your location? Because many of them do, from the various Twitter apps to Google’s fantastically good Photo service that now puts all my photos into geography-based folders, and so on.

Even if you don’t use any social media, don’t take photos and refuse to use the GPS on your phone – heck, even if you refuse to use a smartphone at all and stick to your tried and trust Nokia from the dark ages – the network has to know where you are so it can connect calls to you. You’re basically carrying a honking great tracking device, much like a polar bear I saw on TV the other night, only probably not on a collar around your neck (although YMMV and who am I to judge).

All of which should be ringing really loud privacy alarm bells in your head because while it’s funny to point at grunts painting a target on their facilities without thinking about it, the real problem here is the production of metadata that is increasing hugely but which is often ignored when we talk about privacy issues.

Metadata is just this kind of thing. Any TXT message you send to a friend includes data (the content of the message) but also metadata (what type of phone you use, what type of phone they use, what time of day it was sent, what cellsite you were attached to, for example). The same is true for emails, for websites visited and of course for apps used on your phone, and all of that paints a pretty comprehensive story of who you are and what you’re up to with your life. It’s comprehensive enough that Facebook makes billions of dollars selling precisely that kind of information to advertisers, so imagine how useful it is to governments and others.

Activity by Waihopai Station. Image: Screenshot

Before you start in with your “I’ve got nothing to hide so I don’t care”, let me suggest that that you do, in fact, have things to hide. Not because they’re things to be ashamed of but because they’re private. I am happy to share my medical data with anyone who asks and many who don’t (ask me about my sore knee, go on) but for others that’s a huge breach of trust. Similarly I’m happy to share my phone number and business address, but I don’t want my bank account details being bandied about the place, or my IRD number.

We have things that are private and should remain so (or be divulged only if we chose to) and location is way up there on the list. I don’t want my kids being targeted by those strangers I argue with on the internet just because they can figure out where they go to school, or that we’re at a particular park eating ice creams because of a social media post.

These devices have brought us incredible freedom, and access to information. We really need to be doubly sure that freedom isn’t applied both ways – that our own information is only made available when we decide and not before. Fitbit says “only users that have signed up for Strava and have given consent to synchronise their Strava and Fitbit accounts are included in the Strava heat map”,  so a first port of call could be making sure your fitness tracker isn’t linked to anything else.

Five things to think about when you’re out on your run:

1: Turn off location on photos and social media apps unless you want everyone to know you’re in Barbados.
2: Review what permissions you’ve given various apps (different phones do this in different ways so just Google it).
3: Not all apps need all permissions – your mapping app probably needs to know your location but does that game you play need to know?
4: As more devices talk to each other (the Internet of Things) the need to be assured about the level of security will increase. It’s not just phones and tablets, now it’s fitness trackers and tomorrow it’ll be your car, your toaster or your fridge reporting back to base. That’s fine if it works securely but if your fridge starts telling the world you’re away this week so that service visit will have to wait, you’re exposed to a new level of threat.
5: If you are going to wear a tin-foil hat make sure you fold it properly and try not to worry about whether aluminium gives you Alzheimer’s or not.

Paul Brislen is a communications expert and former chief executive of the Telecommunications Users Association of New Zealand.

The Spinoff’s business content is brought to you by our friends at Kiwibank. Kiwibank backs small to medium businesses, social enterprises and Kiwis who innovate to make good things happen.

Check out how Kiwibank can help your business take the next step.

Keep going!