Difference between revisions of "Fitbit"

From SI410
(Data Security)
(Data Security)
Line 33: Line 33:
  
 
===Data Security===
 
===Data Security===
Fitbit collects an extraneous amount of data. This includes the sleep cycle, heart rate, steps count, weight, food intake, exercise and devices owned by the users. From the data collected, Fitbit device can also derive the time of a user from being awake to going to bed, the time zone that the user is in and the IP address of the user. These data, according to the privacy policy of the Fitbit company <ref>https://www.fitbit.com/global/us/legal/privacy-policy</ref>, may be shared in a way that is aggregated or de-identified and non-personal. “For example, in public reports about exercise and activity, to partners under agreement with us, or as part of the community benchmarking information we provide to users of our subscription services.” Fitbit also includes that the data may be shared when asked to share by a user through a third-party such as an employee wellness program. Fitbit’s privacy policy states that they will not sell any personal data but later on in the policy, Fitbit states that some data is used for marketing. According to a Fitbit spokesperson, Fitbit never sells personal data and we do not share customer personal information except in the limited circumstances described in our privacy policy. Our business model is not based on advertising. We do not target users with third-party ads. Like many others, we advertise our own products and services and work with advertising partners who help us with this. We disclose this in our Privacy Policy and explain to users what their privacy options are.” <ref>https://blog.avast.com/what-fitbit-knows-about-you-avast </ref>
+
Fitbit collects an extraneous amount of data. This includes the sleep cycle, heart rate, steps count, weight, food intake, exercise and devices owned by the users. From the data collected, Fitbit device can also derive the time of a user from being awake to going to bed, the time zone that the user is in and the IP address of the user. These data, according to the privacy policy of the Fitbit company <ref>https://www.fitbit.com/global/us/legal/privacy-policy</ref>, may be shared in a way that is aggregated or de-identified and non-personal. “For example, in public reports about exercise and activity, to partners under agreement with us, or as part of the community benchmarking information we provide to users of our subscription services.” Fitbit also includes that the data may be shared when asked to share by a user through a third-party such as an employee wellness program. Fitbit’s privacy policy states that they will not sell any personal data but later on in the policy, Fitbit states that some data is used for marketing. According to a Fitbit spokesperson, Fitbit never sells personal data and we do not share customer personal information except in the limited circumstances described in our privacy policy. Our business model is not based on advertising. We do not target users with third-party ads. Like many others, we advertise our own products and services and work with advertising partners who help us with this. We disclose this in our Privacy Policy and explain to users what their privacy options are.” <ref>https://blog.avast.com/what-fitbit-knows-about-you-avast </ref>Fitbit also stated in the Privacy Policy that they will share information with the law enforcement when required by the law. However, Fitbit does not publish any warrant canary to inform the users that the provider has been served with government subpoenas.
  
 
===Unauthorized Tracking===
 
===Unauthorized Tracking===
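Review bot: the sentence added at the end of the Data Security paragraph makes the warrant-canary claim without a <ref>, while the rest of the paragraph cites the privacy policy and the Avast post; add a source for it or attribute the observation. The new text is also fused to the preceding </ref> with no space, and "the law enforcement" should read "law enforcement". The description of a warrant canary is inverted as well: a canary states that no such request has been received and signals one by being withdrawn. The spokesperson quotation carried over from the old revision still has a closing quotation mark but no opening one.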

Revision as of 10:39, 4 February 2022


Fitbit is an American digital health and fitness company founded in 2007 by Eric Friedman and James Park. The company uses sensor and wireless technology to improve the fitness and health experience. [1] Fitbit is best known for its smartwatch and tracker products, which are usually worn on the wrist or clipped to clothing and other accessories to keep track of steps, workout sessions, heart rate, and quality of sleep. [2] Fitbit was acquired by Google in 2021. [3]



History

Features

Heart-rate monitor

Fitbit uses photoplethysmography to track heart rate, in a technology it calls PurePulse. Monitoring heart rate can help users achieve their weight goals, optimize their exercise routine and manage their stress levels. Photoplethysmography uses light to measure blood flow. The volume of blood in the user’s wrist changes when the heart beats, and blood absorbs green light: the higher the blood volume, the more green light is absorbed. Photoplethysmography uses this property to calculate blood flow by shining green light onto the skin and using light detectors to measure how much of it has been absorbed, from which it can determine the heart rate. [4]

Calories Burned

Fitbit devices combine the user’s BMR and activity data to estimate the number of calories burned. The estimate can also be influenced by heart rate data, which has a heavy impact on the estimate of calories burned during exercise sessions. The BMR, or basal metabolic rate, is based on the physical data the user entered, such as height, weight, sex and age. It helps to estimate at least half the calories the user burns in a day, since the body automatically burns calories even with daily activities. [5]

Sleep monitoring

Fitbit devices can help estimate the user’s sleep stages by using a combination of movement and heart-rate patterns. The device assumes the user is asleep if the user has not been active for about an hour. It can further confirm that the user is asleep by matching the length of time of movement to typical sleep behavior such as rolling over. While the user is asleep, the device tracks changes in the user’s heart rate, known as heart rate variability. The heart rate changes as the user goes through the light sleep, deep sleep and REM sleep stages. The Fitbit device collects those data and compares them to the heart rate and movement pattern the next morning to estimate a more accurate sleep cycle for the previous night. [6]

Products

Ethical Issue

Data Security

Fitbit collects an extensive amount of data, including the sleep cycle, heart rate, step count, weight, food intake, exercise and devices owned by its users. From the data collected, Fitbit can also derive when a user wakes up and goes to bed, the time zone the user is in and the user's IP address. According to Fitbit's privacy policy [7], these data may be shared in a way that is aggregated or de-identified and non-personal: “For example, in public reports about exercise and activity, to partners under agreement with us, or as part of the community benchmarking information we provide to users of our subscription services.” The policy also says that data may be shared when a user asks for it to be shared through a third party such as an employee wellness program. Fitbit’s privacy policy states that the company will not sell any personal data, but later in the policy Fitbit states that some data is used for marketing. According to a Fitbit spokesperson, “Fitbit never sells personal data and we do not share customer personal information except in the limited circumstances described in our privacy policy. Our business model is not based on advertising. We do not target users with third-party ads. Like many others, we advertise our own products and services and work with advertising partners who help us with this. We disclose this in our Privacy Policy and explain to users what their privacy options are.” [8] Fitbit also states in the privacy policy that it will share information with law enforcement when required by law. However, Fitbit does not publish a warrant canary, the kind of notice whose withdrawal signals to users that the provider has been served with government subpoenas.

Unauthorized Tracking

Device Security Risk

According to the study Security Analysis of Wearable Fitness Devices (Fitbit) by MIT researchers Britt Cyr, Webb Horn, Daniela Miao, and Michael Specter, Fitbit provides a reasonable level of privacy for user data. However, the study also shows that Fitbit devices were assigned a private address that does not change. This can potentially lead to unauthorized tracking of a person through their Fitbit’s Bluetooth. It can also lead to attackers extracting the authentication key shared between the Fitbit device and the smartphone or computer application, which can result in a replay attack over Bluetooth. While a Fitbit device is being paired with the user’s phone, the phone can detect all Fitbit devices within a certain range, which raises security concerns about finding or pairing with wireless devices that do not belong to the user. The researchers also found that the Fitbit device sends JavaScript to the phone, which may leave room for attackers. Although the general security setup of Fitbit devices is decent, some areas remain that may yield unknown attacks. [9]
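The unchanging-address finding above can be checked from the defender's side. The following is an added example, not code from the study or from Fitbit: a device tester's audit over a scan capture that flags any advertised address persisting longer than a rotation window. The log format, the sample data and the 15-minute window are assumptions, and every address in the log is assumed to be of the Bluetooth LE random type.

```python
from collections import defaultdict

# Assumption: 15 minutes is the expected rotation interval for a private address.
ROTATION_WINDOW_S = 15 * 60

def random_addr_subtype(addr: str) -> str:
    """Classify a BLE random address by the two most significant bits."""
    top = int(addr.split(":")[0], 16) >> 6
    return {0b11: "static", 0b01: "resolvable-private",
            0b00: "non-resolvable-private"}.get(top, "reserved")

def audit_scan_log(lines):
    """Return {address: report} for addresses observed longer than the window."""
    seen = defaultdict(list)
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # skip blanks and comments
        ts, site, addr = line.split(",")
        seen[addr.upper()].append((int(ts), site))
    findings = {}
    for addr, obs in seen.items():
        times = [t for t, _ in obs]
        span = max(times) - min(times)
        if span > ROTATION_WINDOW_S:
            # Same address across the window: sightings are linkable.
            findings[addr] = {
                "subtype": random_addr_subtype(addr),
                "span_s": span,
                "sites": sorted({s for _, s in obs}),
            }
    return findings

# Constructed sample capture: unix_time,scanner_site,advertiser_address
SAMPLE_LOG = """\
# constructed data, not from a real capture
1000,lab-bench,C4:12:AB:00:00:01
1600,lab-bench,5A:33:10:00:00:02
2500,lab-bench,6B:90:22:00:00:03
4600,hallway,C4:12:AB:00:00:01
90000,lobby,C4:12:AB:00:00:01
""".splitlines()

if __name__ == "__main__":
    for addr, report in audit_scan_log(SAMPLE_LOG).items():
        print(addr, report)
```

An address that rotates as expected appears only briefly and is never flagged; one that shows up at several scanner sites over a long span is the linkability the study describes.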

References

  1. https://www.fitbit.com/global/us/about-us
  2. https://www.fastcompany.com/company/fitbit
  3. https://www.fiercehealthcare.com/tech/google-closes-2-1b-acquisition-fitbit-as-justice-department-probe-continues
  4. https://healthsolutions.fitbit.com/blog/how-do-fitbit-trackers-monitor-heart-rate/
  5. https://help.fitbit.com/articles/en_US/Help_article/1141.htm
  6. https://healthsolutions.fitbit.com/blog/track-sleep/
  7. https://www.fitbit.com/global/us/legal/privacy-policy
  8. https://blog.avast.com/what-fitbit-knows-about-you-avast
  9. https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2015/03/20082016/17-cyrbritt-webbhorn-specter-dmiao-hacking-fitbit.pdf