Fitness apps have revolutionised the way we approach health and exercise. They provide users with the ability to track their workouts, monitor their progress towards fitness goals and share achievements with a like-minded community. However, these benefits come with significant privacy and security risks, particularly regarding the disclosure of users' locations .
Author
- Pin Lean Lau
Senior Lecturer (Associate Professor) in Bio-Law, Brunel University of London
Recent articles in the Guardian and French newspaper Le Monde , reported that fitness apps, such as Strava, had revealed the locations of some world leaders, posing a potential security risk.
This situation spotlights the gaps in legislative measures that fail to evolve at pace with technological advancements. But it also underscores a critical need for users themselves to adopt a more vigilant approach when engaging with such platforms.
While legal frameworks lay the foundation for protecting user privacy, they are not foolproof against breaches. This necessitates a dual responsibility. Both regulatory bodies and users must collaborate to ensure robust data security.
Fitness apps often require access to location data to provide accurate tracking of activities like running, cycling and walking. While this functionality is beneficial for users, it also opens up potential security vulnerabilities. This is not the first time that Strava has faced scrutiny for its handling of location data.
In 2018, the company's Global Heatmap feature, which visualises the activities of its users, inadvertently revealed the locations of secretive military bases. This occurred because soldiers using the app were unknowingly sharing their running routes, which were then aggregated and displayed on the heatmap.
Such vulnerabilities are not isolated but rather endemic across similar applications that rely heavily on data aggregation and transmission processes. This incident highlighted the potential for fitness apps to compromise sensitive locations. As a primary risk, users' real-time locations and habitual routes are revealed, which could be exploited by those with bad intentions, such as cybercriminals.
So how can users protect themselves, and is the UK's legal framework adequately robust to ensure that user rights are protected?
Well, in the UK, the primary legislation governing data protection is the Data Protection Act 2018 (DPA) which incorporates the General Data Protection Regulation. This legal framework sets out stringent requirements for how personal data, including location data, must be handled by organisations.
For example, Apple's Location Services privacy policy provides how the location data will be used. Users have several rights with respect to their personal data under the DPA. This includes the right to be informed, the right of access and the right of rectification among others. However, these legislative measures have yet to evolve alongside rapid technological progress.
The DPA may not be adequately equipped to specifically target the intricacies of data shared through fitness apps. Fitness apps are also regarded as low-risk artificial intelligence systems and therefore only subject to basic product liability laws instead of more stringent laws that govern medical devices.
Taking responsibility
Nevertheless, the onus of responsibility cannot rest solely on regulatory frameworks. Users must cultivate a heightened awareness regarding the potential hazards of sharing personal information online.
For instance, Strava offers privacy zones that hide the start and end points of activities within a specified radius. In addition to this, users should learn about the potential risks of sharing location data and how to use privacy features effectively, including reviewing privacy policies.
Users can also choose to share the minimum amount of personal data necessary for the app to function. Promoting awareness of these features could help create a culture where heightened caution becomes second nature.
In the meantime, fitness app developers must ensure compliance with data protection laws, including implementing robust security measures to protect user data. Regular security audits and updates can also help identify and address vulnerabilities in fitness apps.
This dual approach - comprehensive legislative action coupled with informed user and developer behaviour - can mitigate risks associated with emerging technologies, ensuring that personal data remains secure even as users engage more deeply with these platforms.
Pin Lean Lau does not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.
