The popular health apps that collect most user data - including your photos
The scale at which some fitness apps collect significant amounts of data on users has been revealed by new analysis - including those that can share the information with so-called ‘data harvesters’.
The data collected includes individual’s precise locations and financial information to the photographs they’ve taken. In fact, out of the 10 apps analysed, seven collected photos from users and five collected the precise current location of users.
The vast majority of users will most likely know that the apps they have on their phone legitimately store certain personal information, such as email addresses and their names. However, the lengthy Ts & Cs that come with each download means they may not be aware of quite how much information they give away.
What data are apps collecting?
Researchers at data protection service Incogni analysed 10 apps on the Google Play Store on 27 March - Strava, Fitbit, AllTrails, Calm, Flo, Runna, MyFitnessPal, Headspace, Calorie Counter, ShutEye.
They noted the wide range of user information the apps collected and shared (such as Precise location, Name, Email, Health info, Fitness info, Photos, App interactions, Other user-generated content, Other actions, Crash logs, Diagnostics, Other app performance data, Device or other IDs).
The results showed that fitness apps Fitbit and Strava collected the most amount of personal information and all but three of the apps (Fitbit, Fl, Calorie Counter) shared data with third parties.
Running coach app Runna collected 13 data points and shared all of them with third parties - including users’ precise location, name and email addresses, photos, and health and fitness information. The hiking app AllTrails collected and shared eight data points about the people who use it.
Seven out of 10 apps analysed collected users’ photos (FitBit, Strava, AllTrails, Flo, Calorie Counter, Runna, MyFitnessPal), and five collected their precise current location (Fitbit, Strava, AllTrails, Runna, MyFitnessPal). This means app developers could ‘see’ where people regularly travel to or even their home.
Fitbit was found to have collected the most amount of data points about their users, collecting 21 different types of information. Strava collected 19 different types.
Should we be concerned?
Data collection is something users should be aware of. Brokers can collect information from apps, social networking sites, and blend this with other publicly available information - this data can even be used in background checks by employers or checks by insurers.
Darius Belejevas, head of data protection service Incogni, comments: “Apps that record and track exercise data can be a great motivational tool that millions of Brits use to get more out of their workouts, eat better, keep running or just keep active. But without realising it, many of us are giving away personal data that doesn’t just show how many calories we’ve eaten or steps we’ve walked, but also reveals the precise location where and when we took those steps.
“Sensitive, personal health and fitness information is highly valuable to data brokers because there are hundreds of interested parties — both legal and illegal — willing to pay for such information, including insurance companies and marketers. It is especially worrying that some apps collect ‘other info’ and ‘other user-generated content’ without specifying what these vague terms involve."
Gaël Duval, co-founder and developer of privacy focused operating system /e/OS, said: “Many of these apps are marketed as 'free', yet people don't realise their data is now currency. Free and paid apps will request certain permissions during installation that allows them to collect and sell your data to data brokers. This is often disguised as being part of the functionality of the app, yet in reality the data is then passed or sold to data brokers, who sell it on for advertising purposes and more.
“Data brokers collect/analyse user data from various sources to create a detailed profile on a person and sell it on for profit. The data collected about you in apps can range from things like age and location, to medical information and sexual interests. It's then used to create an accurate picture of your habits, allowing advertisers and big tech to deliver increasingly relevant content and product suggestions - encouraging you to spend more time and money online, to the detriment of your mental health and finances.”
Yahoo News has reached out to the apps for comment.
Dom Maskell, co-founder of Runna, said, "At Runna, we take data privacy extremely seriously. We collect only what we need to build an amazing app (we don't even ask for your surname for this reason) and process data accordingly.
"We use industry standard 3rd party data tools such as Mixpanel for Product Analytics, Intercom for Customer Support and Statsig for Feature Rollout. For these to work (e.g., for us to reach you in Intercom, we need your email) we need to share limited amounts of data with those platforms. This is only done as absolutely necessary. For all sensitive data we process, such as users' completed activities, these are kept securely in AWS using industry standard encryption during both transit and rest and access to this data is restricted. Runna does not sell or share user data."
Which apps collect what?
Fitbit
21 data points collected
0 shared with third parties
Strava: Run, Bike, Hike
19 data points collected
3 shared with third parties (Crash logs, Diagnostics, Device or other IDs)
AllTrails: Hike, Bike & Run
18 data points collected
8 shared with third parties (Precise location, Approximate location, Name, Email, User IDs, Purchase history, App interactions, Device or other IDs)
Calm - Sleep, Meditate, Relax
16 data points collected
6 shared with third parties (Email, User IDs, User payment info, Purchase history, App interactions, Device or other IDs)
Flo Period & Pregnancy Tracker
15 data points collected
0 shared with third parties
Runna: Running Plans & Coach
13 data points collected
13 shared with third parties (Precise location, Name, Email, Health info, Fitness info, Photos, App interactions, Other user-generated content, Other actions, Crash logs, Diagnostics, Other app performance data, Device or other IDs)
MyFitnessPal: Calorie Counter
12 data points collected
3 shared with third parties (Precise location, User IDs, Devices or other IDs)
Headspace: Meditation & Sleep
9 data points collected
7 shared with third parties (Name, Email, User IDs, App interactions, Crash logs, Diagnostics, Device or other IDs)
Calorie Counter
13 data points collected
0 shared with third parties
ShutEye: Sleep & Relax
1 data point collected
2 shared with third parties (User IDs, Device or other IDs)