Fitness apps can reveal your location – improved rules can help close this hole in our security
Fitness equipment has changed the way we approach health and fitness. It gives users the ability to track their workouts, monitor their progress toward fitness goals and share success with a like-minded community. However, these benefits come with significant privacy and security risks, especially regarding the disclosure of user locations.
Recent articles in the Guardian and French newspaper Le Monde have reported that fitness apps, such as Strava, have revealed the locations of some world leaders, posing a security risk.
This situation highlights gaps in legal measures that fail to adapt to technological developments. But it also highlights the important need for users themselves to be more cautious when interacting with such platforms.
While legal regulations lay the foundation for protecting user privacy, they are not foolproof against violations. This calls for a double responsibility: both regulatory bodies and users must cooperate to ensure strong data protection.
Fitness apps often need access to location data to provide accurate information for activities such as running, cycling and walking. While this functionality is beneficial for users, it also opens up potential security vulnerabilities. It’s not the first time Strava has come under scrutiny for its handling of location data.
In 2018, the company’s Global Heatmap feature, which shows the activities of its users, unexpectedly revealed the locations of secret military bases. This happened because soldiers using their devices were unknowingly sharing their tracks, which were combined and displayed on a heat map.
Such weaknesses are not unique; they are common to similar systems that rely heavily on data aggregation and transmission. The incident highlighted the possibility that exercise programs can compromise sensitive areas. A major risk is that users’ real locations and routes are revealed, which can be exploited by those with bad intentions, such as cybercriminals.
So how can users protect themselves, and is the UK legal framework strong enough to ensure users’ rights are protected?
Well, in the UK, the main law governing data protection is the Data Protection Act 2018 (DPA), which includes the General Data Protection Regulation. This legal framework sets out strict requirements for how personal data, including location data, must be processed by organisations.
For example, the Apple Location Services privacy policy describes how location data will be used. Users have several rights regarding their personal data under the DPA. These include the right to be informed, the right to access and the right to rectification, among others. However, these legal measures have not kept pace with the rapid development of technology.
The DPA may not be adequately equipped to effectively monitor the complexity of the data shared through fitness apps. Fitness devices are also considered to be high-risk artificial intelligence devices, and are therefore only subject to product liability laws rather than the stricter laws that govern medical devices.
Taking responsibility
However, accountability cannot be limited to regulatory frameworks. Users must develop a strong awareness of the potential risks of sharing personal information online.
For example, Strava offers secret locations that hide the start and finish locations of activities in a particular area. In addition, users should learn about the potential risks of sharing location information and how to properly use privacy features, including reviewing privacy policies.
Users can also choose to share the minimum amount of personal data required for the app to function. Encouraging awareness of these aspects can help create a culture where being careful becomes second nature.
In the meantime, fitness app developers must ensure that they comply with data protection laws, including implementing strong security measures to protect user data. Regular security checks and updates can help identify and solve problems in fitness systems.
This two-fold approach – a comprehensive legal process combined with user behavior and knowledgeable developers – can reduce the risks associated with emerging technologies, ensuring that your data remains safe when users interact deeply with these platforms.