Waarschuwing: *Privacy niet inbegrepen bij dit product
It's a watch! It's a sleep tracker! It's a heart rate monitor! It's a swim/workout/meditation coach. It's a motivational, inspirational, health pal. It's almost everything but a kitchen sink. It will notify, buzz, and ding to get you off your butt and out doing stuff. It's got Alexa built-in (because, what doesn't have Alexa built-in these days), and comes with a variety of bands to help you look good at the gym or at the office. Before you kick off your journey to track everything about your life, know that for new users, Google will be tracking that information too.
Wat kan er gebeuren als er iets misgaat?
It's 2023 and that means the Fitbit + Google marriage that started back in 2019 has gotten even more intertwined. What's that mean for your Fitbit Versa 4? Well, it’s complicated and confusing. If you already have a Fitbit (and account) then you’re a “legacy user” which means your Fitbit is playing by the rules of Fitbit’s privacy policy (as far as we can tell). If you’re a new user, you now have to use a Google Account to login to the Fitbit app and agree to Google’s privacy policy instead (we think). To be honest, it's not compeletly clear to us when only Fitbit's privacy policy applies or when Google's privacy policy applies. So, we'll just tell you about both of them knowing that your data is eventually going to end up with Google anyway.
So, what's going on with Fitibit's privacy? Well, Fitbit can collect a good amount of data, as most fitness trackers do. They say they collect things such as name, email address, phone number, birthdate, gender, height, weight, location, wi-fi access points, and of course all the body related data like steps, activity, sleep, stress, calories burned, and more. Fitbit also says they can collect data from third parties social media sites like Facebook and Google if you choose to connect them (please, don’t) and from employers and insurance companies if you choose to share to receive wellness benefits or discounted or free services (again, not a good idea).
How does Fitbit use all this personal information it collects? Well, the good news is their privacy policy says they never sell your data. However, they do say they can share your personal information with advertising partners for targeted, interest-based advertising across the internet, which isn’t good news. And they say they can use that information to make inferences about you to show you more relevant content -- like using your sleep data to show you content to help you sleep better, which I’m pretty sure wouldn’t actually help me sleep better. So yeah, your Fitbit data is being used to show you ads and keep you using the platform as much as possible. Not surprising, but not great either.
Fitbit also says it can share non-personal information that has been de-identified or aggregated. This is pretty common, but still, can be a bit of a concern as it’s been found to be pretty easy to re-identify these data sets and track down an individual’s patterns, especially with location data. So, be aware with Fitbit--or any fitness tracker--you are strapping on a device that tracks your location, heart rate, sleep patterns, and more. That's a lot of personal information gathered in one place.
What’s the worst that could happen with Fitbit and all the personal and health related data it collects? Well, in 2021 it was reported that health data for over 61 million fitness tracker users, including both Fitbit and Apple, was exposed when a third-party company that allowed users to sync their health data from their fitness trackers did not secure the data properly. Personal information such as names, birthdates, weight, height, gender, and geographical location for Fitbit and other fitness-tracker users was left exposed because the company didn't password protect or encrypt their database. This is a great reminder that yes, while Fitbit might do a good job with their own security, anytime you sync or share that data with anyone else including third party apps, your employer, or a insurance company, it could be vulnerable.I don’t know about you, but I don’t need the world to know my weight, how well I sleep, and where I live. That’s really dang creepy.
Now, about Google and their privacy. Google published a Fitbit FAQ to answer specifically how their privacy policy applies to the unique data that’s collected by the fitness tracking device. In addition to the data that your Fitbit creates about you, Google says they can collect: height, weight, and sex since they need that information to calculate your stride length, distance, and some other fitness stats. They can also collect any information you enter yourself, like your profile photo, period tracking information, and even snore detection data if you pay a premium. Tempting! They also collect “device data” that tells Google how you use the app and when you check it, as well as your precise location (if you let them).
What else? Well, Google can collect information from many of the other third-party fitness and health apps you choose to connect to Fitbit. We usually suggest not doing that. On the other hand, if you’re already using Gmail, Google Drive, and Google Calendar to organize your life, that’s already a heck of a lot of eggs in one data-collecting basket. Through Fitbit Care, Google might partner with your employer or insurance provider, in which case they will get some personal information about you to invite you to the service. The Fitbit Care FAQ doesn’t say what information might be shared back with your employer or insurance company, but I would definitely ask about that before making the relationship between my employer and my fitness data official. I’d hate to have to confront my step count during a performance review.
Now for the million dollar question. Will Google use your private health data to sell you stuff or combine it with the loads of other information they probably have about you? Google says: “Your Fitbit health and wellness data won’t be used for Google Ads, and it will continue to be kept separate from Google Ads data.” (Cue the world’s tiniest party popper -- weeeee.) That’s also what they promised when they bought Fitbit, not that that keeps the privacy-conscious among us from worrying about how exactly this information will be used by one of the world’s largest data companies. As privacy advocacy group NOYB pointed out, Google’s Fitbit is already seemingly skirting Europe’s data privacy law, GDPR, by forcing users to consent to having their data transferred outside the EU if they want to use the app at all.
So can you trust Google with your data? We've always struggled a bit with Google here at *Privacy Not Included. There is no doubt Google is bad for the world's privacy. They kinda set the standard for collecting huge amounts of data on us and using that to target ads. The end result of Google's years and years of data collection and targeted advertising is a huge billion dollar company with tons and tons of power around the world. And now we're all perhaps way too conditioned to having our data being scooped up to target us with ads based on our location, our interests, and inferences that can be drawn about us from all these thousands of data points. This is all really bad for privacy.
That being said. Google has always managed to avoid our *Privacy Not Included warning label because they do some good things too -- like give everyone the ability to delete their data, they do a pretty good job and keeping all the data the hoover up on us secure, and hey, we know they don't really sell that data because, why would they? They want that data for themselves to make lots of money.
This is the year that we've finally decided Google has gotten bad enough we can justify dinging them with our *Privacy Not Included warning label (yes, we don't disagree we should have done it sooner, but we do have a methodology full of criteria we work from and they always walked the line of being bad but not exactly crossing enough of our lines to ding them). Here's why we decided to ding them this year.
First, we already know Google collects a TON of personal information on us, through location tracking, searches, cookies and app tracking technologies, and more. And while Google says they don't sell that information, they do provide access to that information to many, many third parties for advertising purposes. Google goes even farther these days and says that they allow "specific partners to collect information from your browser or device for advertising and measurement purposes using their own cookies or similar technologies." That means you're not just being tracked by Google when you use devices but also by these mysterious "specific partners" in ways that you might not be aware of or been given the opportunity to consent to. This is bad.
We're in the age of AI now, so there is even more bad. We are very concerned that Google's privacy policy now says they can "use publicly available information to help train Google’s AI models." This is a concern to us and others because we don't know what Google counts as "publicly available information," and we don't know if people are ever given any idea, warning, or opportunity to consent to have this data used to train Google's AI.
The second big concern we have about Google is their track record at being honest and respecting all this personal information they collect on us. Google has racked up quite a long list of fines for privacy violations. In 2023, they settled a lawsuit with the state of California for $93 million for continuing to collect and store location data even after users turned off location tracking, according to the lawsuit. In 2022, they settled a similar lawsuit for continuing to track users' locations after they opted with 40 states for $392 million. Also in 2023, a $5 billion lawsuit was allowed to continue against Google for secretly tracking users internet use when the judge ruled "she could not find that users consented to letting Google collect information about what they viewed online because the Alphabet (GOOGL.O) unit never explicitly told them it would." And in December of 2022, the French data protection authority fined Google $57 million for "failing to acknowledge how its users' data is processed." Those are just the fines and lawsuits that have happened since we last reviewed Google in 2022. Over the past few years, there have been even more. South Korea fined Google (and Meta) millions of dollars recently for privacy violations. So did France and Spain. And in the US, Google has faced a host of lawsuits and settlements from Texas, California, Illinois, Arizona, the Federal Trade Commission, and more. All this makes it pretty hard to trust what a company says they do with that massive amount of personal information they collect on you.
One thing about Google we do like: They have a decent way to communicate with users about how they collect and use data in their Safety Center. Google does collect a ton of data on you and your children, especially if you don't take the time to adjust your privacy settings to lock down just how much info they can gather. You should absolutely take the time to adjust these privacy settings. Just beware, you will get notifications that some things might not work right if you change settings. That’s annoying, and probably worth it for a little more privacy.
What’s the worst that could happen? Well, when you give away a lot of personal information, especially sensitive information like your live location and you combine that with health information like your heart rate, mood, or menstrual cycle, that has to come with a lot of trust. And our trust in Google -- who owns Fitbit -- is wavering.
Tips om uzelf te beschermen
- Follow Fitbit's advice to keep your stats private
- Be very careful what third party companies you consent to share you health data with. If you do decided to share your health data with another company, read their privacy policy to see how they protect, secure, and share or sell your data.
- Stop sharing friends' lists: Under “Friends” on your profile page, select Privacy Setting and then Private.
- Do not sign up with third-party accounts. Better just log in with email and strong password.
- Chose a strong password! You may use a password control tool like 1Password, KeePass etc
- Use your device privacy controls to limit access to your personal information via app (do not give access to your camera, microphone, images, location unless neccessary)
- Keep your app regularly updated
- Limit ad tracking via your device (eg on iPhone go to Privacy -> Advertising -> Limit ad tracking) and biggest ad networks (for Google, go to Google account and turn off ad personalization)
- Request your data be deleted once you stop using the app. Simply deleting an app from your device usually does not erase your personal data.
- When starting a sign-up, do not agree to tracking of your data if possible.
Kan het me bespioneren?
Camera
Apparaat: Nee
App: Ja
Microfoon
Apparaat: Nee
App: Ja
Volgt locatie
Apparaat: Ja
App: Ja
Wat is er nodig om u aan te melden?
E-mailadres
Ja
Telefoonnummer
Nee
Account van derden
Nee
A Google Account is required for all new users. A Google Account is required to activate new Fitbit devices released after the launch of Google Accounts for Fitbit. Existing users have the option to use either a Google Account or their existing Fitbit account until at least 2025 at which point they will be required to use a Google Account for login.
Welke gegevens verzamelt het bedrijf?
Persoonlijke
Name, email address, or billing information, or other data that can be reasonably linked to such information by Google, such as information we associate with your Google Account; Precise geolocation data, including GPS signals, device sensors, Wi-Fi access points, and cell tower IDs If you choose: profile photo, biography, country information, and community username; Data on your activity, such as terms you search for, videos you watch, views and interactions with content and ads, voice and audio information, purchase activity, people with whom you communicate or share content, activity on third-party sites and apps that use our services, Chrome browsing history you’ve synced with your Google Account; Your address, ZIP code, and where the device is placed; Sensor data such as detected motion, ambient light measurements, temperature, humidity, carbon monoxide, and smoke levels as well as information derived from this data, such as sleep information; (If you use calls) Phone number, calling-party number, receiving-party number, forwarding numbers, sender and recipient email address, time and date of calls and messages, duration of calls, routing information, and types and volumes of calls and messages; GPS location and other sensor data from your device
Lichaamsgerelateerd
Height, weight; If you choose: logs for food, weight, sleep, water, or female health tracking Voice (if you use Google Assistant).
Sociale
Contacts
Hoe gebruikt het bedrijf deze gegevens?
Hoe kunt u uw gegevens beheren?
Hoe staat het bedrijf bekend als het gaat om het beschermen van gebruikersgegevens?
Google
In September 2023, the US Department of Justice launched a trial against Google arguing "that Google abused its power as a monopoly to dominate the search engine business." Full disclosure, Mozilla testified in this trial.
In September 2023, Google was set to pay $93M in settlement over deceptive location tracking.
In August 2023, a US District Court judge allowed a $5 Billion lawsuit to continue against Google for alleged privacy violations of users for secretly tracking them without their consent.
In January 2023, Google confirmed data breach in its cell network provider Google Fi. The breach is linked to the recent T-Mobile hack. Google announced the breach immediately. Google says the hackers accessed limited customer information, including phone numbers, account status, SIM card serial numbers and information related to details about customers’ mobile service plans, such as whether they have selected unlimited SMS or international roaming.
In December 2022, Google was fined by EU watchdog over GDPR violations.
In September 2022, Google lost anti-trust ruling of EU which put a fine of over $4.34B on Google because of its Android monopoly.
Google received plenty of fines from European, American, and Korean authorities in the last few years. The biggest was the $170M fine from New York Attorney General for mishandling the children consent. The other cases include the fine of $100M for violating the Biometric Information Privacy Act in Illinois, $71.8M fine for mishandling consent in South Korea, $57M fine for violating GDPR in France, as well as other fines from local Data Protection Authorities in Ireland, Italy, and Spain.
In August 2019, the company admitted that partners who work to analyze voice snippets from the Assistant leaked the voice snippets of some Dutch users. More than 1,000 private conversations were sent to a Belgian news outlet, some of the messages reportedly revealed sensitive information such as medical conditions and customer addresses.
In December 2018, a bug exposed the data of 52.5 million Google+ users.
Nest Security Bulletin contains details of security vulnerabilities that previously affected Google Nest's devices.
Fitbit:
In August 2023, Fitbit faced three data transfer complaints in the EU, that allege the company is illegally exporting user data in breach of the bloc’s data protection rules: "European privacy rights not-for-profit, noyb, has filed the complaints with data protection authorities in Austria, the Netherlands and Italy on behalf of three (unnamed) Fitbit users. Commenting in a statement, Maartje de Graaf, data protection lawyer at noyb, said: “First, you buy a Fitbit watch for at least €100. Then you sign up for a paid subscription, only to find that you are forced to ‘freely’ agree to the sharing of your data with recipients around the world. Five years into the GDPR, Fitbit is still trying to enforce a ‘take it or leave it’ approach.”
In 2021 Fitbit's security measures did not prevent the major data leak of 61 million fitness tracker data records, including Fitbit user data, by the third-party company GetHealth. In September 2021, a group of security researchers discovered GetHealth had an unsecured database containing over 61 million records related to wearable technology and fitness services. GetHealth accessed health data belonging to wearable device users around the world and leaked it in an non-password protected, unencrypted database. The list contained names, birthdates, weight, height, gender, and geographical location, as well as other medical data, such as blood pressure.
In 2020, it was reported the emails and passwords of nearly 2 million Fitbit users were leaked online.
Privacyinformatie voor kinderen
Kan dit product offline worden gebruikt?
Gebruikersvriendelijke privacy-informatie?
Users must comb through privacy policies for both Fitbit and Google to make sure they've covered all their bases when it comes to privacy documentation for Fitbit products. It is complicated and cumbersome and confusing.
Koppelingen naar privacy-informatie
Voldoet dit product aan onze minimale beveiligingsnormen?
Versleuteling
Sterk wachtwoord
Beveiligingsupdates
Beheert kwetsbaarheden
Privacybeleid
Google publishes academic papers about its AI research (https://ai.google/) and makes several tools available via open source. https://ai.google/tools
FitBit Coach and FitBit Care services are said to be based on Machine Learning
Is deze AI onbetrouwbaar?
Wat voor soort beslissingen neemt de AI over u of voor u?
Is het bedrijf transparant over hoe de AI werkt?
Heeft de gebruiker controle over de AI-functies?
Dieper duiken
-
Your Fitbit is useless – unless you consent to unlawful data sharingnoyb
-
Google Stops Selling Fitbits in Regions Where it Doesn't Sell PixelsGizmodo
-
Fitbit targeted with trio of data transfer complaints in EuropeTechCrunch
-
Fitbit Setup RequirementsFitbit
-
Fitbit users will be forced to migrate to Google accounts by 2025The Verge
-
Fitbit Increases Security Requirements, Mandates Google Login From 2023Infosecurity
-
Google’s New Plan to Make Fitbit Data More Useful for HealthcareHealth Tech Insider
-
2 Million Fitbit Accounts Were Exposed by CybercriminalsHackerNoon
-
Standard Privacy Report for FitbitCommon Sense
-
Google Now Owns Fitbit: What It Means For Your Fitness Data PrivacyForbes
-
61M Fitbit, Apple Users Had Data Exposed in Wearable Device Data BreachHealth IT Security
-
Google closes $2.1B acquisition of Fitbit as Justice Department probe continuesFierce Healthcare
-
Here's what your Fitbit knows about youAvast
-
Fitbit Joins GoogleFitbit
Opmerkingen
Hebt u een opmerking? Laat het ons weten.