Today, we published a piece on the Polar company’s fitness app. We discovered it was pretty easy to find the home addresses for intelligence operatives and military personnel on assignment. Which means it’s just as easy to find the home addresses for “ordinary” users of this and other fitness apps.
In this piece, we discuss the measures you as an individual app user can take to protect your data. We examine five popular apps, including Polar. But don’t stop there: take a good look at other apps that access and store your location data. It’s a good idea to revisit your privacy settings for every app that displays your information on a map.
To start, a lesson for the users of any fitness app whatsoever:
If it’s absolutely crucial that no one knows where you live, don’t use the app. Even if the app maker has done everything right, your information is still stored in an external, Internet-accessible database that can be hacked. So ask yourself: how important is it really to log my workout data?
If you do use the app, here’s what you need to remember:
- Don’t turn your sports watch on until you’ve put a few streets between you and your house. Even better: start your walk, run, or bike ride in a public place, such as a major road or a park. Don’t forget to turn off your watch away from home, too, or the GPS tracker can still follow you to your front door.
- Don’t use your real name, and don’t list the city you live in on your profile page. If you absolutely must use your own name, then limit it to your first. All someone needs to find out exactly where you live is your last name and a city.
- A general tip for any app: tell customer service how the app should handle your data. What additional features you’d like. Or that you’d like the option to delete your workout history. If enough people let customer service know, the app’s maker will sit up and listen.
And now, instructions for stranger-proofing your data in five specific apps.
Polar is a Finnish company subject to Finland’s stringent privacy legislation. Their fitness app has gotten most of its settings right. Polar makes use of the opt-in principle, which is a great start . That means you have to actively turn on sharing to share your profile and workout data with your friends or the rest of the world. So take a good look at these settings in your Polar account, and turn sharing off if it makes you uncomfortable.
Next, click on the “Account” tab to disconnect from other services: social media such as Facebook and other sports apps such as Strava. That keeps your location data from being sent to other service providers. Then remove all optional information from your profile settings, such as your favorite sports, the state or province where you live, and your telephone number.
Polar has promised to add a button in July that will let you switch your entire workout history to private. When it does, use it.
In Endomondo, click on your profile picture at the top right and go to “Settings,” then click on “Privacy.” Here, you can choose whether other Endomondo users and the rest of the world can see your profile. The best way to protect your privacy is to select “Custom,” which opens an “Advanced Settings” screen.
For maximum privacy, check the icon in the rightmost column for every piece of information. That way, only you will be able to see your date of birth, heart rate, workouts, training plan, and locations. Finally, at the bottom, make sure the “Search Engines” button is off, so people can’t find your Endomondo profile through Google and other search engines.
In Runkeeper, click on the gear icon at the top right of the page and then on “Account Settings”. Under “Apps,” disconnect from all other services: Facebook, Google+, Twitter, Garmin Connect, and FitBit.
Then go to “Sharing,” where you can limit your profile’s visibility to a minimum. Make sure you set everything, from your personal map to your dietary habits – in Runkeeper, you can even tell the world you have diabetes – to “Just Me.”
After that, go to “Promotions & Privacy.” Turn everything here off, too: email promotions, health and location data sharing, and Google Analytics. Make sure you’ve checked the “Keep my profile and account private” box at the bottom of the page.
By the way, if you’re curious how much Runkeeper knows about you, you can download all your data as an Excel spreadsheet. Click on “Export Data,” select the time frame you want to see, and then click “Start Export.”
You know the drill: on your Runtastic dashboard, click on “Edit Profile” at the left beneath your profile photo. Then click on “Privacy.” Set every item to “Only me.” You can also opt out of marketing emails and community leaderboards here.
At the top right of your Strava dashboard, click your profile picture, then “Settings.” In the menu on the left, click “Privacy.” Check everything on this page, starting with “Turn on Enhanced Privacy.” This will keep your workouts from showing up in the Flyby community tool and in leaderboards, and will prevent others from seeing your training logs and group activities you’ve participated in.
Scroll down and check the “Hide anonymized data from Metro & Heatmap” and “Do not promote my activities to my followers” boxes. That first one is crucial: your future data will no longer be included in Strava’s now-infamous maps of frequently used routes.
Now click “Data Permissions” in the left menu and click “Deny Access.” This will keep Strava from collecting your heart rate and other health-related data.
There are two more drastic steps you can take, for even greater data security. The first is to set up what Strava calls a “privacy zone.” Go back to the “Privacy” tab and scroll down to “Hide your house/office on your activity maps.” Strava will stop tracking your activity around the address you enter. The zone’s extent is limited, however, to a radius of one kilometer (just over half a mile).
If you’ve lost all confidence in Strava, you can delete your account. Click “My Account” in the left menu. Under “Download or Delete Your Account,” click “Get Started.” As a security precaution, Strava asks you to perform the last few steps from the email address you signed up with.
Note this doesn’t actually delete all your data, however. Your data will be removed from clubs, heatmaps, challenges, and leaderboards, but any data you’ve shared with the community, such as public segments and routes, will remain on the Strava platform.
Once you delete your Strava account, you can’t get it back. If you don’t want to lose all your walking, running, biking, or rowing history, then before you say goodbye, download a copy of your data at “Download or Delete Your Account.”
Translated from Dutch by Grayson Morris and Rufus Kain. The original articles in Dutch can be found here.
All our coverage in English can be found below.