By Emily Byrne, Content Manager & Marketing Executive at Track24

The third edition in our new series, exploring tracking in the digital world considers, from a duty of care perspective, how we engage with tracking day-to-day, through the activity and location tracking apps we use.

We also consider how recent announcements made by communications giants which promise to change the way they use third-party cookies will incentivize a privacy-first marketplace. Of course at Track 24, our approach is always privacy-first.

There’s no denying we’re in awe of these wondrous wearables and tactile activity trackers. But do you know the data you’re actually sharing when you use everyday applications which track your location, actions and behaviours? 

Colossal comms corporations embark on privacy-first changes

We’ve seen immense news from Google this month. Google will stop selling ads based on users’ specific browsing searches and habits by 2022. “Google’s recent announcement that it would stop selling ads based on users’ specific web browsing histories was met with enthusiasm among consumer privacy experts.” Source. Go, Google! 

The issue of privacy once again takes the spotlight, as the recent passage of Virginia’s new privacy regulation combines with changes made by California’s Privacy Rights Act and the EU’s General Data Protection Regulation.

‘Google’s plan to stop using or investing in tracking technologies that uniquely identify web users as they move from website to website has the potential to move the digital advertising industry as a whole away from individualized tracking.’ Source. 

This announcement doesn’t come as an overwhelming surprise, as Google has already announced its Chrome browser will phase out the enforcement of third-party cookies by 2022. Google’s made it explicit it doesn’t plan to track individuals online by building substituting identifiers once third-party cookies have been painted out the picture. 

StreetFight notes: ‘IAB recently reported that only 48% of brands feel that they are “very or somewhat” prepared for the loss of third-party cookies and identifiers. Agencies fared a little better at 64%.’ Source. Google’s privacy-first changes will have an enormous future impact on advertising revenues, whilst pushing other corporations in the privacy-first direction.

Google isn’t the only colossal corporation undergoing user tracking changes. The big Apple are following suit. ‘In its announcement, Apple states: “App Tracking Transparency will require apps to get the user’s permission before tracking their data across apps or websites owned by other companies.”’ Source. These changes are expected to come into play from March of 2021. 

With it recently being declared by a TapResearch poll conducted in 2020, 76% of iPhone users would choose to decline the sharing of their location with apps or remain indifferent on the matter, we can gauge the impact on advertising agencies and applications would be phenomenal. Source.

A final string to add to the privacy bow comes with location-based marketing association, Cuebiq announcing the shutting down of their SDK to become more privacy-friendly. Source. 

We’ve seen a shift in recent years in the behaviour of the ad industry, suggesting where digital identity is going. ‘Brands, publishers, and others dependent on Google’s, and other, marketing platforms need to invest in alternatives and realize that there are new challenges ahead.’ Source. Independent companies reliant on Google’s marketing platforms will need to think outside the box and make their own preparations ahead of changes in 2022.

Staying security-savvy on Strava 

What information are you sharing with the world when you don your trainers and upload that impressive 50 minute 10k to Strava?

What information is shared?

Strava declares itself to store the following data on its website: Your name, location, route taken, your speed and your exercise activity – whether this be running, cycling, or even wind-surfing!

Strava notes you can change your privacy settings in the ‘settings’ section of the platform. You can make your profile entirely private by heading to Strava and going to: ‘Settings > Privacy. Under “Edit Past Activities,” select “Activity Visibility,” then click “Next.” Select either “Everyone,” “Followers,” or “Only You,” then click “Next.” Confirm your choice and Strava will update all the activities.’ Source.

It can be argued those who choose not to go private, are willingly sharing their data with their friends and network. Duh… isn’t this the social concept of the app? We hear you cry?

What happens to your data?

Who outside your chosen social network can view your information? An article recently published by Cosmopolitan, unveils a functionality of Strava which goes unnoticed by many: “One user tweeted about her experience with the app, writing, ‘Ran past the same girl a couple of times on my morning run and Strava has automatically added her as a ‘group activity’. Incredibly creepy and unsettling (particularly when you consider most of us run close to home lately). And there’s no way to remove her …’” Source.

Strava settings are automatically set to add users and share data. So, if you’d rather keep this information to yourself, then be sure to change your privacy settings. 

For additional information on varying privacy settings, be in the know and data-secrecy savvy, by visiting Strava’s website here. Source.

Media coverage in recent years has highlighted how activity trackers may have revealed the whereabouts of US military operations. The Strava saga was uncovered on Twitter by an International Security student from Australia, in January 2018.  

‘Natahn Ruser, pointed out Strava user activities potentially related to US military forward operating bases in Afghanistan, Turkish military patrols in Syria, and a possible guard patrol in the Russian operating area of Syria.’ Source.

Ruser’s findings were inevitably followed by a flurry of examples, ‘based on cross-referencing Strava user activity with Google Maps and prior news reporting: a  French military base in Niger, an Italian military base in Dijbouti and even CIA “black sites.”‘ Source.

A bigger concern from an operations security angle surrounded how activity data could be used to identify particular individuals and track them to sensitive locations. 

A researcher and activist ‘claimed to have used public data scraped from Strava’s website to track a French soldier from overseas deployment all the way back home.’ Source.

• Paul Dietrich, A Researcher and Activist – 2018

Since these data discoveries dating back to 2015, the US military have been actively pursuing solutions and enacting changes in policy to keep their location whereabouts secure. 

‘Some of the security tightening may involve certain “no-go areas” or “leave-at-home policies” for personal smartphones and wearables, similar to what already exists in sensitive offices of the Pentagon and other installations.’

• Peter Singer: Strategist and Senior Fellow at New America, a think tank based in Washington, DC – 2018

In light of modern geolocation technology, which is soaring in usage and popularity in recent years, persistent training and awareness is required by not only the military, but other corporations and establishments, to analyse and address security threats.

‘Militaries and other organizations will require constant, up-to-date training for both their leadership and the rank-and-file, to ensure they’re aware of the threat from modern geolocation technology.’ 

• Lynette Nusbacher: Strategist and Military Historian, UK – 2018

Strava is a hugely popular, well-loved app, used across the globe to motivate and mobilise us to exercise and then proudly share our activities with our networks. We’ve acknowledged the worst-case scenarios from a data-security perspective, without discrediting the success and importance of this app to users’ day-to-day lives. Our report simply gives you everything you need to know to stay security-savvy whilst recording your runs.

Zooming in on Google Maps

What information is shared?

What happens to your data when you share it with one of the nation’s favourite location-based applications, Google Maps? To create a more personalised user experience, every place you’ve looked up in Maps is stored and integrated into Google’s search engine algorithm for 18 months. Source. To view more information on Google’s ‘Web & Activity’ settings, click here. Source.

Google Maps won’t allow the saving of frequently visited places if you’re not logged into your Google account, a loophole if you’d like to prevent your favourite spots being stored.

Leaving reviews for your most-loved haunts on Google Maps documents your location. Be security-savvy about the information you might be sharing when you leave a review. If you’d like to make your review private after leaving it, here’s how: ‘Profile icon> Your profile > Edit profile > Profile and privacy settings > Scroll down > Restricted profile. If you enable this, you’ll need to approve who can follow your profile and see your reviews.’ Source.

What happens to your data?

Currently, Google sells advertisers the chance to evaluate how well their campaigns are doing and how many people have visited their shops. However, this only happens if you choose to opt in, or forget to opt out of this service on Google Maps. Plus, remember, all this will change come 2022.

There are of course alternatives out there, but Google Maps really does lead the market when it comes to map-apps. Substitute apps aren’t readily available on both iOS and Android devices, or arguably simply aren’t as feature-rich as Google’s intuitive platform.

Fitbits: Locking down your health and wellness data

What information are you sharing with the world when you upload the 20,000 steps you’ve smashed on your long Sunday stroll?

What information is shared?

As outlined in Fitbit’s extensive privacy policy, using a Fitbit device will collect data to estimate metrics like distance travelled, number of steps taken, calories burned, heart rate, active minutes and location. These are collected in order to determine your stats and progress. Source.

Reassuringly, Fitbit’s website states: “We do not share your personal information except in the limited circumstances described in our privacy policy like when you agree or direct us to share the information, or when the information is shared for external processing, for legal reasons, or to prevent harm.” Source.

What happens to your data?

Fitbit allows you to customise your profile information, determining which stats you make publicly available to your network. You can adjust your privacy preferences in account settings to your liking.

Community features are those like 7-day leaderboards and forums, which you may link in with when competing with your friends. If you choose to participate in a challenge on Fitbit, information like your profile photo, posted messages, total steps, personal stats and achievements are not protected by your privacy preferences. Be aware, this information will be available to other challenge participants, not just your selected network. 

If you know your friends are on Fitbit, you can invite them to join your network by providing their email address. Fitbit will then use their contact information to send them an invitation. The company claims never to add this data to a marketing list. Fitbit’s website humorously states: ‘We’ve tried, but we just can’t get the psychic thing down. So, when you contact us for help, we collect your name, contact information, and message to make sure we get you the answers you need.’ Source.

When you visit Fitbit’s website, your IP address is collected and used to make sure you’re receiving content which is relevant to you and your location. 

Fitbit’s chucklesome tone embellishes their Cookie policy content. ‘Our policy on cookies—in life, and online—is that we like them a lot, in moderation. When you visit our site, we use cookies and other technologies to improve what we do and how we do it. Source.

Only if you grant Fitbit permission to access your location, will GPS and location data be collected. ‘Some features, like mapping a run or activity, use precise location data. This includes GPS signals, device sensors, Wi-Fi access points, and cell tower IDs.’ Source.

With regards to your account info, Fitbit explains its collection of information like your height, gender, age and weight upon creation of your account with them with a dutiful: ‘Everything’s better when it’s tailored to you.’ This information helps Fitbit personalize daily exercise and activity stats, including the number of calories you’ve burned and the distance you’ve travelled. These key features are of course, what most users buy and own their wise wearables for!

Partnerships and pastures new

Fitbit is part of the Google family, as of 2021. ‘The search giant bought the health-tracking company for $2.1bn (£1.5bn) in November 2019 but faced questions from regulators. Following a four-month European Commission investigation, it agreed not to use health and location data from Fitbit devices for advertising. The deal was then approved by authorities in December.’ Source.

Both Fitbit and Google remain crystal clear about their data privacy policies under their new partnership. ‘The trust of our users will continue to be paramount, and we will maintain strong data privacy and security protections, giving you control of your data and staying transparent about what we collect and why’, says Fitbit CEO, President and Founder, James Park. Source.

It will come as exceedingly reassuring news to Fitbit users, that their health and wellness data will not be used for Google ads, with this data being stored completely separately.

‘Google said the acquisition “has always been about devices, not data”. “We’ve been clear since the beginning that we will protect Fitbit users’ privacy.”  Source. Google also promises the commitments given to the European commission, which it must keep for 10 years, will be implemented globally.

Google promises: ‘to store Fitbit data in a “silo”, separate from data used for advertising, to maintain third-party access to the Fitbit platform and not to degrade the user experience of third-party smartwatches paired with an Android phone.’ Source.

James Park assures: ‘Google will continue to protect Fitbit users’ privacy and has made a series of binding commitments with global regulators, confirming that Fitbit users’ health and wellness data won’t be used for Google ads and this data will be kept separate from other Google ad data.’ Source.

Park summarises the new partnership with a triumphant: ‘Many of Fitbit’s ‘devices’ features will remain the same but, with Google at the helm, “possibilities are truly limitless’. Source.

It’s worth remembering with Fitbit, regardless of all its data-privacy assurance, particularly in light of the Google partnership, a user can change their profile to entirely private in settings, if they wish.

Technology takeaways

To conclude, the third edition in our tracking series comes to your readership from a privacy-first, duty of care perspective, much like the popular-with-the-people examples we’ve evaluated. We’ve shared our insights on how to stay safe whilst engaging with location-based tracking day-to-day and addressed your burning questions about what happens with your data. 

In light of the recent announcement from Google of plans to stop sharing location based marketing information with third-party services by 2022, we’ll continue to see a rise in privacy-first technology models and witness companies approaching location data with a refreshed and revived, privacy-first perspective.

To find out more about the work of Track24, visit our main website here: www.track24.com