Fitbit and the Data Mine

I got a Fitbit years ago as part of a workplace “health intitiave” and have used it on and off ever since. Being a bit concerned since Google entered a deal to acquire Fitbit (and thus, of course, all its data), I’ve stopped using it and have considered selling it off. Of course, there’s an online account to go with it, so I logged in and found my way to the settings so I could try exporting all my data. While I’m not so much concerned about keeping my data for myself, I was definitely curious exactly how they log that data.

I more or less assumed that all data would be exported in CSV format, given that’s exactly how it states it will. I thought I’d see a table of each date logged, with the accompanying total steps for each day, similar to how it’s reflected in the app. It turns out, the data has only a handful of CSV files, mostly with any “challenges” between you and friends. Steps themselves are in .json files, and when you open them in a text editor, it turns out that there’s a log of the total number of steps for every single minute of every single day logged.

A screenshot of a Fitbit export showing steps taken each minute from a day in December 2019.

Keep in mind that my Fitbit is the now-discontinued Fitbit One, so it tracked just steps and stairs automatically, and sleep had to be manually started with the timer, and any exercise also had to be manually added in the app. I can only assume that those which are tracking heart rate and exercises are doing so in similar fashion. This isn’t necessarily to say that that’s a good or a bad thing (there are certainly some health implications and potential benefits there), but it should no doubt be more clearly indicated exactly how that information is going to be collected, storied, and ultimately used.

I used to refer to my Fitbit is a ‘glorified pedometer’, but it’s clear now that it’s much, much more.

Update: See this Fitbit blog post that uses collected (and relatively anonymized, given there’s regional information as well as gender and age information) data to look at how COVID-19 and related lockdowns have affected movement. To their credit, Fitbit’s privacy policy does indicate that it may do so, as noted by the following text (emphasis mine):

We may share non-personal information that is aggregated or de-identified so that it cannot reasonably be used to identify an individual. We may disclose such information publicly and to third parties, for example, in public reports about exercise and activity, to partners under agreement with us, or as part of the community benchmarking information we provide to users of our subscription services.

Still, if you ask the casual Fitbit wearer on the street, I imagine it’s a good bet that they have no idea their personal fitness tracker can be used in this manner. The findings are interesting, to be sure, and especially relevant given the public health needs. Still, we need better and much clearer consent when it comes to use of collection of data, both for how it’s collected (in my case, thinking it was just a daily count and discovering it was counter down to the minute, even in aggregate) and how it’s ultimately used.