"Revoked just now!" Users' Behaviors Toward Fitness-Data Sharing with Third-Party Applications

Authors: Noé Zufferey (University of Lausanne), Kavous Salehzadeh Niksirat (University of Lausanne), Mathias Humbert (University of Lausanne), Kévin Huguenin (University of Lausanne)

Volume: 2023
Issue: 1
Pages: 47–67
DOI: https://doi.org/10.56553/popets-2023-0004


Download PDF

Abstract: The number of users of wearable activity trackers (WATs) has rapidly increased over the last decade. Although these devices enable their users to monitor their activities and health, they also raise new security and privacy concerns, given the sensitive data (e.g., steps, heart rate) they collect and the information that can be inferred from this data (e.g., diseases). In addition to sharing with the service providers (e.g., Fitbit), WAT users can share their fitness data with third-party applications (TPAs) and individuals. Understanding how and with whom users share their fitness data and what kind of approaches they take to preserve their privacy are key to assessing the underlying privacy risks and to further designing appropriate privacy-enhancing techniques. In this work, we perform, through a large-scale survey of N=628 WAT users, the first quantitative and qualitative analysis of users' awareness, understanding, attitudes, and behaviors toward fitness-data sharing with TPAs and individuals. By asking these users to draw their thoughts, we explore, in particular, users' practices and actual behaviors toward fitness-data sharing and their mental models. Our empirical results show that about half of WAT users underestimate the number of TPAs to which they have granted access to their data, and 63% share data with at least one TPA that they do not actively use (anymore). Furthermore, 29% of the users do not revoke TPA access to their data because they forget they gave access to it in the first place, and 8% were not even aware they could revoke access to their data. Finally, their mental models, as well as some of their answers, demonstrate substantial gaps in their understanding of the data-sharing process. Importantly, 67% of the respondents think that TPAs cannot access the fitness data that was collected before they granted access to it, whereas TPAs actually can do this.

Keywords: wearable activity trackers, fitness data, data sharing, fitness tracker, wearable, third party, privacy

Copyright in PoPETs articles are held by their authors. This article is published under a Creative Commons Attribution 4.0 license.