Fitness App Runkeeper Secretly Tracks Users At All Times, Sends Data to Advertisers (androidauthority.com) 93
An anonymous reader writes: FitnessKeeper, the company behind running app Runkeeper, is in hot water in Europe. The company has received a formal complaint from the Norwegian Consumer Council for breaching European data protection laws. But why? Runkeeper tracks its users' location at all times -- not just when the app is active -- and sends that data to advertisers. The NCC, a consumer rights watchdog, is conducting an investigation into 20 apps' terms and conditions to see if the apps do what their permissions say they do and to monitor data flows. Tinder has already been reported to the Norwegian data protection authority for similar breaches of privacy laws. The NCC's investigation into Runkeeper discovered that user location data is tracked around the clock and gets transmitted to a third party advertiser in the U.S. called Kiip.me.Finn Myrstad, the council's digital policy director, said: We checked the apps technically, to see the data flows and to see if the apps actually do what they say they do. Everyone understands that Runkeeper tracks users while they exercise, but to continue after the training has ended is not okay. Not only is it a breach of privacy laws, we are also convinced that users do not want to be tracked in this way, or for information to be shared with third party advertisers.
Re:Is this not in the EULA? (Score:5, Insightful)
You can write whatever you want in your EULA, even with "user consent" (i.e. nobody reads those damn things, they're 20 pages long and requires you to be a lawyer to understand half of it) it cannot overrule the existing laws of the country.
Re: (Score:2)
You can write whatever you want in your EULA, even with "user consent" (i.e. nobody reads those damn things, they're 20 pages long and requires you to be a lawyer to understand half of it) it cannot overrule the existing laws of the country.
Going to be awesome to start to see these companies who believe they can get away with spying on everyone unravel as privacy laws and awareness of creepy stalker mentality that pervades this industry is brought out of the shadows.
Re: (Score:1)
Re: (Score:1)
Just downloaded my data and uninstalled the app from my phone.
No time for BS like this, the meager benefit derived from the app was definitely not worth it.
Re: (Score:2)
I know I'm shocked that this information-gathering gadget was in fact gathering information.
Basic right and contracts (Score:2)
Price? (Score:4, Informative)
Re: (Score:3)
With Map My Ride, the in app purchases are to unlock "MVP mode" which allows you to get more workout analytics (break down your split times) or live tracking (let your friends track your ride)
Re: (Score:2)
Runkeeper also keeps trying to sell you a premium service, which has more analytics. There is also the "reward" after you complete some accomplishment, which seems to be some product discount, and they probably could make money from advertising there.
Last year I wondered if it was a Runkeeper developer asking what to do when dividing by zero [slashdot.org]. If you stay completely still for an entire workout, it decides that you are running at "zero minutes per kilometer" and even congratulates you on setting a new record.
Re: (Score:2)
Re: (Score:2)
By killing my data plan? I would say that is close to fraud!
Re: (Score:2)
Re: (Score:2)
If they can, they will. Why is this so hard to understand? Why do we think automated, dragnet surveillance knows the difference between "good guys" and "bad guys" (as if there was some binary, defining property)? Why do we think we Totes Dodge The Bullet because we clicked some "No thanks" checkbox with carefully phrased wording?
Security doesn't have this problem. When they see an access, they assume everything's been hoovered up. Why would
Re: (Score:2)
If they can, they will. Why is this so hard to understand?
It's not, and I kinda figured apps like this may very well be doing this. But when it's confirmed that they are, well, bye bye...
Re: (Score:3)
Welcome to the world of "Surveillance Capitalism"... you are the product they are selling.
Not just for running (Score:2)
Re: in the EULA? (Score:1)
Can we sue for this? (Score:3)
Re: (Score:2)
Right. The solution is to have the OS support per-application data caps. If an app hits the daily limit, you get a pop-up asking permission. Unless (and until) you say yes, the app sees that the network is down.
Re: (Score:2)
They know it isn't likely to be free. If they did anything to obscure the constant tracking and use of data, they should be forced to pay.
Re: (Score:2)
You can sue for anything. I can sue you for daring to use the username Locke2005, when I am clearly the one and only Locke2005.
This is the kind of thing that you need a class action lawsuit, because the money is so small that it can't be worth it.
If this were the US, a class action lawsuit of this type would most likely settle with the company paying legal fees, agreeing to stop doing it, and maybe give their customers a coupon of some kind for pennies off future services. Not worth it for the customers,
Locke2005 (Score:2)
Prove it that you're the only Locke2005. I am Locke2005 too. :P
Re:Can we sue for this? (Score:4, Interesting)
You sure can.
First, you must calculate how much bandwidth they used at times that you weren't expecting it to be using bandwidth. Be precise. Its likely in the low MB.
Next, look at your recent phone bills, and document your actual overages. (If you weren't actually over, what are you suing for?)
And calculate (show your work) what portion of that overage is attributable to the app running when it wasn't supposed to be. Hope you didn't have a 2GB overage streaming movies because the 2MB contribution of the app to your overage is then only about 1% the 20$ you spent on overages. (or 20 cents)
Next, document what steps you took to minimize the harm. (If you've had data cap overages for the last 3 years and you are only doing something about it now, the judge will disallow most of your claim as you have an obligation to minimize harm. So you'll need to show that you took reasonable steps to monitor and control your data use and manage overages.)
Finally, file your lawsuit; attend the hearing; and then wait for your check for $2.27 in data overages that the court is likely to allow as directly attributable harm from the app for data use.
Assuming it allows anything at all.
Re: (Score:1)
Your logic is perfect.
Yet "we" still get hurt.
So how is this system supposed to protect us?
Re: (Score:1)
Cyclists are worse.
Re:Joggers don't care about privacy (Score:4, Insightful)
Never met one that didn't tell the world when and where they ran.
How would you know? If you met a jogger who didn't tell you anything about their jogging then you wouldn't know it. You would just assume that they were non-joggers and your preconceived notions about joggers would remain untested.
Re: (Score:1)
Re: (Score:2)
Re: (Score:1)
Re: (Score:2)
Its one thing to share where you ran. Its another to share your location at all times.
Which it cannot do. Privacy settings on iOS9 for Runkeeper has only two settings: never, and only when app is active. What is stated in the summary should not be possible.
Re: (Score:3)
Never met one that didn't tell the world when and where they ran. They're like vegans in that regard. I doubt many of their users will care.
Here.
There are a lot of casual joggers in the world, who don't make it a religion but use an App simply to track or to remind or because they can.
Just like there are a lot of people in the world who sometimes eat a lunch that would qualify as vegan, not because they think anything about vegan food, but simply because their choice of what to eat that day turned out to be so.
Garmin Connect (Score:2)
I'm not surprised at all, I would like someone to do this analysis with the Garmin Connect app. A while ago it was updated so that you couldn't connect the vivosmart directly to your phone without doing it through the app. Then, another update the app isn't even usable unless you turn on location services. So for someone like me whose use case is mostly so I don't have to pull my phone out of my pocket to check/ack a page and occasionally for exercise. It became a piece of junk that sits in a drawe
Re: (Score:2)
I think they all do (Score:3, Informative)
Sister got Dad a fitbit as a gift. It wants so many permissions in Android that the family decided not to install, activate, or use it. Seems corporations view people as marks to be fleeced instead of valued customers.
Re: (Score:1)
Uninstalled 15 minutes ago.
Easiest decision I had to make today.
Re: (Score:2)
I have been looking at these type of devices too, as I am getting in to better shape, why not buy gadgets and make it more fun. But I could not really see what they could do for me, and I must say I had concerns about how much data I am giving out to unknown parties.
Re: (Score:3)
Another one to echo your sentiment here. There are no tasks that the Fitbit account does that couldn't be handled within the app with the data kept locally. The fact that this isn't an option - not just on a fitbit but with any of the other fitness trackers I've looked at - gives me grave discomfort. It'd be a trivial selling point for anyone to do, but the fact that no one is doing it means that someone, somewhere, is paying handsomely for that data.
Battery usage? (Score:1)
I'm curious about the tracking results (Score:2)
Falling behind (Score:1)
"Another branch of the European government was furious they had not thought of this first because les terroristes "
A numbers of apps does this (Score:2)
my iPhone says that the app wants access to GPS even when I am not using it or have opened it. So these get uninstalled again. I believe the last one I tried was Waze.
Re: (Score:2)
Android Version Only? (Score:2)
The first link goes to a website named "Android Authority"; the article in the second link includes the phrase "...the Android version of the app...". Anyone know if the iOS version is doing this also?
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Thanks, both you and orev.
I expect that, in the (vast?) majority of cases, RunKeeper is doing this without the user's knowledge or permission; I inferred from the articles that it may be doing that by somehow overriding the user's tracking settings in Android. (But, that was an inference only.) I didn't think there was a way to do that in iOS, so glad to have my understanding affirmed.
Re: (Score:2)
It could do the same if it had the Location permission "always" (and the user allowed it), but like they said it only offers "Never" and "While Using" - Apple added the "while using" item back with iOS8 I think. After they added that I always shut down location permissions for any app that does not offer the "While Using" option.
Shouldn't happen on iOS 9 (Score:2)
Re: (Score:2)
Article mentions that this issue is specifically for the Android version of the app. You are correct that this is impossible on iOS. Doubly so if you actually completely close the app (swipe it away).
So these people are safe ... right? (Score:2)
The App is snooping, it has been outed, it is simply a matter of time, next security update will blacklist the app, revoke all it s privileges and all is well in the world, right?
In reality, people who rooted their phone, run a security manager that sandboxes all apps and prompts for every network access, will be safe. People who trusted Apples and Googles to keep them safe would
You need the ability to lie to the app (Score:2)
Some apps that you really want demand all sorts of capabilities that you do not want to give to them. Some will not install or behave badly if you do not grant what they want. What is needed is a 3 way grant of permissions: yes (allow), no (do not allow), lie (use a contact list of: mickey mouse, the queen, pres obama, ...; location: North Pole; ....) like that they are happy and just report to their masters junk information.
How many times must it be said? (Score:2)
Anyone who has gotten burned by this kind of crap and is surprised, hurt, or indignant, please repeat after me: "If I'm not paying for the product, I AM the product". Now, continue to repeat it, out loud if necessary, until it sticks. Make it a daily mantra. When you see a 'free' service you're interested in, if your immediate thought is "how will I and / or my data be taken advantage of if I sign up for this?", then you've successfully activated your best protection against being an unwitting victim of 'fr
Re: (Score:2)
Sure. But here's a question. What does Caveat Emptor 101 for Slow Learners actually buy you at the end of the day?
What it bought me is an Android cell phone with such a pathetically small number of data-enabled applications installed on it that I turned off my data modem six months ago and have yet to miss it.
Furthermore, actually paying for an application is no guarantee it doesn't pa
Moving your data from runkeeper (Score:1)
Remember, folks (Score:2)
If you're transmitting data to a service provider, that data will be sold.
Battery life (Score:2)
So that explains why my battery life has tanked since I installed Runkeeper...
F' them.