Slashdot Mirror


Fitness App Runkeeper Secretly Tracks Users At All Times, Sends Data to Advertisers (androidauthority.com)

An anonymous reader writes: FitnessKeeper, the company behind running app Runkeeper, is in hot water in Europe. The company has received a formal complaint from the Norwegian Consumer Council for breaching European data protection laws. But why? Runkeeper tracks its users' location at all times -- not just when the app is active -- and sends that data to advertisers. The NCC, a consumer rights watchdog, is conducting an investigation into 20 apps' terms and conditions to see if the apps do what their permissions say they do and to monitor data flows. Tinder has already been reported to the Norwegian data protection authority for similar breaches of privacy laws. The NCC's investigation into Runkeeper discovered that user location data is tracked around the clock and gets transmitted to a third party advertiser in the U.S. called Kiip.me. Finn Myrstad, the council's digital policy director, said: "We checked the apps technically, to see the data flows and to see if the apps actually do what they say they do. Everyone understands that Runkeeper tracks users while they exercise, but to continue after the training has ended is not okay. Not only is it a breach of privacy laws, we are also convinced that users do not want to be tracked in this way, or for information to be shared with third party advertisers."

54 of 93 comments

  1. Price? by Nidi62 · · Score: 3, Informative

    Not surprisingly, it is a free app (with in-app purchases - not sure how that works with a running app, but whatever). They had to be getting their money from somewhere....

    --
    The only thing necessary for evil to triumph is for it to be pitted against a slightly greater evil
    1. Re:Price? by SumDog · · Score: 2

      With Map My Ride, the in app purchases are to unlock "MVP mode" which allows you to get more workout analytics (break down your split times) or live tracking (let your friends track your ride)

    2. Re:Price? by wardrich86 · · Score: 1

      Simple solution: Offer up an IAP to stop unwanted tracking and selling of data!

    3. Re:Price? by angel'o'sphere · · Score: 1

      By killing my data plan? I would say that is close to fraud!

      --
      Cost free eBook I read (by iBook/Kobo/Amazon/ObookO/Gutenberg etc.): "The Green Odyssey" by Philip Jose Farmer.
    4. Re:Price? by Tim+the+Gecko · · Score: 1

      Runkeeper also keeps trying to sell you a premium service, which has more analytics. There is also the "reward" after you complete some accomplishment, which seems to be some product discount, and they probably could make money from advertising there.

      Last year I wondered if it was a Runkeeper developer asking what to do when dividing by zero. If you stay completely still for an entire workout, it decides that you are running at "zero minutes per kilometer" and even congratulates you on setting a new record.

      Sometimes the phone's GPS has been still running after I've finished, and I have had to swipe away the app. Up until now I've assumed this was incompetence on their part, rather than malice.

    5. Re:Price? by Mistakill · · Score: 1

      I paid for the app long before they went with the freemium model

  2. Not just for running by PPH · · Score: 1

    ... for running(NSFW)

    --
    Have gnu, will travel.
  3. Can we sue for this? by Locke2005 · · Score: 2

    If I'm going over my monthly data cap because an app is using up my bandwidth, can I ask them to reimburse me for added data costs? Seems fair to me...

    --
    I've abandoned my search for truth; now I'm just looking for some useful delusions.
    1. Re:Can we sue for this? by crow · · Score: 1

      Right. The solution is to have the OS support per-application data caps. If an app hits the daily limit, you get a pop-up asking permission. Unless (and until) you say yes, the app sees that the network is down.

    2. Re:Can we sue for this? by gurps_npc · · Score: 1

      You can sue for anything. I can sue you for daring to use the username Locke2005, when I am clearly the one and only Locke2005.

      This is the kind of thing that you need a class action lawsuit, because the money is so small that it can't be worth it.

      If this were the US, a class action lawsuit of this type would most likely settle with the company paying legal fees, agreeing to stop doing it, and maybe give their customers a coupon of some kind for pennies off future services. Not worth it for the customers, well worth it for the lawyers.

      --
      excitingthingstodo.blogspot.com
    3. Re:Can we sue for this? by vux984 · · Score: 3, Interesting

      You sure can.

      First, you must calculate how much bandwidth they used at times that you weren't expecting it to be using bandwidth. Be precise. It's likely in the low MB.

      Next, look at your recent phone bills, and document your actual overages. (If you weren't actually over, what are you suing for?)

      And calculate (show your work) what portion of that overage is attributable to the app running when it wasn't supposed to be. Hope you didn't have a 2GB overage streaming movies because the 2MB contribution of the app to your overage is then only about 1% the 20$ you spent on overages. (or 20 cents)

      Next, document what steps you took to minimize the harm. (If you've had data cap overages for the last 3 years and you are only doing something about it now, the judge will disallow most of your claim as you have an obligation to minimize harm. So you'll need to show that you took reasonable steps to monitor and control your data use and manage overages.)

      Finally, file your lawsuit; attend the hearing; and then wait for your check for $2.27 in data overages that the court is likely to allow as directly attributable harm from the app for data use.

      Assuming it allows anything at all.

    4. Re:Can we sue for this? by NotAPK · · Score: 1

      Your logic is perfect.

      Yet "we" still get hurt.

      So how is this system supposed to protect us?

    5. Re:Can we sue for this? by sjames · · Score: 1

      They know it isn't likely to be free. If they did anything to obscure the constant tracking and use of data, they should be forced to pay.

  4. Re:Joggers don't care about privacy by Anonymous Coward · · Score: 1

    Cyclists are worse.

  5. Garmin Connect by IMightB · · Score: 1

    I'm not surprised at all, I would like someone to do this analysis with the Garmin Connect app. A while ago it was updated so that you couldn't connect the vivosmart directly to your phone without doing it through the app. Then, another update the app isn't even usable unless you turn on location services. So for someone like me whose use case is mostly so I don't have to pull my phone out of my pocket to check/ack a page and occasionally for exercise. It became a piece of junk that sits in a drawer.

    1. Re:Garmin Connect by Piata · · Score: 1

      I'm curious about this as well. Garmin's primary business is selling reliable hardware with a long term ecosystem so you would hope that selling user information to marketers isn't worth the effort.

  6. Re:Is this not in the EULA? by U2xhc2hkb3QgU3Vja3M · · Score: 5, Insightful

    You can write whatever you want in your EULA, even with "user consent" (i.e. nobody reads those damn things, they're 20 pages long and require you to be a lawyer to understand half of it) it cannot overrule the existing laws of the country.

  7. I think they all do by Anonymous Coward · · Score: 3, Informative

    Sister got Dad a fitbit as a gift. It wants so many permissions in Android that the family decided not to install, activate, or use it. Seems corporations view people as marks to be fleeced instead of valued customers.

    1. Re:I think they all do by NotAPK · · Score: 1

      Uninstalled 15 minutes ago.

      Easiest decision I had to make today.

    2. Re:I think they all do by Bender+Unit+22 · · Score: 1

      I have been looking at these types of devices too, as I am getting into better shape, why not buy gadgets and make it more fun. But I could not really see what they could do for me, and I must say I had concerns about how much data I am giving out to unknown parties.

    3. Re:I think they all do by Voyager529 · · Score: 2

      Another one to echo your sentiment here. There are no tasks that the Fitbit account does that couldn't be handled within the app with the data kept locally. The fact that this isn't an option - not just on a fitbit but with any of the other fitness trackers I've looked at - gives me grave discomfort. It'd be a trivial selling point for anyone to do, but the fact that no one is doing it means that someone, somewhere, is paying handsomely for that data.

  8. Battery usage? by smileham · · Score: 1

    That's an immediate uninstall then. I'm personally not that fussed about being tracked, it's more a concern on battery drain from an app that shouldn't be doing it!

  9. Re:Joggers don't care about privacy by Gadget_Guy · · Score: 3, Insightful

    Never met one that didn't tell the world when and where they ran.

    How would you know? If you met a jogger who didn't tell you anything about their jogging then you wouldn't know it. You would just assume that they were non-joggers and your preconceived notions about joggers would remain untested.

  10. I'm curious about the tracking results by JoeyRox · · Score: 1

    I agree it's a violation of user privacy but still I'm curious about what the tracking data shows. For example I wonder what percentage of those exercising hit up a donut shop after they're done.

  11. Re:Joggers don't care about privacy by zarr · · Score: 1

    When joggers don't jog, they're just ordinary, but fit, people. Some of those actually care about privacy.

  12. Re:Joggers don't care about privacy by DoubleParadoxx · · Score: 1

    It's one thing to share where you ran. It's another to share your location at all times.

  13. Re:Oh wow how unexpected! by Falos · · Score: 1

    I was going to do Shocked! but you've gone and beat me to it.

    If they can, they will. Why is this so hard to understand? Why do we think automated, dragnet surveillance knows the difference between "good guys" and "bad guys" (as if there was some binary, defining property)? Why do we think we Totes Dodge The Bullet because we clicked some "No thanks" checkbox with carefully phrased wording?

    Security doesn't have this problem. When they see an access, they assume everything's been hoovered up. Why would it not? When they see a vulnerability, a potential means of discernment, they assume it WILL be used and must be corrected until inaccessible.

    Inaccessible in their vocabulary means hard walls, not words and paper walls.

  14. Re:Is this not in the EULA? by NotAPK · · Score: 1

    Just downloaded my data and uninstalled the app from my phone.

    No time for BS like this, the meager benefit derived from the app was definitely not worth it.

  15. Re:Is this not in the EULA? by WaffleMonster · · Score: 1

    You can write whatever you want in your EULA, even with "user consent" (i.e. nobody reads those damn things, they're 20 pages long and require you to be a lawyer to understand half of it) it cannot overrule the existing laws of the country.

    Going to be awesome to start to see these companies who believe they can get away with spying on everyone unravel as privacy laws and awareness of creepy stalker mentality that pervades this industry is brought out of the shadows.

  16. Re: in the EULA? by Frankzy · · Score: 1

    Doesn't matter since that shit carries very little weight here...

  17. A numbers of apps does this by Bender+Unit+22 · · Score: 1

    My iPhone says that the app wants access to GPS even when I am not using it or have opened it. So these get uninstalled again. I believe the last one I tried was Waze.

    1. Re:A numbers of apps does this by orev · · Score: 1

      You can easily go into the Location Services and change it to "While Using", and actually in the most recent version at least, there isn't an option for "Always", so this must only be an Android thing.

  18. Android Version Only? by jIyajbe · · Score: 1

    The first link goes to a website named "Android Authority"; the article in the second link includes the phrase "...the Android version of the app...". Anyone know if the iOS version is doing this also?

    --
    "Don't blame the log for the fire." --Andrew Ratshin
    1. Re:Android Version Only? by orev · · Score: 1

      You can check by going into Location services and seeing what it's set to. Only options I see are "Never" and "While using", so it can't be tracking you all the time.

    2. Re:Android Version Only? by Incadenza · · Score: 1

      No, it cannot do this. You can't even give it permission to track you all the time.

    3. Re:Android Version Only? by jIyajbe · · Score: 1

      Thanks, both you and orev.

      I expect that, in the (vast?) majority of cases, RunKeeper is doing this without the user's knowledge or permission; I inferred from the articles that it may be doing that by somehow overriding the user's tracking settings in Android. (But, that was an inference only.) I didn't think there was a way to do that in iOS, so glad to have my understanding affirmed.

      --
      "Don't blame the log for the fire." --Andrew Ratshin
    4. Re:Android Version Only? by SuperKendall · · Score: 1

      It could do the same if it had the Location permission "always" (and the user allowed it), but like they said it only offers "Never" and "While Using" - Apple added the "while using" item back with iOS8 I think. After they added that I always shut down location permissions for any app that does not offer the "While Using" option.

      --
      "There is more worth loving than we have strength to love." - Brian Jay Stanley
  19. Re:Joggers don't care about privacy by Incadenza · · Score: 1

    It's one thing to share where you ran. It's another to share your location at all times.

    Which it cannot do. Privacy settings on iOS9 for Runkeeper have only two settings: never, and only when app is active. What is stated in the summary should not be possible.

  20. Re:Oh wow how unexpected! by Dins · · Score: 1

    If they can, they will. Why is this so hard to understand?

    It's not, and I kinda figured apps like this may very well be doing this. But when it's confirmed that they are, well, bye bye...

  21. Re:Oh wow how unexpected! by mspohr · · Score: 2

    Welcome to the world of "Surveillance Capitalism"... you are the product they are selling.

    --
    I don't read your sig. Why are you reading mine?
  22. Shouldn't happen on iOS 9 by Isao · · Score: 1

    There are only two location sharing options, Never and while the app is active. If they're bypassing this on iOS 9, Apple has got some problems.

    1. Re:Shouldn't happen on iOS 9 by Cimexus · · Score: 1

      Article mentions that this issue is specifically for the Android version of the app. You are correct that this is impossible on iOS. Doubly so if you actually completely close the app (swipe it away).

  23. So these people are safe ... right? by 140Mandak262Jamuna · · Score: 1

    All those people who did not root their phones, used official market place or the official app store all should be safe, right?

    The App is snooping, it has been outed, it is simply a matter of time, next security update will blacklist the app, revoke all its privileges and all is well in the world, right?

    In reality, people who rooted their phone, run a security manager that sandboxes all apps and prompts for every network access, will be safe. People who trusted Apples and Googles to keep them safe would be taken to the cleaners.

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
  24. Re:Joggers don't care about privacy by friesofdoom · · Score: 1

    That is a bit presumptuous. Maybe the first thing he asks people when he meets them is if they jog...

  25. You need the ability to lie to the app by Alain+Williams · · Score: 1

    Some apps that you really want demand all sorts of capabilities that you do not want to give to them. Some will not install or behave badly if you do not grant what they want. What is needed is a 3 way grant of permissions: yes (allow), no (do not allow), lie (use a contact list of: mickey mouse, the queen, pres obama, ...; location: North Pole; ....) like that they are happy and just report to their masters junk information.

  26. Re:Is this not in the EULA? by JustAnotherOldGuy · · Score: 1

    I know I'm shocked that this information-gathering gadget was in fact gathering information.

    --
    Just cruising through this digital world at 33 1/3 rpm...
  27. Basic right and contracts by aepervius · · Score: 1

    In the US maybe you can put a lot of stuff in some states like enforcing arbitration and giving up rights, but in Europe we take a dim view of this, you cannot waive your fundamental rights, and, depending on the jurisdiction, those clauses are either waived, or can in some cases even nullify a contract. In this case data protection comes in, and I am guessing that kiip.me will find itself in very hot water rapidly.

    --
    C. Sagan : A demon haunted world:
    http://www.amazon.com/gp/product/0345409469/
    visit randi.org
  28. How many times must it be said? by jenningsthecat · · Score: 1

    Anyone who has gotten burned by this kind of crap and is surprised, hurt, or indignant, please repeat after me: "If I'm not paying for the product, I AM the product". Now, continue to repeat it, out loud if necessary, until it sticks. Make it a daily mantra. When you see a 'free' service you're interested in, if your immediate thought is "how will I and / or my data be taken advantage of if I sign up for this?", then you've successfully activated your best protection against being an unwitting victim of 'free'.

    --
    'The Economy' is a giant Ponzi scheme whose most pitiable suckers are the youngest among us and the yet-unborn.
    1. Re:How many times must it be said? by epine · · Score: 1

      "If I'm not paying for the product, I AM the product". Now, continue to repeat it, out loud if necessary, until it sticks.

      Sure. But here's a question. What does Caveat Emptor 101 for Slow Learners actually buy you at the end of the day?

      What it bought me is an Android cell phone with such a pathetically small number of data-enabled applications installed on it that I turned off my data modem six months ago and have yet to miss it.

      Furthermore, actually paying for an application is no guarantee it doesn't partake in the same additional revenue streams. If you were too busy shouting the take-away slogan from Caveat Emptor 101 from the nearest available e-rooftop to notice this ugly fact, you might want to check yourself into the horror show known as Caveat Emptor 102. No need to write "102" down on paper lest you forget.

      No, just "continue to repeat it, out loud if necessary, until it sticks."

      With hard work and persistence, eventually you'll become qualified to enroll in Houston We Have a Problem Here 400 or Privacy 911 (dissertation mandatory).

  29. Re:Joggers don't care about privacy by Tom · · Score: 2

    Never met one that didn't tell the world when and where they ran. They're like vegans in that regard. I doubt many of their users will care.

    Here.

    There are a lot of casual joggers in the world, who don't make it a religion but use an App simply to track or to remind or because they can.

    Just like there are a lot of people in the world who sometimes eat a lunch that would qualify as vegan, not because they think anything about vegan food, but simply because their choice of what to eat that day turned out to be so.

    --
    Assorted stuff I do sometimes: Lemuria.org
  30. Moving your data from runkeeper by dagooncrn · · Score: 1

    There's a very useful service https://tapiriik.com/ (free and open source https://github.com/cpfair/tapi... ) that lets you migrate workouts between different fitness apps. It supports runkeeper, strava (my favourite), endomondo, garmin and even dropbox.

    --
    -- mg
  31. Remember, folks by JohnFen · · Score: 1

    If you're transmitting data to a service provider, that data will be sold.

  32. Locke2005 by antdude · · Score: 1

    Prove it that you're the only Locke2005. I am Locke2005 too. :P

    --
    Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
  33. Battery life by hoggoth · · Score: 1

    So that explains why my battery life has tanked since I installed Runkeeper...
    F' them.

    --
    - For the complete works of Shakespeare: cat /dev/random (may take some time)