580 Million Devices Tracking Your Body
In 2024, over 580 million wearable devices shipped globally. [1] They track your heart rate, sleep patterns, menstrual cycles, stress levels, and every step you take.
That data exposed secret military bases in Afghanistan and Syria. [2] It can be sold to insurance companies to adjust your premiums. [3] And HIPAA, the health privacy law, doesn't protect most of it. [4]
Your fitness tracker monitors your body 24/7. But the law barely monitors what happens to that data.
The Strava Disaster: When Jogging Exposed Secret Bases
In January 2018, a 20-year-old Australian student named Nathan Ruser was browsing Strava's global "heatmap", a visualization of 13 trillion GPS data points from the fitness app's users. He noticed something odd: bright lines in Syria, Afghanistan, and other conflict zones. [2]
Those lines were US military personnel jogging around secret bases.
What Got Exposed
Strava's heatmap revealed or confirmed: [5]
- US military bases in Afghanistan, Syria, and Djibouti
- CIA facilities and suspected black sites
- Patrol routes around sensitive installations
- Operating patterns of military personnel
- Bases belonging to the UK, France, Turkey, Russia, and other nations
In remote areas where locals don't use fitness apps, American soldiers' jogging routes lit up like beacons on the map. [6]
It Happened Again in 2024
The problem wasn't fixed. In October 2024, French newspaper Le Monde published "#StravaLeaks", showing that: [7]
- President Macron's security detail posted runs near hotels before his visits
- Secret Service agents protecting US presidents exposed operational routines
- Israeli soldiers near Gaza mapped sensitive military positions
- Security personnel for Biden, Harris, Trump, Putin, and Macron all had their locations compromised
Six years after the original incident, the underlying problem remains unsolved. People who should know better keep sharing their location through fitness apps.
The $60 Billion Health Data Market
The global fitness tracker market hit $60.9 billion in 2024. [1] By 2030, it's projected to reach $162.8 billion. That's not just hardware sales; it's the value of the data being collected.
Scale of Collection
What's Tracked
- Heart rate (24/7)
- Sleep patterns and quality
- Steps and exercise
- GPS location
- Menstrual cycles
- Stress and HRV
- Blood oxygen (SpO2)
Google Bought Fitbit and Your Data
In January 2021, Google completed its $2.1 billion acquisition of Fitbit. [11] Privacy advocates immediately raised concerns.
What Google Gets
Fitbit had over 29 million active users when Google bought it. Each user brings: [12]
- Years of historical health data
- Sleep pattern records
- Heart rate history
- Exercise habits
- Location data from workouts
- Weight and dietary logs
Combined with Google's existing data (search history, Gmail content, YouTube viewing, Android phone location, Chrome browsing), this creates what European economists called "unique opportunities for discrimination and exploitation of consumers." [13]
Google's Promises
Google claims: [14]
- Fitbit health data won't be used for Google ads
- They never sell personal information
- The data will be kept separate from advertising systems
Privacy advocate Paul Bischoff wasn't convinced: "Just because the companies say user data will not be used for advertising now does not mean that won't change." [13]
The Forced Migration
In 2024-2025, Google began requiring Fitbit users to migrate their accounts to Google. [15] When users selected "maybe later," the app sent them back to the beginning. There was no way to proceed without handing their data to Google.
All new Fitbit devices now require a Google account to set up.
The HIPAA Loophole
Here's the uncomfortable truth: HIPAA doesn't protect your fitness tracker data. [4]
What HIPAA Actually Covers
HIPAA (the Health Insurance Portability and Accountability Act) only protects "Protected Health Information" (PHI) handled by "covered entities": healthcare providers, health plans, and healthcare clearinghouses.
Consumer wearables don't qualify. Your Fitbit isn't a healthcare provider. Your Apple Watch isn't bound by HIPAA. [16]
What This Means
Your fitness tracker data can be: [3]
- Sold to data brokers without your specific consent
- Shared with insurance companies to adjust your premiums
- Accessed by employers through corporate wellness programs
- Used by law enforcement with fewer restrictions than medical records
- Bought by marketers for targeted advertising
Insurance Companies Want Your Data
Health and life insurers are increasingly interested in wearable data. [17]
How It Works
Some insurance programs already offer discounts for sharing fitness tracker data. The pitch: prove you're healthy, get lower rates.
The flip side: if your fitness data reveals a lifestyle more sedentary than you reported to your doctor, insurers could increase your premiums. [3]
What Insurers Can Infer
- Activity levels: Do you actually exercise?
- Sleep quality: Are you getting enough rest?
- Heart rate patterns: Signs of stress or heart conditions
- Location data: Do you live in a "high-risk" area?
- Behavioral patterns: Consistent routines = lower risk
42% of large companies now include fitness trackers in employee benefit programs. [18] That's a lot of health data flowing to corporate wellness vendors, and potentially to insurers.
Reproductive Health Data After Roe
After the Supreme Court overturned Roe v. Wade in 2022, period tracking apps became a new privacy frontier.
The Fear
Menstrual cycle data could theoretically be used to identify pregnancies and pregnancy terminations. Law enforcement in states with abortion restrictions could potentially subpoena this data.
Company Responses
Oura Ring issued a statement: "Oura will oppose any request to provide legal authorities with access to user data for surveillance or prosecution purposes, and will notify users if we receive any such request." [19]
Other companies have been less forthcoming. If you're tracking cycles on a fitness app, know that the data exists and could be requested.
How Different Trackers Handle Privacy
Better Privacy Practices
Apple Watch
- Stores sensitive health data encrypted on device
- End-to-end encryption available for iCloud sync
- Business model isn't advertising-based
- Strong public privacy stance
Oura Ring
- Subject to EU GDPR (Finland-based)
- Doesn't sell data to advertisers
- Offers "privacy mode" (airplane mode on device)
- Published post-Roe statement opposing law enforcement data access [19]
Garmin
- Business model based on device sales, not data
- Relatively transparent privacy policies
- No red flags in Mozilla's review
Higher Privacy Concerns
Fitbit (Google)
- Now owned by Google (advertising company)
- Forced account migration to Google
- Google Fit APIs shutting down June 2025
- Long-term data use uncertain despite promises
Xiaomi/Huawei
- Highest cumulative privacy risk scores [10]
- Subject to Chinese data laws
- Less transparent data practices
Strava
- Default settings share activity publicly
- Heatmap feature exposed military bases
- Location data visible to anyone unless locked down
The Security Breach Epidemic
Health-related cybersecurity breaches increased over 4,000% between 2009 and 2023. [20] The body-data market is expected to exceed $500 billion by 2030.
When fitness trackers get breached, attackers get:
- Years of heart rate and health data
- Sleep pattern records
- GPS location history
- Email addresses and passwords
- Potentially sensitive health conditions
Unlike a credit card, you can't change your resting heart rate after a breach.
How to Protect Yourself
Before You Buy
- Research privacy policies: Mozilla's "Privacy Not Included" rates wearables
- Prefer on-device processing: Apple Watch keeps more data local
- Avoid advertising-based companies: If the product is free, you're the product
- Consider GDPR-based companies: EU privacy laws are stronger (Oura, Polar)
Privacy Settings to Change
Strava
- Go to Settings → Privacy Controls
- Set profile to "Followers" or "Only You" (not "Everyone")
- Enable "Hide Start/End Points" (adds privacy zones around your home)
- Disable "Enhanced Activity Heatmap" contributions
- Review past activities and make sensitive ones private
Fitbit
- Go to Settings → Privacy
- Set profile visibility to "Private"
- Disable "Share for Research" if not comfortable
- Review which third-party apps have access
- Regularly delete old data you don't need
Apple Watch
- Enable end-to-end encryption for Health data in iCloud
- Review which apps have Health data access
- Disable location for apps that don't need it
- Consider using "Private" workout types
General Best Practices
- Disable GPS for workouts near home: Your neighborhood running route reveals where you live
- Don't sync with every app: Each connection is a new data risk
- Review third-party app connections: Revoke access you don't use
- Use device PIN/lock: Protects data if device is lost
- Consider what you really need tracked: Do you need 24/7 heart monitoring, or occasional workouts?
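What a privacy zone does to a route, as in Strava's "Hide Start/End Points" setting and the "Disable GPS for workouts near home" advice above, shown as an added example (not Strava's or any vendor's code): every GPS point inside a zone is dropped before the track is shared. The coordinates, the 400 m radius and the function names are constructed for illustration.

```python
import math

EARTH_RADIUS_M = 6_371_000.0

def haversine_m(a, b):
    """Great-circle distance in metres between two (lat, lon) points in degrees."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(h))

def scrub_track(track, zones):
    """Split a track into segments that lie outside every privacy zone.

    track: list of (lat, lon); zones: list of ((lat, lon), radius_m).
    Points inside any zone are dropped, including mid-run passes, and the
    track is split there so no straight line is drawn across the zone.
    """
    segments, current = [], []
    for point in track:
        if any(haversine_m(point, centre) <= radius for centre, radius in zones):
            if current:
                segments.append(current)
                current = []
        else:
            current.append(point)
    if current:
        segments.append(current)
    # A lone point cannot be drawn as a route and only marks the zone edge.
    return [s for s in segments if len(s) >= 2]

def min_distance_to(segments, place):
    """Closest approach (metres) of any remaining point to a place."""
    return min((haversine_m(p, place) for s in segments for p in s),
               default=math.inf)

# Constructed sample: an out-and-back run heading north from a made-up "home".
HOME = (48.0000, 11.0000)
OUTBOUND = [(HOME[0] + i * 0.0005, HOME[1]) for i in range(0, 21)]  # ~55 m steps
TRACK = OUTBOUND + OUTBOUND[::-1][1:]
ZONES = [(HOME, 400.0)]  # assumed radius; pick one that covers several streets

if __name__ == "__main__":
    cleaned = scrub_track(TRACK, ZONES)
    print(len(TRACK), "points in,", sum(map(len, cleaned)), "points out")
    print("closest remaining point to home: %.0f m" % min_distance_to(cleaned, HOME))
```

Running a check like this on an exported track before connecting another app shows exactly which points would leave the device.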
For Sensitive Situations
- Reproductive health tracking: Consider apps with strong legal commitments or local-only storage
- Military/security personnel: Don't use social fitness features, period
- Activists/journalists: Your movement patterns are valuable intelligence; protect them
- Domestic abuse situations: Fitness trackers can be used to track your location
What Needs to Change
A 2024 report titled "From Skin to Screen: Bodily Integrity in the Digital Age" recommends: [20]
- Expand health privacy laws to cover data from wearables and fitness apps
- Clarify data protection laws to encompass all forms of bodily data
- Regulate data brokers that trade in health information
- Require explicit consent for any health data sharing
Until those changes happen, you're largely on your own.
The Bottom Line
580 million wearables shipped in 2024. They track your heart, sleep, location, and activity. HIPAA doesn't protect most of this data.
Strava exposed military bases and presidential security details. Google owns Fitbit and its 29 million users' health histories. Insurance companies can buy fitness data to adjust your premiums. And period tracking apps could theoretically be subpoenaed in abortion investigations.
Some trackers handle privacy better than others. Apple, Oura, and Garmin have stronger protections. Xiaomi and Huawei have weaker ones. Fitbit's future under Google remains uncertain.
To protect yourself:
- Choose trackers with strong privacy practices
- Lock down sharing settings (especially on Strava)
- Disable GPS near your home
- Limit third-party app connections
- Consider what data you really need collected
Your body's data is valuable: to you, to companies, to insurers, and potentially to law enforcement. The tracker on your wrist generates it 24/7. Decide carefully who else gets to see it.
References
[1] Market.us - Fitness Tracker Statistics and Facts (2025)
[2] Newsweek - Fitness App Strava Reveals Location of Secret Military Bases Around the World (January 2018)
[3] GovTech - Could Your Fitbit Data Be Used to Deny You Health Insurance?
[4] MDPI Cryptography - Wearable Health Monitoring Devices and Privacy Regulations in the U.S.
[5] Mapulus - When Fitness Trackers Exposed Military Secrets: The Strava Heatmap Story
[6] Alphr - Strava is a military security nightmare as US base locations are leaked
[7] GIJN - Running Into Open Secrets: How to Investigate Using the Strava Fitness App (2024)
[8] DemandSage - Smartwatch Statistics (2025) - Users & Market Share
[9] Coolest Gadgets - Fitness Trackers Statistics By Market Size, Types, Usage
[10] Nature Digital Medicine - Privacy in consumer wearable technologies: a living systematic analysis
[11] PBS - Google bought Fitbit. What does that mean for your data privacy?
[12] Spirion - Is Google's Purchase of Fitbit a Data Privacy Risk?
[13] TechRadar - Where is all your health data going? The Google and Fitbit scandal explained
[14] Google/Fitbit - Our Continued Commitment To Data Privacy and Security
[15] Fitbit Community - My thoughts about the Fitbit app and Google migration
[16] GovTech - Health Device Data Is Protected, but Also Used, Shared
[17] NC State Data Column - Fitness Trackers' Ethical Use of Data (January 2024)
[18] Kaspersky - Fitness Tracker Privacy Risks
[19] Mozilla Foundation - Oura Ring Privacy & Security Guide
[20] IS Partners - Data Privacy at Risk with Health and Wellness Apps