Shark Tank’s “Worst Pitch” Exposes Fitness Apps’ Security Flaw

Posted on July 21, 2017, 6 a.m.

Rolodoc is the “worst presentation ever” on Shark Tank. Featured in the Season 5 premiere, Rolodoc promised to be a social network connecting doctors with their patients.

Among Rolodoc’s many flaws, the most glaring was its strategy to make money. Watch an exasperated Mark Cuban call out this obvious red flag during the Rolodoc pitch:

Similar to most free apps, Rolodoc planned to make money selling “targeted advertising.” So what’s the big deal? Almost all free apps make money this way, including fitness apps and calorie counters.

The problem is specifically related to apps that deal with information about your health, like workout apps.

In the United States, health information is protected by laws like HIPAA, the Health Insurance Portability and Accountability Act of 1996. HIPAA restricts how covered entities such as doctors, their staff, and health plans may use or disclose your health information without your authorization. It also requires them to store and transmit that information securely.

This is what Cuban was referring to when he said, “Within a secure environment you’re going to sell targeted advertising...not gonna happen.” He was worried about violating HIPAA laws by selling advertising in a health-related app.

And yet, that is exactly what your workout tracker does every single day.

Unlike free music apps and games, health-related apps, like a weight tracker, have access to much more personal information. Things like:

  • How much you weigh.
  • Blood glucose levels for diabetes tracking apps.
  • Whether or not you’re pregnant.
  • When your next period is happening.
  • The type of foods you eat.
  • The brand of foods you prefer.
  • How often you exercise.
  • Where you exercise or your usual running route.

However, the information that a workout tracker collects is technically not covered by HIPAA, even though it is clearly related to your health. HIPAA applies only to covered entities and their business associates; a consumer fitness app that you download and use on your own is usually neither.

Watch the CEO of the Lose It! calorie counter app talk about how the data his app collects is a razor’s edge away from being considered “medical data.”

Even health insurance providers, including Aetna and Humana, recognize the value of fitness data and have started partnering with some health and fitness apps to get access to it. Imagine having a life insurance rate that was affected by data from a fitness app.

Since the sale of personal health information by fitness apps is not regulated by HIPAA, it is an unregulated, Wild West-style market. Calorie counters, workout trackers, and other health apps are using this loophole to generate large revenue streams.

43 of the top fitness apps and calorie trackers connect to ad and analytics sites without their users’ permission.

Some of the top fitness apps, including MapMyRun, share their users’ data with nearly a dozen third-party corporations.
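The findings above come from watching what the apps actually send over the network. The script below is an added example (not code from the article, the studies it cites, or any app named here) of how a practitioner would run that check: it takes request lines captured by an intercepting proxy on a test phone, separates first-party from third-party destinations, matches them against a tracker list, flags sensitive query parameters that leave for third parties, and notes any request that went over plain HTTP. The log lines, the fitlog.example app, and the tracker domains are all constructed for illustration.

```python
"""Audit which hosts a mobile app talks to, from a constructed proxy log.

Added example; the log lines and domain lists are constructed for
illustration and are not taken from any study or app named in the article.
"""
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample: one line per request captured by an intercepting proxy
# on a test phone. Format: "<bundle id> <METHOD> <url>".
SAMPLE_LOG = """\
com.example.fitlog GET https://api.fitlog.example/v1/workouts?user=123
com.example.fitlog POST https://api.fitlog.example/v1/weight
com.example.fitlog GET https://cdn.fitlog.example/icons/run.png
com.example.fitlog GET https://ads.tracker-one.example/pixel?weight=82&goal=lose
com.example.fitlog POST https://collect.analytics-two.example/event?name=period_logged
com.example.fitlog GET http://metrics.analytics-two.example/ping?lat=40.71&lon=-74.00
com.example.fitlog GET https://maps.provider.example/tile/12/1205/1539.png
"""

# The app vendor's own registrable domain(s); hypothetical.
FIRST_PARTY = {"fitlog.example"}

# Constructed blocklist standing in for a real tracker list the reader
# maintains or imports; the names are hypothetical.
KNOWN_TRACKERS = {"tracker-one.example", "analytics-two.example"}

# Query fields whose presence in a request to a third party is worth flagging.
SENSITIVE_PARAMS = {"weight", "goal", "lat", "lon", "name"}


def registrable_domain(host):
    """Reduce a hostname to its last two labels. Good enough for the sample;
    real code should consult the Public Suffix List for names like co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def parse_line(line):
    """Split one proxy log line into app, method, scheme, host and query keys."""
    app, method, url = line.split(maxsplit=2)
    parts = urlsplit(url)
    return {
        "app": app,
        "method": method,
        "scheme": parts.scheme,
        "host": parts.hostname or "",
        "params": set(parse_qs(parts.query).keys()),
    }


def audit(log_text, first_party=FIRST_PARTY, trackers=KNOWN_TRACKERS):
    """Classify every destination in the log and return a summary dict."""
    summary = {
        "third_party_domains": set(),
        "known_trackers": set(),
        "sensitive_to_third_parties": defaultdict(set),
        "plaintext_requests": [],
    }
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        req = parse_line(raw)
        domain = registrable_domain(req["host"])
        # Anything not over HTTPS is readable by whoever sits on the path.
        if req["scheme"] != "https":
            summary["plaintext_requests"].append(req["host"])
        if domain in first_party:
            continue
        summary["third_party_domains"].add(domain)
        if domain in trackers:
            summary["known_trackers"].add(domain)
        leaked = req["params"] & SENSITIVE_PARAMS
        if leaked:
            summary["sensitive_to_third_parties"][domain] |= leaked
    summary["sensitive_to_third_parties"] = dict(summary["sensitive_to_third_parties"])
    return summary


if __name__ == "__main__":
    result = audit(SAMPLE_LOG)
    print("third-party domains:", sorted(result["third_party_domains"]))
    print("known trackers:    ", sorted(result["known_trackers"]))
    for dom, fields in sorted(result["sensitive_to_third_parties"].items()):
        print(f"{dom} received {sorted(fields)}")
    print("plaintext hosts:   ", result["plaintext_requests"])
```

On the constructed sample this reports three third-party domains, two of which are on the tracker list, shows weight and goal going to one tracker and a period-logging event plus GPS coordinates going to the other, and flags one request sent over plain HTTP. A map-tile provider shows up as a third party too, which is the kind of benign destination you still want to see listed so you can rule it out deliberately rather than by assumption.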

25% of free apps and 40% of paid apps don’t have a privacy policy at all. You can read JoyApp’s privacy policy here. Here’s the section of our privacy policy relating to selling ads.

JoyApp does not sell any advertising space in our app or on our website. Our business relies 100% on user subscriptions instead of making money selling your personal data to third parties or advertisers. We've chosen to do business this way because we believe the information you enter into our app and website is incredibly personal and should not be used for profit.

Furthermore, we take additional measures to protect the sensitive information that you entrust to us. We use end-to-end encryption on all communications between our app, website, and servers. This means malicious parties cannot capture your information as it is being transmitted to us.

We never store your credit card or any other financial information.

This troubling trend in even the best workout apps has been the subject of multiple studies. There was the 2013 study by the Privacy Rights Clearinghouse. Watch PRC director Beth Givens talk about what they found after studying the top 43 fitness apps.

There is also the 2016 study published in the Journal of the American Medical Association. This study looked at 211 Android diabetes apps and found that 81% did not have any privacy policy. Of the ones that did, almost half shared their users’ personal health information with third parties.

So what can users do to protect themselves while still using apps to reach their fitness and health goals? Here are three suggestions.

  1. Stop using free apps - If you’re not paying, you are the product. Free apps make money selling users’ data, and health apps are no different. Your personal health information is not just getting leaked, it’s getting sold for profit to multiple third parties. With a paid app there is less incentive for the developers to sell your data, since they already make money from your subscription.

  2. Do your research - Read the reviews in the App Store or Google Play before you download any app. Check out the website and read through the privacy policy (if they have one). You want to see if they value protecting your data and if that value is actually in writing in the privacy policy.

  3. Opt out - Many apps let you “opt out” of their data collection. This option is often buried in the app’s Settings. Look through the Settings page and see if you can opt yourself out, though this can sometimes limit the features you can use.