FIT File Privacy – How PRIVATE Is Your Personal Data?

You’ve got your STRAVA account and you’ve set up the HOME ZONE so no-one can find out where you live and steal your bike. Phew!!

All’s good, right? Your data is private and safe?

Well…emphatically …NO.

Before STRAVA even gets your file from, let’s say, Garmin, you will probably have already given Garmin MUCH more private data than just the likelihood of where you live based on the start points of your workouts.

Q: Is that important?

A: Generally speaking, “probably not”. But I know MANY people are concerned about what data they are passing, and to whom, while simultaneously being very suspicious about what is being done with their data.

Let’s say you post a FIT file on the net for some help. Well, that FIT file probably tells the world your age, height, sex, VO2max and maybe a good estimate of the location of your home address. Probably also what expensive Garmin watch you own too!

I was generally not too bothered about these things myself but there have been a couple of incidents which gave me pause for thought and that’s one of the reasons why I run this blog pseudo-anonymously. You may well have other, valid reasons of your own for wanting a similar level of privacy. Perhaps you really are that fast.

What Data Is Involved?

The worst offender is the PERSONAL data in FIT files

Let’s start off with looking at what data you are putting in a FIT file from a modern Garmin device. For this article, I’ve used fitfilerepairtool.info to interrogate some of my workout files from the recent Fenix 6 and other devices. Handily, fitfilerepairtool has just come up with a new PRIVACY mode to clean your FIT Files. More on that in a minute.

Really Personal Stuff

Here are some of the data elements in a FIT file that you might consider to be private & personal; you can see they include gender, height, weight & age/year of birth as well as language. I guess knowing what language I speak isn’t that personal…but the rest is. This image shows the record names but the record contents ARE POPULATED with the ‘correct’ data that I’ve not shown.

Wahoo does NOT seem to need the same information, although you might consider your FTP to be private, especially if it has been ‘incorrectly calculated’ by your sports device (hmmm)

Looking instead at a TCX file the situation is much cleaner – it might be possible to ‘correctly’ incorporate some personal data into tcx files with the tcx schema but, other than device ID, I don’t think so.

Equipment-Related Stuff

You will also see other fields that list the device type and ID; in this case, it’s the V800.

You could perhaps check published files from reviewers to make sure that they really were using the devices that they claimed to be for certain tests.

Although you probably could NOT look at a FIT file to discover the identity of NEW devices that have not yet been made available for public sale. From my fleeting looks into this area, new devices (like the Fenix 6 today) do NOT have the device name saved into FIT files. This is added ‘later’ through a firmware update.

Location-related Stuff

Of course, the GPS points of every single part of your ride are in the original source file, be that TCX, GPX or FIT. Maybe that gives away the exact location of your home or office.
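To check a file for the three kinds of data described above before posting it, the sketch below walks the records of a FIT file and counts the message types that carry them. It is an added example, not code from fitfilerepairtool or Garmin; the message numbers are taken from the public FIT profile and the sample file is constructed.

```python
import struct
from collections import Counter
# Global message numbers (FIT profile) for the data this article discusses.
SENSITIVE = {0: "file_id: device product and serial number",
             3: "user_profile: gender, age, height, weight",
             7: "zones_target: FTP and heart-rate thresholds",
             20: "record: GPS position of each track point",
             23: "device_info: attached devices and sensors"}

def scan_fit(data: bytes) -> Counter:
    """Walk the records of a FIT file; count data messages per global number."""
    if data[8:12] != b".FIT":
        raise ValueError("not a FIT file")
    pos = data[0]                                   # header size (12 or 14)
    end = pos + struct.unpack_from("<I", data, 4)[0]
    defs, counts = {}, Counter()                    # local type -> (global, size)
    while pos < end:
        head, pos = data[pos], pos + 1
        local = (head >> 5) & 0x03 if head & 0x80 else head & 0x0F
        if not head & 0x80 and head & 0x40:         # definition message
            order = ">H" if data[pos + 1] == 1 else "<H"
            gnum = struct.unpack_from(order, data, pos + 2)[0]
            nfields = data[pos + 4]
            size = sum(data[pos + 6 + 3 * i] for i in range(nfields))
            pos += 5 + 3 * nfields
            if head & 0x20:                         # developer fields follow
                ndev = data[pos]
                size += sum(data[pos + 2 + 3 * i] for i in range(ndev))
                pos += 1 + 3 * ndev
            defs[local] = (gnum, size)
            continue
        gnum, size = defs[local]                    # data message: look up layout
        counts[gnum] += 1
        pos += size                                 # skip the field payload
    return counts

def sensitive_messages(data: bytes) -> dict:
    return {SENSITIVE[g]: n for g, n in scan_fit(data).items() if g in SENSITIVE}

def _msg(local, gnum, fields):                      # fields: (number, base type, bytes)
    d = bytes([0x40 | local, 0, 0]) + struct.pack("<HB", gnum, len(fields))
    d += b"".join(bytes([n, len(v), t]) for n, t, v in fields)
    return d + bytes([local]) + b"".join(v for _, _, v in fields)

# Constructed sample, not a real activity: file_id, user_profile, one GPS record.
_body = (_msg(0, 0, [(3, 0x8C, struct.pack("<I", 123456))])
         + _msg(1, 3, [(1, 0x00, b"\x01"), (2, 0x02, b"\x28"), (4, 0x84, struct.pack("<H", 700))])
         + _msg(2, 20, [(0, 0x85, bytes(4)), (1, 0x85, bytes(4))]))
SAMPLE = struct.pack("<BBHI4s", 12, 0x10, 100, len(_body), b".FIT") + _body + bytes(2)
```

Running `sensitive_messages()` on the bytes of an exported activity shows which of these message types are still present after a privacy export; the file CRC is not verified here.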

STRAVA introduced privacy zone(s) to stop you inadvertently revealing your home or work location on a public profile. Apparently, there were cases of bike thefts several years ago where thieves identified fast riders and assumed they had expensive bikes and tracked them down and stole their bikes. Where I live in SW London, bike thefts ARE a problem but I don’t think that any are stolen using this particular method. Maybe because the STRAVA route to identifying where you live has been sufficiently closed down?

STRAVA Privacy Zone – EXACTLY How Does It Work?

However, if you post a FIT file on a forum then I guess you’re fair game for having some unwanted person appearing at your doorstep.

Edit: As of 19 Sept, fitfilerepairtool.info has now added a HOME ZONE similar to that from STRAVA. I guess that’s one of the reasons removed that has previously stopped me publishing some workout test files (the other reason is that my FTP is about 50w below where it was a few years back 😉 )

fitfilerepairtool.info – export screen – strip that personal data !!

Thoughts

You can take privacy to extreme levels and argue that every heart beat or any performance statistic is personal. If you go down that route then you will only ever send anyone GPX files that just contain GPS points…and even they will still give an indication of how fast you are if you’re not careful.

You might shout “GDPR!” very loudly but I’m betting that we’ve all ticked the appropriate boxes somewhere that give the sports data companies of our choice the full right to do pretty much whatever they want with our data IF we want to keep using their services. Although most (all?) of them do give the options to create private accounts and/or private workouts.

You can ‘lie’ to Garmin Connect and put in incorrect personal information. The problem with that is that I would assume that ALL THE FIRSTBEAT stuff will be wrong as a result. So you should probably make all your accounts private but then that spoils the fun of social sharing of your sporting endeavours.

It’s perhaps cleaner to keep your private data and public data in separate accounts. To a degree, I do that but it’s a real, time-consuming PITA.

You could use something like fitfilerepairtool.info to strip out the personal data AND THE LOCATION POINTS AT THE START AND END OF THE RIDE – it costs Eu39 and does have an automatic batch mode. But you would have to run that BEFORE any kind of synchronisation with Garmin Connect. So, it’s possible but you would need to be organised.
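What stripping the location points around home can look like, as an added sketch (not fitfilerepairtool's or Strava's code): every track point inside a zone is dropped, and the zone centre is deliberately not the home address, which is the advice one commenter gives below. The coordinates, the 500 m radius and the function names are assumptions made for the example.

```python
import math
import random

EARTH_R = 6371000.0  # mean Earth radius in metres

def distance_m(a, b):
    """Haversine distance between two (lat, lon) points given in degrees."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_R * math.asin(math.sqrt(h))

def offset_centre(home, radius_m, rng):
    """Zone centre 20-50% of the radius away from home, in a random direction."""
    dist = rng.uniform(0.2, 0.5) * radius_m
    bearing = rng.uniform(0, 2 * math.pi)
    dlat = dist * math.cos(bearing) / EARTH_R
    dlon = dist * math.sin(bearing) / (EARTH_R * math.cos(math.radians(home[0])))
    return (home[0] + math.degrees(dlat), home[1] + math.degrees(dlon))

def strip_zone(track, centre, radius_m):
    """Drop every point inside the zone, including mid-ride passes through it."""
    return [p for p in track if distance_m(p, centre) > radius_m]

# Constructed data: a made-up home and a track heading north in ~111 m steps.
HOME = (10.0, 20.0)
TRACK = [(HOME[0] + 0.001 * i, HOME[1]) for i in range(20)]
# Choose the centre once, store it, and reuse it for every file you export.
CENTRE = offset_centre(HOME, 500, random.SystemRandom())
PUBLIC = strip_zone(TRACK, CENTRE, 500)
```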

Ideally, Garmin will introduce privacy settings into their ecosystem to cut out the data at source but I can’t see that happening as a) not enough of you will complain and b) it probably will be quite hard to do whilst still delivering the benefits of the Firstbeat physiology metrics throughout their ecosystem.

So the only real solution to maintaining your data privacy that I can see is that you have to be more careful and insular.

Inspiration: fitfilerepairtool.info and, no, I don’t get anything if you buy it

12 thoughts on “FIT File Privacy – How PRIVATE Is Your Personal Data?”

  1. By wearing any sort of sports tracker, you’re basically waiving your rights to privacy for at least that company. What they do with that data is governed well by GDPR and the likes but they’re still going to have it.

    Recently cleared out a bunch of old accounts based on this topic and am considering ditching Strava for the same. Not sure the social side of fitness is important enough to me to let strava know where I am every day of the week.

  2. Worth adding that Garmin Connect also has privacy zones like Strava; something I believe that everyone should set up, but sadly they don’t as they’re not aware of the feature.

    • For anyone unsure where to go to set up privacy zones in Garmin Connect, log in to your Garmin Connect account on a web browser (you can’t do it from the Garmin Connect Mobile app), then click on your account symbol at the top right of the screen and go to Account Settings>Privacy Settings>Privacy Zones.

    • Most Strava users set up the privacy zone in a way that reveals exactly where they are!
      If your address is the center of the zone, and the Strava zone has a known width (which it does), then your private location is defined by an arc from the “vanish point”. If your activity track has more than one “vanish point” then it is simple to locate the center of the zone!

      So always hide the true center of the privacy zone. Maybe place it on your neighboring competitor’s bike storage shed.

      • The privacy zone is no longer that simple. It used to be, but is no longer a static circle. It now moves.

        Maybe, MAYBE, their movement is so simple that one could find the true center by finding what spot has the lowest frequency of paths running through it, but that’s not the same thing at all as what you’re alleging.

  3. Is it still actually a shock to people that this is what you agree to when accepting a company’s terms and conditions / terms of use / data privacy policy? If you want to know, read those documents when you sign up. If you don’t like it, nobody forces you to use the service. Get over it.

    • I think most people realise that.
      Hopefully the post highlighted some of the kinds of data that are in a FIT file, e.g. age, gender and your location, and a means to remove it by stripping out the data.
