Fitbit is a Major Privacy Peeping Tom

I ran the setup for my new fitbit Surge watch and during the Windows 10 fitbit app setup, it showed me this list of fitbit owners from MY PRIVATE CONTACTS!

In this list of fitbit owners:

  • Dude from High School I barely knew
  • Ex girlfriend from Jr. High.
  • Several people I don’t recognize.
  • Bunch of girls I knew from 1-12 grades.
  • A good friend’s cheating ex.
  • Little sister’s friend.
  • Brother in law.
  • Wife of brother in-law’s good friend (don’t know why she’s in my contacts… probably through a facebook sync from years ago).

Also listed: everyone else in my contacts who does not have a fitbit account.

Some of these names are NOT in my contacts on my PC, which means they came from my phone.  And for the Windows 10 app to know that these 16 people have fitbits, my contacts had to have been uploaded to the fitbit servers so it could compare them to its database.  At no time was I asked permission to upload my private contacts (from either my phone or my PC).  And I’m guessing these people didn’t explicitly grant it permission to let me know they have fitbits, and they will likely be notified that I have one, even though I’ve given no such explicit permission to notify them nor any explicit permission to hijack my entire contacts list.

Fitbit spying

In addition to this, 100% of all health data that a fitbit collects is uploaded to the fitbit servers, viewable by fitbit employees… all done without notifying you and certainly without asking for explicit permission.  Turns out, the only way to use a fitbit without uploading all your private data is to not use the PC app or the mobile app, but, of course, the fitbit is mostly useless without them.  There’s no technical reason for uploading our data to the fitbit servers.  The PC and mobile software could easily have communicated with the watch without the involvement of the fitbit servers.

While on technical support today trying to resolve why my fitbit won’t charge, I discovered that they have access to all my health information collected by this watch, even though the employee I spoke with said it “only” uploads… then rattled off everything the watch does… “for the purpose of knowing your fitbit is working”.  In addition to that, they know when we charge them, when we reboot them, and what devices we charge them from.  All this without permission from us.  Sure, some of this is somewhat innocuous data, but I did not give it permission, and collected together, all this information can be used against you.  This is your HEALTH information.

Just about any kind of personal information online can be used against you and your personal health information is especially vulnerable.  In this article, I list ways that seemingly innocent information can hurt you:

So, HOW do you stop it?

  1. Don’t run the mobile fitbit app.
  2. Don’t run the desktop fitbit software.

Of course, without the apps, the fitbit is pretty much useless.  Your only real option here is to stop using your fitbit.  There should be other smartwatches that can do similar or better things that DO NOT send all (or any) of your private data to remote servers.

[Update] I sent my fitbit back and got my money back and bought an Android Wear watch that does everything the fitbit does, and more, but without uploading everything to its owner’s servers.


CodeStock 2012: What’s New in .Net 4.5?

Below are my raw notes during the “What’s New in .Net 4.5?” session at CodeStock 2012 on Friday, June 15th at 1:50 PM / 70 min.  This session was hosted by Layla Driscoll from Microsoft.  She’s on the Silverlight CLR team.


Follow me on Twitter @CSharpner.

And below are my crude, raw notes taken during the session, only minimally cleaned up.

This sample will use:

  • Async & await
  • ASP.NET Web API
  • Entity Framework

Creating a Metro app

  • Multiple tiles
  • Drill down into them for more stuff.
  • Using some sort of MVC type of development.  (Really?  For a DESKTOP app??!?!  I’d heard of this, but that’s the LAST way I want to develop a DESKTOP app… you get the worst of both worlds… no advantages of a native app and no advantages of web deployment and all of the frustrations of both.  Though, it’s cool you CAN do it… I’d just never do it that way.)
    • Looks like it’s a web app, but it’s a Metro app.
    • Controllers are deriving from ApiController
    • Type called Feature.
    • (Note, code snippet below is incomplete.  Remember, I typed this in “class” as fast as I could…  Cleaned up below so it compiles: typos fixed, braces and usings added.)
    using System.Collections.Generic;
    using System.Linq;
    using System.Net;
    using System.Net.Http;
    using System.Web.Http;
    // Feature is her own plain old class with several fields in it.
    public class Feature { public int Id { get; set; } public string Name { get; set; } }
    public class FeaturesController : ApiController
    {
        private Feature[] features = { new Feature { Id = 1, Name = "LINQ" }, new Feature { Id = 2, Name = "OptionalParam" } };
        public IEnumerable<Feature> Get()            // GET api/features
        {
            return features;
        }
        public Feature Get(int id)                   // GET api/features/{id}
        {
            var feature = features.SingleOrDefault(f => f.Id == id);
            if (feature == null)
            {
                var resp = new HttpResponseMessage(HttpStatusCode.NotFound) { Content = new StringContent("Feature not found") };
                throw new HttpResponseException(resp);   // Web API turns this into the 404 response
            }
            return feature;
        }
    }

Async keyword can be placed on methods like (typos fixed and braces/usings added so it compiles; the URL is her placeholder, not a real endpoint):

using System.Collections.Generic;
using System.Net.Http;
using System.Threading.Tasks;
using Newtonsoft.Json;
// "async" marks the method; "await" yields at each HttpClient call instead of blocking the thread. (async void is meant for event handlers; elsewhere async Task lets callers await it and observe exceptions.)
private async void blah()
{
    using (var httpClient = new HttpClient())
    {
        httpClient.MaxResponseContentBufferSize = 1024 * 1024;
        var response = await httpClient.GetStringAsync("http://localhost blah blah");
        var list = JsonConvert.DeserializeObject<List<int>>(response);
        foreach (var i in list)
        {
            response = await httpClient.GetStringAsync("http://localhost blah blah" + i);
            var f = JsonConvert.DeserializeObject<FeatureDataItem>(response);
        }
    }
}
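To see the client and controller halves of the demo working together without a running server, here is an added example (my own code, not from the session or from Layla's sample). It assumes a `FeatureDataItem` type with `Id` and `Name` fields, a base URL of `http://localhost`, and routes `/api/features` and `/api/features/{id}`; the `FakeFeaturesHandler` is a constructed stand-in for the Web API service, and its list deliberately includes a stale id 3 with no matching item so the 404 path from `FeaturesController` is exercised. It also uses `async Task` rather than `async void` so the caller can await the result and see any exception.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Net.Http;
using System.Text;
using System.Threading;
using System.Threading.Tasks;
using Newtonsoft.Json;

// Hypothetical item type mirroring the session's FeatureDataItem (assumption: two fields).
public class FeatureDataItem { public int Id { get; set; } public string Name { get; set; } }

// Constructed stand-in for the Web API service. The list endpoint returns ids 1, 2 and 3, but
// only 1 and 2 exist, so fetching 3 yields the same 404 that FeaturesController throws.
public class FakeFeaturesHandler : HttpMessageHandler
{
    private static readonly Dictionary<int, string> Items =
        new Dictionary<int, string> { { 1, "LINQ" }, { 2, "OptionalParam" } };

    protected override Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
    {
        var path = request.RequestUri.AbsolutePath;
        if (path == "/api/features")
            return Task.FromResult(Json(JsonConvert.SerializeObject(new List<int> { 1, 2, 3 })));
        int id;
        if (path.StartsWith("/api/features/")
            && int.TryParse(path.Substring("/api/features/".Length), out id)
            && Items.ContainsKey(id))
            return Task.FromResult(Json(JsonConvert.SerializeObject(new FeatureDataItem { Id = id, Name = Items[id] })));
        var notFound = new HttpResponseMessage(HttpStatusCode.NotFound) { Content = new StringContent("Feature not found") };
        return Task.FromResult(notFound);
    }

    private static HttpResponseMessage Json(string body)
    {
        return new HttpResponseMessage(HttpStatusCode.OK) { Content = new StringContent(body, Encoding.UTF8, "application/json") };
    }
}

public static class FeatureClient
{
    // async Task<T> (not async void): the caller can await completion and any exception surfaces there.
    public static async Task<List<FeatureDataItem>> FetchAllAsync(HttpClient httpClient, string baseUrl)
    {
        httpClient.MaxResponseContentBufferSize = 1024 * 1024;   // must be set before the first request; rejects oversized bodies
        var ids = JsonConvert.DeserializeObject<List<int>>(await httpClient.GetStringAsync(baseUrl + "/api/features"));
        var result = new List<FeatureDataItem>();
        foreach (var id in ids)
        {
            // GetStringAsync throws HttpRequestException on a non-2xx status (the controller's 404);
            // catching it per item means one missing feature does not abort the whole fetch.
            try
            {
                var json = await httpClient.GetStringAsync(baseUrl + "/api/features/" + id);
                result.Add(JsonConvert.DeserializeObject<FeatureDataItem>(json));
            }
            catch (HttpRequestException ex)
            {
                Console.WriteLine("feature {0} skipped: {1}", id, ex.Message);
            }
        }
        return result;
    }

    public static void Main()
    {
        // Plugging the fake handler into HttpClient keeps the whole run in-process.
        using (var httpClient = new HttpClient(new FakeFeaturesHandler()))
        {
            var features = FetchAllAsync(httpClient, "http://localhost").GetAwaiter().GetResult();
            foreach (var f in features)
                Console.WriteLine("{0}: {1}", f.Id, f.Name);
        }
    }
}
```

Swapping `new FakeFeaturesHandler()` for the default handler points the same client at a real Web API host; nothing else in `FetchAllAsync` changes, which is the point of injecting the handler.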
  • Use nonvolatile for locking code. (or did she say non-locking?)
  • Win32 API (or whatever it’s called now) looks like managed code… no DLL import crap.
  • New large object heap. Anything 85,000 bytes.
  • Multi-core JIT
  • Prefetcher
  • ReadOnlyDictionary
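Two of the bullets above have small, concrete APIs behind them, so here is an added example (my own code, not from the session) showing both: the multi-core JIT via `System.Runtime.ProfileOptimization`, and `ReadOnlyDictionary` as a way to hand code a view of a map it cannot mutate. The profile directory name, the `"startup.profile"` file name and the sample settings are assumptions made up for this example.

```csharp
using System;
using System.Collections.Generic;
using System.Collections.ObjectModel;
using System.IO;
using System.Runtime;

public static class Net45Features
{
    // Multi-core JIT: on the first run .NET records which methods get compiled; on later runs it
    // replays that profile so background threads JIT them before the main thread needs them.
    // SetProfileRoot/StartProfile are System.Runtime.ProfileOptimization, new in .NET 4.5.
    public static void EnableMulticoreJit(string profileDirectory)
    {
        Directory.CreateDirectory(profileDirectory);           // assumed location, constructed for this example
        ProfileOptimization.SetProfileRoot(profileDirectory);
        ProfileOptimization.StartProfile("startup.profile");    // profile file name is an assumption
    }

    // ReadOnlyDictionary (new in 4.5): the owner keeps the writable dictionary and gives callers
    // a wrapper that refuses writes, so a component that only needs to read a settings map
    // cannot change it. The wrapper is a live view, not a copy.
    public static IReadOnlyDictionary<string, string> ReadOnlyView(Dictionary<string, string> settings)
    {
        return new ReadOnlyDictionary<string, string>(settings);
    }

    // Even a caller that casts the view back to IDictionary gets NotSupportedException on write.
    public static bool CallerCannotMutate(IReadOnlyDictionary<string, string> view)
    {
        var asWritable = view as IDictionary<string, string>;   // ReadOnlyDictionary still implements IDictionary
        if (asWritable == null) return true;
        try
        {
            asWritable["logLevel"] = "debug";
            return false;
        }
        catch (NotSupportedException)
        {
            return true;
        }
    }

    public static void Main()
    {
        EnableMulticoreJit(Path.Combine(Path.GetTempPath(), "net45-demo-profile"));

        var settings = new Dictionary<string, string> { { "logLevel", "info" } };   // constructed sample
        var view = ReadOnlyView(settings);

        Console.WriteLine("caller blocked from writing: " + CallerCannotMutate(view));
        settings["logLevel"] = "warn";                          // the owner can still change it...
        Console.WriteLine("view reflects owner update: " + view["logLevel"]);   // ...and the view sees it
    }
}
```

The `IReadOnlyDictionary<TKey, TValue>` interface is also new in 4.5; exposing that type on the method signature, rather than `IDictionary`, states the read-only intent at compile time instead of relying on the runtime exception.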