Runtastic multiplies trackers and leaks your name
I jog regularly, so I wanted to know more about "fitness" applications, starting with Runtastic. The application was bought by Adidas in 2015 and has since been renamed "adidas Running by Runtastic". While fitness applications are excellent for motivating yourself and measuring your progress, they collect quite sensitive personal data, such as:
- Your physical activity: this data may, for example, be of interest to insurance companies, because if you are in better shape you will be more profitable to them (in the United States, an insurer already offers to lower its prices if you wear a health bracelet).
- Your sporting trips: particularly those from your home or work, but not only. This data is of particular interest to advertisers.
Google was not mistaken and decided to buy Fitbit last year, further completing the mass and diversity of personal data which it holds over a large part of the world's population.
To see the tracking tools installed by Runtastic, I followed this procedure on my iPhone:
- Closing the various background applications.
- Launching the Charles Proxy application and enabling tracking.
- Launching the Runtastic application, then navigating in the app, including launching an activity.
- Exporting the logs of my Charles Proxy session to my computer.
The exported session shows that Runtastic calls many third parties. Let's look at the ones tracking you:
- Google: essential, Runtastic uses Firebase, Google's toolbox for apps.
- Facebook: also essential, Runtastic uses the Facebook toolbox for apps, and in particular its analytics component.
- Pushwoosh: a toolbox for applications that notably provides notification services, emails and personalized in-app messages. An unpleasant surprise: in addition to sending a pseudonym and your various actions, Runtastic leaks your first name, last name, gender and age range.
- NewRelic: a tool for measuring the performance of the Runtastic application, particularly useful for developers.
- Adjust: a mobile marketing company specializing in the attribution of advertising campaigns (knowing which ad led you to install Runtastic). Adjust collects your actions in the Runtastic app.
- Emarsys: a data marketing company that allows Runtastic to profile you extensively in order to retarget you better. Emarsys thus receives the details of your activities: the distance covered, the duration of the exercise, the number of calories burned, your impressions at the end of the exercise, the weather, the type of activity, the outside temperature, etc.
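The review of the exported session described above can be automated. The following is an added example, not part of the original article: it assumes the Charles session was saved in HAR (HTTP Archive) format, and the hostnames, paths and personal values in the sample are constructed for illustration.

```python
import json
from collections import defaultdict
from urllib.parse import urlsplit, unquote_plus

def _req(method, url, body=None):
    """Build one HAR 1.2 entry (only the fields used here)."""
    request = {"method": method, "url": url}
    if body is not None:
        request["postData"] = {"mimeType": "application/json", "text": json.dumps(body)}
    return {"request": request}

# Constructed sample capture: hostnames, paths and values are made up.
SAMPLE_HAR = {"log": {"entries": [
    _req("POST", "https://api.fitness-app.example/v1/profile", {"first_name": "Zephyrine"}),
    _req("POST", "https://push.vendor-a.example/registerUser",
         {"first_name": "Zephyrine", "last_name": "Quillfeather", "device": "abc"}),
    _req("GET", "https://t.vendor-b.example/event?user=Zephyrine%20Q&e=start"),
    _req("GET", "https://t.vendor-b.example/event?e=stop"),
    _req("POST", "https://metrics.vendor-c.example/v1/data", {"cpu": 12}),
]}}

# Values the tester entered in their own test account (constructed).
PERSONAL = {"first name": "Zephyrine", "last name": "Quillfeather"}

def is_third_party(host, first_party):
    """True unless host is the first-party domain or one of its subdomains."""
    return not (host == first_party or host.endswith("." + first_party))

def audit(har, first_party, personal):
    """Map each third-party host to its request count and the personal values seen."""
    report = defaultdict(lambda: {"requests": 0, "leaked": set()})
    for entry in har["log"]["entries"]:
        req = entry["request"]
        host = urlsplit(req["url"]).hostname or ""
        if not is_third_party(host, first_party):
            continue
        body = (req.get("postData") or {}).get("text") or ""
        # Decode percent-encoding so "Zephyrine%20Q" in a query string still matches.
        haystack = unquote_plus(req["url"] + "\n" + body).lower()
        row = report[host]
        row["requests"] += 1
        row["leaked"] |= {k for k, v in personal.items() if v.lower() in haystack}
    return dict(report)

if __name__ == "__main__":
    for host, row in sorted(audit(SAMPLE_HAR, "fitness-app.example", PERSONAL).items()):
        print(f"{host:28} {row['requests']:3} {', '.join(sorted(row['leaked'])) or '-'}")
```

A plain substring search only finds values sent in clear text or percent-encoded form. Hashed or base64-encoded fields need their own decoding step, and short values such as a one-letter gender code should be left out of the search terms to avoid false matches.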
Massive collection of personal data and leaking to third parties without valid legal basis
When I first launched Runtastic, I unfortunately had no choice: I was forced to accept the conditions of use to use the application.
I was then able to refuse to receive targeted Runtastic advertisements on third-party platforms such as Google and Facebook (but without being able to prohibit these third parties from collecting my personal data).
On that screen, note the "Accept" button, clearly highlighted compared to "I refuse": one more example of a dark pattern.
Runtastic's privacy policy lists in detail the various personal data collected. You can read section 3, "Data we collect and process", to better understand the variety and extent of the personal data collected (and thus better understand why Google bought Fitbit). Here are the different categories of personal data:
- Identity information.
- Contact details.
- Location information.
- Information on sizes and shoe sizes.
- Purchasing information.
- Profile and Behavioral Information.
- Community information.
- Social media information.
- Device information.
- Activity information.
- Preference information.
- Creators Club information.
- Registration through Google or Facebook.
- Facebook friends list.
- Information regarding training activities imported from Connected Accounts.
For each category of recipients, Runtastic states which categories of personal data are transferred.
Runtastic then explains in detail its use of Firebase, Google Analytics, Adjust and Facebook Analytics. Further down in the privacy policy, Runtastic gives brief information on the different providers that we have seen previously:
We use subcontractors such as Adjust, Google, Facebook, Amazon Web Services, Inc., Emarsys eMarketing Systems AG, Pushwoosh, Inc., NewRelic, Inc., Apptimize, Inc. or Zendesk, Inc.
While these explanations are laudable, Runtastic indicates that it relies on legitimate interest (read the CNIL documentation on this legal basis) to leak your personal data to these third parties: "The basis for processing Data is our legitimate interests". However, this interpretation of the GDPR is not valid. For analytical tools, we can notably refer to this CNIL page:
If the system implemented by the data controller does not strictly comply with the criteria of the two previous cases, only consent of people may be used as the legal basis for processing (article 7 of the Data Protection Act, article 6 of the GDPR). This consent can be obtained by any means (for example, connection to a specific wifi network, downloading a specific application, registration via a dedicated website, “badging” the terminal with an NFC terminal). This consent must be informed (individuals must be informed in accordance with the point below before consenting), free (people must be able to freely choose whether or not to consent, and must not suffer negative consequences if they do not consent) and specific (consent must only concern follow-up processing and cannot be included in acceptance of CGU for example).
Runtastic therefore cannot rely on legitimate interest and must obtain my consent to leak my personal data to third parties such as Google, Facebook or Adjust. In particular, having accepted the T&Cs does not mean that I have consented to this monitoring.
Yet Runtastic persists in relying on the legal basis of legitimate interest, as also evidenced in section 8.1 of its privacy policy, "Legal foundations":
The lawfulness of the processing of Data is based on: [...] the legitimate interests of Runtastic or a third party, for example, our use of cookies, plug-ins or targeted advertising.
Clearly, the use of cookies, plug-ins or targeted advertising cannot be based on legitimate interest.
It is surprising to see a famous German multinational (Adidas) collect the personal data of millions of users in such a massive way, without valid legal grounds. It is also surprising to note that Adidas does not limit itself in the use of marketing tools that leak your personal data, again without valid legal basis. What can you do to prevent leaks to third-party tools? While waiting for a possible sanction from a competent regulatory authority, you can use apps such as DNSCloak, AdGuard or NextDNS on iOS.