Practical privacy and simple cybersecurity.
TheNewOil.org

A Detour into Diet Apps

One thing I really envy Android users on is their access to alternate app stores, like F-Droid and Aurora. My partner approached me earlier this week and asked if I’d be willing to go on a diet with her as a show of solidarity. Not the same diet, just a diet. As I stepped on the scale to begin, I begrudgingly admitted that she was on to something and I’ve put on more weight than I realized. Ever the one to look for a silver lining though, I figured this might be a good time to dig through some of the most popular diet-tracking apps in the iOS app store and see which one was the least offensive. So this week, I’m sharing that with you.

I chose my apps based on a combination of “top” lists found on DuckDuckGo and which apps popped up first when I searched in the app store. I am rating them based on their privacy policies, specifically “information we collect.” I have organized them by alphabetical order. I also only highlighted things that stuck out to me specifically. I’m not really surprised with stuff like “cookies, things you willingly add to your profile, and IP address.” That’s all pretty standard. I was looking for anything out of the ordinary or alarming.

Calorie Counter +

Information collected: “first name, email address, encrypted password, personal profile (your age, sex, height, start weight, goal weight, activity levels and any other boxes you tick during sign up), Photo (if you upload this to the forum or Live Club weigh-in on the website), IP address, Mobile device ID, Your browsing behaviour (when using the Nutracheck App and website).” Uses Google Analytics. Shares information with Google and Facebook to advertise “as you browse around the internet.”

The alarming parts to me here were the fact that they shared with Google and Facebook so they could advertise to you off-site. No thanks. Other than that, pretty standard stuff although I did notice that a lot of sites require information like gender and age. I guess that’s medically relevant, but it still makes me a bit uneasy. Also what does “encrypted password” mean? Do they actually store my encrypted password, or are they dumbing down “hashed” for readers? Cause frankly, storing my actual password – even encrypted – is unacceptable.

FatSecret

Information collected: “age, gender, postal code, current and goal weight.” “IP, ISP, browser type, OS, language, profile information, profile info, food and exercise, and “general use.” “integration with other services such as Apple’s HealthKit…other services such as Apple’s HealthKit API’s and Google’s Fit APIs (all together “Health Data Services”). FatSecret will not use or disclose health data gained through Health Data Services to third parties for advertising, marketing or other use-based data mining purposes other than improving health or for the purpose of health research.”

I found a few things in particular problematic here. Let’s go in order. First, “postal code.” I realize than IP address is as good as a physical address, but why go out of your way to collect that? Next, “ISP, browser type,” and “OS.” Again, I realize that knowing my IP address is enough to correlate who my ISP is, but why go out of your way? I also know that browser type is helpful to know to make sure your site is working correctly with that browser, but why OS? And also, with the rise of CSS, I feel like “browser compatibility” isn’t really a thing as much as it used to be (but I could be wrong, I'm clearly not a web developer). “Integration with other services” combined with “FatSecret will not use that data...” means that not only will they submit the data to your HealthKit, but they’ll collect data from it, too. Finally, “for the purpose of health research.” Um, no thanks. Please don’t take my health data and then share it.

Lifesum

Information collected: “your email address, first and last name, height, weight, date of birth, and gender” upon registration. “Device identifiers (i.e. information on what device, IP-address, etc. you use to register and log on to the Services), and technical information related to your use of your device which could be attributed to you (i.e. geo-location data, access history, search history, and information regarding your interaction with the application or advertisements) which is used to provide the Services and to allow Lifesum to market to you in accordance with this Privacy Policy.” You can opt out of marketing but not collection.

This is a pretty standard privacy policy, and if it seems like a lot, that’s because it is. Most privacy policies are this invasive at a base level. You’d be hard pressed to find a policy less invasive. Except for one part: “technical information related to your use of your device which could be attributed to you (i.e. geo-location data, access history, search history, and information regarding your interaction with the application or advertisements).” So from what I understand, that means Lifesum is monitoring not just the app, but the device: my searches on Firefox, my location, what other apps I use, and other ads, just so they can advertise to me even more. Unacceptable.

Lose It!

Information Collected: “We may also use and allow third parties to track your browsing history profile.” “Personal Diet Data”, including, birthdate, height and weight, sex, and specific details of the foods and drinks that you consume and your exercise, and genetic results. Test results generated from a user’s genetic data. Email address and Lose It! Password. IP addresses, browser type and your operating system. Pages visited on the Websites referring and exit pages, and the dates and times of the visits. Financial information, such as your credit/debit card number or other billing information for purchases and product upgrades. Any additional information relating to you and your use of the Websites, Apps or Lose It! Services that you provide to use directly through the Websites, Apps or Lose It! Services. Location data and other information about devices used to access and interact with the Websites or App. Information that you make publicly available or publicly post using tools made available on the Websites or via the App. Information you may provide in user-to-user messages. Information collected from promotions with third party companies.”

So once again, nothing terribly bad here except that they specifically cover genetic data. If I get a genetic test, they collect the results (I assume the test has to be done through them or with one of the parties they work with). No thanks. They also collect Browser type and OS, yet again. And Location data, why? Why do dieting apps want to know my location? What are you gonna send me a push notification? “We noticed you just entered a Wendy’s. Don’t do it, bro!” C’mon.

Nutrients

Information collected: None

So this app claims that they don’t collect ANY information and furthermore than all information you enter stays on your device and never gets transmitted. But I was a little put-off by the fact that there’s no HTTPS on their website. It’s 2020. There’s no excuse for that. Also, personal opinion territory here, I noticed that in the app store the developer has another app called Donald J Trump, which seems to be just a hub for all his social media posts or something like that. I don’t know, I didn’t pay for it. Personally, I don’t support Trump, and since the Nutrients app is paid, I wanted to do a little digging and make sure that I’m okay giving my money to an organization that obviously does support him. Once I started digging on that front, I quickly noticed that there is zero mention of the Donald J Trump app on their website, which to me is kind of questionable. At the time of my research this week, the app had been updated less than two months ago, so clearly this isn’t something they just put out once and have since abandoned. This is an app they actively maintain. Why aren’t they owning up to it? Personally, I found that alone shady enough to not want to give over my money. I don’t mind if a company wants to publicly endorse a candidate, but the fact that they weren’t being fully forthcoming with it in a situation where they should’ve (in this case, not listing the app on their site alongside all the others), that personally didn’t sit right with me.

MyFitnessPal

Information collected: ? But it is collected through third party or “publicly available” sources.

So this is the one thing that bugs me more than a generic privacy policy. Their privacy policy doesn’t even exactly state what they collected. It’s already bad enough when you say “IP address, Device ID, and other information,” but when you just straight up say “we collect information that cannot be used to identify you” (first off, that’s a lie) “but is used to determine aggregate data such as usage, blah blah blah,” that’s even worse. Now you’re not even saying what’s collected. If it’s not a big deal then why won’t you say what it is? Furthermore, you collect additional data through third party and “publicly available” sources? Why are you going out of your way to collect more information about me outside the app? Just tell me how many calories my damn burger has.

MyNetDiary

Information collected: ?

This service was equally as opaque as MyFitnessPal. The only saving difference was this service didn’t claim to collect additional information from outside the app, and they also claim they never share it. Personally I find a blanket “we never share your info” claim to be suspect – especially if they do admit to collect information – because I fully expect any remotely not-shady organization to share my information with law enforcement with a warrant. So to just flat out say “we never share your information ever” already means that at best you’re telling a half-truth.

MyPlate

Information collected: device registration data (for example, the type of mobile device you use, your mobile device’s unique device or advertising ID, IP address, operating system and browser type), device settings (for example, your language preference), mobile carrier, information about how you use the Services (for example, how many times you use the Services each day), requested and referring URLs, location data collected through your device (including, for example, precise location data such as GPS and WiFi information), information collected through cookies and other tracking technologies including, but not limited to, your IP address and domain name, your browser version and operating system, traffic data, location data, web logs and other communication data, and the resources that you access.”

So this is another one that’s not AWFUL but still not great. Let’s pick apart the more alarming parts. First, “OS and Browser, as well as mobile carrier.” Why? Does whether I use AT&T or Sprint or Verizon really affect how the app experience is for me as a user? “Requested and referring URLs,” so I admittedly am not an expert on this stuff and I have to do more learning in this area, but from what I understand this means that they can track where I came from and go to on the internet before and after their site. Why? “Location data, including GPS and WiFi information.” So in addition to my usual “why do you need my location” rant, this also suggests (or at least doesn’t rule out the possibility) that they might collect additional information about my WiFi network specifically, like SSID (aka “wifi name”), router info, and possibly even WiFi password and other devices on the network. Seems a bit unnecessary just to tell me I’m fat. Finally, “Traffic data, web logs, and other communication data.” Man that’s broad. Are you gonna access my browser history? What other traffic goes over the network? My text messages? This one is way overreaching.

SparkPeople

Information collected: We may collect your name, address, email address, telephone number and other contact information...” “We do not share your information with third parties except as set forth in this Privacy Policy.” You can opt out of direct marketing but not out of collection. “We may collect information automatically about the use of the Website, through, for example, “cookies” or “IP addresses” (as described below). SparkPeople also archives log files and uses non-personally identifying information in aggregate form to” blah blah blah, improve the website.

Sorry, but at this point in my research I was getting tired. The short version is, SparkPeople’s privacy policy is super generic. Nothing alarming, but nothing great either. Contact information, information you willingly fill out, cookies, IP address, etc.

Summary

So the moral of the story here is that everyone is tracking you. This could be an entire blog post in and of itself – and it is on many other great sites – but cookies alone were the first real way of tracking people across the web back in the early days and while new, more sophisticated ways exist, the old ones haven’t gone away. So even the most generic, inoffensive privacy policy still has a way to track you and pass that information along to data brokers, and quite frankly I’d be surprised if they didn’t. That’s easy money. I think what I found most alarming was not the generic tracking – I fully expected that – but rather how invasive some of the others get. Location data? Other device info? Network info? Why, man? Just why?

So what did I ultimately decide to go with? A spreadsheet made with LibreOffice. It’s not sexy. It doesn’t give me pie charts or histograms (I know, it could if I wanted to). It doesn’t automatically tabulate my weekly total. It doesn’t have a cute animal encouraging me or recommending tips to keep on track. That’s fine. I took it upon myself to go out and do research and use online calculators to see what my daily calorie intake is based on my goals and my body. I decided what metrics were important to me, then I went and found the daily recommendations. In fact, I got a few premium features that way. For example, one app I used in the past (which is on this list) charged extra to set goals (instead of simply counting) and to monitor my sodium and sugar. I have all those things now, plus more. It’s a little more work. I can’t just scan a barcode. But that’s okay. It works for me, and it forces me to be conscious and put in the work myself.

I hope someday that Apple will be more forgiving and allow us to include privacy-respecting apps or app stores. I know, I can dream at least. But I guess the main reason I wanted to share this – in addition to being relevant and interesting – was to remind you to read the privacy policy. You don’t have to take five hours and read the entire thing top to bottom along with the terms of service. But at least skim. What are the parts that matter to you? Look for those parts. Get a general idea of what they’re doing with your data. And not to end on a depressing note, but just remember that 99% of the time those – according to themselves – can change at any time without notice. So be on your guard.

You can find more recommended services and programs at TheNewOil.org, and you can find our other content across the web here or support our work in a variety of ways here. You can also leave a comment on this post here: Discuss...