Runtastic multiplies trackers and leaks your name
As someone who jogs regularly, I wanted to know more about "fitness" applications, starting with Runtastic. This application was bought by Adidas in 2015 and has since been renamed "adidas Running by Runtastic". While fitness applications are excellent for motivation and measuring progress, they collect fairly sensitive personal data such as:
- Your physical activity: this data may, for example, interest insurers because if you are in better shape, you are more profitable (in the United States, an insurer already offers lower prices if you wear a connected health bracelet).
- Your sports routes: especially from your home or workplace, but not only there, this data is of particular interest to advertisers.
Google understood this perfectly and decided to buy Fitbit last year, further expanding the mass and diversity of personal data it holds on a large share of the world's population.
To identify the tracking tools installed by Runtastic, I followed this procedure on my iPhone:
- Close the various background applications.
- Launch Charles Proxy and enable tracking.
- Launch Runtastic, then browse the app, including starting an activity.
- Export the logs from my Charles Proxy session to my computer.
As you can see, Runtastic calls many third parties. Let's look at the ones tracking you:
- Google: unavoidable. Runtastic uses Firebase, Google's toolbox for apps.
- Facebook: also unavoidable. Runtastic uses the Facebook toolbox for apps, in particular its analytics component.
- Pushwoosh: a toolbox for applications, notably providing notification services, emails and personalized in-app messages. An unpleasant surprise: in addition to sending a pseudonym and your various actions, Runtastic leaks your first name, last name, gender and age range.
- NewRelic: a tool for measuring the performance of the Runtastic application, particularly useful for developers.
- Adjust: a mobile marketing company specializing in advertising campaign attribution (knowing which ad led you to install Runtastic). Adjust collects your actions in the Runtastic app.
- Emarsys: a data marketing company that allows Runtastic to profile you extensively and then retarget you more effectively. Emarsys therefore receives the details of your activities: distance covered, exercise duration, calories burned, your impressions at the end of the exercise, the weather, the type of activity, the outside temperature, etc.
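To repeat the procedure and the vendor breakdown above on your own capture, the added example below (not code from the original article) audits a proxy session exported as HAR: it groups requests by tracker vendor and reports which of your own identity values appear in the traffic sent to each. The vendor-to-domain map, the HAR export step and the sample session are assumptions made for this example; the sample entries are constructed and are not the article's capture.

```python
import json
from collections import defaultdict
from urllib.parse import unquote_plus, urlsplit

# Assumed vendor -> domain-suffix map; extend it from your own capture.
TRACKERS = {
    "Google/Firebase": ("app-measurement.com", "google-analytics.com"),
    "Facebook": ("facebook.com",),
    "Pushwoosh": ("pushwoosh.com",),
    "NewRelic": ("newrelic.com",),
    "Adjust": ("adjust.com",),
    "Emarsys": ("emarsys.net", "emarsys.com"),
}

def vendor_for(host):
    """Match on a label boundary so 'notadjust.com' is not counted as Adjust."""
    host = host.lower().rstrip(".")
    for vendor, suffixes in TRACKERS.items():
        if any(host == s or host.endswith("." + s) for s in suffixes):
            return vendor
    return None

def audit_har(har, identity):
    """Per vendor: request count and which of my identity fields were sent."""
    report = defaultdict(lambda: {"requests": 0, "leaked": set()})
    for entry in har["log"]["entries"]:
        req = entry["request"]
        vendor = vendor_for(urlsplit(req["url"]).hostname or "")
        if vendor is None:
            continue  # first-party or unclassified host
        body = (req.get("postData") or {}).get("text") or ""
        seen = unquote_plus(req["url"] + "\n" + body).lower()
        report[vendor]["requests"] += 1
        report[vendor]["leaked"] |= {k for k, v in identity.items() if v.lower() in seen}
    return dict(report)

# Constructed sample: paths and values are made up; hosts are illustrative only.
IDENTITY = {"first_name": "Jeanne", "last_name": "Dupontel"}
PUSH_BODY = json.dumps({"tags": {"Name": "Jeanne", "Surname": "Dupontel"}})
SAMPLE_HAR = {"log": {"entries": [
    {"request": {"method": "POST", "url": "https://cp.pushwoosh.com/constructed",
                 "postData": {"text": PUSH_BODY}}},
    {"request": {"method": "GET", "url": "https://app.adjust.com/constructed?event=run_started"}},
    {"request": {"method": "POST", "url": "https://notadjust.com/constructed?n=Jeanne+Dupontel"}},
    {"request": {"method": "GET", "url": "https://api.example.org/profile?last=Dupontel"}},
]}}

if __name__ == "__main__":
    for vendor, r in sorted(audit_har(SAMPLE_HAR, IDENTITY).items()):
        print(f"{vendor}: {r['requests']} request(s), leaked={sorted(r['leaked']) or 'none'}")
```

Plain substring matching only finds values sent in clear text or URL-encoded form; hashed, compressed or binary-encoded payloads need decoding first, so an empty result for a vendor is not proof that nothing was sent.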
Massive collection of personal data and leaks to third parties without a valid legal basis
When I first launched Runtastic, I unfortunately had no choice: I was forced to accept the terms of use to use the application.
I was then able to refuse to receive targeted Runtastic ads on third-party platforms such as Google and Facebook (but without being able to prevent these third parties from collecting my personal data):
Note the "Accept" button, clearly highlighted compared to "I refuse": another example of a dark pattern.
Runtastic's privacy policy lists in detail the various personal data collected. You can read section 3, "Data we collect and process", to better understand the variety and extent of the personal data collected (and therefore better understand why Google bought Fitbit). Here are the different categories of personal data:
- Identity information.
- Contact details.
- Location information.
- Information on body measurements and shoe sizes.
- Purchasing information.
- Profile and Behavioral Information.
- Community information.
- Social media information.
- Device information.
- Activity information.
- Preference information.
- Creators Club information.
- Registration through Google or Facebook.
- Facebook friends list.
- Information regarding training activities imported from Connected Accounts.
For each category of recipients, Runtastic lists the categories of personal data transferred here.
Runtastic then explains in detail its use of Firebase, Google Analytics, Adjust and Facebook Analytics. Further down in the privacy policy, Runtastic gives brief information on the different providers we saw above:
We use subcontractors such as Adjust, Google, Facebook, Amazon Web Services, Inc., Emarsys eMarketing Systems AG, Pushwoosh, Inc., NewRelic, Inc., Apptimize, Inc. or Zendesk, Inc.
Although these explanations are welcome, Runtastic states that it relies on legitimate interest (read the CNIL documentation on this legal basis) to leak your personal data to these third parties: "The basis for processing Data is our legitimate interests". However, this interpretation of the GDPR is not valid. For analytics tools, we can notably refer to this CNIL page:
If the system implemented by the data controller does not strictly comply with the criteria of the two previous cases, only the consent of individuals may be used as the legal basis for processing (article 7 of the Data Protection Act, article 6 of the GDPR). This consent can be obtained by any means (for example, connection to a specific wifi network, downloading a specific application, registration via a dedicated website, “badging” the terminal with an NFC terminal). This consent must be informed (individuals must be informed in accordance with the point below before consenting), free (people must be able to freely choose whether or not to consent, and must not suffer negative consequences if they do not consent) and specific (consent must only concern tracking processing and cannot, for example, be included in acceptance of the T&Cs).
Runtastic therefore cannot rely on legitimate interest and must obtain my consent before leaking my personal data to third parties such as Google, Facebook or Adjust. In particular, the fact that I accepted the T&Cs does not mean I consented to this tracking.
Yet Runtastic persists in relying on the legal basis of legitimate interest, as also shown in section 8.1 of its privacy policy, "Legal foundations":
The lawfulness of the processing of Data is based on: [...] the legitimate interests of Runtastic or a third party, for example, our use of cookies, plug-ins or targeted advertising.
Clearly, the use of cookies, plug-ins or targeted advertising cannot be based on legitimate interest.
It is surprising to see a famous German multinational (Adidas) collect the personal data of millions of users so massively, without valid legal grounds. It is also surprising to note that Adidas shows no restraint in its use of marketing tools that leak your personal data, again without a valid legal basis.
What can you do to prevent leaks to third-party tools? While waiting for a possible sanction from a competent regulatory authority, you can use apps such as DNSCloak, AdGuard or NextDNS on iOS.