" />
Privacy & Security

Is the FBI's Fitness App a Cop?

Sep 29, 2018
Is the FBI's Fitness App a Cop?

Getting into the FBI is not easy, as the agency's new "Do you have what it takes?" fitness app will happily tell you. The app, which was released in August 2018, walks users through the five legs of the fitness requirements former director James Comey re-implemented in 2015--daring them to achieve high scores on sit-ups, pull-ups, push-ups, a 300-meter dash, and a 1.5-mile run.

Getting to be an FBI snitch, however, does not carry any physical fitness requirements. And eagle-eyed users spotted something they were concerned turned them into just that, per CNBC: When the roughly 28,000 people who the FBI said installed the app by mid-September downloaded it to their device, they were greeted with a summary privacy policy reading "The FBI does not collect any personal information associated with the use of this app. The app does not gather or save any personal information other than what you select for your profile. This information is stored solely on your phone, and it is not transmitted to, or saved by, the FBI." But when a user clicked through to read a longer privacy policy on the FBI's website, they'd see this [emphasis ours]:

For site security purposes and to ensure that this service remains available to all users, all network traffic is monitored in order to identify unauthorized attempts to upload or change information or otherwise cause damage or conduct criminal activity. To protect the system from unauthorized use and to ensure that the system is functioning properly, individuals using this computer system are subject to having all of their activities monitored and recorded by personnel authorized to do so by the FBI (and such monitoring and recording will be conducted). Anyone using this system expressly consents to such monitoring and is advised that if such monitoring reveals evidence of possible abuse or criminal activity, system personnel may provide the results of such monitoring to appropriate officials.

That fine print raises the question of whether the FBI was using some sleight of hand to gain access to users' data. And CNBC noted that while the app apparently accesses both a device's GPS and accelerometer, it's not listed in the location services section of iOS settings and there's no clear in-app notifications that it enables the accelerometer.

But according to CNBC, an FBI spokesperson denied the agency is collecting location data or monitoring phone activity and said that the extended privacy policy refers to "activity on our website [that] is monitored for protection and site improvements." It added, "The FBI receives standard app usage analytics from Google and Apple. The data collected is not personally identifiable."

Experts consulted by CNBC agreed that the FBI was not intentionally misleading people and that the confusion arises out of a non-uniform approach to privacy policies across the federal government. For example, some agencies like the Centers for Disease Control have a separate mobile privacy policy, while the FBI only hosts one directly related to the usage of their website.

Carnegie Mellon University professor of computer science Lorrie Cranor told the site, "I think that if somebody were just to read the privacy policy that's linked from the App Store, they might be somewhat alarmed about downloading this app. But if they read the app's privacy policy, it would be much more reassuring. So it's confusing to people... The policy talks about monitoring activities, I believe that what they mean is that they are recording all of the clicks on the FBI website that they make."

So, to recap: There's no evidence that the FBI's app is tracking your movements, though it might be collecting standard metrics like how often you use the app.

But the FBI also has other dubious ways to track people of interest that are probably more effective than releasing an app secretly primed to spy on random users. For example, as the Intercept reported earlier this year, Section 702 of the Foreign Intelligence Surveillance Act allows the National Security Agency to "spy on Americans' transnational communications without a warrant so long as the 'targets' are not Americans," though documents leaked by former CIA employee and intelligence contractor Edward Snowden shows the program sucks up large swathes of domestic communications.

Section 702 has no controls on how that data can be used, giving the FBI and other federal law enforcement agencies the opportunity to collect it without a warrant. A bipartisan reform effort earlier this year failed after key Democrats failed to support it.