Wearable Activity Trackers: A Survey on Utility, Privacy, and Security

Over the past decade, wearable activity trackers (WATs) have become increasingly popular. However, despite many research studies in different fields (e.g. psychology, health, and design), few have sought to jointly examine the critical aspects of utility (i.e., benefits brought by these devices), privacy, and security (i.e., risks and vulnerabilities associated with them). To fill this gap, we reviewed 236 studies that researched the benefits of using WATs, the implications for the privacy of users of WATs, and the security vulnerabilities of these devices. Our survey revealed that these devices expose users to several threats. For example, WAT data can be mined to infer private information, such as the personality traits of the user. Whereas many works propose empirical findings about users’ privacy perceptions and their behaviors in relation to privacy, we found relatively few studies researching technologies to better protect users’ privacy with these devices. This survey contributes to systematizing knowledge on the utility, privacy, and security of WATs, shedding light on the state-of-the-art approaches with these devices, and discussing open research opportunities.


INTRODUCTION
Wearable Activity Trackers (WATs) are smart devices that record human activity data.They often exist in the form of wrist-worn bracelets and watches, such as fitness trackers and smartwatches.WATs are becoming extremely popular.In 2020, the market was estimated to be $36.3 billion and is projected to grow to $114.4 billion by 2028. 1 Due to high sales and market penetration, many WAT devices, brands, and Service Providers (SPs), such as the Apple Watch, Fitbit, and Garmin, have become household names.
There has been extensive research on WATs.Researchers have studied WATs from different perspectives, such as design [187], psychology and behavior change [133], health [194], rehabilitation [97], reliability and accuracy [53], security and privacy [153], usability [159], and sensing technology [217].Three very important aspects of WATs are utility, privacy, and security.Like any other technology, WATs have benefits but also expose users to risks.On the one hand, they can empower users to become more self-conscious and improve their well-being.On the other hand, due to the sensitive nature of the data they collect, they can also endanger users' privacy.These benefits and risks are also related to how users perceive the utility and privacy of their WATs.Utility and privacy are interwoven concepts.According to the privacy calculus theory [17,137], before using technology, users usually perform risk-benefit analyses and consider the tradeoffs between them.It is also essential to not overlook the critical dimension of security, as it plays a pivotal role in mitigating risks where the data collected by WATs must be protected from unauthorized access.In this survey, we provide knowledge on the benefits WATs provide, the users' perception of them, and the associated security and privacy risks.For additional relevant topics, we cover existing regulations for the protection of users, security vulnerabilities of WATs, and the existing privacy-enhancing solutions.The contributions of this survey are threefold: -We discover the main privacy issues that stem from using WATs.
-We shed light on the utility aspects of WATs; they have implications for privacy and security.
-We review the WATs' potential security vulnerabilities, attacks on WATs, and the existing countermeasures.

Novelty Statement
Numerous literature surveys related to WATs-and wearables in general-have been published.Table 1 summarizes these surveys.Several surveys provide valuable insights and in-depth knowledge, from different perspectives, about wearables.For example, they review applications of wearables for healthcare [110,177,256], rehabilitation [181], occupational safety [179,232], and activity recognition [130].They also review the reliability [81], adoption [117], privacy [52,206], and security [56,216,223] of wearables.However, these surveys cover various types of IoT devices and wearables (e.g., eye-worn glasses, EEG devices) that are not specifically designed to track Physical Activity (PA), thus making it difficult to determine which findings are specific to WATs.The present survey focuses solely on WATs to reveal related findings and research gaps that are specific to WATs.Whereas previous surveys on WATs focused on utility [220], reliability [68,127], quality [213], and WATs' effectiveness for behavior change [231], the present survey takes a holistic approach by integrating utility, privacy, and security aspects.This is important for three reasons.First, research on WATs is multi-faceted, as these devices serve practical purposes by collecting personal data and exposing users to privacy threats.The comprehensive approach provided by this survey ensures that readers gain a well-rounded understanding of the benefits and perils of using these devices.[181] -Lara and Labrador [130] -Evenson et al. [68] -Iqbal et al. [110] -Kolla et al. [127] -Kalantari [117] -Seneviratne et al. [216] -Shrestha and Saxena [223] -Sullivan and Lachman [231] -Georgiou et al. [81] -Datta et al. [52] -Saa et al. [206] -D'Mello et al. [56] -Wu and Luo [256] -Shin et al. [220]  ‡ -Schiller et al. [213] -Svertoka et al. [232] -Pasquale et al. [179] -→ Ours -, , , and show roughly the extent to which each survey covered each domain, indicating the following: Not Covered, Minimally Covered, Moderately Covered, and Mostly Covered.† These papers cover a wide range of wearable devices, such as head-mounted displays, biosensor systems, smart glasses, smart watches, fitness trackers, vital signs monitors, industrial wearables, smart fabrics, EEG devices, and other physiological sensors.‡ Shin et al. [220] present a comprehensive survey about WAT utility for papers published between 2013 and 2017.However, their focus on privacy is limited, with only half a page devoted to 29 privacy-related papers.This work does not cover security, nor does it discuss the tradeoffs between utility and privacy.
Second, utility, privacy, and security are inherently intertwined, where challenges in one domain inevitably affect the others.The well-documented tradeoff between utility and privacy further illustrates this connection [17,137].In addition, privacy threats identified for WATs are necessarily connected to the security measures implemented by SPs.Our integrated approach offers valuable insights into three cardinal dimensions of WAT research.Third, the holistic approach also allowed us to draw a research agenda for WATs by identifying six research gaps that researchers might explore next.
Finally, many research articles on WATs have been published in the past 5 years but were not considered in past surveys of wearable technology.Given the speed at which new technologies in WATs emerge and advancements in sensor technologies (e.g., oximeter sensors added after COVID- 19), updating the survey on WATs research was necessary.

Survey Method
Figure 1 summarizes our methodology.We conducted a systematic literature review following the assessment criteria of Kitchenham et al. [126] (e.g., inclusion/exclusion criteria, comprehensive literature search).To identify relevant papers, we crafted a set of search strings that encompassed the key terms related to our research focus: ["physical activity data" or "fitness data" or "fitness track- ing" or "wearable activity tracking" or "physical activity tracker" or "fitness tracker" or "wearable activity tracker"] and ["utility" or "privacy" or "security" or "perception" or "understanding" or "experience" or "expectation" or "sharing"] and ["system" or "device" or "application" or "app" or "service" or "bracelet" or "wrist-worn"].We chose these specific keywords, according to previous surveys [220,223], to ensure a comprehensive search and to enable us to capture a wide range of relevant literature while excluding studies that do not directly contribute to our inquiry.For example, we include "physical activity data" and "fitness data", as they are directly related to the topic of WATs.In addition, we used "fitness tracker" and "wearable activity tracker", as they were interchangeably used in the literature to refer to WATs.We also used terms such as "bracelet" and "app", as they uncover studies related to the physical form factor of WATs or other entities in the WAT ecosystem.We searched in ACM DL, IEEE Xplore, the AIS library, USENIX, PoPETs, ScienceDirect, and Springer Link.We used Google Scholar to include papers from other databases and publishers (e.g., Taylor & Francis).To update our paper database during the review process, we also kept track of the most recent and relevant published proceedings (e.g., IMWUT).We identified 688 papers (after removing duplicates).After retrieving the full articles, we excluded the papers that (i) are not written in English, (ii) were published in 2012 or earlier, or (iii) are not peer reviewed (e.g., position papers, letters, editorials, prefaces, article summaries, theses, patents, or books).We included only the papers that met both of the following criteria: (i) they are about WATs and/or have implications for WATs, and (ii) they have direct relevance to the utility, privacy, and/or security of WATs.The first author applied the inclusion and exclusion criteria and later confirmed them with the second and third authors.Out of 688 papers, 236 were selected to be reviewed (including two papers we added after the first survey submission). 2Three authors summarized the papers' context, methodology, and findings.The reviews were discussed in weekly meetings.To synthesize the findings, we adhered to the guidelines provided in the JBI Manual for Evidence Synthesis [13].First, we reviewed the summaries of the papers, identifying the common patterns and homogeneity between them.Then we highlighted aspects of heterogeneity and diversity with regard to their findings.

Survey Structure
The remainder of the survey is organized as follows.In Section 2, we define WATs and explain their ecosystem.In Section 3, we discuss several aspects of WATs' utility, such as their core benefits and different usage patterns, including social usage and data sharing.In Section 4, we first discuss the risks of WATs for users' privacy and the main findings about users' awareness, attitudes, and behaviors.We review WATs' privacy policies, the existing regulations for protecting users, and the ethical aspects of using WATs for research or health campaigns.In Section 5, we discuss how utility, privacy, and security are intertwined and how users make tradeoffs among these aspects.In Section 6, we review different types of attacks and security vulnerabilities related to WATs.In both Sections 4 and 6, we present the existing work as Privacy-Enhancing Technologies (PETs) and security countermeasures.In Section 7, we discuss several open issues concerning WATs and possible opportunities for future research.We conclude the article in Section 8.

WAT DEFINITION AND ECOSYSTEM
There is no consensus about the definition of a WAT.However, there are many commonalities between the various definitions.To create a standardized definition, we took a philosophical approach [201] by identifying the essential and accidental properties of WATs, according to earlier studies on WATs [23,106,186].To be a WAT, an object needs to have all of the following essential properties (e) and can also have accidental ones (a): -e1.It must be worn on the body -e2.It must have sensors that record physiological/environmental data -e3.It must be an electronic/digital device -e4.It can come in various forms (e.g., wrist-worn, strap, clip-on) -e5.It must provide data analysis that is available to users, without the need for a health professional -e6.It must enable users to gain access to actionable information that is derived from the sensor data -a1.It can upload data to a server or connected device -a2.It uses a docking station to sync with a PC or uses WiFi to upload data directly -a3.It enables users to visualize data in graphical format on a companion app or website -a4.It enables users to visualize data on the WAT itself -a5.It can provide immediate feedback -a6.It can provide general/numerical feedback (after an activity) The most common sensors used in WATs are accelerometers, photoplethysmograms (used for measuring heart rate and respiration), pulse oximeters (blood oxygenation), gyroscopes, altimeters, and GPS.The more advanced and recent models tend to include a compass, thermometer, microphone, magnetometer, ambient light sensor, and an electrodermal activity sensor.Therefore, we consider smartwatches as WATs, even if they offer more functionalities than some fitness trackers.We do not consider medical-connected devices (e.g., insulin pumps) and wearable devices with very specific purposes (e.g., connected shoes) as WATs.
The typical WAT ecosystem is composed of a WAT paired with a connected device (e.g., smartphone, tablet) on which a companion app provided by the WAT's SP is installed.The companion app communicates through the Internet with the SP's servers (Figure 2(a)).The servers store the users' WAT data and can process raw WAT data and perform various analytics [113].The WAT collects data by using different sensors and regularly synchronizes with the companion app that uses Bluetooth communication (see Figure 2(b)).During this synchronization, the data is usually uploaded to the SP's servers.The connected device can store recent data, whereas older data needs to be downloaded from the server (see Figure 2(c)).The connected device can also send data to the WAT, such as firmware updates or notifications [242].A user can also permit Third-Party Applications (TPAs), such as Strava, to access their data (see Figure 2(d)).The TPA requests data from the SP's server by using a dedicated API or, in some cases, it directly accesses data stored on the connected device (e.g., through Apple's Health app).The user will then generally be able to access their data by using the TPA's functionalities.The same data-sharing method also works in reverse, thus permitting the companion app and/or the SP to access the data originally collected by a TPA [269].Many existing WATs, such as the Apple Watch, 3 Fitbit, and Garmin match this model.Users can also access their data by using secondary connected devices (see Figure 2(e)) or on the web dashboard of their SP (see Figure 2(f)).

BENEFITS AND UTILITIES
Research shows that WATs can provide users with a variety of benefits: -Physical activity: WATs can increase users' motivation to engage in PA [43,76,97,98,113,133,151,159,173,180,186,190,194,199,228,253].They can help users increase PA [43,76,97,98,143,171,174,194,199,221], improve sports performance, and monitor their performance [180,186,196,253]. 4However, the increase in PA might not always be sustained after the users stop using a WAT [131,171].Generally, as WAT use increases, users tend to perceive more benefits [76,149].-Health improvements: WATs can provide the motivation for measurable benefits, such as weight loss for obese patients [76,194,253], and can have a positive effect on users' perceived self-efficacy and health behavior [200].-Medical benefits: WATs can improve interactions between patients and medical practitioners [97,159] and support patient monitoring [27,115,159,186].-Social benefits: WATs can facilitate, support, and strengthen users' social bonding [94,174,194,196,199,202,211], and can support collaborative fitness goals [203].-Sleep quality: Many WATs provide a sleep-tracking functionality.Users see benefits in having access to their sleep data [197], even if some track their sleep without a specific goal [202].However, users might have difficulties using such a functionality, due to not tracking continuously [145,242], to not trusting the accuracy of the data [186,197], and/or to not being able to easily manipulate or interpret the data [145,197].
Wearable Activity Trackers 183:7 Curiosity-focused trackers [67] Behavior-change trackers do a lot of research and aim to reach their goals.Instrumental trackers seek to maximize the benefits of their tools.Curiosity-focused trackers use WATs out of curiosity.Technologically savvy vs. Non-technologically savvy users [139,205] Technologically savvy users are more likely to find WATs easy to use.
Younger vs. Older users [122,139,188,205,211] Older adults had difficulties with setting up/syncing their trackers with TPAs [139]; older adults require the support of younger family members to help them overcome technological barriers [211].
Elite athlete vs. Amateur athlete users [196] Elite athletes focus on tracking metrics they consider important (e.g., HR) and share data to portray a specific image of themselves to impress their fans and confuse rivals.
Power users † [76,143,151,163,233] With regard to use consistency, they exemplify the simplest use pattern by having consistent and intense tracker use.Long-phase users † [76,143,163] They track without major disruptions for long periods of time.Consistent users † [76,163] They track with moderate consistency.
Intermittent users † [76,163] They have consistent but sparse usage; they do not want complete logging; instead, they have other reasons for tracking.
Inconsistent users † [143,233] They go through periods of varying length (daily use) and take breaks of varying lengths.
Experimenters † [163] They use WATs frequently but for short periods of time (e.g., only while exercising).Hop-on hop-of f users † [163,233] They frequently take long breaks yet regularly resume use.Quantified-selfers † [113] They never lose interest in the information provided by WATs.† These usage patterns emerge after long-term WAT use.
-Others: WATs can help users teach children to be more independent (e.g., via chore reminders) [174].They can also support scientific research [199,243,262].Some users simply use WATs as watches [131,186,202] and/or to satisfy their curiosity and design tastes [202].Next, we review general WAT usage patterns, data-sharing practices, and the ways WAT use was found to evolve over time.Finally, we summarize the studies that focus on the usability and user experience of WATs.

WAT Usage Patterns and Motivations
Users have unique reasons for (and ways of) using WATs [89,112,113,125,163]. Various patterns have been identified based on the profile characteristics of WAT users (Table 2).Users check their WATs more often while exercising [10,92] and prefer to engage in activities that their WATs can track [76].Users might use different trackers to track different types of activities (e.g., using one to track walks and another to track runs) [10,202].Users might concurrently use multiple devices [6,42,145].Next, we list users' motivations for tracking: -Logging: Some users use WATs to document their activities [176,186,202]. 5 -Goal setting: WATs usually support users in setting daily or weekly PA goals.Most users use the default 10K steps per day goal [233] , whereas others pursue longitudinal achievements (e.g., walking 10K steps every day for 30 days in a row) [202].Users might also have broader goals that are not directly measured by WATs (e.g., weight loss) [186,202].Generally, users follow defaults set by WATs [76,133].-Self-reflection: Some users do not follow specific goals with WATs [10,133].Instead, they use WATs to reflect and learn about themselves [92].For this, they mainly refer to their short-term usage data (e.g., only for the current day) [42,202,233].This analysis helps users to consider contextual information [209] (e.g., their emotional state [6]).Long-term data are rarely analyzed [42,202,233], but when it is, it prompts users to reconsider their past behaviors with regard to their PA [42] (e.g., peaks and extreme data).-Social benefits: Some users share data with groups to compete with others (e.g., challenging others or chatting about PA) [190].Some users like having access to other people's WAT data [94] to give and receive support [94,139,141,190].-Monetary incentives: Some users use their trackers to gain financial rewards, such as benefits provided by health insurance companies [159].

Social Usage and Data Sharing
The most common way of sharing WAT data is through companion apps on smartphones or, less frequently, through desktop companion software [71].Findings on users' propensity to share WAT data are varied.Tang and Kay [233] found that about 50% of users use social features, whereas Rooksby et al. [202] found that only a small percentage share their WAT data.To share and compare data easily, those who share tend to use devices and apps that are similar to those their friends and family have [94,139,196,211].Interestingly, Fritz et al. [76] found that sharing with friends and family is not an effective strategy for increasing motivation, whereas sharing with strangers is.Sharing could support reaching a common goal and increase motivation.In cooperative tracking, a group goal must be reached under specific constraints (e.g., only one member of the group can contribute toward the activity goal at a given time) [199,203].This was found to increase relatedness and boost individual motivation [203].In general, users find value in comparing their data with that of others [10,190,253].Sharing enables users to engage in constructive discussions [190], and to compete with friends, family [159,209,221], and strangers [190,202].Caregivers can monitor their children's data to check if they are healthy or to keep track of the children's chores [174].When a child's tracker does not work correctly, they can feel 'left out.' Families in low-income neighborhoods could have limited engagement with WATs, as they often prioritize their children's education over their physical health [209].But WATs can promote social mindfulness in high-crime areas, where users feel a sense of safety and community support [208].
Users' willingness to share WAT data depends on the type of data shared and with whom it is shared [78,190].Users mainly share WAT data with people they know [78,94,190] and with people who are similar to them (e.g., same gender, goals, activities, and/or interests) [190,211,228].Pevnick et al. [183] found that male and young healthcare workers are more willing to share WAT data with healthcare providers.Users share data with friends and strangers to compete and/or to show a positive image of themselves, whereas they share data with family members to encourage and motivate one another to be healthier [7].
Users can also share data to increase their social status [159,196,253].Some might even manipulate their data for entertainment/presentation purposes [94,196], which can be perceived as bragging [202].Furthermore, some users might feel intrusive looking at WAT data belonging to people that they do not know [190].Finally, other research has identified groups of users who prefer to not share their WAT data [76,202].

Evolution over Time
The way users use their WATs changes over time [76,233].We identified four categories of usage duration: -First evaluation (0-1 month): WAT use is generally consistent over time [163], and users explore and experiment with different features [121].During this initial phase, they begin to experience most of the previously discussed benefits (e.g., increases in PA, strengthening of 183:9 social bonds).During this phase, users typically decide whether WATs bring value to their lives [188], or if they will stop using them [143].-Short-term use (1-6 months): Users accommodate WATs into their lives [121].During this phase, the frequency of use was found to vary: from short periods of time to almost every day [143,163].-Medium-term use (6-12 months): Users integrate WATs into their lives, benefiting from improved well-being, lifestyle changes, noticeable physiological changes (e.g., weight loss), reinforced PA awareness, and greater social reach [194].-Long-term use and fading of interest (>12 months): Some users integrate WATs more deeply into their lives, whereas others lose their initial enthusiasm yet still continue to use them for their routine activities [76].Over time, users' habits were found to change: they change their motivations [10] and goals [186,233] to use WATs.Interestingly, WAT data utility becomes less meaningful and relevant over time, as users correlate it with their routines [113].After long-term use, distinct usage patterns emerge.These usage patterns are summarized in the second half of Table 2.
Several studies have identified patterns of engagement with WATs, more specifically around adoption, adherence, and abandonment.Table 3 summarizes various elements that were found to positively or negatively influence users' decisions to adopt, adhere to, or abandon their WATs.
Adoption.Research has identified several factors that can either motivate users to adopt WATs or can hinder their adoption [173].For example, curiosity and trust can act as nudges for adoption, whereas lack of interest and privacy concerns can be hindersome.Understanding how users typically acquire WATs helped us better understand WAT adoption.Most often, individuals were found to have purchased the WATs themselves [47].Specific WAT models might be selected based on friends' recommendations [151,202].However, they can also be acquired indirectly as part of a wellness program [47,102], as a gift, or as a prize [47].
Adherence.Users' adherence to WATs is influenced by a variety of factors.For example, users' perceived benefits of using WATs [25], convenient access to health information [32], and expert advice in companion apps [255] positively affect users' decisions for adherence.In addition, when a user feels invested in a WAT, they are more likely to use it [47].Once WAT use becomes routine, users continue using it, purely out of habit, even if they no longer perceive any benefits [115,131,204].On a different note, Tang et al. [234] defined different thresholds for assessing users' level of adherence, as follows: (i) strictly, more than 0 steps on a given day, (ii) more than 500 steps on a given day, (iii) more than 10 hours of data recorded on a given day, and (iv) activity logged in the morning, afternoon, and evening (or so-called "3-a-day").They showed that the step-related thresholds (items (i) and (ii)) are more effective and lead to similar adherence features when they are used to include/categorize participants in research studies.In contrast, the "more than 10 hours" and "3-a-day" thresholds (items (iii) and (iv)) have diverse effects on participant inclusion/categorization.Abandonment.After a certain time, most users were found to abandon their WATs.During the first 30 days after acquisition, if a user does not use their WAT weekly, they are more likely to stop using it [70].Past research identified the following proportions of users who churn after initial setup: -A small portion of users abandon their WATs within the first week [47].
-Many users abandon during the first 3 months [47,131].
-The remainder abandon within the first 3 years [70].[43,67] and keeping motivation [43,76,176]) --Perception of WATs as useful and beneficial [25,193] -To gain utility (customization [266], fashion and ergonomic [54,253], and design trends [44]) --Trusting SPs [2] --For curiosity [131,202] --Social influence [79,124,198] and intergenerational motivations [174,209,211] --To continue sharing data with friends and family [94] --Constructs of Self-Determination Theory (SDT): Relatedness, Competence, and Autonomy [266] -- Convenient access to health information [32] and expert health advice [255] --Being offered financial incentives for sharing WAT data, such as through corporate wellness programs [43,159,176] -- Feeling financially invested in a WAT [47] --Habituation: When usage becomes routine [115,131,204] --Collecting data for the future when more advanced analysis techniques are available [113,131] -- A lack of interest [43,47] or willingness to become overly focused on WAT data [43,209] --Lack of alignment with users' personal fitness goals or using another WAT and not wanting to switch, in the context of employer-sponsored wellness programs [43] -- A misalignment between expectations and the experienced reality of using WATs [47,131,194] --After accomplishing initial goals [14,47,65] --Internalizing PA goals and habits [89] --Contextual changes such as changes in life circumstances [14], participating in activities that their WAT cannot track [47,65] (e.g., a new fitness program), and changing jobs/schools if the new workplace/school does not allow tracking on their premises [47] --Changes in initial intrinsic motivations [14] and after the sense of curiosity is fulfilled [47,113,121,131] -- Health-related reasons such as injuries [14,47,65] or physical inability to engage in PA [47,91,98,115] --Lack of utility [14,66,131], technical barriers [43], and issues with data [14,131] (e.g., lack of accuracy [14,65,102,131,171] and/or feeling uncertainty about data [6,102]) -Physical discomfort (e.g., skin irritation) [14,47,102,115,131,159,186,242] -- † Unpleasant aesthetics [102] --Too much investment of time and effort for tracking (e.g., having to sync the device) [14,43,65,131] -Privacy concerns [14,43,65,79,124,137,173,176,198,215,242] - † Lack of social engagement [102], inability to compare data with others [47,102] The reasons for abandoning WATs vary greatly: tracking is no longer feasible or necessary, WATs do not provide sufficient utility, and the cost of using WATs is perceived to be too high (see Table 3).Sometimes users suspend usage of their WATs temporarily [163].In Table 3, we report factors that can cause temporary vs. permanent abandonment.Epstein et al. [65] found that users who abandon their WATs can feel guilty when the abandonment is due to factors beyond their control, frustrated when they realize they could not achieve their initial goals, and relieved if they realize they no longer need to invest the time and effort to maintain the device active.When users were found to be experiencing negative emotions in relation to the usage of their WAT, removing it could reinstate a feeling of control [89].

Usability and User Experience
Overall, interfaces of WATs are perceived as easy to use [159,186,188].In general, users perceive the immediate feedback provided by WATs as useful, because it helps them achieve their goals [173], and to become more aware of their body image [29].However, past research has identified several usability issues with different types of WATs. 6Matt et al. [159] found that the onboarding experience might be overwhelming for some users.Furthermore, users were found to have issues with basic tasks, such as synchronizing their WATs with their online accounts [167,174].With many types of WATs, the user interface tends to lack customization, personalization, and language (localization) support [167].Additional issues were identified with navigation, text entry, and voice recognition [26,167], and also with insufficient accessibility support [167].New users of WATs were found to have trouble making sense of the numerical and visual representation of their PA data [10,121], which could lead to frustration with their WATs [6,188].
Past research also identified issues with WATs' activity detection and notification.Several types of WATs were found to incorrectly identify context (e.g., WATs giving prompts to walk while the user is on an airplane) [167].WAT notifications were also found to be disruptive, interfering with concentration (e.g., by distracting the user by vibrating/flashing), and can reduce sports performances [10].
Identified issues also concerned the accuracy of measurements of WATs.Data collected by WATs was found to not always represent actual PA (e.g., steps were recorded when none were taken [159]).Accuracy issues can elicit negative emotions in users (e.g., mistrust and annoyance) toward their WATs [76,98].Users were found to have differing requirements for accuracy [186,261].Some categories of users were found to care about the accuracy of WAT data [26,65,145,167,176,188,202,253], whereas other types of users were not very interested in the accuracy of their WAT data [94].More specifically, past research identified that users tend to perceive the accuracy of their WAT data in three ways: accurate and reliable [196]; partially accurate, but still useful [6,26,186,196,202]; and inaccurate and unreliable [26,65,98,159,167,186,202].

PRIVACY
We begin by discussing the types of information that can be derived from WAT data and whether this information poses any threats to user privacy.Machine Learning (ML) models using WAT data can be used to infer the following information about users: -Health metrics: WAT data can be used to monitor ECG waveforms [37], post-surgery complications [264], symptoms of multiple sclerosis [95], SARS-COV-2 infections [105], and mental health states (e.g., stress resilience) [3], and it can be used to predict the readmission of cancer patients [15].Combining WAT data with other resources can help build a health persona [111].In an edge case, WAT data could help specialists better understand the social engagements between autistic children who have difficulties with non-verbal communication [251].-Activities: Studies about Human Activity Recognition (HAR) show how activities can be inferred using WAT data.The most frequently inferred activity types are eating and drinking [28,236,252].In addition, in relation to consumption, a model to detect users' drunkenness in real time was developed [99].Shoaib et al. [222] use WAT data to detect smoking events.WAT data can also be used for other purposes, such as tracing the geometric motion of a user's arm [217], recognizing objects moved by users and the identity of the users who moved them [195], and preventing pedestrian distractions [245].Several novel algorithms and frameworks were developed for HAR (e.g., [1,144]).Dietrich and van Laerhoven [55] propose a typology for classifying the different contexts of WAT usage.Activities can be successfully recognized, even for short-duration data (i.e., short and quick movements) [240].Such inferences are generally more efficient than with other common devices' data (i.e., smartphones) [53].This is because WATs, unlike phones that are usually in users' purses or pockets, are close to the body (i.e., wrist-worn).7 -Personal characteristics: Users' WAT movements, when using NFC payment terminals, can help infer their height [229].Information shared by users on social media in a WAT context can be used to infer personal information, such as weight [250].Under certain conditions, users' handwriting can also be recognized with WAT data, where inference is made not only to detect the event but also to infer the written letters and words [254,257].For example, WAT data can be used to recognize air-writing gestures (and words) [11], finger-writing gestures [259], and gestures of writing on a whiteboard [12].WAT data can also be used to predict users' moods and subsequently to recommend music [138].More recently, Zufferey et al. [268] showed that WAT data can be used to infer users' personality traits, particularly three of the Big Five personality traits (i.e., openness, extraversion, and neuroticism).-Location: A few studies focus on location inference.Hassan et al. [103] studied bypassing EPZs (endpoint privacy zones) to infer WAT users' locations; they could infer more than four-fifths of the locations.EPZ is a mitigation technique that consists in defining a private zone within which some data are not revealed.Meteriz et al. [162] also showed that location inference is possible, with certain previous knowledge and by using the elevation profile.
Are WATs Risky for Users' Privacy?A large majority of research on WAT inferences show that WAT data can also be used in adversarial settings, with potentially negative consequences for user privacy.For example, all information about consumption (e.g., eating, drinking, smoking), activities (e.g., sports), location (e.g., city name), traits (e.g., personality), and disease (e.g., cancer) can be directly used by adversaries (e.g., health insurers, employers, and advertisers) to target their customers and/or even to discriminate against them.

WAT User Privacy Awareness, Knowledge, Concern, Attitude, and Behavior
Awareness and Knowledge.Most users tend to have a limited understanding of how WATs and their ecosystem work (i.e., how their data is processed and analyzed).Users are not aware of who has access to their data, and of how their data are transmitted, stored, and used [45,49,253].They also cannot judge the difference between storing data on a cloud and on a device [35].Velykoiva-nenko et al. [242] showed that only a small proportion of users understood correctly how data is transferred between their WAT and the SP's servers.These findings are supported by the research of Wieneke et al. [253], which found that users do not understand how SPs use their data, and by Zufferey et al. [269], who show that users lack knowledge about the data-sharing ecosystem-in particular, users' understanding of TPAs.The mental models of most WAT users do not correspond with the WAT ecosystem, and they become confused about which data they really shared with TPAs [269].Users' lack of awareness might be due to a lack of interest in learning about how WAT data is used [253].
Users also have limited knowledge about the privacy policies of SPs [45,246].Vitak et al. [246] found that after they were asked to read the relevant part of the terms of service, most users were not aware of what they had given consent to and were surprised about the extent of access they provided to SPs.
Several misconceptions have been identified, including overconfidence in privacy knowledge [147].Some users mistakenly believe that WATs are secure due to their lack of conventional "input" methods, such as a keyboard.Hence, they assume that sensitive information (e.g., a password) is not saved [147].As people tend to use the same code for diverse applications and devices (e.g., ATM PIN codes), the risk of such attacks increases [148].Users' beliefs depend on the type of information collected by WATs.Most users recognize only sensors that they can see and verify [191].They believe that sensitive information not directly related to a specific sensor cannot be inferred from their data [242].Users tend to believe that most privacy risks are unlikely to materialize [78].They first consider the likelihood of being subject to privacy risk, and only then do they contemplate its severity [30].As a result, not knowing the likelihood of such threats prevents them from thinking about their severity. 8Many users consider privacy only from a 'social privacy' point of view and do not think about how their data could be used by third parties [152].
Privacy Concerns.Most users express only minor privacy concerns [7,30,123,134,147,267].The majority perceive their WAT data as harmless, innocuous, and not sensitive [134,147,267].They report that they would share their data without requiring that the privacy boundaries be managed [147,267].Lidynia et al. [142] found that their study participants did not consider storing data on the SP's server (compared to their device) as a critical issue.Many users had mainly utilityrelated concerns (e.g., to have a better self-image from data sharing) rather than privacy-related ones [7].
Aktypi et al. [4] highlight that multiple factors reassure users about their privacy, especially the fact that they tend to trust WAT companies.However, there is no consensus about this trust.Although some studies show that users trust companies to handle their data [267] and believe in companies' technical capabilities to prevent privacy breaches [134], others [22,147,242] do not.Given the huge amount of data collected from millions of individuals, some users cannot see how their data can be used against them: " the information that would come from my device would be just a drop in the ocean" [4, p. 8].For some users, privacy concerns can evolve over time.Some start being concerned if their data is misused or after their privacy is violated [123].In the workplace context (for more details, see Section 4.3), at first, some users perceive their data as harmless.But over time, they report different concerns, as their data creates many inter-colleague discussions that reveal their private-life activities and create social pressure [87].Interestingly, with the participants of research experiments, those who usually are unconcerned about privacy expressed their concerns about WATs, after being confronted with questions about their private life [147,253].This could be due to the well-known privacy paradox [82], where users report 183:14 K. Salehzadeh Niksirat et al.
having privacy concerns, but then they behave as if they do not have these concerns.Finally, Vitak et al. [246] show that the more value users place on their WAT data, the more privacy concerns they have.
The minority of users who are aware of privacy risks tend to be more concerned about their privacy.Concerned users use coping mechanisms [19], implement stronger privacy safeguards to protect their information [35,147,267], and contemplate abandoning their devices [198].Three types of concerns are recognized: -Data collection and storage: Concerns about the anonymization of data [22] and the location of the data storage [22,142].-Control over data: Concerns about the data being used for purposes other than the predefined purpose or being shared with third parties [22,147].Some users believe they have limited control over the disclosure of their own data [147,159,172].They also mention the forced-choice dilemma, where they have to decide between using the device (and facing the consequences) and not using it.Last, they mention the post-purchase lock-in effect where privacy policies might change after agreeing to them.-Storage security: Some users are concerned about their devices or the SPs' platforms being hacked.They believe that security breaches could lead to negative consequences [172,175].
Attitudes.Overall, users who are unaware of privacy risks tend to share more [184].However, users' willingness to share WAT data is strongly related to the type of data and to the targeted audience [78,214].They perceive location data to be the most sensitive data type [77,132,142,185,267] and are concerned about the associated negative consequences, such as home burglary and bike theft [185].In addition, users are more reluctant to share movement data, other than step data [123].Weight and sleep data [142], as well as any data related to Personally Identifiable Information (PII) and financial information [7], are perceived as particularly sensitive.If users sell their data, they would ask for significantly more money for their location data than for healthrelated data [77].
However, even for the most sensitive data, users change their sharing decisions, based on the intended recipients.They generally seem willing to share their location with their friends, whereas they do not want to share it with online advertisers [78].Schneegass et al. [214] found that users' willingness to share is inversely proportional to the size of the recipient group they share the data with.This finding is in line with other studies [7,78,134,142,269], wherein users would be willing to share their data with small groups of people, such as their family, friends and colleagues, and/or with health practitioners if they ask for it, but they would not share with the general public, employers, insurance companies, banks, and advertisers.
In the context of sharing WAT data with family, parents are interested in monitoring their children's health and activity levels, but not to the extent that it would compromise their relationships or prevent children from developing self-sufficiency [129].However, usage of WATs by parents for monitoring their children can deteriorate trust in both directions [116].Li et al. [139] find that younger users worry about their family members' opinions about them, based on their WAT data.Potapov and Marshall [187] reveal children's concerns about their data being misused by their teachers in a school context.In a different context, Leitão [136] shows that WATs can be used by abusive partners for stalking, threatening, and harassing (a.k.a.intimate partner abuse).
Behaviors.Overall, users take two types of privacy-related actions: -Preventive actions before privacy violation: A few users report adjusting the privacy settings of their WATs immediately after setting up their device (i.e., after unboxing), 9 whereas others could not remember when they changed them, and yet others thought they were using the default settings [267].In the context of the workplace, users might consider partial sharing if they could exclude specific parts of their data related to private situations [123].Almost one-third of users usually do not revoke the WAT data access they granted to TPAs, as they forget that they installed them on their devices [269].A minority of users consider removing WATs for privacy-related reasons (e.g., before engaging in sexual activity) [242].-Mitigating actions after privacy violation: Users use two main coping mechanisms [18][19][20].
The first is emotion-focused coping when the perceived level of threat is high and the level of efficacy is low, and the second is problem-focused coping when the perceived level of threat is low and the level of efficacy is high.Therefore, in the event of a privacy breach, users will likely not be able to show rational behavior and will instead seek emotional support.Although users' privacy perceptions do not have an effect on their preventive actions [30], their perceptions can affect their mitigating actions [18]: higher privacy concerns increase users' threat perception that it has an effect on an individual's coping behavior.Surprisingly, when users were asked what they would do if their SP had a security breach, none mentioned that they would stop using their WAT; however, they said this might affect their future WAT purchases [134].
Individual differences play an important role in users' privacy awareness, concerns, attitudes, and behavior.For example, older users tend to be more relaxed with data sharing [214] and give more value to their WAT data [246].Women tend to share more data than men do [214].The findings of studies about the differences between users from different regions are rather inconsistent.Ilhan and Fietkiewicz [109] find significant differences, regarding their level of concern and awareness, between users from the United States and those from Germany.However, the same group of researchers did not observe any differences between users from the United States and Europe [74].Earlier studies categorized users into different classes: -Non-sensitive and Sensitive users [142]; -Unconcerned, Somewhat Concerned, and Highly Concerned users [147]; -Data Protectors (i.e., those concerned with privacy), Benefit Maximizers (i.e., those concerned with utility), and Fact Enthusiasts (i.e., those most concerned with motivational design) [35]; and -Users, Former Users, and Non-users [74].
The last item helps us understand individuals' reasons for using technology or abandoning it and if they would contemplate using such technology in the future.Previous studies [60,74] show that non-users of WATs are more concerned than users about the collection of WAT data.Surprisingly, former users are less concerned about privacy than actual users [74].In contrast, Bélanger et al. [25] do not find any significant difference between the privacy concerns of users and non-users.

Privacy Policy.
As a means of communication between SPs and users, privacy policies are used to inform users about the data collection and usage practices and to obtain their permission.However, their usability and compliance with users' privacy needs and data-protection regulations is still under debate.Many studies have reviewed WAT-related privacy policies and identified two main issues: -A lack of (legal) accountability: Braghin et al. [31] argue that privacy policies are of "dubious validity." Users report a lack of accountability in cases of privacy breaches [4].Paul and Irvine [182] found many statements that have the potential to violate user privacy in the privacy policy content of four market leaders in 2012. 10Several studies present heuristic frameworks for evaluating privacy policies.Katurura and Cilliers [118] showed that both Fitbit and Apple did not provide minimal protection for choice or consent: before they collect data, these companies ask for consent; however, after the collection, the users were not permitted to enforce how their data is used.Hutton et al. [108] compared the privacy policies of selftracking apps in different domains and show that apps related to WATs generally met fewer heuristics, compared with apps related to other types of tracking (e.g., time management, cost management).Becker et al. [24] showed that the type of statements used in privacy policies can influence users' decisions about disclosing their health information (e.g., policies framed positively).-Usability problem: Privacy policies are lengthy, complex, and annoyingly profuse, thus users often do not read them to avoid cognitive load.Furthermore, users perceive their acceptance as a binary choice (i.e., forced-choice dilemma): a necessary condition to use the device [185].Researchers propose several solutions.Gluck et al. [85] show that shortening the privacy policies to some extent can be an effective way to increase user awareness.Guo et al. [96] propose a visualization tool, called Poli-see, for helping users understand WAT privacy policies.Drozd and Kirrane [58] present CURE, a consent-collection system that obtains users' partial consent in a more usable fashion and that provides the users with a better explanation of the consent they have given.Murmann et al. [168] study the adoption of privacy notifications (e.g., notifying users when their data is stored on a cloud or when it is transferred to another country) and show that most of their respondents perceived notifications as useful.Masuch et al. [158] show that confidencebuilding mechanisms (i.e., statements by SPs about how data will be treated securely) resulted in an increase of the users' expectations about the security of the service.However, users observed a large discrepancy between expectation and reality.This negatively influenced their satisfaction and intentions to continue using their WATs.Thuraisingham et al. [237] propose a (hypothetical) privacy-aware data management framework to enable users to manage the collection, storage, sharing, and analysis of their own data.

Protective Laws for Users.
Most of the works about existing regulations, laws, and policies studied regulations in the United States and Europe.In the United States, there are several relevant regulations.However, none are effective [33,34,128,135].More specifically, users are not affected by federal legislation, such as HIPAA (the Health Insurance Portability and Accountability Act) or HITECH (the Health Information Technology for Economic and Clinical Health) Act, as they are not expansive enough to address WAT data.WAT data is not counted as protected health information because SPs are not covered entities, unlike hospitals or clinics [157].In the case of WAT data being stored by a covered entity, HIPAA is applicable only for data processing and disclosure and not for data collection [75].Similarly, the FDA (the U.S. Food and Drug Administration) classifies WATs as low-risk wellness products [128,239].As a result, WAT data is not protected by the FD&C (the U.S. Federal Food, Drug, and Cosmetic) Act [33,34].The Privacy Act of 1974 is another relevant law that regulates the collection, usage, and disclosure of PII.But the definition of PII in this act is rather limited [33], as it includes only information such as names, e-mail addresses, and social security numbers.Similarly, WAT data is not protected by the ECPA (the Electronic Communication Privacy Act) [33,34], as the ECPA does not include devices that use radio frequency identification.
Researchers advocate for new WAT regulations, recommend including WAT data in existing frameworks (e.g., the Privacy Act of 1974 [33]) and the expansion of terminologies such as "covered entities" and "third parties" to include SPs [128].Brinson and Rutherford [33] also developed a portal to help users and data brokers interact and determine the use of their data.
Several studies on legislation in other countries have been conducted.Daly [50] discusses that the most important source of WAT regulation in Australia is the TGA (the Therapeutic Goods Administration).However, the TGA's regulations can be easily avoided if WAT manufacturers do not intend for their WATs to be classified as medical devices (as defined by the TGA).Similarly, Katurura and Cilliers [118] showed that the POPIA (the Protection of Personal Information Act) in South Africa cannot force foreign manufacturers to comply.Compared to other countries, in the European Union (EU), the GDPR (General Data Protection Regulation) provides better protection for users [75,135,156].The GDPR has several advantages.First, it forbids processing personal data, except in far-reaching conditions (i.e., if they are anonymized) [135].Second, it forbids the processing of data concerning health, unless the patient has explicitly consented. 11his affects the collection of health-related data, such as heart rate data.Third, it is an enforceable law and is applicable to foreign manufacturers who export their products to the EU [75,156]. 12his is further supported by the Privacy Shield 2.0. 13Fourth, it permits the use of anonymized data for science and research purposes and for the sake of technological development and demonstration [135].

Use of WAT Data in Investigations.
WAT data can be used as evidence in forensic investigations regarding, for example, suspicious deaths, airplane crashes, malpractice [241], and even detecting police brutality [241], especially in cases of racial injustice [166].WAT data integrity can also be assessed-for example, insurance companies can check whether a reported activity was created artificially [225].Several studies present software tools for forensic science [101,225] and guidelines for investigators [5,101].Other studies [5,101,263] show the forensic soundness of their tools or guidelines by using existing WATs.Only one study fails to recover information, after a forensic analysis [160].It used a real-life scenario instructing a participant (with a Fitbit) to walk to a specific location and hit the ground several times, then to return to their point of departure.Future studies should use similar real-life scenarios to validate the reliability of forensic methods.Courts and forensic investigators can face several challenges that reduce the objectivity of judicial decisions [128,241]: -WAT accuracy: To ensure the accuracy of measured metrics, in particular, if a non-standard WAT was used.-Data integrity: To ensure data integrity by confirming that the data were not changed after an incident and that the WAT was not worn by other individuals.-Data handling: To handle massive amounts of data and still create precise statistical/inference models, even if part of the data is missing.-User privacy: To maintain users' privacy during forensic investigations, particularly in interdependent privacy situations [107].Hassenfeldt et al. [104] show that using web scraping and leaderboard information from Strava, they can access other users' information, regardless if their data is private or public.Kumari and Hook [128] argue that courts should try to obtain data from the users themselves or from their acquaintances.Accordingly, asking SPs to share data should not be the first option.

Ethics.
Several studies analyze the ethical implications of using WATs for users [150,227,239].Lupton [150] uses the term dataveillance (i.e., digital surveillance of individuals) to explain how WAT use can lead to "function creep" (i.e., using data for purposes other than living a healthy and active lifestyle).Tuovinen and Smeaton [239] define the term wearable intelligence as the convenience and simplicity of using WATs.They discuss that, unlike in the context of a black box, users need to know that the information presented to them is an approximation generated by computational models and not absolutely accurate.In addition, they warn about a potential power imbalance between non-expert users and expert data analyst entities, as this imbalance can cause further privacy and trust issues.Steinberg [227] discusses the fairness of insurance companies that use WATs as incentive programs, where users can receive a discount on their premiums if they choose to share their data with insurers.
In addition to taking ethics into consideration for users, researchers should be mindful of research ethics.The collection of WAT data can serve in the development of ML models to infer users' states and propose proper interventions for them.It has become common practice to collect such datasets and to share them with the public to support open science.Publicly sharing such a large dataset has privacy risks for the data owners and ethical risks for designers (i.e., designing interventions based on biased datasets).Lee et al. [132] conduct a risk-benefit assessment with WAT data owners and show that financial compensation was the main incentive for data owners.Some data owners accept to provide even more data to receive even more money.Among those who refused the offer, some mentioned they would accept only if the compensation amount was higher.Less than half of the data owners thought they were subject to surveillance.Some also mentioned a lack of trust about how data would be handled by researchers.Given these vulnerabilities, it is important to protect WAT data owners after data collection.We recommend that, beyond routine practices, such as using informed consent and anonymization, researchers should consider data sharing with restricted access.Among the FAIR 14 open science repositories, Zenodo provides an option for restricted access, 15 where data can be stored privately on the platform, and researchers can share access to it only after certain agreements. 16

'Health@Work' or Workplace Surveillance?
In the context of workplaces, existing studies show that employers have a vested interest in promoting the use of WATs for their employees [75,123].This creates a profitable business for WAT manufacturers, as they can sell more of their products (and additional services) to companies. 17ompanies intending to adopt WAT-based wellness programs follow either a wellness model or a performance management model [156].Whereas the former is used to promote healthy lifestyle habits and to enhance the well-being of the employees, the latter aims to increase efficiency, productivity, and safety. 18The concern with the first model is for employees' privacy, whereas the second is more serious, as data can be used to monitor and detect misconduct, and it can negatively affect employees' careers.
Most studies focus on the first model [43,87,88].Many employees report perceiving wellness programs positively.They usually participate in such programs to improve their awareness of their activity levels, to become more physically active [43], or to socialize [87].During the campaigns, employees can become concerned about the erosion of the boundary between their work and personal lives.However, they also tend to discuss their WAT data with colleagues (as an ice breaker for conversations during breaks).In the workplace, discussions about step counts or activities can increase social pressure, breach privacy boundaries, and hence raise tensions.Studies show that not all employees are happy to join such campaigns, and some decide to not join [43,87].
Given the lack of evidence of the long-term benefits of wellness campaigns and the social distance created between participants and non-participants, Gorm and Shklovski [88] suggest reconsidering the notion of "success" in such campaigns.Marassi and Collins [156] discuss the privacy and autonomy concerns of wearing WATs in the workplace and express many reservations, especially about the employees' "right to bodily integrity, " "life-work boundaries, " and the "power imbalance" between employers and employees.In the United States, there is no legislation that protects employees' privacy [34]. 19In the EU, the GDPR does not permit employers to monitor their employees.To address these issues, previous studies recommend (i) clarifying the terms and implications of information disclosure to employees [34]; (ii) proposing new laws that limit data collection by employers [34]; and (iii) using a coaching-based approach, where employers use third-party services that provide health advice to their employees [156].

Privacy-Enhancing Technologies
Users, in general, are open to using PETs [269].Therefore, designing useful solutions could be a promising approach to preserving users' privacy.As an addition to the work of Alqhatani and Lipford [8] that reviews existing PETs provided by known WAT brands, our work reviews the PETs proposed by the literature: 20-Anonymization techniques: Given the high dimension and sequential time-series nature of WAT data, anonymizing such datasets is challenging.Na et al. [169] showed that accelerometer data can be deanonymized with high accuracy.Multiple studies focus on methods for effectively anonymizing WAT data.Parameshwarappa et al. [178] used a multi-level clustering anonymization technique to prevent the re-identification of users.Gong et al. [86] proposed a theoretical framework for federated learning that preserves individuals' privacy and trains an ML model by using multiple WATs' data.Garbett et al. [80] designed 'ThinkActive': an activity-sharing platform for classrooms with the aim of enabling students to use pseudonymized avatars.-Limited sharing and data minimization: Wang et al. [249] studied user preferences and sharing behavior related to partial-data release.Epstein et al. [63] investigated if fine-grained step-count sharing can help users preserve privacy while they share activities.Velykoivanenko et al. [242] assessed users' utility perceptions to inform future PET design.They also show that there is a high potential for implementing data minimization that can avoid certain privacy risks.-Pedagogical solutions: Torre et al. [238] modeled the complexity of WATs and TPAs to compute the probabilities of inferring different information from WAT data.They show that users can protect their privacy by not sharing certain data.Aktypi et al. [4] designed a pedagogical tool that informs users of the risks they are exposed to when sharing certain WAT data (e.g., running route), together with other information (e.g., the information available their social media).Alvarez et al. [9] showed that watching a video about privacy and security risks of collecting and sharing WAT data can significantly improve attitudes toward cybersecurity, whereas a text version of the information has no significant effect.Sanchez et al. [212] modeled the privacy preferences of users and developed a system for recommending personalized privacy settings to users.-Others: Data integrity is critical for healthcare providers and insurance companies that are interested in users' WAT data.Du Toit [59] designed PAUDIT, a decentralized data architecture that enables users to store their WAT data in a personal online data store and permits healthcare providers to read data and audit the logs (i.e., changes made to the access control list).Ghazinour et al. [84] proposed an access-management tool that enhances users' decision making by enabling them to share their WAT data after considering four aspects: purpose (why), visibility (who), granularity (how), and retention (when).

JOINT ANALYSIS OF UTILITY AND PRIVACY
According to privacy calculus theory [17,137], technology users always weigh the perceived benefits and (privacy) risks.Perceived utility and privacy concerns affect users' intentions to use their devices [137,215].Several studies [25,27,175,267] found that users prefer to take a utilitarian approach and that the perceived benefits can outweigh their privacy concerns.They usually perceive a fairly positive effect from data sharing [7,24].However, some users (e.g., older adults [62]) do not make rational tradeoffs by ignoring or underestimating the risks [253].Furthermore, some users often willingly share data, despite compromising their privacy, as they find the health and social benefits worth the risk [147].They sacrifice privacy to receive immediate financial benefits, such as a reduction in insurance fees [185] or a higher wage [132].Although users tend to express concerns when they carefully read previously agreed-to data collection policies, they would not change their usage behavior [49].
Although the utility-privacy tradeoff is often imbalanced toward the side of utility, users can still gain privacy if they can turn off a particular feature that they do not use.This is a privacy-by-design approach known as data minimization; it limits data collection and transfers to only that which is essential for a specific purpose.Similarly, using PETs can increase privacy, possibly at the expense of utility.Some PETs (e.g., privacy checkup reminders) have no effect on utility.To understand if users are willing to pay in terms of utility to protect their privacy, a few papers studied user attitudes or behaviors toward such strategies.For example, Velykoivanenko et al. [242] reveal a potential for storing heart rate and sleep data, only locally on users' primary connected devices and not on Fitbit's website.They also showed that data aggregation (i.e., having less granular data) was well received by the users.Similarly, Zufferey et al. [269] show that users are generally inclined to use PETs when exposed to the privacy risks related to the use of WAT TPAs.For example, the majority of their respondents reported that they would be (slightly to extremely) likely to use PETs such as reminders or data minimization techniques that reduce time or spatial granularity.
Finally, following the definition of privacy (a.k.a.contextual integrity) by Nissenbaum [170], earlier studies [25,36,159] show that users' utility-privacy tradeoff depends on context.Ebert et al. [60] show that WAT users are concerned about privacy marginally more than loyalty card users are.Lehto and Miikael [134] discuss that individuals consider their health data (collected by their doctors) as private/sensitive, unlike data collected from WATs.Furini et al. [77] show that when given a strong altruistic motivation (e.g., sharing data for contact tracing for COVID-19), users tend to agree to share their data.Similarly, research participants might be willing to share their data, as they consider it a donation and contribution to science [132].Finally, Velykoivanenko et al. [242] argue that users' concerns about the inference of certain types of information (e.g., religion and sexual orientation) are heavily dependent on the social norms and conditions in their country of residence.

WAT SECURITY
We first review the security vulnerabilities of WATs, including attacks on WATs' Bluetooth communications, 21 and various vulnerabilities related to companion apps, and discuss ways WAT data can be used to bypass security systems.Next, we review security countermeasures, including security protocols and threat assessments.Last, we review different WAT authentication methods for enhancing user security.

WAT-Phone Communication
A large amount of research has been conducted on WATs and Bluetooth security.Multiple attacks, privacy issues, and mitigation techniques were identified.Table 4 shows all of the studies related to Bluetooth and Bluetooth Low Energy (BLE) security and WATs.By analyzing these studies, we identified six main types of attacks: -Tracking: 22 Several studies [31,51,93,161] analyzed how WATs, from multiple vendors, communicate with their companion apps (generally installed on a smartphone).They show that all of the tested WATs use permanent BLE addresses, which makes them vulnerable to tracking attacks.Although these previous studies state that using address randomization should mitigate the tracking attack, recent studies [40,270] have shown how generic attribute (GATT) profiles 23 can be used to build unique fingerprints.Becker et al. [21] developed a method to track BLE devices by using features extracted from the payload of advertising messages.
-Eavesdropping and injection attacks: 24 Except for one of them, all analyzed studies describing eavesdropping attacks are also about data-injection attacks.Both types of attacks can be performed using similar techniques, such as a Man-in-the-Middle (MitM) attack.Several studies [31,146,265,270] show that multiple WATs use unencrypted communication, either while already paired or during the pairing process with a smartphone.They even permit pairing without authentication.Therefore, an attacker can retrieve information about the devices.Rahman et al. [192] reverse-engineered two WATs (Fitbit and Garmin) and built a framework that can perform various attacks, such as injecting data into the devices.Other studies [46,90,248] performed attacks that force a device to be paired with a fake companion app that grants access to all transmitted data before redirecting it; the fake companion app was also able to inject data and commands.Mendoza et al. [161] analyzed a Fitbit WAT and show that its communication with a paired smartphone does not follow the BLE security specifications and that the device accepts connections from unknown smartphones.Casagrande et al. [38] reverse-engineered Xiaomi devices and firmware; they show that a large amount of information (including the pairing keys) was not properly encrypted during the communication, thus enabling an attacker to not only eavesdrop on communication but to also alter data.-Denial of service: 25 Goyal et al. [93] performed a Denial of Service (DoS) attack on a Fitbit Charge by spamming it with requests that prevent it from communicating with the companion app on a paired smartphone.Rahman et al. [192] developed two different DoS attacks against Fitbit and Garmin devices.They show that it is possible to quickly drain the WATs' batteries by spamming them with BLE requests.Zhang and Liang [265] also show that attackers can conduct DoS by continuously sending fake commands.Classen et al. [46] demonstrate that DoS attacks can be performed on Fitbit WATs by injecting commands to enable the alarm clock or disable the WAT's functionalities, such as pairing and data synchronization.-Traffic analysis: 26 Das et al. [51] analyzed BLE traffic patterns and found that it is possible to identify individual users, with high accuracy.Fafoutis et al. [69] used BLE to analyze the correlation between activity levels and the received signal strength, in the context of a WAT communicating with a smart home system.The results show that the received signal strength and the unencrypted data are strongly correlated.Finally, Barman et al. [16] reported that a large amount of information can be inferred from encrypted Bluetooth traffic between a WAT and its paired smartphone, such as the type of device, actions, and the type of data.-Firmware modification: 27 Shim et al. [219] analyzed a WAT and its companion app's APK.
Using reverse engineering, they analyzed the BLE communication when the companion app attempts a firmware update of the WAT.This enabled them to create a fake gateway for injecting malicious firmware updates.Similarly, Classen et al. [46] reverse-engineered Fitbit's firmware to study how to modify it to build custom firmware.They show that attackers can use unencrypted BLE communication to flash modified firmware onto Fitbit devices.As explained earlier, most WATs use unencrypted communication.
Hale et al. [100] developed an open source platform that aims to be used by researchers to facilitate wearable security investigations.The platform could be used to collect data, conduct attacks, and identify security vulnerabilities.They used their platform to analyze BLE communications of multiple WATs and observed that all of them use encryption protocols to communicate with their companion apps.
In conclusion, WATs tend to not use any protection mechanisms, such as basic cryptographic schemes [100]; in addition, they send unencrypted traffic, mainly for optimization reasons (e.g., to save battery life).As a result, the public attributes of the transmitted packets can be used to track WATs.Not using encrypted communication can lead to eavesdropping, data injection, and/or firmware modification.MitM attacks can be performed to bypass (basic) encryption mechanisms.An attacker can inject fake commands to conduct DoS attacks.Traffic analysis can disclose sensitive information, even if the communication between a WAT and its paired smartphone is encrypted.Finally, whereas some studies proposed mitigation techniques, only a few of them actually evaluated these techniques.

Phone-Server Communication and Data Storage
Several studies analyzed the security of WAT companion apps.Goyal et al. [93] analyzed the code of the companion apps, how the data is stored on the paired smartphone, the apps' privacy policies, and the communication between the app and the SPs' servers for two types for two WAT models.They showed that for both WATs, the data stored on the smartphone is not encrypted and some of it is even shared with third parties.Rahman et al. [192] analyzed the HTTP communication between Fitbit and Garmin devices and their servers.They showed that the data was not encrypted, including the user's credentials for Fitbit.Fereidooni et al. [73] considered users as potential adversaries.Users might want to send fake data to their SP's cloud for financial gain. 28They analyzed multiple WATs and used MitM attacks to inject fake data into their servers.By reverse engineering the companion apps, they showed that multiple companion apps do not encrypt the data stored on the smartphone, which makes it easily readable and writable.
To inject fake data, Fereidooni et al. [73] also conducted MitM attacks between the companion app and the SP.They performed a new attack directly on the WAT by reverse engineering the hardware system and directly accessing the device's memory to inject fake data [72].After synchronization, the fake data was correctly encrypted and registered by the companion app.
Mendoza et al. [161] analyzed how the Fitbit companion app communicates with Fitbit's servers by sniffing HTTP/HTTPS communication and how TPAs can access data using Fitbit's API.They showed that authentication credentials are sent unencrypted and that the OAuth 2.0 protocol 29 is not correctly implemented.This creates vulnerabilities that an attacker can use to gain access to or modify the data.Classen et al. [46] reverse-engineered the Fitbit companion app to study how to modify it.Modifying the app could enable attackers to associate it with another account in order to download a user's data.Finally, Kazlouski et al. [119] analyzed the communication between two well-known (yet anonymized) WAT companion apps and servers.They collected ground truth by using a MitM setup and sniffed the encrypted packets by using Wireshark.Then they computed correlations of the size and frequency of the packets with the activities, heart rate, and step count.They show that activities and metadata of encrypted packets are strongly correlated and that it is possible to use metadata to identify the occurrence and duration of several activities and even to estimate other information (e.g., estimating the heart rate).In conclusion, multiple devices do not implement adequately secure phone storage and communication with the SP's servers, which can lead to serious threats, such as eavesdropping and/or data injection.

Side-Channel Attacks
Side-channel attacks are a type of security attack that are conducted based on extra available information, instead of using vulnerabilities of security protocols.As the main purpose of WATs is to track users' movements, it is possible to use the sensor data to infer sensitive information, such as the words a user writes, their typing on a keyboard, or even their biometrics.
Maiti et al. [153] studied how WAT sensor data can be used to recognize typing patterns on a computer keyboard.Such attacks can be used by adversaries to collect passwords for bypassing authentication systems.Similarly, Maiti et al. [155] used smartwatch sensor data to infer which keys are typed on a 10-digit keypad and a QWERTY keypad on a smartphone.They reached an accuracy of 74% for the 10-digit keys and had a mean accuracy of 30% for the QWERTY keypad.Sabra et al. [207] and Wang et al. [247] showed how similar attacks can be conducted to infer ATM PIN codes.The former obtains an accuracy of 80% for 6-digit PIN codes; this increases to 93% with five attempts.Lu et al. [148] aimed to infer PIN codes and Android pattern lock patterns.They found that it is possible to infer the Android pattern lock pattern two-thirds of the time, within the first 20 guesses.Maiti et al. [154] studied the inference of rotary combination lock passcodes and showed that WAT sensor data (especially gyroscope data) can be used to greatly increase the likelihood of inferring the lock combination.Eberz et al. [61] studied impersonation attacks.They showed that WAT sensor data can be used to mimic an individual's biometrics (e.g., gait), which would enable bypassing biometrics-based authentication systems.
In general, we can affirm that using WAT sensor data to bypass a security system is a potential threat that should be considered by vendors.Several mitigation techniques are proposed.For example, WATs could deactivate sensors when they detect real-time activities such as typing [153].Alternatively, WATs could add fine-grained noise to sensor data, in such a way that activities, such as walking or swimming, are still recognized but fine hand movements, such as typing, are not recognized [247].Or, users can simply remove their devices when they type.

Security Protocols, Countermeasures, and Threat Assessment
Although a large number of studies related to security are about weaknesses, attacks, and privacy leaks, some of them are about new protocols and tools that can help preserve the security of systems.To protect against different attacks, Rahman et al. [192] propose an encryption protocol based on symmetric keys.They show that their solution has little effect on the device's performance.Using a system of tagged packets, Skalka et al. [226] develop a framework to manage and filter private data at the edge-router level.Yan et al. [260] propose an ML-based method that uses received signal strength indicators to detect spoofing attacks from peripheral devices (e.g., additional sensors worn on the foot) with high accuracy.Finally, Xin et al. [258] show that their new framework is effective at detecting when data is injected in WAT sensor data streams through specific data variations.
A few studies aimed to identify and assess the different types of existing attacks.To classify attacks, Mnjama et al. [164] developed a conceptual WAT threat assessment framework based on the CIA triad (i.e., confidentiality, integrity, availability) and on Microsoft STRIDE (i.e., spoofing, tempering, repudiation, information disclosure, denial of service, the elevation of privilege).They analyzed different phases of WAT data transmission and storage and the current health-wearable literature.Moganedi and Pottas [165] identified all known vulnerabilities affecting WATs and discussed these vulnerabilities with regard to their corresponding parts of the WAT ecosystem and the ways they are classified according to various existing standards.To classify the different currently known vulnerabilities, they identified five main components in the WAT ecosystem 183:25  [48] and Johnston and Weiss [114] Gait as an authentication factor Low error rates (2%-3%) (the WAT, Bluetooth, smartphone companion app, WiFi, and cloud storage) and six control families (access control, audit and accountability, identification and authentication, system and communication protection, system and information integrity, and PII processing and transparency).

WAT-Based Authentication for Security
WAT data can be used to enhance security systems by using the collected data to authenticate users, and by either substituting or complementing other credentials.Table 5 provides a concise summary of various authentication methods utilizing WATs for security-related applications.Notably, gait-based authentication was found to exhibit low error rates [48,114].Vhaduri and Poellabauer [244] demonstrated high accuracy in user recognition by using physiological and activity data collected by WATs.Tehranipoor et al. [235] showed the effectiveness of ECG-based keys for user identification.Chen et al. [41] introduced a resilient authentication system that combines credentials and biometrics by using a virtual 12-key keypad on a user's fingers.Sturgess et al. [230] developed an authentication system for NFC payments with smartwatches.This system detects the intent to pay and then authenticates the user when they want to proceed with payment by using their smartwatch and an NFC terminal.This system prevents attackers from paying with stolen devices or from executing unwanted payments with unlocked devices worn by the user.However, in another study, the same authors showed that an attacker of approximately the same height as the user has a 20.6% higher likelihood of impersonating the user [229].In summary, WATs are equipped with multiple sensors that enable them to be used for biometric authentication: the WAT's firmware could use the biometric data to ensure that the device is activated only when used by its rightful owner; third-party services could also use the collected biometric information for user authentication.

OPEN ISSUES AND RESEARCH AGENDA
In our survey, we provide comprehensive information about the utility, privacy, and security of WATs.We reveal several open issues.In this section, we review and categorize these open issues and then make recommendations regarding future research for researchers and opportunities for designers and policymakers.
Defining "WATs".One of the first findings from our survey is that there is no clear definition of WATs and that research on WATs is scattered across different overlapping categories (e.g., wearables, IoT).The lack of a clear definition leads to difficulty in identifying related literature, inconsistent research findings, and ineffective privacy regulations.A first step would be to properly define a "WAT" and to delimit research on the topic for more focused, consistent, and comparable research.This survey makes the first step in this direction.
Designing Privacy-Enhanced WATs.The literature shows that privacy risks are huge, diverse, and widespread in terms of the information that can be inferred and of the consequences.Part of these risks stem from the behaviors of the users; this is due to their lack of knowledge and/or awareness of the WAT ecosystem and the privacy risks.When users are not concerned about privacy, they tend to behave carelessly.In addition, as users often choose utility when considering the utilityprivacy tradeoffs of WATs, PETs must be particularly effective and desirable for users.To achieve this goal, we believe that future research should focus on the following: designing PETs that use the specificities of WAT data (e.g., numerical time series, TPAs), as is done for location data [189], and on pedagogical solutions to increase users' understanding of WAT ecosystems.To do so, a usercentered approach should be taken (e.g., participatory design or co-design [120]).However, the following topics are sufficiently covered in the current research landscape: usage patterns; habits; the underlying reasons for adoption, adherence, and abandonment; and users' privacy concerns.
Improving Privacy for WAT Data.Another issue identified in this survey is related to the policies governing the collection of user data via WATs.SPs enact policies that provide them many opportunities to develop business intelligence and to offer additional services to users.However, this often comes at the expense of diminished privacy for the users whose data was collected.More importantly, informed consents are often presented through long, complex, and tedious-to-read legal text, which induces users to accept the terms without understanding their implications.A few studies propose alternative solutions (e.g., abstractions or visualizations) to improve privacy policy legibility, but unfortunately, none are yet used in practice.Future studies should further investigate this aspect.In addition, competent authorities should create regulations that would require SPs to use easy-to-understand privacy policies.A related issue is the lack of protective regulations for users.The main limitation of the current legislation is that WAT data are not classified as health information.Consequently, WAT SPs are not obliged to adhere to specific legislation, which could offer better protection for users' data (e.g., ECPA and HIPAA).We believe that legal scholars and policymakers should rework existing regulations to better protect WAT users.
Increasing WAT Security.Our survey shows that WATs are vulnerable.Many communications and storage protocols are vulnerable to attacks such as eavesdropping or side-channel attacks.There could be several factors contributing to these vulnerabilities: the low computational power of some WATs; the costs required to implement higher security standards; and/or the characteristics, which are typically not associated with identifiable information, of WAT data.Another interesting perspective to consider is that SPs are typically not considered adversaries in security research, as we noted in our survey.When they are considered adversaries, they are generally considered as honest but curious.This survey reveals that many types of inference are possible with WAT data and that SPs should be modeled as adversaries.Future research should therefore focus on raising WAT security standards and on studying business models and data management plans typically associated with WATs.
Studying Privacy Risks of WATs More Extensively.We also reviewed many studies on HAR and inference.Most of the HAR papers are functionality oriented, wherein they mainly highlight HAR benefits and focus on achieving high performance.Most privacy-oriented inference papers do not consider activities or specific personal information (e.g., health), as most of them study the inference of data, such as passwords or other types of information that could be used for authentication.
We believe that future research should investigate privacy risks more systematically by finding inspiration from inference studies published on location and smartphone data (e.g., religion, political views, or consumption habits), as done recently by Zufferey et al. [268].
Conducting Meta-Analyses and Replication Studies.We identified studies of WATs' utility, privacy, and security that reported heterogeneous and sometimes opposite findings.Meta-analyses could be useful for comparing these diverse and sometimes conflicting findings.Similarly, studies comparing users vs. non-users, as well as some cross-cultural studies, have reported inconsistent findings.This underlines the need for replication studies in WAT research.To enable replication (and reproducibility), researchers should follow transparency and openness practices (e.g., see the work of Niksirat et al. [210] for guidelines on research transparency and openness).

CONCLUSION
In this survey paper, we meticulously reviewed 236 peer-reviewed published papers, with a primary focus on WATs' utility, privacy, and security.In our survey, we delved into diverse aspects of WATs, highlighting their associated benefits while addressing the associated risks.This work showed that WATs are particularly vulnerable to multiple types of attacks.For instance, the data they collect can be used to infer sensitive personal information.After presenting the current state of research, we provided a discussion highlighting multiple opportunities for research.This constitutes an essential step in future research into the utility, privacy, and security of WATs.

Fig. 1 .
Fig. 1.Summary of the survey methodology.The full list of search strings are listed in Section 1.2.

Table 1 .
Summary of the Published Surveys about the Utility, Privacy, and Security of WATs and Generic Wearables

Table 2 .
WAT Users Identified in the Literature with Different Types of Usage Patterns

Table 3 .
Different Factors That Can Positively or Negatively Influence Adoption, Adherence, and Abandonment FactorAdop.Adhe.Aban.To get benefits (increasing PA

Table 4 .
All Articles about Bluetooth Security and WATs , we indicate the considered types of attacks."Active, " as opposed to "Passive, " relates to an attack where the adversary must interfere with the communication protocol.

Table 5 .
Summary of Authentication Methods Using WAT for Security Applications