I'm a huge fan of the entire Fitbit product; the hardware is a joy to use, it has great apps for desktop and Android, sync is a breeze, the web app works very well; the whole process has been excellent.
However, having spent close to €300 with the company (for the scale + ultra, and recently upgraded to the Fitbit One), I was very disappointed when I found out about their data policy. Having to pay a premium 50/pa to get access to my own data (it's one of the big 'upsells' of premium) leaves a very bad taste in the mouth. And now learning that even this doesn't give you access to your raw data is even worse.
I hope Fitbit changes their approach; if anything I think they have it backwards: give me my data for free when I purchase your hardware for life, and upsell me the web app (I'd be happy to pay for it; maybe include the first year free with your hardware purchase); rather this than give you a pretty complete web app for life for free to record everything I want, but then charge me to read back my own data!
I run http://openyou.org, a site dedicated to reversing as many medical devices as we (or, well, at the moment, mostly I) can get our (my) hands on.
So far, we've put out Emokit (emotiv epoc headset), libfitbit, libomron, and have started libfuelband and libsensewear. The main problem is just time and lack of people resources. We need more people aware that USB/Bluetooth reversing, while somewhat complex, is not all that inherently difficult. 2 or 3 people working together can easily open up a device and protocol format with a minimal amount of [insert language that supports libusb or hidapi] code. However, not many people are interested in learning that, as they just wanna get the data and run. Understandable, but that means you're waiting on one or two people to finish something that they may lose interest in.
I've been contemplating trying to teach a usb/bt reversing workshop for years now, I should really get around to trying that soon.
There's not a lot of help out there for people who are willing to put the time and effort into protocol reversing but don't know where to start!
EA put out a fitness video game with a wireless heart rate monitor that showed up as a normal HID device via its USB dongle. On sale it was like $40, making it a very inexpensive way to log heart rate wirelessly. But no-one had reversed the protocol, and I couldn't find any online resources to teach me how to do it myself.
I'm pretty sure I threw it out, and the product is discontinued now, but I would encourage you to at least put training materials together, if not a full workshop.
Yeah, I will admit that information does end up being the main problem. I've been doing this long enough that it's pretty much second nature these days, and I just find myself going "but what is there to teach?".
I've taught workshops on other subjects before, and usually once I get going on writing curriculum that question answers itself in spades, though. Just need the motivation.
I'm finishing up another personal project right now, then I may start on this. I suppose I don't really have much room to complain when I've already set out a solution that just needs to be done. :)
I ran fifteen design workshops in 2010, so feel free to ping me off HN if you have questions or need support. The HID protocol used by the USB version of the Neurosky Mindwave EEG headset is also undocumented AFAIK, and I could test drive your training using that.
Huh. I used to maintain bindings for the old bluetooth neurosky mindset for PureData/MaxMSP, never thought about the issues with their new headset with proprietary radio not having drivers. They were usually pretty good about open sourcing stuff too.
Last workshop I taught was http://artandcode.com/3d/workshops/2b-teledildonics-with-the..., which I had to compress into 3 hours so it was more an overview sort of thing. I think this workshop will require a nice device to start reversing from scratch, which is something else I'm going to have to figure out. Fitbit would suck since you'd have to learn USB, then ANT. Would like to get one HID device, one non-HID, just to cover most of the bases.
very nice, i've been eyeing the emotiv kit, and been delaying because i don't want to pay for the expensive eeg and dev kit version. i'm going to get the epoc soon and hopefully will be able to contribute towards what you guys have done. awesome!
Indeed. Everyone likes to think missing features are some scam that the company that owns the project is perpetrating upon their users, but in reality they probably want to lock you in for the sake of locking you in. They don't know why, but making the data open would be extra work, would help their competitors, and might hurt their chances of being bought. They can always be more open later, but they can't ever un-open. So they're closed.
I agree, there are other reasons for not providing the raw data. For the vast majority of people raw-data just isn't something that is even remotely usable. Even if one is an expert with data analysis, IMHO, it will require a lot of work to process and interpret it correctly. It may even require a deep knowledge about the device and all its quirks-- we're talking about data derived from a cheap accelerometer here. In the end, it is hard to see how opening up the raw data so a few hackers can take a crack at it is advantageous to fitbit or even consumers in general.
I recently wrapped up a 6 month project that entailed extensive Fitbit integration. My client is a Fortune 500 company and even with their resources it took them months to become a Fitbit partner. Fitbit also charged a ridiculous amount of money for accessing the 100K devices we were provisioning as compared to the competitors.
If you live in the EU you can send them a data access request, which means they have to provide you with all your personally identifiable information that they keep, in this case that means pretty much everything.
I hate it when companies think that they can get away with making you pay for your data.
This is only really useful if the company is in the EU. If they aren't then they aren't bound by that law. After all, there is nothing your local Data Protection Commissioner / courts can do to them to make them comply.
From looking around the FitBit site, it seems they are in California, so Californian law applies. No EU Data Protection Directive there I'm afraid. (If they were in EU their terms & conditions would probably not be binding anyway, against the EU Unfair Terms & Conditions Directive)
Individuals must have access to personal information about them that an organization holds and be able to correct, amend, or delete that information where it is inaccurate, except where the burden or expense of providing access would be disproportionate to the risks to the individual's privacy in the case in question, or where the rights of persons other than the individual would be violated
It would be interesting to send them a request and see what their position is.
I have always been curious about this, from a healthcare perspective. For example, we encrypt PID information one way (the patient has their own unique data access key, which is then encrypted with their password + salt and some 'other stuff'), so we couldn't hand over any information if a data access request was made, even if we wanted to as we don't have access to that information ourselves!
The issue is that the PID is all encrypted, I wouldn't know if we have a John Doe on our system, we can't see anything to verify that user exists or that they're the appropriate owner of said data. We do have an email (which is also encrypted at a system level, which in theory we could access), but verifying an access request based on an email address? I don't know. The way we solve the problem is by making all the data available to the user once they have authenticated, as long as you can login to our website, all your data is available to you, but if you made a direct data access request to us, like a FOI to our office by letter (the typical way it's done), not much I think we could do.
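The arrangement described in the comment above, sketched as an added example that is not part of the original thread or any poster's system: a per-patient data key is wrapped under a key derived from the patient's password and a salt, so the operator stores only material it cannot open. The XOR pad plus HMAC tag is a standard-library stand-in for a real key-wrap or AEAD cipher, the "other stuff" the poster mentions is not modelled, and all names and parameters are assumptions.

```python
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100_000  # assumed work factor for this example


def derive_keys(password, salt):
    """Stretch password + salt into a 32-byte wrapping pad and a 32-byte MAC key."""
    okm = hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                              PBKDF2_ROUNDS, dklen=64)
    return okm[:32], okm[32:]


def wrap_key(data_key, password):
    """Wrap a 32-byte data key; the returned record is all the operator stores."""
    if len(data_key) != 32:
        raise ValueError("data key must be 32 bytes")
    salt = os.urandom(16)  # fresh salt per wrap, so the pad is never reused
    pad, mac_key = derive_keys(password, salt)
    wrapped = bytes(a ^ b for a, b in zip(data_key, pad))
    tag = hmac.new(mac_key, salt + wrapped, hashlib.sha256).digest()
    return {"salt": salt, "wrapped": wrapped, "tag": tag}


def unwrap_key(record, password):
    """Return the data key, or None if the password is wrong or the record was altered."""
    pad, mac_key = derive_keys(password, record["salt"])
    expected = hmac.new(mac_key, record["salt"] + record["wrapped"],
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, record["tag"]):
        return None
    return bytes(a ^ b for a, b in zip(record["wrapped"], pad))


def change_password(record, old_password, new_password):
    """Re-wrap the same data key under a new password; stored patient data is untouched."""
    data_key = unwrap_key(record, old_password)
    if data_key is None:
        return None
    return wrap_key(data_key, new_password)


if __name__ == "__main__":
    # Constructed sample values, for illustration only.
    patient_key = os.urandom(32)
    stored = wrap_key(patient_key, "patient-chosen password")
    # The operator holds only salt, wrapped key and tag: no password, no data key.
    print("operator can unwrap without password:",
          unwrap_key(stored, "") is not None)
    print("patient can unwrap after login:",
          unwrap_key(stored, "patient-chosen password") == patient_key)
```
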
From my understanding, from the yearly IG briefings I used to have, you would be able to provide that requester with information on how to obtain their personal access, and point out to them where they can find the information they have requested.
Information needs to be made accessible, you don't necessarily need to actually provide printouts. For example, FOI requests from news agencies often cover the same topics. This information can and often is posted publicly on the organisation's website and the FOI responses refer the requester to those links.
FOI requests are often made because people don't trust that the "all your information is displayed here on the website" is actually all of the information that is being held on them.
What if the FOI request was supplemented with the user's password (changed by them to a temporary one)?
Other possibilities would be encrypting a second copy of the patient's data (each time it is stored by the user) using a public key with the corresponding private key held in escrow somewhere on a machine with no network connection. It would then be someone's job, upon receiving an FOI request, to take the patient's master-encrypted record(s), put them on the non-connected computer that contains the private key, decrypt, and print out in order to reply to the FOI and then clean up.
If this ability to decrypt data exists, you have yet another layer for the FOI request.
You must track each and every time a patient's data was decrypted and by whom, and that information must be available as well.
Information that you'll probably also need to encrypt, but still be able to search by patient, date, and decrypter. (requests come through to find all records a particular employee has seen within a certain date range as well)
I can see the start of a rabbit hole, which is why organisations dealing in PID have IG teams or consultants who know the laws and know how much needs to be done.
If a patient thinks an organisation is holding out on them, that patient has a way to complain, and the complaints aren't taken lightly from what I've seen.
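One way to meet the logging requirement described in the comment above, as an added example that is not part of the original thread: an append-only decryption log whose patient and employee identifiers are stored as keyed HMAC tokens (a blind index, used here in place of encrypting those fields) so they can be matched but not read without the key, with each entry chained to the previous one so edits are detectable. Timestamps are kept in the clear for range queries; the keys, identifiers and sample entries are constructed assumptions.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # "previous MAC" value for the first entry


def blind(index_key, field, value):
    """Keyed token: equal identifiers match, but are unreadable without index_key."""
    msg = f"{field}:{value}".encode()
    return hmac.new(index_key, msg, hashlib.sha256).hexdigest()


def entry_mac(chain_key, body):
    payload = json.dumps(body, sort_keys=True).encode()
    return hmac.new(chain_key, payload, hashlib.sha256).hexdigest()


def append(log, index_key, chain_key, patient_id, employee_id, when):
    """Record that employee_id decrypted patient_id's data at `when` (aware datetime)."""
    body = {
        "seq": len(log),
        "ts": when.astimezone(timezone.utc).isoformat(),
        "patient": blind(index_key, "patient", patient_id),
        "actor": blind(index_key, "actor", employee_id),
        "prev": log[-1]["mac"] if log else GENESIS,
    }
    entry = dict(body, mac=entry_mac(chain_key, body))
    log.append(entry)
    return entry


def verify(log, chain_key):
    """Return the index of the first altered or reordered entry, or -1 if intact.
    Truncation of the tail is not detected here; that needs the latest MAC
    anchored somewhere outside the log."""
    prev = GENESIS
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "mac"}
        if entry["seq"] != i or entry["prev"] != prev:
            return i
        if not hmac.compare_digest(entry_mac(chain_key, body), entry["mac"]):
            return i
        prev = entry["mac"]
    return -1


def search(log, index_key, patient_id=None, employee_id=None, start=None, end=None):
    """Filter by patient, decrypter and/or inclusive UTC time range."""
    want_p = blind(index_key, "patient", patient_id) if patient_id else None
    want_a = blind(index_key, "actor", employee_id) if employee_id else None
    hits = []
    for entry in log:
        ts = datetime.fromisoformat(entry["ts"])
        if want_p and entry["patient"] != want_p:
            continue
        if want_a and entry["actor"] != want_a:
            continue
        if (start and ts < start) or (end and ts > end):
            continue
        hits.append(entry)
    return hits


def name_actors(hits, index_key, roster):
    """Map actor tokens back to employee ids by tokenising the staff roster."""
    lookup = {blind(index_key, "actor", emp): emp for emp in roster}
    return [lookup.get(entry["actor"], "unknown") for entry in hits]


def build_sample_log():
    """Constructed sample data; real keys would come from a key store."""
    index_key = b"constructed-index-key-for-demo!!"
    chain_key = b"constructed-chain-key-for-demo!!"
    utc = timezone.utc
    log = []
    append(log, index_key, chain_key, "P-1001", "emp-ann", datetime(2013, 1, 10, 9, 0, tzinfo=utc))
    append(log, index_key, chain_key, "P-2002", "emp-bob", datetime(2013, 1, 12, 14, 30, tzinfo=utc))
    append(log, index_key, chain_key, "P-1001", "emp-bob", datetime(2013, 2, 1, 8, 15, tzinfo=utc))
    return log, index_key, chain_key


if __name__ == "__main__":
    log, ik, ck = build_sample_log()
    print("chain intact:", verify(log, ck) == -1)
    print("who decrypted P-1001:",
          name_actors(search(log, ik, patient_id="P-1001"), ik, ["emp-ann", "emp-bob"]))
```
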
What would be ideal is to have some kind of "password/data escrow" service that is separate from companies like yours, or the one I'm working with, so that there is a way to recover the data if a password is lost, but a formal/legal separation of the means to access it is maintained.
> if you made a direct data access request to us, like a FOI to our office by letter (the typical way it's done), not much I think we could do.
Minor pedantic peeve of mine: Many countries have Freedom of Information (FOI) laws, and Data Protection. Often FOI only refers to government bodies and covers lots of stuff (e.g. "How much per year does my local council spend cleaning the local park?"), however data protection mostly applies to personal data that anyone (government or private enterprise) holds on you. Data Protection laws sometimes make it illegal for the company to tell third parties the personal data about you.
I haven't tackled generated graphs from the SQL data yet but plan to eventually. The one graph on the page was generated with Apple's Numbers. Since it's annual data I don't plan on updating it more than once a year.
I've also been working on something very similar (general data tracking with an awesome API) for a couple of months now. It's not quite ready yet, but I would love to have your input on it once it's online!
(P.S. My project is also heavily inspired by the features and shortcomings of Daytum (namely the lack of an API), which is frankly the best self tracking tool available at the moment.)
The new fitbit can sync using the iphone's bluetooth 4 connection. This makes syncing a passive rather than an active thing which was the reason I bought the fitbit one even though I had the original one.
This is a rather annoying trend with devices in this class. I own a half dozen otherwise excellent devices like this, each of which requires a SaaS subscription to make full use of, and most of which deny me access to the raw data. I have to think that the market for people wanting the raw data is fairly small in comparison to the people who just want a simple, single-device web service, but I think this is disappointing.
The real value in the data is the relationships between various data sources. I really don't care how many steps I take in a particular day, but I do care if there is a relationship between that and my weight, how well I sleep, my heart rate etc. No device, or brand, does everything, nor should they. I want to be able to get my data out so I can use it in interesting ways.
I have thought a lot about not buying any devices in the future that don't allow me access to the data I produce. I think it is probably a good policy, but I would be left with very little in the way of options then. Finding hacks to get data out of devices can be useful, but should we really have to crack each new gadget just to use the data? I think it's a pretty sad state of affairs.
Much as I dislike Garmin's lack of support for Linux, I have to second this. My Forerunner 405, eTrex Vista and Vista HCx all download to my computer, with the option (not forced) of uploading. I have full access to .GPX files that I can use with any number of pieces of software (including Google Earth and Maps). Also, I've been pretty happy with the Zephyr HxM hooked up to my N900, and the wife has a Zephyr as well that works well with a Samsung Galaxy III and Google tracks.
Slightly OT, I used to obsess about the accuracy and actual data that these devices provide (had a BodyMedia FIT and now a FitBit), until I realized that the data itself isn't what I'm most interested in.
IMHO the main draw for these devices is their ability to motivate me to be more active, sleep better, etc. Historical data is interesting, but not crucial to that function (although I'd like to see FitBit make the data available). Far more important are real-time feedback mechanisms, such as notices that I achieved a goal, motivating messages ("you're almost there"), etc.
So this may be a counter argument to the "Hacker" culture, but here goes. Hopefully this can spark an interesting discussion.
I own a fitbit, and have loved it. I don't regret paying the $99 for it. I log into the web site, and see my daily totals, and the little graph showing when my activity spikes were. At the end of a grueling day walking around New York City, I can tell my wife that we took 20,000 steps and that's a bit interesting. It's useful and interesting - only to a point.
So after reading this post, my main question is "Why?"
Why do you need minute-by-minute access to pedometer data? What use is it, really? The OP says, basically, "out of curiosity". OK, so hack the thing. There's a number of links for intercepting that data during the sync process. But can you fault fitbit for not providing data that no one (not even the company itself) needs?
What data can the fitbit give you on a minute-by-minute basis that is remotely useful or interesting?
It's just a pedometer. At the end of the day, it tells you you took 10,000 steps or whatever. It's also interesting that you walked 50 miles this month, or have walked up steps to the level a helicopter flies. Or how many miles you've walked this year.
An example (not for regular sampling, but I hope it gets the point across): if a pedometer records the time of every footfall through the day, you can discern whether your pace is faster on Tuesdays than Sundays, even if you take the same number of steps. If those data are aggregated into steps/hour, you'll never see it.
The lack of open access to the data acquired by a FitBit (I'd been considering buying one) is a certain dealbreaker.
The total number of steps is neat, but I'm more interested in seeing how often and how long I move (or don't move). I consider 20,000 steps followed by 6 hours of non-stop slouching in front of the computer less ideal than just 10,000 steps but never sitting for more than an hour at a time. Fitbit doesn't provide this analysis, but I can do it myself with access to minute-by-minute data.
I wanted to know what fitbit is, but the site redirects me to fitbit.com/de and I closed that site.
How can they be open about data, if they have obviously no clue about open standards, like http accept headers? Worse, there's no way to visit the (official?) fitbit.com site even after that idiotic redirect. I can't access an English version, period. Stupid.
There's a logical flaw in your reasoning: "doesn't http accept headers" doesn't imply anything about their understanding of open standards.
While it's perfectly understandable that you might be upset that their site for Germany doesn't offer English language as an option, that's clearly a completely separate issue from how they handle user data.
You're correct. I let my anger about ignoring my explicit preferences, which I expressed in a standard way, lead me to believe that the company doesn't care.
Obviously that's annoyance speaking and speculating based on me being tired with the constant 'Hey, I know better what you want' attitude (Looking at you, Google/Blogger) - I don't even know a single thing about their product (which is why I went to the site in the first place).
Sorry about that. I stand by my point about this sort of redirection being a telltale sign of a flawed web site and lack of respect for user preferences. What else they can or cannot do, I have no clue about and cannot judge.
Given that you're in Germany and they don't have an English version of their Germany website available their two options would be either to send you to the German language website for Germany (which they do) or alternatively send you to the US or UK website which are in English.
I'm not sure it's obvious that sending someone in Germany to the UK/US website (where presumably they'll be unable to buy the product) just because their browser is set to English is the better solution.
While for sites like Blogger language is obviously more important than country, for companies which are country-localized (i.e. they treat different countries differently for shipping, taxes, legal, operations, etc.) I would guess that it makes more sense to send you to local country version.
Imagine you were using say a dating site or a takeaway site, you would find it equally frustrating if you were routed away from a local language site to a US specific site just because that's what your language preferences were set to.
b) the region I'd like the product to ship to, if at all
Why is the site different for different countries, ignoring 'translation'? I haven't thought it through, maybe, but I cannot come up with any decent reason for a 'German' site that isn't just the 'US' site in a different language.
In that case, please (dear website) listen to what I'm asking for. If I go to fitbit.com I expect to get the very same thing someone in the US receives. I'd like to talk about the very same site. I don't want someone to redirect me to a localized thing. And certainly not without giving me the opportunity to say 'Yeah, no. That was stupid. I really wanted the original version, silly'.
Same thing: If I go to www.google.com, I want to end up at www.google.com, not www.google.de. If I visit a random post on Blogger, chances are all the content is in English. Except for the 'helpful' Blogger toolbar and whatnot, that are coming up in German, because hey that's where we figured out you're coming from.
Lived in Israel for a year, got a Hebrew toolbar, google.il (and I'd like to know what fitbits would've done there). German vs. English is one thing: I can read both, I just explicitly (url, domain, accept headers) ask for the latter. English vs. Hebrew is another: I cannot read the latter, even if I happen to be - yay for geolocation - in the one state that represents the Hebrew language.
> Imagine you were using say a dating site or a takeaway site, you would find it equally frustrating if you were routed away from a local language site to a US specific site
Right. Don't send me anywhere if I navigate to example.com, even if I ask for de_DE. Offer a translated version, if you can. Otherwise drop a small (German?) link on your .com, saying 'We noticed you explicitly ask for German content. We got a country specific site right here -> example.de'
A dating site would allow me to register and state my country of origin or interest (which might be Germany, even if I live in Tel Aviv at that time). A takeaway site is really a weird example. www.pizza.de is available in German only for all I can tell and won't redirect me to a random US site because I ask the server to please return en_US or en localized content, _if possible_.
So, for me this whole 'automagic-we-know-it-best' translation/redirection thing is broken by design. It was a constant hassle in the past and just seems to catch on. Which is why I'm pointing it out when I can. I'm sorry for the thread-jacking. Thanks for the exchange so far.
Just to curb some replies: I know that FitBit does other stuff, lasts longer on a charge, has less friction getting data off, etc, but the thing I'm countering is the openness claim. If you have to pay for your data, and you still don't get a copy, it's a) not your data and b) not an open platform. Some basic research would have revealed this, hence why I didn't (and won't) get a FitBit, and I recommend others avoid it too.
I was looking at FitBit but am really not interested in uploading any data. Is it possible to use the FitBit desktop app without permitting it to upload? Would it cache everything locally and function normally or does it require access to be usable at all?
"The Tracker will upload your data every 15 minutes provided you are within range of any plugged in base station (about 15 feet for direct line of sight), the computer is on and not in sleep or hibernate mode, the software is installed and running, and you have an active internet connection."
This implies to me that the data isn't cached locally outside of the Tracker itself, if an internet connection is not available.
libfitbit unfortunately doesn't currently work with the fitbit one, for the older devices it's apparently fine but the one changes how it gets talked to entirely. I've attempted a bit of work with getting something talking to it but it's not an easy thing to do. Their bluetooth dongle presents itself as an HID device and I think hides a lot of the details away from you if you wanted to talk to it over actual bluetooth. I'd love to get it to sync with both their site and to be able to capture the information myself to store.
The flash content must get the data from somewhere, probably in XML, certainly over HTTP. Open Wireshark and capture a session to know where it came from. Then write a program that replicates this behavior and save the data.
I just ran it through fiddler and the Flash content gets the details in XML over HTTP. For steps and floors you get a count in 5 minute units; for calories you get a burn in 5 minute units when you have been active; for sleep you seem to get a score to indicate whether you are asleep or awake every minute you are asleep.
I purchased a FitBit based on its reputation without realizing that I would have to pay to access the data that I'm collecting... deal breaker! As others have said, I understand charging for an ongoing service like analyzing the data and using their site, but not for just accessing the raw data from the device.
For me, this is the first time that not owning my own data has really put me off. I'll be returning my FitBit.
> like I change my daily targets, but weekly targets dont change.
fwiw I think that is by design; the two things are independent. e.g. you may wish to set a minimum 10k steps a day, but a weekly goal of 100k (or whatever). It's a bit confusing because it sets you up defaults for both day and week where week=7xDay, but it doesn't have to be that way.
The Bodymedia FIT, in addition to being a superior device overall(1), has an API which lets you access caloric burn and other data up to single minute detail levels. If you Google around, there are some blog posts describing how to dump data from it using standard USB serial port drivers.
Repeatedly asks me in which of a list of four places I am (Answer: Neither). Doesn't say 'Because, you know, we won't sell stuff to you if you are not on the list' until you try to check out.
When you reach checkout, you'll see that they are asking you if you're in the US, Canada, Australia or New Zealand, while the shop contains the helpful "Currently BodyMedia FIT only ships within the U.S. and Canada (does not include Quebec)". What happens if I _am_ in Australia or NZ? Weird.
Product looked nice, wanted to impulse buy one right now, but .. guess not.
I would guess the reason they don't sell in Quebec is because their product is not localized for French speakers. The company I work with is nationwide in Canada except for Quebec because of the legal hassles and logistical troubles of localizing for French speakers as mandated by law in Quebec.
"*Subscription required. The LINK Armband does not display information on its own, but rather works in conjunction with the online Activity Manager. Package includes a free 3-month trial period subscription. Monthly, 6-month, and 12-month subscriptions are available."
aehm ... do I understand that correctly, I have to pay them $7 bucks a month to get access to my data? WOW, yes so much better than fitbit :D
Yeah you do in order to use the SaaS, unless you dump the data over USB and process it yourself. Honestly, I have to imagine that the objection to $7/mo is on principle with this crowd, and not a financial issue. This is the same crowd though, who loves to shout "if you're not paying for it, you're the customer" so here we have a situation where you're paying for what you use.
Is the price you're paying set by perception of value, rather than cost of goods sold? Yes, mostly. It is a business. But Bodymedia is aggressive in making their product (both SaaS and armband) better over time, so your subscription fees aren't pure profit.
So if you accept that $7/mo is a negligible cost, and that the price does not need to be simply an invoice of labor and hardware, but an expression of value, then I think this is a no-brainer. This easily delivers $7 of value even without using the API.
A biometric sensor with minute-by-minute granularity of data access for $84/yr plus one-time cost of ~$150? That's very well priced, IMO. It's just the idea of paying twice for a product you already own which hurts -- it's not the easiest pill to swallow, and it kept me from buying one for a while too.
If they want to charge more, they should charge more. It's not just about overall value. For a moment let's focus on devices that charge solely to get the raw data two feet onto a computer. The user pays $5 for this service. What are they actually paying for the company to do? Nothing. They're not buying a license, they're not receiving any service... It's in fact not a sale at all, it's a gift of $5. You can't have a contract without consideration on both sides.
I'm not interested in giving away money just because a product is neat. Charge me the real price up front if you want more money. Or do it right and charge me for analysis but not for raw data dumps.
You're paying for the SaaS, which not only receives the measurements from the device, but processes and stores it, while giving you a UI to access it. And then they maintain the servers, fix the bugs and add features.
So your only gripe really is that they're selling it as a service, instead of a single box install. Which is fine, but let's not pretend that this isn't a legitimate business model and probably the prevailing way of making a dollar in our industry. It's completely legitimate to sell SaaS and allow access only on a subscription basis.
Why shouldn't you pay to have your data stored and compiled into reports on an ongoing basis? And if you don't want that, as I've said, the serial protocol is completely hackable by even noobs.
The problem is not being able to use the device at all without the paid service. You have to pay regardless of whether you want them to store your data or not (I don't). I don't think it's surprising that many people have aversion to paying for a product that they can only use as long as they continue to pay a monthly fee.
But why is the software designed as SaaS in the first place? Capturing and analyzing data and providing a UI are functions easily accomplished by a desktop application. Why are users locked into a subscription model to access the data output by hardware that they've purchased?
Could you explain a bit more when Bodymedia FIT is superior? The FitBit One and Ultra tracks steps taken, floors climbed, and sleep efficiency, and tells you calories burned and distance travelled (the latter two I assume just simply calculated from the raw data collected; you can input your weight and stride length on the site).
I believe the Fitbit is nothing more than a step counter type of device. I could be wrong, but that's what it looks like.
The Bodymedia FIT has actual sensors, it's an armband you have to wear. It monitors temperature among other things. It has been tested against a $40,000 "portable oxygen analyzer", the gold standard for measuring calories. (source: http://www.bodymedia.com/the_science.html)
Regarding the Bodymedia FIT developer program. It looks like you still need a subscription though and one still needs to upload the data from the armband to the website to get at it. Seems kind of pointless. I would want to get the data directly from the USB armband without a subscription.
Suppose you did 100 squats. Which will be closer to reporting your true caloric burn -- a pedometer or a sensor directly contacting your skin and measuring your skin temperature and other variables? The latter, right? The former would probably report 100 steps taken, very slowly.
The total costs are higher though. The Fitbit is a onetime cost of $100-125 where the Bodymedia is $120-150 once and $84/yr. But for me, the cost of the Fitbit is too high for the relatively inaccurate method of collection.
I was planning on getting a FitBit this week, the main purchasing decision against a Nike Fuelband being open access to data. Does anyone have any alternatives they can recommend? I'm especially interested in the sleep tracking side of things.
Why do we need an actual hardware device to get to this data? Don't iPhones and Androids and others have all the internals needed to get the same data, and more, such as altitude, so you can check the incline you are against etc.
I think for lots of people, they don't want to carry their expensive smart-phones with them when they exercise. I'm also always forgetting it, don't charge it, etc. These new devices are so small you can basically wear it all day and forget about it.
I'm not sure about Androids, but iPhones do not have a barometric pressure sensor, so the only way to obtain altitude data would be through GPS. For applications like this, where you don't need real-time altitude information, that low-power GPS paper from Microsoft could come in handy, but it's cheaper and lower power to just use a pressure transducer in the first place.
Just got a Jawbone UP, and I can login to my account with them and download a CSV with my data. It's just a daily summary though (i.e. not the full hour by hour or whatever interval it's recording at).
Keep emailing and asking on the message boards. Fitbit is a bit slow to get back to people but normally pretty good about it. I built ruby apis to access fitbit before they had an API and an android app prior to them releasing their own. I was in email contact with them the whole time and they were willing to help me out and give me beta access to the api before it was public.
I love fitbit, and hope they allow users to at least download the detailed personal reports.