On Liberating My Smartwatch From Cloud Services

I’ve often said that if we convince ourselves that technology is magic, we risk becoming hostages to it. Just recently, I had a brush with this fate, but happily, I was saved by open source.

At the time of writing, Garmin is suffering from a massive ransomware attack. I also happen to be a user of the Garmin Instinct watch. I’m very happy with it, and in many ways, it’s magical how much capability is packed into such a tiny package.

I also happen to have a hobby of paddling the outrigger canoe:

I consider the GPS watch to be an indispensable piece of safety gear, especially for the boat’s steer, because it’s hard to judge your water speed when you’re more than a few hundred meters from land. If you get stuck in a bad current, without situational awareness you could end up swept out to sea or worse.

The water currents around Singapore can be extreme. When the tides change, the South China Sea eventually finds its way to the Andaman Sea through the Singapore Strait, causing treacherous flows of current that shift over time. Thus, after every paddle, I upload my GPS data to the Garmin Connect cloud and review the route, in part to note dangerous changes in the ebb-and-flow patterns of currents.

While it’s a clear and present privacy risk to upload such data to the Garmin cloud, we’re all familiar with the trade-off: there’s only 24 hours in the day to worry about things, and the service just worked so well.

Until yesterday.

We had just wrapped up a paddle with particularly unusual currents, and my paddling partner wanted to know our speeds at a few of the tricky spots. I went to retrieve the data and…well, I found out that Garmin was under attack.

Garmin was being held hostage, and transitively, so was access to my paddling data: a small facet of my life had become a hostage to technology.

A bunch of my paddling friends recommended I try Strava. The good news is Garmin allows data files to be retrieved off of the Instinct watch, for upload to third-party services. All you have to do is plug the watch into a regular USB port, and it shows up as a mass storage device.

The bad news is as I tried to create an account on Strava, all sorts of warning bells went off. The website is full of dark patterns, and when I clicked to deny Strava access to my health-related data, I was met with this tricky series dialog boxes:

Click “Decline”…

Click “Deny Permission”…

Click “OK”…

Three clicks to opt out, and if I wasn’t paying attention and just kept clicking the bottom box, I would have opted-in by accident. After this, I was greeted by a creepy list of people to follow (how do they know so much about me from just an email?), and then there’s a tricky dialog box that, if answered incorrectly, routes you to a spot to enter credit card information as part of your “free trial”.

Since Garmin at least made money by selling me a $200+ piece of hardware, collecting my health data is just icing on the cake; for Strava, my health data is the cake. It’s pretty clear to me that Strava made a pitch to its investors that they’ll make fat returns by monetizing my private data, including my health information.

This is a hard no for me. Instead of liberating myself from a hostage situation, going from Garmin to Strava would be like stepping out of the frying pan and directly into the fire.

So, even though this was a busy afternoon … I’m scheduled to paddle again the day after tomorrow, and it would be great to have my boat speed analytics before then. Plus, I was sufficiently miffed by the Strava experience that I couldn’t help but start searching around to see if I couldn’t cobble together my own privacy-protecting alternative.

I was very pleased to discovered an open-source utility called gpsbabel (thank you gpsbabel! I donated!) that can unpack Garmin’s semi-(?)proprietary “.FIT” file format into the interoperable “.GPX” format. From there, I was able to cobble together bits and pieces of XML parsing code and merge it with OpenStreetMaps via the Folium API to create custom maps of my data.

Even with getting “lost” on a detour of trying to use the Google Maps API that left an awful “for development only” watermark on all my map tiles, this only took an evening — it wasn’t the best possible use of my time all things considered, but it was mostly a matter of finding the right open-source pieces and gluing them together with Python (fwiw, Python is a great glue, but a terrible structural material. Do not build skyscrapers out of Python). The code quality is pretty crap, but Python allows that, and it gets the job done. Given those caveats, one could use it as a starting point for something better.

Now that I have full control over my data, I’m able to visualize it in ways that make sense to me. For example, I’ve plotted my speed as a heat map map over the course, with circles proportional to the speed at that moment, and a hover-text that shows my instantaneous speed and heart rate:

It’s exactly the data I need, in the format that I want; no more, and no less. Plus, the output is a single html file that I can share directly with nothing more than a simple link. No analytics, no cookies. Just the data I’ve chosen to share with you.

Here’s a snippet of the code that I use to plot the map data:

Like I said, not the best quality code, but it works, and it was quick to write.

Even better yet, I’m no longer uploading my position or fitness data to the cloud — there is a certain intangible satisfaction in “going dark” for yet another surveillance leakage point in my life, without any compromise in quality or convenience.

It’s also an interesting meta-story about how healthy and vibrant the open-source ecosystem is today. When the Garmin cloud fell, I was able to replace the most important functions of it in just an afternoon by cutting and pasting together various open source frameworks.

The point of open source is not to ritualistically compile our stuff from source. It’s the awareness that technology is not magic: that there is a trail of breadcrumbs any of us could follow to liberate our digital lives in case of a potential hostage situation. Should we so desire, open source empowers us to create and run our own essential tools and services.

Edits: added details on how to take data off the watch, and noted the watch’s price.

28 Responses to “On Liberating My Smartwatch From Cloud Services”

  1. […] 我经常说过,如果我们说服技术是魔术,那我们就有可能成为技术的人质。就在最近,我对这种命运深有感触,但是很高兴,我被开源救了。 在撰写本文时,Garmin正在遭受大规模的勒索软件攻击。我也恰好是Garmin Instinct手表的用户。我对此感到非常满意,并且在许多方面,如此小的包装中包含了多少功能,这是神奇的。 我也碰巧喜欢划独腿独木舟: 在支腿独木舟“变迁比赛”中划入香港岛,参加2018年#RHKYCATIR活动!令人惊叹的海岸线和无与伦比的海港景观。即使在台风摧毁了许多设备后,@ RHKYC还是对它产生了印象。 👏👏感谢主持! pic.twitter.com/ECh9nQHDVt -Bunnie(@bunniestudios)2018年11月6日 我认为GPS手表是必不可少的安全装置,尤其是对于船的转向来说,因为当您离陆地数百米远时,很难判断水速。如果您陷入困境,在没有态势感知的情况下,您可能会被赶出大海甚至更糟。 新加坡周围的水流可能非常猛烈。当潮水变化时,南中国海最终将通过新加坡海峡进入安达曼海,导致海流的危险性随时间推移而变化。因此,每次划桨后,我都会将GPS数据上传到Garmin Connect云并查看路线,部分原因是要注意电流的潮起潮落的危险变化。 虽然将此类数据上传到Garmin云很明显并且存在隐私风险,但我们都已经知道了权衡取舍:一天中只有24小时需要担心,而且服务运行得很好。 直到昨天 我们刚刚用特别不寻常的电流包裹了桨,我的划桨伙伴想知道我们在几个棘手位置的速度。我去取回数据,并且……嗯,我发现Garmin受到攻击。 Garmin被扣为人质,并且在传递时也被扣为人质:我一生的一小部分已成为技术的人质。 一堆我的划桨朋友推荐我尝试Strava。好消息是Garmin允许从Instinct监视中检索数据文件,以上传到第三方服务。 坏消息是,当我尝试在Strava上创建帐户时,各种警告铃声响起。该网站到处都是深色图案,当我单击以拒绝Strava访问与健康相关的数据时,遇到了这个棘手的系列对话框: 点击“拒绝”… 点击“拒绝权限”… 点击“确定”… 单击三下即可退出,如果我不注意而只是单击底部的框,那我会偶然选择加入。此后,我被一群令人毛骨悚然的人打招呼欢迎(他们如何从一封电子邮件中对我有很多了解?),然后是一个棘手的对话框,如果回答不正确,则会将您带到一个可以进入的地点信用卡信息,作为“免费试用”的一部分。 由于Garmin至少在硬件上获利,所以收集我的健康数据只是锦上添花;对于Strava,我的健康数据简直是蛋糕。对我而言,很明显Strava向其投资者宣传,他们可以通过将我的私人数据(包括我的健康信息)货币化来获得丰厚的回报。 对我来说这很难。从Garmin到Strava,而不是从人质的情况中解放自己,就像是从平底锅出来直接进入火中。 因此,即使这是一个忙碌的下午……我也计划在后天再划桨,在那之前进行船速分析将是很棒的。另外,我对Strava的经历深感不安,我禁不住开始四处搜寻,看看是否无法拼凑出自己的隐私保护方案。 我非常高兴地发现了一个名为gpsbabel的开源实用程序(谢谢gpsbabel!我捐赠了!)可以将Garmin的半专有(。)“。FIT”文件格式解压缩为可互操作的“ .GPX”格式。从那里,我能够将零碎的XML解析代码拼凑在一起,并通过Folium API将其与OpenStreetMaps合并,以创建我的数据的自定义地图。 即使绕开了尝试使用Google Maps API的“迷路”,这在我所有的地图图块上留下了可怕的“仅用于开发”水印,但这只花了一个晚上–这并不是我最好的时间所有事情都考虑在内,但这主要是找到合适的开源代码并将它们与Python粘合在一起(首先,Python是一种很好的粘合剂,但是它是一种可怕的结构材料。不要用Python构建摩天大楼)。代码质量相当糟糕,但是Python允许这样做,并且可以完成工作。考虑到这些警告,可以将其作为更好的起点。 现在,我可以完全控制自己的数据了,我可以用对我来说有意义的方式对其进行可视化。例如,我已将速度绘制为路线上的热点图,并带有与当时的速度成比例的圆圈,以及一个悬停文字显示了我的瞬时速度和心率: 正是我需要的数据,格式为所需;不多也不少。另外,输出是一个HTML文件,除了简单的链接外,我可以直接共享它。没有分析,没有cookie。仅是我选择与您共享的数据。 这是我用来绘制地图数据的代码片段: 就像我说的那样,不是质量最好的代码,但是它可以工作,并且编写起来很快。 更好的是,我不再将自己的位置或健身数据上传到云中-在我的生活中又有一个监视泄漏点,“黑夜”中确实有一定的满足感,而质量和便利性丝毫不受影响。 这也是关于当今开源生态系统如何健康和充满活力的有趣的元故事。当Garmin云崩溃时,我能够在一个下午内通过剪切和粘贴各种开源框架来替换其最重要的功能。 开源的目的不是在仪式上从源头上编译我们的东西。人们意识到,技术并不是万能的:在可能发生人质绑架的情况下,任何人都可以跟踪面包屑来解放我们的数字生活。如果我们愿意,开源可以使我们创建并运行自己的基本工具和服务。 此条目发布于2020年7月25日(星期六)上午5:24,并归于Hacking,开源Ponderings下。您可以通过RSS 2.0 feed跟踪对此条目的任何响应。 您可以在自己的网站上留下回复或引用。 Read More […]

  2. […] On Liberating My Smartwatch from Cloud Services (bunniestudios.com) […]

  3. gps says:

    Perspective: Strava is not a profitable company.

    If you value the service you are supposed to pay for it. They only recently started a serious subscription for non-basic features push on their users for this. This recent change has pissed existing free users off, but the alternative of an ad filled hellscape or the company and data being bought by evilscumco at a fire sale and ruined would be much worse for us dedicated users. They aren’t monetizing personal health data.

    These don’t feel like “dark patterns” when it comes to a service specifically designed to access and process the kind of personal data you were frustrated to have to go through efforts to deny it.

    Otherwise… I’m jealous of your boating, that looks like fun! =)

    As for Garmin… They designed their own hell. They’ve never been known for software quality. I feel sorry for those stuck cleaning up the mess there but have no faith in them as a company to learn from this.

    • dude says:

      Do you, by any chance, work for strava?

      • gps says:

        Nope, but I use it heavily. If you don’t like data being public, it isn’t a service for you.

        • Thoma says:

          But why do they want to opt-in for the ‘extra’ heart data in such a bad manner?
          Can’t they make th ebest of what I have to offer. And entice me with real value from that heart rate data?
          Why the dark pattern? Why the insidiously formulated question? It’ almost as bad as Ryanair when they came up their optional insurance in the ticket booking process… with “No insurance please” sorted neatly in a long list of countries, between Nigeria and Northern Cyprus. (Countries you actually need were probably moved to the top of the menu)

  4. […] I’ve often said that if we convince ourselves that technology is magic, we risk becoming hostages to it. Just recently, I had a brush with this fate, but happily, I was saved by open source. At the 
 Read More […]

  5. Robert Davies says:

    Just drag and drop GPX file in this: just shows tracks nicely. (openstreetmaps)
    https://evrignaud.github.io/gpx-viewer/

    PS: Astonished by support offered to Dark Patterns by a previous commenter. Sad. Most average person, especially those in vulnerable positions may leave health data. To the previous commentator please do not defend dark patterns. Thanks.

  6. Anonymous says:

    “The point of open source is not to ritualistically compile our stuff from source. It’s the awareness that technology is not magic: that there is a trail of breadcrumbs any of us could follow to liberate our digital lives in case of a potential hostage situation. Should we so desire, open source empowers us to create and run our own essential tools and services.”

    This is beautiful summation of open source, especially “not magic”. Thank you for writing it.

  7. Rich Klein says:

    I wonder if you could take your data in put it in something like a solid pod. https://solidproject.org/

  8. […] On Liberating My Smartwatch from Cloud Services […]

  9. Mit says:

    How about GpxPod
    https://apps.nextcloud.com/apps/gpxpod
    is a nextcloud plugin.

  10. Hi there,

    nice post and reminded my why I started https://quantified-self.io

    First of all I am Dimi, a SW engineer with passion on sports data.

    I have developed

    https://github.com/jimmykane/fit-parser/ for decoding fit files via JS
    https://github.com/sports-alliance/sports-lib for parsing GPX/TCX/FIT and exporting to GPX (with Thomas Champagne from Elevate)
    https://github.com/jimmykane/quantified-self/ for displaying your data

    I am welcoming the sports data world to come and contribute so we can get past this

  11. […] On Liberating My Smartwatch From Cloud Services [bunnie:studios] Garmin’s cloud services were offline over the weekend. They’re starting to come back online now, but hacker bunnie huang discovered that open source tools made it possible to collect data from a Garmin Smartwatch without connecting to the cloud. […]

  12. Alex says:

    Appreciate the effort, but the value of Garmin service is the easiness to use. It was a hard time for them, and for us but it’s not like I find them evil or unusable to the point of quitting.

  13. […] If you take to the outdoors for your exercise, rather than walking the Sisyphusian stair machine, it’s nice to grab some GPS-packed electronics to quantify your workout. [Bunnie Huang] enjoys paddling the outrigger canoe through the Singapore Strait and recently figured out how to unpack and visualize GPS data from his own Garmin watch. […]

  14. […] On Liberating My Smartwatch From Cloud Services [bunnie:studios]Garmin’s cloud services were offline over the weekend. They’re starting to come back online now, but hacker bunnie huang discovered that open source tools made it possible to collect data from a Garmin Smartwatch without connecting to the cloud. […]

  15. M. Brandis says:

    I started using Garmin GPS watches a while ago. And from the beginning I used open source tools. First pyTrainer, now Golden Cheetah. Both can directly import .fit (and a lot of other files) and display maps. Golden Cheetah is made for cyclist, but works also with other sports. https://www.goldencheetah.org/

  16. Jan Vandermeer says:

    In the dropdown of options for Garmin watches, I can’t find one that explicitly says it will extract and convert the FIT semi-proprietary format to GPX. Which would you recommend?

  17. Jan Vandermeer says:

    My bad. I found it. Thanks for this. Cool jailbreak of personal data.

  18. Hina says:

    Hmm would definitely pick one up to hack if the custom os offered phone/sms/mms integration

  19. My website says:

    My brother suggested I may like this web site. He was totally right.
    This post truly made my day. You cann’t consider simply how so much time
    I had spent for this info! Thank you!

  20. Nikhil Golchha says:

    Fine details and a good work around data.
    On a different note, I have always wondered why Garmin rules the hardware world by not providing any support/spares on their hardware. If we have a battery issue, (like most of their high-end watches do, after a usage of around 2-3 years) they expect us to get the entire Core of the equipment. Considering the fact that now hardware can easily be debugged and replaced, I’m convinced the “free” software acts a substitute for their “we replace, not repair” policy.
    Ever wondered, why?

  21. This info is worth everyone’s attention. Where can I find out
    more?

  22. Greg says:

    Hi Bunnie, thanks for this. I appreciate the work you do. I have a garmin instinct, and this works like a charm! If someone needs help running this on Mac, reply here.

  23. Pedro says:

    Hi Bunnie, great topic. I have been looking for a smartwatch (mid and low profile) that don’t send data to any cloud, and looks that there is no one!

    It would be nice if someone in Shenzhen provides a basic smartwatch that can be private with the data, or at least to have the option to not use any cloud synchronization. I think people would buy it.