
Your Fitness Tracker Is Evidence: How Health Data Ends Up in Courtrooms and Divorce Filings

James Hoffmann
May 26, 2026 · 13 min read

TL;DR

Your fitness tracker records everything. Steps, heart rate, sleep, location. That data lives on someone else's server, and in at least one murder trial, it was the evidence that convicted the killer. The legal system has figured out that wearables are witnesses that never sleep. Most users have not figured out that the witness works for the prosecution.

The Fitbit murder

On December 23, 2015, Richard Dabate called 911 from his home in Ellington, Connecticut. He told police a masked intruder had shot his wife Connie in the basement, tied him to a chair with zip ties, stabbed him, and burned him with a blowtorch. The intruder, Richard said, sounded like Vin Diesel and wore camouflage.

The police did not believe him. Their dogs found only Richard's scent on the property. His email logs showed he accessed his Outlook account from the home IP address at 8:41 am, contradicting his claim that he had pulled over on the side of the road to email his boss. At 9:18 am, while supposedly driving to work, he searched the ESPN website from the same home network.

The decisive evidence came from Connie's Fitbit One, clipped to her waistband. The device recorded her last movements inside the house at 10:05 am. Richard's timeline put her death just after 9:00 am. The Fitbit data gave prosecutors a one-hour window that collapsed his entire story.

The trial lasted weeks. Defense attorneys argued that Fitbit devices are not medically accurate and that the step counter could have registered false positives. The prosecution countered with the home security system records, the email timestamps, and the scent dogs. The jury deliberated and returned a guilty verdict on May 10, 2022. Richard Dabate was sentenced to 65 years in prison.

The press called it the Fitbit murder. It was the first high-profile case in the United States where fitness tracker data played a central role in a homicide conviction, and it established a precedent that judges, defense attorneys, and privacy advocates are still wrestling with.

The precedent is spreading

The Dabate case was not an anomaly. In 2016, prosecutors in Middletown, Ohio charged Ross Compton with arson and insurance fraud after his house burned down. Compton claimed he packed his bags, threw them out a window, and fled the fire. Investigators subpoenaed data from his pacemaker. The cardiac records showed his heart rate and cardiac rhythms before, during, and after the fire. The data contradicted his claim that he had exerted himself frantically to escape. The case ended in a guilty plea.

In the United Kingdom, a cyclist's Garmin data was used in a personal injury claim to prove that a road accident had reduced his training volume and race performance. The defense requested the data, got it, and the settlement reflected the verified activity drop. These cases do not make international headlines, but they are routine now. Family law attorneys in Texas and Florida have reported requesting Apple Watch and Fitbit data in custody disputes to prove or disprove claims about a parent's physical capability or daily routine.

The common thread is that biometric data has become a new class of evidence. It is not hearsay. It is not testimony. It is machine-generated, timestamped, and increasingly admissible. Defense attorneys can challenge accuracy, calibration, or chain of custody, but the default assumption in most courts is that the data is reliable unless proven otherwise.

What the data actually reveals

The prosecution in the Dabate case did not need sophisticated forensic analysis. Fitbit's step counter and activity timestamps were enough. But the sensors in modern wearables record far more than steps, and attorneys have become increasingly creative about how to use that information.

Heart rate data can establish whether someone was awake, asleep, or physically exerting themselves at a specific time. Sleep stage tracking creates a timeline of unconsciousness that can corroborate or contradict an alibi. GPS and location logs place the device (and usually the wearer) at specific coordinates. Some devices log skin temperature, blood oxygen, and even heart rate variability, each of which can indicate stress, illness, or physical activity.

In personal injury litigation, plaintiffs have submitted Fitbit and Apple Watch data to prove that an accident reduced their daily activity. Defense teams have requested the same data to argue that the plaintiff's step count never dropped. Divorce attorneys in multiple states have subpoenaed wearable data to prove that a spouse claiming disability was still running five miles a day. In one 2019 California case, a father's Garmin data was used to dispute his claim that he was too sedentary to share custody of a dog. The data showed he was walking 12,000 steps daily.

The detail is the point. A smartphone can tell a court that you were awake at 2:00 am. A wearable can tell a court that your heart rate was 110 bpm while you were supposedly asleep, or that your body temperature dropped at exactly the time your partner claims you were not in the room. The granularity transforms the device from a fitness accessory into a biometric surveillance tool that the wearer funded themselves.


How lawyers get it

Most users assume their health data is protected by medical privacy laws. It is not. The Health Insurance Portability and Accountability Act (HIPAA) applies to healthcare providers, insurers, and clearinghouses. It does not apply to Fitbit, Apple, Garmin, Whoop, Oura, or any other consumer wearable company. Your Oura ring data is not medical records. It is consumer data, stored on a company's servers, governed by terms of service that almost no one reads.

When law enforcement or an attorney wants that data, they serve a subpoena directly to the company. The legal standard varies by jurisdiction and case type, but the underlying principle is consistent: if a third party holds your data, the government does not need a warrant to demand it from them. This is the third-party doctrine, established in Supreme Court cases from the 1970s and only partially narrowed by the 2018 Carpenter v. United States decision, which held that warrantless access to historical cell-site location information violates the Fourth Amendment.

Wearable data sits in a gray zone. The Stored Communications Act governs electronic communications held by service providers, but health metrics are not communications. Some states have passed biometric privacy laws (Illinois BIPA, for example), but those focus on commercial collection and consent, not law enforcement access. In practice, most wearable companies comply with subpoenas unless they have a specific policy against it, and even then, a court order usually overrides corporate resistance.

The data retention policies make this worse. Fitbit's current policy states they retain data until you delete your account, but aggregated and de-identified data may be kept indefinitely. Garmin Connect stores your activity history for as long as you maintain an account, and backup archives often persist on servers even after deletion requests. Apple's Health app data is encrypted on-device, but if you enable iCloud backup for Health, the backup is stored on Apple's servers and can be subpoenaed. Oura's privacy policy says they retain data "for as long as necessary to provide our services," which is corporate language for "until we decide otherwise."

Insurance companies have entered the picture, too. Several wellness programs now offer discounts to employees who share wearable data. The pitch is lower premiums for healthy behavior. The catch is that the insurer now has a longitudinal health record that can be subpoenaed in litigation, shared with underwriters, or used to deny future claims. The wearer traded their biometric privacy for a $200 annual discount.

I am not sure where the legal line will end up. Carpenter narrowed the third-party doctrine for cell location, but the Court has not ruled on continuous biometric streams from wearables. My guess is that the granularity of health data will eventually trigger Fourth Amendment protections, but that ruling is years away. Until then, the data is accessible.


The post-Dobbs reality

The legal risk changed in June 2022. The Dobbs decision eliminated the federal constitutional right to abortion, which meant that state prosecutors in jurisdictions with abortion bans could theoretically use period tracking data, location history, and health metrics to build cases against patients and providers.

The response from the wearable industry was predictable. Period tracking apps like Flo and Clue rushed to publish blog posts about data privacy. Oura added an FAQ stating that users could delete their data. Fitbit and Apple emphasized encryption and user control. None of them addressed the core problem: the data was still on their servers, and a valid subpoena in a jurisdiction with an abortion ban would still compel production.

The hypocrisy was not subtle. Flo Health, one of the largest period tracking apps, had already settled with the Federal Trade Commission in January 2021 for sharing users' health data with Facebook, Google, and other analytics firms. The company told users their data was private while simultaneously sending ovulation dates and pregnancy status to advertising networks. After Dobbs, Flo added an "anonymous mode," but the underlying business model (collect health data, monetize through partners) did not change.

The Pentagon's 2025 contract with Oura added another dimension. When a government agency purchases wearable data for military personnel, it creates a template for how that same data might be accessed in other contexts. The contract was framed as a wellness initiative, but the infrastructure it builds (centralized health monitoring, cloud aggregation, longitudinal biometric records) is the same infrastructure that would produce data in a court case, a security clearance review, or an insurance dispute.

The risk is not hypothetical. In 2018, Strava published a global heatmap of running routes uploaded by users. The map revealed the locations and perimeter patrol routes of U.S. military bases in Syria, Afghanistan, and Iraq. The data was anonymized in aggregate, but the underlying GPS traces were uploaded by individual soldiers wearing consumer devices. The Pentagon did not know the bases were visible until journalists pointed it out.

If a public heatmap can expose classified military locations, a subpoena can certainly expose an individual's ovulation cycle, their heart rate during a specific night, or whether they left their home state during a specific week.

What Pulsyn does differently

The problem is architectural, not policy-based. Every company that stores your health data in the cloud can be subpoenaed. The only way to make that subpoena worthless is to ensure the company never has the data in the first place.

Pulsyn stores health data locally on your phone in a SQLCipher-encrypted database. The encryption key is derived from your PIN using 600,000 PBKDF2 iterations, which is the OWASP 2023 recommendation for HMAC-SHA256. We do not know your PIN. We do not have a backdoor. We do not have a copy of your database. If someone serves us a subpoena for your sleep stages or your heart rate variability, the most complete and accurate response we can give is: we do not have it.
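The key derivation described above, as an added example that is not Pulsyn's own code: it stretches a PIN with PBKDF2-HMAC-SHA256 at 600,000 iterations and shows how PIN length, not the iteration count alone, sets the cost of offline guessing. The function names, the 16-byte per-install salt and the use of SQLCipher's raw-key PRAGMA are assumptions; the article does not say how the key is handed to SQLCipher.

```python
import hashlib
import os
import time

ITERATIONS = 600_000  # figure quoted in the article for PBKDF2-HMAC-SHA256
KEY_LEN = 32          # 256-bit key for SQLCipher's AES-256
SALT_LEN = 16         # assumption: random per-install salt kept beside the DB


def derive_db_key(pin: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Stretch a PIN into a 256-bit database key with PBKDF2-HMAC-SHA256."""
    if len(salt) < SALT_LEN:
        raise ValueError("salt must be at least 16 random bytes")
    return hashlib.pbkdf2_hmac("sha256", pin.encode("utf-8"), salt,
                               iterations, dklen=KEY_LEN)


def sqlcipher_raw_key_pragma(key: bytes) -> str:
    """Format a derived key in SQLCipher's raw-key syntax (x'<64 hex chars>')."""
    if len(key) != KEY_LEN:
        raise ValueError("raw key must be exactly 32 bytes")
    return f"PRAGMA key = \"x'{key.hex()}'\";"


def measure_derivation_seconds(iterations: int = ITERATIONS) -> float:
    """Time one derivation on this machine (the per-guess cost of the KDF)."""
    salt = os.urandom(SALT_LEN)
    start = time.perf_counter()
    derive_db_key("000000", salt, iterations)
    return time.perf_counter() - start


def exhaustive_search_seconds(pin_digits: int, seconds_per_guess: float) -> float:
    """Upper bound on offline guessing time: every numeric PIN, one KDF run each."""
    return (10 ** pin_digits) * seconds_per_guess


if __name__ == "__main__":
    salt = os.urandom(SALT_LEN)          # constructed sample values
    key = derive_db_key("493817", salt)  # constructed sample PIN
    print(f"derived {len(key)}-byte key for the raw-key PRAGMA")
    per_guess = measure_derivation_seconds()
    for digits in (4, 6, 8, 10):
        hours = exhaustive_search_seconds(digits, per_guess) / 3600
        print(f"{digits}-digit PIN: {hours:,.1f} hours at {per_guess:.2f}s per guess")
```

The estimate is for a single core; the iteration count only multiplies the per-guess cost, so the protection a local database gets scales with the length of the PIN chosen.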

Our optional premium tier includes cloud AI, but the cloud models only process data you explicitly choose to upload for advanced analysis. The default is local. The baseline is private. The subscription is not a requirement to use the device, which means the data extraction model (cheap hardware, expensive ongoing data harvesting) does not apply to Pulsyn's business.

The distinction matters. Companies that rely on recurring subscription revenue from health data have an incentive to collect as much data as possible, store it indefinitely, and resist deletion requests that would reduce the value of their dataset. Oura, Whoop, and Fitbit all operate on this model. The subscription is not just for features. It is for the continued accumulation of your biometric history. When you cancel, you do not just lose features. You lose access to the data they collected about you, which remains on their servers.

I am not claiming local-first storage is bulletproof. A local database on your phone can still be subpoenaed from you directly, and a sophisticated adversary with physical access to your unlocked device could extract it. But that is a much higher bar than sending a one-page subpoena to a San Francisco server farm. The difference between "subpoena the company" and "subpoena the individual, then crack AES-256 encryption" is the difference between mass surveillance and targeted investigation.

The wearable industry has spent a decade teaching users to upload everything. The cloud was sold as a convenience: sync across devices, backup your data, share with your doctor. What was not advertised was the legal exposure. When you agree to terms of service, you are not just giving a company permission to store your heart rate. You are giving them custody of evidence that can be demanded by a court.


The honest part I am unsure about

I think local-first storage is the right answer for health data, but I am less certain about how the legal system will treat it. Courts have not yet ruled extensively on whether compelling a defendant to unlock an encrypted local database violates the Fifth Amendment right against self-incrimination. Some rulings suggest that biometric unlocks (fingerprint, face) are not protected, while PINs and passwords might be. The case law is patchy and varies by federal circuit.

What I do know is that a company cannot be compelled to produce data it does not possess. That is not a legal theory. It is a physical fact. And in a world where prosecutors are learning to treat wearables as silent witnesses, the physical fact matters more than the privacy policy.


About the author

James Hoffmann is the founder of Pulsyn. He has been reverse-engineering BLE health devices and their data architectures for two years.

