Threat model: what does serious threat-modelling for personal nutrition data look like?
Who could plausibly want your calorie diary, what they could do with it, and how worried to be.
Why threat-model nutrition data at all
People dismiss “calorie diary” as low-stakes data. It is not.
Nutrition data is high-frequency (multiple events per day), longitudinal (years of trend), and biometrically linked (weight, body composition, sometimes glucose). It correlates with health status, eating disorders, lifestyle, demographic identity, religion (Halal/Kosher patterns, Lent), and addiction recovery (alcohol consumption logs). A complete diary is more revealing than most people’s social media.
The question isn’t whether the data is sensitive. The question is who plausibly wants it and what they could do.
Threat actors
We’ll enumerate the realistic ones, in roughly descending order of the probability that you’ll encounter them.
1. The app operator itself (Tier 1)
Probability: certain. Impact: variable.
Every commercial nutrition app holds your data. Some monetise it (Noom, MFP via behavioural-ad sharing). Some don’t (Cronometer, by stated policy and observed traffic). All of them retain it past the point of usefulness to you.
Mitigations: file deletion requests, choose operators with less aggressive policies, self-host.
2. Ad-tech ecosystem partners (Tier 1)
Probability: certain if you use an app with behavioural-ad sharing. Impact: ambient — your “interest profile” gets richer.
DSPs (Demand-Side Platforms), DMPs (Data Management Platforms), and identity-graph providers all aggregate behavioural events. A “logged a high-carb meal” event from MFP becomes a feature in your ad-targeting profile and feeds the broader ad ecosystem.
Mitigations: avoid apps with behavioural-ad sharing; use CCPA “do not sell or share” if eligible; use a separate OS profile or e-mail.
3. Data brokers (Tier 2)
Probability: high if you use a worst-class operator. Impact: hard to assess.
The data-broker ecosystem (Acxiom, LiveRamp, etc.) aggregates from many sources. Whether nutrition-app data flows to them directly is murky; it certainly flows indirectly via the ad-tech graph. The data-broker output is purchased by a wide range of buyers, not all of whom are advertisers.
Mitigations: the same as for ad-tech ecosystem partners (2 above); also consider periodic broker opt-outs (DeleteMe, Optery, or by hand).
4. Insurance underwriters (Tier 3)
Probability: variable. Impact: significant.
Health and life insurance underwriters do purchase aggregated lifestyle data. Whether they use granular calorie-tracking data in pricing decisions is something the industry does not openly discuss. The general direction of regulation in the US has been to permit this; in the EU, less so.
The realistic risk: a person logging a frequent high-alcohol pattern, an eating-disorder pattern, or a substance-recovery pattern might see this reflected in life or health insurance pricing if the data leaks (via brokers) to underwriters. We do not know of a clean documented case, but the data flows make it plausible.
Mitigations: don’t log substance use in a tracker that has any cloud component. Self-host. Be wary of “wellness program” employer integrations (next).
5. Employer wellness programs (Tier 3)
Probability: variable. Impact: significant.
US employers increasingly offer “wellness programs” with premium discounts tied to participation. These often integrate with consumer apps. The participation is technically voluntary but the discount is meaningful enough that “voluntary” has limits.
The realistic risk: data from your work-incentivised tracker integrates with the employer’s wellness vendor (Vitality, Wellness Corporate Solutions, etc.), which provides aggregate stats to the employer but in some cases more granular data on request. Read the wellness vendor’s terms before opting in. Most employees do not.
Mitigations: don’t link your work-incentivised account to your personal one. Don’t integrate any tracker you actually use with the wellness program. Use a throwaway account if the discount is enough to bother with.
6. Stalkers / abusive ex-partners (Tier 4)
Probability: low for most people, high for some. Impact: severe.
Account-takeover by a partner who has your password is a non-zero threat. Calorie diaries reveal your daily location patterns (where and when you eat), your menstrual cycle (if logged), your sleep schedule, your stress patterns. For people in domestic-violence situations, this is dangerous.
Mitigations: 2FA on every account. Different passwords per service. A safe-word in your password manager so you can detect compromise. The Coalition Against Stalkerware has good general advice.
7. Law enforcement (Tier 4)
Probability: low for most. Impact: variable.
Subpoenas and warrants against consumer apps are standard in many investigations. Operators comply with valid legal process. If you are likely to be investigated for any reason, your nutrition diary on a US-hosted operator is discoverable.
Mitigations: self-host on hardware in a jurisdiction that fits your threat model. Don’t keep data you don’t need.
8. Nation-state / mass surveillance (Tier 5)
Probability: depends on geography. Impact: variable.
Operators in jurisdictions with mandatory data-sharing regimes (China, parts of the Middle East) effectively share data with the state. Western operators are subject to FISA / national-security letters but the prevalence of “nutrition diaries used in state surveillance” appears low.
Mitigations: choose operator jurisdiction. Self-host where possible.
What you actually need to do
For 95% of readers (no specific threat, no public profile, US/EU jurisdiction):
- Don’t use Noom.
- If you use MFP, turn off ad-personalisation and don’t link Facebook.
- Use 2FA.
- Consider switching to OpenNutriTracker or Waistline.
For people with elevated threat models (public figures, domestic-violence survivors, people in surveilled jurisdictions, people in recovery from substance use):
- Self-host.
- Don’t log the threat-relevant categories. (Don’t log substance use in a cloud tracker, full stop.)
- Use a separate device profile and password manager.
- Read the relevant jurisdictional privacy regime carefully.
For everyone:
- File a periodic data-subject access request to see what’s actually held about you. It’s educational.
- Keep your tracker data minimal. Logging “yogurt” is fine; logging the brand of yogurt and where you bought it is overshare.
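One way to enforce the two data-minimisation rules above (keep threat-relevant categories off the cloud entirely, strip brand/vendor/location from everything else) before a diary export leaves the device. This is an added example, not code from the page or from any tracker it names; the entry format, field names and category labels are constructed assumptions, and a real export (MFP, Cronometer, OpenNutriTracker, Waistline) would need its own adapter.

```python
"""Split a nutrition diary into a minimised cloud-safe part and a local-only part.

Added example; the dict-per-entry format and the field/category names below are
assumptions, not any real tracker's export schema.
"""
from dataclasses import dataclass, field

# Categories the page says should never reach a cloud-synced tracker.
LOCAL_ONLY_CATEGORIES = {"alcohol", "substance", "medication"}

# Fields that identify the entry more than calorie/macro tracking requires.
OVERSHARE_FIELDS = {"brand", "vendor", "location", "geo", "receipt", "note"}


@dataclass
class SplitDiary:
    cloud: list = field(default_factory=list)  # safe to sync
    local: list = field(default_factory=list)  # stays on the device


def minimise_entry(entry: dict) -> dict:
    """Drop overshare fields and coarsen an ISO 'YYYY-MM-DDTHH:MM' time to the hour."""
    kept = {k: v for k, v in entry.items() if k not in OVERSHARE_FIELDS}
    if "time" in kept:
        # Hour-level timestamps still support daily totals but leak less of a routine.
        kept["time"] = kept["time"][:13] + ":00"
    return kept


def split_diary(entries: list[dict]) -> SplitDiary:
    """Route threat-relevant entries to local storage untouched; minimise the rest."""
    out = SplitDiary()
    for entry in entries:
        cats = {c.lower() for c in entry.get("categories", [])}
        if cats & LOCAL_ONLY_CATEGORIES:
            out.local.append(entry)  # never synced, so no need to minimise
        else:
            out.cloud.append(minimise_entry(entry))
    return out


# Constructed sample diary (not real user data).
SAMPLE = [
    {"food": "yogurt", "kcal": 150, "brand": "Acme Greek", "vendor": "Corner Mart",
     "location": "51.50,-0.12", "time": "2024-03-01T07:42", "categories": ["dairy"]},
    {"food": "beer", "kcal": 200, "time": "2024-03-01T19:15", "categories": ["alcohol"]},
    {"food": "rice bowl", "kcal": 600, "note": "lunch with J. near office",
     "time": "2024-03-01T12:30", "categories": ["grain"]},
]

if __name__ == "__main__":
    result = split_diary(SAMPLE)
    print("cloud:", result.cloud)
    print("local only:", result.local)
```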
What you don’t need to do
You don’t need to abandon tracking entirely. The “all consumer software is surveillance” framing is true but unhelpful. Self-hosted FOSS trackers exist; they work; they’re free. The bar for participating in nutrition tracking without giving up the data has gotten lower over time, not higher.
References
- Coalition Against Stalkerware: stopstalkerware.org
- DeleteMe / Optery: data-broker opt-out services.
- GDPR rights walkthrough
- MFP audit
- Noom audit