Strava's fitness heatmaps are a 'potential catastrophe'

From Engadget - February 2, 2018

I am not sure how many times we need to go through this. The trifecta parable of confusing privacy settings, post-publication safety considerations and the requirement of major headlines for companies to give a s**t. It's as if the makers of Strava and its ilk are living in a completely different internet.

Let's be clear: Fitness apps have a massive privacy problem. MapMyRun, Nike + RunClub and Strava (to name a few) all come with scary default privacy settings that are combined with mapping tools. These apps are a dream come true for stalkers, terrorists and spies.

And yet, nearly 10 years after Please Rob Me made a devastating mockery of Silicon Valley's reckless location-sharing mania (it used publicly available social-media information to show when people's homes were vacant), Strava just burps and says, "Hold my beer."

Strava's global heat maps have been around for a while but got a big update in November 2017 boasting "1 billion activities" and "3 trillion latitude/longitude points" mined from "10 terabytes of raw input data" from its users. (Spoiler alert: unsuspecting user plot twist ahead. We will probably never know how much of this inadvertent sharing came from Strava's carelessly confusing privacy settings.)

Yet it was the observations of one national-security-policy nerd on Twitter over the past weekend that got all the infosec chickens clucking. "Strava released their global heatmap," tweeted Nathan Ruser. "13 trillion GPS points from their users (turning off data sharing is an option) ... It looks very pretty, but not amazing for Op-Sec. US Bases are clearly identifiable and mappable."

And Strava's location data patty-cake playtime with the data of its "global community of millions of runners, cyclists and triathletes" who use Fitbits and phones is amazing. For spies and bad guys, that is.

With the data, press reported that it's possible to "establish the names and hometowns of individuals who have signed up for a social sharing network where runners post their routes and speeds." One popular route on a base in Iraq has been nicknamed "Base Perimeter" by the U.S. runners who regularly use it. Another, outside the big U.S. base in Kandahar, Afghanistan, is called "Sniper Alley."

If only someone in the San Francisco startup's offices had foreseen this. Except they sort of did. People had for months been trying to tell Strava that its privacy protocols were dangerous and that its maps were just a little problematic.

These issues with Strava had been well-established by at least July of last year when a female runner and journalist exposed the company's very real privacy problems in an article for Quartz. I think the article was overlooked and largely ignored because the app's fairly dangerous privacy mess was described as a "feminist issue." As in, it got shuffled off as a women's problem.
