The popular fitness app Strava drew heavy criticism when it was revealed that its Global Heatmap of activity doesn’t just show the typical routes of residential runners — it also reveals detailed locations of military bases around the world.
A number of recent reports have drawn attention to the obvious privacy issues surrounding Strava’s Global Heatmap — a visualization of more than 1 billion activities and 13 trillion data points. Security analysts took a look at the data and concluded that it constituted a data breach which could reveal very sensitive location information, as the New York Times reported.
The company has responded to the fallout, with Strava CEO James Quarles posting “A Letter to the Strava community.” Quarles addresses a few things the company is doing, but details are vague. One example — “We are committed to working with military and government officials to address potentially sensitive data” — is more of a statement than anything.
In the letter, Quarles does link to a past post from the company, “How to Manage Your Privacy on Strava.” The post gives users details on how to access and control privacy settings. Tips include adding privacy zones, hiding activities from leaderboards, and opting out of Strava Metro and Heatmap sharing altogether.
What To Do
With an app like Strava, users should go into every possible privacy setting to make sure they’re not sharing any data they don’t want to share. It also may help to do as Strava suggests, and create a large privacy zone around one’s house or place of work. When in doubt, switch the toggle off.
Of course, there are other clear answers to this situation, first and foremost being: use another fitness tracking app. And if you’re still concerned about location data, look into using a fitness app that tracks your activity, but doesn’t necessarily map out your runs.
As a Wired UK article points out, the anonymized data within Strava can actually be de-anonymized. While you probably aren’t as concerned as the U.S. military when it comes to giving out precise locations, it’s still worth being aware of what data you’re putting out there — and what you’d rather keep to yourself.