Yesterday, the Guardian picked up that the global heatmap released by Strava last November showed rather more detail than some people would like.
In particular, the outlines and internal layout of western-military bases in Afghanistan were clearly visible (the photo at the top of this post is a cracking example), as were the outposts of various humanitarian organisations. People, in other words, who have a clear interest in not publicising that at 7am every Wednesday, they take a jog down to the river protected by just their running gear.
My initial reaction was that anyone who puts their life at risk by letting other people know their whereabouts is making a major mistake in using a website whose purpose is to track and publicise your location. No matter what privacy settings you have selected, if the release of the data threatens your life or wellbeing in a major way, don’t put it online. That applies just as much to gps tracks as it does to compromising photos…
I tweeted as much, and I stand by that.
— Rob (@Darkerside) January 29, 2018
However, there’s more here.
Strava released a blog post today, trying to damp down on the news. The core of that was that their privacy settings allow people complete control of how their data is used.
In building [the heatmap], we respected activity and profile privacy selections, including the ability to opt out of heatmaps altogether
I have two issues with that statement’s accuracy.
Firstly, the setting that controls whether your data is shown on the global heatmap is controlled by this checkbox on the website:
So far, so good. Uncheck, and our data is off the heatmap.
However, I can’t find any way to access that setting through the Android app. Here’s the entirety of the privacy setting screen:
So you can’t opt out of the heatmap on Android, and I’m willing to be iOS is the same.
It’s now entirely possible to use Strava without ever using a desktop browser (indeed, photo upload has only been possible on the apps until very recently). Not having a basic security setting visible across all platforms is a major issue, particularly for users in overseas military bases who are, presumably, far more likely to just be using the app than a desktop PC.
You could start using Strava having downloaded the app, create an account through the app. and never know that this privacy setting existed, even if you diligently checked all the options available.
That’s not good.
More seriously, the setting description on the web implies that even if you lock down your account as far as you believe to be possible in the app (“single player mode”, as Strava describe it), your data is still added to the heatmap. It’s described as “anonymous”, but I’d argue that the quality of that anonymity is pretty rough if there’s a trace that leaves a US military base every morning for a jog around the vicinity. Yeah, it might not show your name, but your safety is definitely compromised.
That information is just based on my reading of the setting descriptions, but it seems likely. I’ve got a support ticket in with Strava to clarify – if they ever get back to me I’ll update the post.
Don’t trust web companies with data that, if compromised, puts your life in danger.
If you do work in a place where being attacked is a real risk, check the Strava global heatmap. If there’s a lonely trace along your route, even if that trace isn’t you and you’ve never used Strava, change your route, time and habits.
Strava. Sort your approach to privacy out.
Happily, the most aggressive thing I’m likely to encounter on a run is a confused cow, and they’re not known for their espionage abilities.