As concern about Strava’s fitness tracking spreads like a contagion, thanks to the apparent exposure of U.S. military bases, there are good reasons for the general user to be concerned about the privacy of the popular healthy living app and its competitors.
That’s according to cybersecurity and privacy researcher John Scott-Railton, who told Forbes Strava could’ve done a better job of explaining the potential privacy impact of its products to users. “It’s almost impossible to anonymize individual location data. Moreover, even aggregate location data can still contain important signals about private and even secret things,” Scott-Railton said.
The ability to take publicly-shared location tracking data from Strava and use it to map out military locations was revealed by Australian student Nathan Ruser, who raised concerns over the weekend of Jan. 26, though the maps were live as of November 2017. It is possible to turn off data sharing in Strava, which led to questions about why military personnel were sharing the information in the first place.
The Strava maps light up different routes taken by those in its 27 million users who didn’t turn off location sharing. Whilst the information is anonymized, it’s possible to piece together the data to reveal details about users’ lives.
In a blog post, in which he dubbed the problem “Fit Leaking,” Scott-Railton said he looked at a portion of the available Strava data (all 1.3 terabytes of it) and was able to “identify several covert and non-declared operating bases, diplomatic outposts, and possible intelligence facilities in several ongoing conflict zones in Africa and the Middle East.” In one case, he was able to look at activity in what’s believed to be a drone warfare facility in the Middle East, whilst looking at routes around a Russian embassy in Damascus, Syria. Indeed, in Syria, it was possible to find possible routes between undeclared bases as well as regular patrol routes, he added. Others have found military bases in Taiwan and Afghanistan. Such information could be useful for anyone planning an attack.
Scott-Railton also believes it’s possible, where there’s a low density of tracking information, to determine individual user identities. For instance, he was able to look at a single Californian’s jogging routes from their house and around a regular circuit.
He said that whilst it was understandable people were questioning why military personnel hadn’t turned off data sharing, some of the blame lies with Strava, which keeps an extraordinary amount of revealing information on its customers. “Part of the answer is probably that Strava users felt more private than they actually were,” he added. “This says a lot about how Strava presented privacy choices to users. The platform can see everything, even if you flag things, such as don’t share … Strava just lifted up the curtain in a pretty reckless way on what a location-aware platform can see.”
It’s unclear if Strava conducted any kind of risk assessment when it chose to release the data and it should now expect further impact if more attempts to de-anonymize users are made, said Scott-Railton. The company might want to consider pulling the maps offline entirely, he added.
Now that Strava has lifted that curtain, there are questions about what other platforms have detailed information on all kinds of people, whether military personnel or others who’d be wise to keep their daily lives private. Scott-Railton wondered whether military contractors were turning off location services when using Android phones.