Why Strava’s fitness tracking should really worry you

Jan. 29, 2018

As concern about Strava’s fitness tracking spreads like a contagion, thanks to the apparent exposure of U.S. military bases, there are good reasons for the general user to be concerned about the privacy of the popular fitness app and its competitors.

That’s according to cybersecurity and privacy researcher John Scott-Railton, who told Forbes Strava could’ve done a better job of explaining the potential privacy impact of its products to users. “It’s almost impossible to anonymize individual location data. Moreover, even aggregate location data can still contain important signals about private and even secret things,” Scott-Railton said.

The ability to take publicly-shared location tracking data from Strava and use it to map out military locations was revealed by Australian student Nathan Ruser, who raised concerns over the weekend of Jan. 26, though the maps were live as of November 2017. It is possible to turn off data sharing in Strava, which led to questions about why military personnel were sharing the information in the first place.

The Strava maps light up the routes taken by those among its 27 million users who did not turn off data sharing. Whilst the map carries no names, it is possible to piece the aggregate data together to reveal details about users’ lives.

In a blog post, in which he dubbed the problem “Fit Leaking,” Scott-Railton said he looked at a portion of the available Strava data (all 1.3 terabytes of it) and was able to “identify several covert and non-declared operating bases, diplomatic outposts, and possible intelligence facilities in several ongoing conflict zones in Africa and the Middle East.” In one case, he was able to look at activity in what’s believed to be a drone warfare facility in the Middle East; in another, at routes around a Russian embassy in Damascus, Syria. Indeed, in Syria, it was possible to find possible routes between undeclared bases as well as regular patrol routes, he added. Others have found military bases in Taiwan and Afghanistan. Such information could be useful for anyone planning an attack.

Scott-Railton also believes it’s possible, where there’s a low density of tracking information, to determine individual user identities. For instance, he was able to look at a single Californian’s jogging routes from their house and around a regular circuit.
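The two points above, that aggregating tracks into a heatmap does not anonymise them where data is sparse, and that a lone runner's home falls out of their loop, can be shown on a small constructed dataset. The Python below is an added illustration for this article, not Strava's code and not Scott-Railton's method; the grid cell size, the coordinates, the user names and the three-contributor publishing threshold are all assumptions chosen for the demo.

```python
from collections import defaultdict

# Grid cell size in degrees. 0.001 deg is roughly 100 m of latitude; the value is an
# assumption for this illustration, not Strava's real heatmap resolution.
CELL = 0.001


def cell_of(lat, lon):
    """Snap a GPS point to a (row, col) grid cell."""
    return (int(round(lat / CELL)), int(round(lon / CELL)))


def loop_track(home_lat, home_lon, n_cells=3):
    """Constructed rectangular loop that starts and ends at the same point (the runner's home)."""
    pts = [(home_lat, home_lon)]
    for i in range(1, n_cells + 1):                       # east leg
        pts.append((home_lat, home_lon + i * CELL))
    for j in range(1, n_cells + 1):                       # north leg
        pts.append((home_lat + j * CELL, home_lon + n_cells * CELL))
    for i in range(n_cells - 1, -1, -1):                  # west leg
        pts.append((home_lat + n_cells * CELL, home_lon + i * CELL))
    for j in range(n_cells - 1, -1, -1):                  # south leg, back to home
        pts.append((home_lat + j * CELL, home_lon))
    return pts


# Constructed sample: one person who runs the same loop from home three times in a sparse
# area, and five people who share one loop from a park gate. Coordinates are hypothetical.
SOLO_HOME = (37.7750, -122.4180)
PARK_START = (37.8000, -122.4500)
TRACKS = [("solo_runner", loop_track(*SOLO_HOME)) for _ in range(3)] + \
         [(f"park_user_{n}", loop_track(*PARK_START)) for n in range(5)]


def build_heatmap(tracks):
    """Aggregate tracks per cell: how many GPS points landed there and which users contributed."""
    heat = defaultdict(lambda: {"hits": 0, "users": set()})
    for uid, pts in tracks:
        for lat, lon in pts:
            entry = heat[cell_of(lat, lon)]
            entry["hits"] += 1
            entry["users"].add(uid)
    return heat


def publish(heat, min_users):
    """What the public map shows: hit counts per cell, but only for cells that at least
    `min_users` distinct people contributed to. min_users=1 publishes everything."""
    return {cell: e["hits"] for cell, e in heat.items() if len(e["users"]) >= min_users}


def candidate_homes(published):
    """Attacker's view, using the published map only. Group lit cells into connected
    clusters (4-neighbour adjacency) and return the hottest cell of each: in a lone
    runner's loop that is the cell crossed twice per run, i.e. where runs start and end."""
    remaining = set(published)
    homes = []
    while remaining:
        seed = remaining.pop()
        cluster, stack = {seed}, [seed]
        while stack:
            r, c = stack.pop()
            for nb in ((r + 1, c), (r - 1, c), (r, c + 1), (r, c - 1)):
                if nb in remaining:
                    remaining.remove(nb)
                    cluster.add(nb)
                    stack.append(nb)
        homes.append(max(cluster, key=published.__getitem__))
    return homes


if __name__ == "__main__":
    heat = build_heatmap(TRACKS)
    for k in (1, 3):
        pub = publish(heat, k)
        print(f"min_users={k}: {len(pub)} cells published, "
              f"solo home exposed={cell_of(*SOLO_HOME) in candidate_homes(pub)}")
```

With `min_users=1` every cell is published and the solo runner's home cell is the hottest cell of an isolated cluster, so it is recoverable without any name attached. With `min_users=3` the whole solo cluster is suppressed while the park loop, shared by five people, still appears. A distinct-contributor threshold of this kind is the usual mitigation for aggregate location releases; it is not what this article says Strava did, and it still leaks when a sparse region holds only a handful of people who all live in the same place.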

He said that whilst it was understandable people were questioning why military personnel hadn’t turned off data sharing, some of the blame lies with Strava, which keeps an extraordinary amount of revealing information on its customers. “Part of the answer is probably that Strava users felt more private than they actually were,” he added. “This says a lot about how Strava presented privacy choices to users. The platform can see everything, even if you flag things, such as don’t share … Strava just lifted up the curtain in a pretty reckless way on what a location-aware platform can see.”

It’s unclear if Strava conducted any kind of risk assessment when it chose to release the data and it should now expect further impact if more attempts to de-anonymize users are made, said Scott-Railton. The company might want to consider pulling the maps offline entirely, he added.

Now that Strava has lifted that curtain, there are questions about what other platforms have detailed information on all kinds of people, whether military personnel or others who’d be wise to keep their daily lives private. Scott-Railton wondered whether military contractors were turning off location services when using Android phones.

Forbes has the full story
