When the fitness tracking app Strava released its Global Heatmap last November, it’s hard to imagine them weighing the risks of revealing military secrets. But thanks to the internet sleuthing of a 20-year-old Australian student Nathan Ruser—and a story published yesterday by the Washington Post—that’s exactly what has happened.
The Heatmap aggregates activity of Strava’s users all around the globe, and shows which places are the hottest, or most active. In addition to expected hubs of hyper-activity like San Francisco or Manhattan, it also clearly shows places where athletes are working out in the middle of nowhere—such as Kandahar Airfield in Afghanistan.
While the Heatmap feature does not reveal the identity of the users, even the release of aggregate and anonymized user information has troubling implications, said Tobias Schneider, an international security analyst. The Washington Post determined from Schneider’s interview that “the data… offers a mine of information to anyone who wants to attack or ambush US troops in or around the bases.”
This is not the first time Strava’s privacy settings have attracted negative attention. Last summer, I noticed that male strangers were liking my workouts on the app, despite the fact that I’d enabled what’s called Enhanced Privacy. Because I tend to run the same few routes close to my house regularly—and because, as an urban female who also works on the internet, I am used to all manner of privacy invasion—I grew both concerned and curious. I reached out to Strava and wrote a story for Quartz on the implications of the app’s confusing privacy settings.
While my piece did not focus on Strava’s Heatmap feature hitting the headlines now, it was based on the same concerns. In essence: If you use the app in the default way it’s designed to be used—a social network meets a fitness tracker—you could unknowingly be broadcasting an alarming amount of habitual, location-specific information. That fact, one can assume, is how so many users ended up broadcasting their location from military bases or sensitive locations without realizing it.
This morning, when I created a brand new account with a different email than the account I normally use, I was automatically opted into Heatmaps (see blue tick box below), rather than being asked to consent first. This was via the browser and was not an option in the app, but more this later.
On July 28 last year—one day after I interviewed Strava communications lead Andrew Vontz for my story, and four days before my piece on Quartz was published, on August 1—Strava published this blog post clarifying how to use their privacy policy. Since then, it appears they have also updated the language in the app explaining their privacy settings (Update: Strava confirmed for Quartz that they made this change in November of last year). While this may be a positive step, the onus is still very much on you, the user, to make sure you know how your location-based activity is being used. If you’re concerned about how your data on Strava is being used, here’s what you need to know.
The default option: If you set up a Strava account and do nothing, your workout activity, name, and photos are visible to everyone. Anyone can follow you and see your photos, and logged-in users can also download your activities (which include very granular analytics). While Strava likens this public mode to a public Twitter account, the habitual and location-based nature of the app makes it rather different. Depending on how much you use Strava, there is potentially a lot of information to be gleaned about your physical whereabouts from a public profile.
Complete lockdown: On the other end of the spectrum, toggling on “Private by Default” means that no one will see your workouts except for you. In other words, it’s in single-player mode. While this may be helpful for some who simply want to use a fitness tracker, it also strips the app of any social experience whatsoever—even those you want to share your workouts with can’t see them. So it’s not particularly helpful if, like me, your goal is to share your workouts with friends, family, and other people you know.
Enhanced Privacy: While it sounds promising, Enhanced Privacy is far from holistic privacy. While it does prevent people from seeing all your workouts in their feed unless you’ve allowed them to follow you, it does not prevent details or portions of your workouts from showing up elsewhere in Strava’s data—sometimes with your name attached. In addition, if you share a direct link of your activity on social media, anyone can view it.
With Enhanced Privacy enabled, you still need to actively toggle on three things in the in-app privacy settings—Hide from Leaderboards, Hide from FlyBys, and Group Activity Enhanced Privacy–to make sure strangers who do not follow you can’t see details of your workouts. (This is now clarified when you click through to read about Strava’s privacy settings; last July when I reported my story, it wasn’t). You also need to avoid a main feature of the app, Challenges, because your activity could end up on leaderboards if you don’t (and there is no disclaimer when you join one, either.) Even once you do all this, as Strava notes, “your profile can still be found using our athlete search” albeit your identity will be somewhat anonymized.
In app versus browser: For reasons unclear, Strava only allows you to control certain privacy settings in the app. If you really want to take control of all your Strava privacy permissions, you need to take the extra step of logging into your account in your browser. Once you’re there, you need to ensure your Training Log is not public, opt out of contributing to the Heatmap, and set up any “Hidden Locations,” such as your home or office. This last step is key, and prevents people seeing exactly where you start and stop your workouts (i.e. your front door).
When my piece was published in August, some people (notably all men) told me I was being paranoid or turning a technical issue into a feminist one. Turns out, the location-based privacy of fitness apps is important to other people too—like the US Central Command, who are reportedly investigating the matter. As a response, Strava would do well to streamline their policy and make features like Heatmap opt-in by default, rather than opt-out.