Researchers found that Strava’s heatmap feature could lead stalkers to users' homes

Setting your account to private mode does not mean your Strava data is private
The most active Strava users are easier to identify.
Photo: Mohamed Abd El Ghany (Reuters)

Fitness tracking app Strava’s heatmap feature has raised safety concerns over potentially leading threat actors to users’ home addresses.

The feature, which helps users find hiking and running routes, popular exercising hotspots, and even hiking mates, was added to the app in January 2018 to improve user experience.

The feature is based on GPS data and is updated every month. It compiles data from the previous two years, aggregating them into a single map highlighting active areas with bright yellow and white lines.

A month after the feature’s inclusion, Strava provided an opt-out option after learning that it could prove to be a privacy and safety risk to its more than 100 million users.

The main concern was that the global heatmaps were also exposing secret or sensitive information. Five years ago, a student from Australian National University found that the feature revealed the locations of military bases.

However, there is a more critical and immediate problem.

Privacy and safety concerns

The real safety problem with Strava’s heatmap feature is that stalkers and predators could use it to track users to their home addresses and commit felonies. This is because it lets users share their workout routines and running routes with followers.

A study published last month by researchers at North Carolina State University in Raleigh has now identified privacy risks that the heatmap feature presents.

“Strava users expect their personal information to be protected, and our work shows that this is not always the case,” said Anupam Das, senior author of the paper. “This could be particularly problematic for users concerned about stalkers or have other reasons to desire that their location data be kept from the public.”

The study found that all Strava users of a given area can be looked up—one can even know where each anonymous user’s route begins and ends.

Making a Strava account “private” doesn’t help 

“In a densely populated area, with lots of routes and lots of users, there is so much data that it would be difficult to track any specific person,” Das said in a statement. “However, in areas where there are few users or few routes, it becomes a simple process of elimination, particularly if the person someone is looking for is a highly active Strava user.”

Das explained that “marking an account private doesn’t necessarily provide additional protection against this tracking technique.” This has left many users confused and concerned about safety.

While Strava stresses that its heatmaps use only aggregate data, making it impossible for anyone to capture private information, Das’s team found vulnerabilities.

“We did reach out to Strava about this, and the company has said it does not share heatmap data unless several users are active in a given area,” said Kevin Childs, first author of the study paper. “However, we were still able to identify the home addresses of some users in certain areas using the heatmap and confirmed those identifications using voter registration data.”