In November, fitness tracking app firm Strava released what it described as a “most beautiful” dataset – a heatmap of more than more than 3 trillion individual GPS data points, as their users run, cycle, and hike across the globe.
And I agree it’s very beautiful and can certainly see how it might be useful to other fitness fans, who want to see the most popular exercise routes in their city. But this weekend concerns were raised that the level of detail contained within the data visualisation app might actually have an ugly side.
The alarm was first raised by Nathan Ruser, a 20-year-old Australian student and analyst at the Institute for United Conflict Analysts, who in a series of Twitter posts demonstrated that Strava’s heatmap appeared to reveal the movement patterns of security forces at remotely-located military bases.
“It looks very pretty, but not amazing for Op-Sec. US Bases are clearly identifiable and mappable”
As Ruser pointed out, it wasn’t just US military bases which were potentially drawing attention to themselves as soldiers jogged and patrolled.
Not just US bases. Here is a Turkish patrol N of Manbij pic.twitter.com/1aiJVHSMZp
— Nathan Ruser (@Nrg8000) January 27, 2018
All of this data comes through Strava, an app that works with smartphones and fitness trackers to form a “social network for athletes.”
But just as soldiers would be wise about what they share on social networks, so they should take care about the information they might be sharing with the internet through their Fitbit.
One would hope that soldiers on military options are ordered to take off fitness trackers which might be leaking their location, and disable potentially risky apps on their smartphone, but it’s easy to imagine how such things could sometimes be overlooked. And from the evidence produced by Ruser, many have not considered that their fitness tracking when off duty could also be considered a potential problem.
A separate issue to consider is whether identities are also being put at risk. As security researcher Steve Loughran explains in a blog post, although many might believe that the data has been totally anonymised, it’s not as simple as that.
Loughran describes how – after he uploaded faked data of a run around the UK’s Faslane Nuclear Submarine Base – you can get Strava to cough up details of the area’s top runners:
“Once Strava has gone through its records, you’ll be able to see the overall top 10 runners per gender/age group, when they ran, it who they ran with. And, if their profile isn’t locked down enough: which other military bases they’ve been for runs on.”
Makes you think again about the wisdom of using your real name when you registered an account with Strava doesn’t it?
If you use Strava, take a minute to read Rosie Spinks’ article at QZ where she details the privacy options available to you (by default your workout activity, name, and photos are visible to everyone).
Strava, for its part, has said in response to the headlines that is “committed to helping people better understand our settings to give them control over what they share.”
And remember, fitness trackers aren’t the only devices mapping your every move. Virtually all of us are carrying a powerful computer in our pocket which has the ability to monitor our movements with staggering and unblinking accuracy if we allow it. And unless you have taken care to block apps from scooping up your location, you may be in for some shocks.
For instance, as The Guardian describes, Google Maps has over one billion users. And, if you haven’t told it not to, Google is keeping a track of where you go, every single day, in a timeline that stretches back much further than your memory.
Be mindful of the information you are allowing to be shared with internet companies. You have a choice. Use it.
Author Graham Cluley, We Live Security