In November, fitness tracking app firm Strava released what it described as a “most
beautiful” dataset – a heatmap of more than 3 trillion individual GPS
data points, as their users run, cycle, and hike across the globe.
And I agree it’s very beautiful and can certainly
see how it might be useful to other fitness fans, who want to see the most
popular exercise routes in their city. But this weekend concerns were raised
that the level of detail contained within the data visualisation app might
actually have an ugly side.
The alarm was first raised by Nathan Ruser, a
20-year-old Australian student and analyst at the Institute for United Conflict
Analysts, who in a series of Twitter
posts demonstrated that Strava’s heatmap appeared to reveal the
movement patterns of security forces at remotely-located military bases.
“It looks very pretty, but not amazing for Op-Sec.
US Bases are clearly identifiable and mappable”
As Ruser pointed out, it wasn’t just US military
bases which were potentially drawing attention to themselves as soldiers jogged
and patrolled.
All of this data comes through Strava, an app that
works with smartphones and fitness trackers to form a “social network for
athletes.”
But just as soldiers would be wise about what they
share on social networks, so they should take care about the information they
might be sharing with the internet through their Fitbit.
One would hope that soldiers on military operations
are ordered to take off fitness trackers which might be leaking their location,
and disable potentially risky apps on their smartphone, but it’s easy to
imagine how such things could sometimes be overlooked. And from the evidence
produced by Ruser, many have not considered that their fitness tracking when
off duty could also be considered a potential problem.
A separate issue to consider is whether identities
are also being put at risk. As security researcher Steve Loughran explains in a
blog post, although many might believe
that the data has been totally anonymised, it’s not as simple as that.
Loughran describes how – after he uploaded faked
data of a run around the UK’s Faslane Nuclear Submarine Base – you can get
Strava to cough up details of the area’s top runners:
“Once Strava has gone through its records, you’ll
be able to see the overall top 10 runners per gender/age group, when they ran,
it who they ran with. And, if their profile isn’t locked down enough: which
other military bases they’ve been for runs on.”
Makes you think again about the wisdom of using
your real name when you registered an account with Strava, doesn’t it?
If you use Strava, take a minute to read Rosie Spinks’
article at QZ where she details the privacy options available
to you (by default your workout activity, name, and photos are visible to
everyone).
Strava, for its part, has said in response to the
headlines that it is “committed to helping people better understand our settings
to give them control over what they share.”
Meanwhile, users of fitness collecting apps like
the Fitbit, Garmin, and Runkeeper would be wise to check out the tips ZDNet has shared.
And remember, fitness trackers aren’t the only
devices mapping your every move. Virtually all of us are carrying a powerful
computer in our pocket which has the ability to monitor our movements with
staggering and unblinking accuracy if we allow it. And unless you have taken
care to block apps from scooping up your location, you may be in for some
shocks.
For instance, as The Guardian describes, Google Maps has over one billion
users. And, if you haven’t told it not to, Google is keeping track of where
you go, every single day, in a timeline that stretches back much further than
your memory.
Be mindful of the information you are allowing to
be shared with internet companies. You have a choice. Use it.