The Internet Knows Where You Workout

Picture this: Would you tell a stranger the exact location you will be at, at the exact time of day, every day?  Now, imagine sharing this daily information with the entire internet.

Enter the public data sharing of Strava.  I’ll come back to this.

As a Division 1 runner, every mile counts.  Recovery miles, tempo miles, workout miles; all miles have a specific use for us distance runners.  With the emergence of GPS watches and applications such as Garmin Connect and Strava, distance runners now have the ability to monitor and track every step they take.

Data has become king in the distance world of running.  For many in the running community, the use of GPS watches has revolutionized training.  With the constant feedback, an athlete can accurately time and pace their runs and workouts.  Connecting these GPS watches with an application such as Strava or Garmin Connect will create a visual map of these runs and offer even more feedback such as heart rate.  When used consistently, these tools can be a powerful log for athletes when analyzing their training. I am constantly looking back at my runs and training weeks to find areas for improvement.

As mentioned before, Strava is one of the top fitness tracking applications.  The application will automatically sync with your GPS watch and download your workout.  Once complete, the application will release a visual map of your run with pacing and heart rate metrics. Strava is at the forefront of innovation within this niche community of fitness applications.  Due to its popularity and success, Strava has accumulated a trove of data concerning the various daily exercise trends of its users.

In November 2018, Strava released a visualization of this immense data in the form of a heat map.  The map contained over 3 trillion coordinates from over 27 million different fitness device users. At a glance, the idea was an interesting insight into global exercise trends, revealing the most popularly used training routes.  Underneath the beautiful visualization of data lay a national security disaster.

Strava’s release of the heat map revealed not only the most popular areas to train, but consequently the least popular areas to train.  For the normal consumer, this was quickly overlooked as just a byproduct of the original Strava campaign. For the United States Government and multiple other global security agencies, the release was startling.  Out on the Internet for all to see were the fitness habits of top-secret government operatives, perfectly tracing their daily movements around some of the most secretive government bases in the world. The map revealed the walking patterns of border patrol officers walking around the US & Mexican border.  Area 51 was perfectly outlined in the Strava map. GCHQ, the British National Security base for electronic spying, was mapped as well. Finally, potentially the scariest mappings were the jogging activities and troop movements of the US Army in war zones, giving a grave insight into the daily habits of the armed forces.

This caused an uproar within the US Government as government aides attempted to purge the internet of their troops’ daily movements.  Unfortunately, the damage was already done. Ned Price, a former special assistant to President Obama, said in a tweet that “capable adversaries have almost certainly harvested this data for years.”  This begs the inevitable question: Where does the responsibility fall?

As a Strava user, I looked into the privacy policies myself.  The large majority are set to public, including the all-important location data sharing.  Additionally, the privacy settings are not easily found or enacted. The issue arises with the default setting being the public sharing of data.  For the vast majority of the users of Strava, their understanding of this data is similar to any social media platform. Yet, the danger of Strava’s data comes at a greater price than a simple Tweet.

Being public on a fitness app such as Strava displays the daily habits of your life down to the exact location.  For the troops in war zones or secret forces underground in the UK, this can turn deadly. Undoubtedly, the intent of these government officials was not to publicly share their data, but the option was not turned off or stayed on unknowingly.

Where does the line get drawn between the company’s responsibility and its users’ own responsibility?  With the power of Strava’s location-based data, it would seem the company’s responsibility is greater, as this data provides insight into the widely private lives of its users.  Additionally, the default setting is public, so simple ignorance allows it to stay that way, constantly dumping location data onto the social platform.

Strava has put the responsibility on the user to make their lives private, which in many cases wipes its hands clean of the issues.  Yet, when dealing with this type of insight, Strava and other similar companies may want to debate the level of removal from the situation.  For one, the US Government and other agencies have reviewed their policy on fitness trackers. For the individual consumer, we must be aware of the data we are allowing to be shared.  Strava’s stance is that its platform allows for privacy (if you know where to look and how to activate it). With this stance coming from our platforms and companies, the burden is on us as users to double-check our settings and preferences.

A stark reminder that the simple 4-mile jog you do every single day may not be the best thing to share publicly.

10 comments

  1. Upon first reading this post, I was baffled as to why secret government operatives and US Army troops would be using this application in the first place. To me, it seems that even before Strava decided to release their global heat map to the public that it would be a breach of security for even the company itself to have this data at all. On the other hand, then I remember that these individuals are probably just regular people like you and me in the sense that all they wanted to do was improve themselves and their training with detailed feedback. I’m sure they never would have expected anyone else to care about this information, never mind publish it for the entire world to see. I also see how a great deal of responsibility should be taken by Strava in that this data should have been delicately combed through before its release. Despite its privacy policy and settings, surely they should have known that not all users would appreciate their mappings being made public for a wide variety of security reasons.

  2. The unintended consequences of technology are always interesting to me. I’m sure Strava didn’t really intend for the data to reveal secret bases, but they wanted the users posting about their accomplishments to drive awareness. It’s always a double edged sword.

  3. Wow, I never really thought about fitness tracking apps in this context. I personally love using map my run, but I never thought about how public my runs are, especially since they have a feed of people’s workouts in my area. I agree that in a way apps like Strava get away with what they do because you can opt out of having your data be public, but I agree with you that they also have a responsibility to protect sensitive data. Great insight into a topic that not many of us have given true thought to and I think you sum this up really nicely with your last line.

  4. I remember following the media blitz surrounding Strava’s user route release last winter. Nearly all of the coverage that I saw or read placed blame squarely on Strava’s shoulders, but, as you point out, at least some of the responsibility for the effects of corporate data collection falls on those who are voluntarily providing the data. More generally, your analysis of Strava makes a great point in that social media and online data sources have the potential to be major threats to national security – when used strategically, these platforms can be akin to emailing the daily itineraries of a nation’s population and government directly to a foreign agent’s private account. Though it involves a different type of data and discernible information, the Strava heatmap reminded me of a Washington Post article that analyzed the type of national security-related information that foreign agents could glean just from scanning through President Trump’s tweets and Twitter habits – even timestamps and word frequency counts can be incredibly revealing when looked at with a trained eye: https://www.washingtonpost.com/outlook/president-trumps-twitter-feed-is-a-gold-mine-for-foreign-spies/2017/06/23/e3e3b0b0-5764-11e7-a204-ad706461fa4f_story.html?utm_term=.e913b806372c

  5. As a former runner, I used my Garmin GPS religiously. I never thought twice about sharing my route information because I wanted the benefit of analyzing my training. I would have never thought the data would be shared publicly, even for research purposes. I am shocked that no one at Strava thought to double check the location mapping for privacy concerns. However, I do believe that the majority of the blame should be placed on the consumer who agreed to share their location in the first place. I recently turned off the majority of the location services for apps on my phone specifically for this reason. Though this type of personal data may be very insightful at a company level for marketing and research purposes, managers need to become more aware of how publicizing this data can affect its users/the greater population.

  6. Very interesting post! I’m curious if any of the government agencies that were affected by this gave any more thought to privacy requirements or training for their employees. This type of incident becomes a big problem with the opt-out model that is often used by tech/data companies especially in the U.S. Many other countries have begun to enact more stringent policies about opting in to let a company see your data instead of opting out to prevent them from doing so. It really speaks to the fact that although legally we are supposed to read data and privacy agreements, we almost never do and it can have real world consequences.

  7. Wow, I never thought this in depth into the world of digital fitness tracking. I do not own a fitness watch or use an app to track my fitness but greatly see the appeal for others, especially runners like you. Unfortunately, I think a great deal of the population has become somewhat desensitized to checking privacy settings while setting up social platforms and making sure we’re not sharing more information than we should be. While it’s scary on a personal level knowing Strava tracks your moves, the introduction of higher risk tracking such as with the Army and Area 51 puts a greater number of people in danger. I would’ve hoped the people at Strava would’ve combed through their data better, knowing that certain things on the heat map should not have been shared. As you said this misstep could be a matter of life or death for certain people and Strava should definitely think about changing their privacy settings in the near future for both their protection and their consumers.

  8. This was an excellent blog post, and a pretty alarming unintended consequence of Strava data. This can easily happen to any company as I don’t think software and social media companies are incentivized to provide easy and clear opt out options for data privacy. Reminds me of the stories you hear about local burglars using social media location check-ins with Foursquare or Instagram to target houses for robberies.

  9. Great post, a very interesting consequence that I would never have thought of! In my opinion, although it may seem like a privacy breach from the hands of Strava it is ultimately the user’s responsibility to filter how much data they are willing to share. I am surprised the government agencies would have even allowed these services to be used at sensitive areas, and the blame may fall on them for overlooking these details. However, I think this serves as a stark reminder that we should all be aware what we are sharing through the countless apps we use so frequently. Education on data access has never been needed more!

  10. This was a very fascinating blog post! And I’m a little torn on how to feel about this issue. On the one hand, Strava is providing a service to the users, so they should be able to choose what to do with the data they own. On the other hand, this isn’t a free service, users are already paying for it and so (in theory) they should own their data, not Strava. On the third hand, people who work with sensitive information (like government operatives) should have been smart enough to realize that their data had the opportunity to be used against them, it’s cybersecurity 101. Very well written, lots to consider here!
