Strava responds to alarming report suggesting that it could be used to track down users

Andrew Griffin
Wednesday 14 June 2023 17:27 BST
A new report claims that Strava could be used to track people down – despite the platform’s efforts to make their data anonymous.

Strava is a fitness tracking platform that allows people to log their exercises as well as engage with others based on their workouts. But it also includes other tools, such as its heatmap feature, which is intended to anonymously gather together people’s journeys and show them on one map.

The tool is intended to allow people to see which parts of the world are particularly active, which can be helpful for finding particularly good areas for workouts or trips. But it can also be used to find out people’s personal information, according to a new report.

That heatmap data is anonymised, so that it shows more general trends and cannot be used to track specific people who might mark their routes private. But the new research suggests that it is possible to de-anonymise that data, at least in some cases, to work out who lives where.

The paper, published by three computer science researchers at North Carolina State University, says that “the home address of highly active users in remote areas can be identified, violating Strava’s privacy claims and posing as a threat to user privacy”.

They detailed a complicated process that they claimed was able to find addresses and then combine that with other data from Strava to find the home address of a certain individual. In short, they were able to use the heat map to identify locations where people lived, and then take other location data to work out who might live at that specific house.

The attack will not work on everyone: targets need to live in remote areas where people’s houses stand on their own and need to have the heat map setting switched on, and some users might run in patterns that do not identify their home addresses, for instance. But the researchers claimed that a significant number of users could be identified based on publicly available information on Strava.

That is a “violation of user privacy”, the researchers said. And it could also pose a threat to those users, by allowing people’s addresses to be made public, and then matched to certain activities, such as when they work out or where they tend to travel.

The researchers suggested two ways to avoid the attack. One would be to remove heat map data that is clearly near a home. The other would be to apply Strava’s existing “privacy zones” tools, which block out data from certain locations, to its heat map, which is not currently the case.

Strava said that it looks to ensure users’ data stays private, and suggested that people concerned about potential issues turn off the use of aggregated user data on their account.

“The safety and privacy of our community is our highest priority. We’ve long had a suite of privacy controls (including Map Visibility Controls) that give users control over what they share and who it’s shared with,” the company said.

“Strava does not track users or share data without their permission. When users share their aggregated, de-identified data with the Heatmap and Strava Metro, they contribute to a one-of-a-kind data set that helps urban planners as they develop better infrastructure for people on foot and bikes, and makes it easy to plan routes with the knowledge of the community.

“The Global Heatmap displays aggregated data from a subset of Strava activities and will not show ‘heat’ unless multiple people have completed an activity in a given area. Any Strava user who does not wish to contribute to the Heatmap can toggle off the Aggregated Data Usage control to exclude all activities or default their Activity Visibility to be only to themselves (’Only You’) for any given activity.

“We are consistently strengthening privacy tools and offering more feature education to give users control over their experience on Strava. This includes simplifying our Privacy Policy with our Privacy Label at the top.”
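The privacy-zone mitigation the researchers suggest and the multiple-people rule Strava describes can be sketched as a filter applied before points are aggregated. This is an added example, not code from the article, the paper or Strava; the grid size, threshold, function names and all coordinates are assumptions constructed for illustration.

```python
import math
from collections import defaultdict

CELL_DEG = 0.001   # assumed grid cell size in degrees
MIN_USERS = 2      # assumed: distinct users needed before a cell shows heat

def haversine_m(a, b):
    """Great-circle distance in metres between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(math.radians, (a[0], a[1], b[0], b[1]))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371000 * math.asin(math.sqrt(h))

def in_privacy_zone(point, zones):
    """True if the point lies inside any of its owner's (centre, radius_m) zones."""
    return any(haversine_m(point, centre) <= radius for centre, radius in zones)

def build_heatmap(points, privacy_zones, min_users=MIN_USERS):
    """points: (user, lat, lon) tuples; privacy_zones: {user: [((lat, lon), radius_m)]}.
    Returns {cell: hit_count} for cells that pass both filters."""
    users, hits = defaultdict(set), defaultdict(int)
    for user, lat, lon in points:
        # Filter 1: drop a user's own points inside their privacy zones.
        if in_privacy_zone((lat, lon), privacy_zones.get(user, [])):
            continue
        cell = (math.floor(lat / CELL_DEG), math.floor(lon / CELL_DEG))
        users[cell].add(user)
        hits[cell] += 1
    # Filter 2: suppress cells visited by fewer than min_users distinct users.
    return {c: hits[c] for c in hits if len(users[c]) >= min_users}

# Constructed sample data (not real locations or users).
SAMPLE_POINTS = [
    ("a", 35.10055, -80.20052), ("a", 35.10055, -80.20052),
    ("a", 35.10055, -80.20052),      # user a starting runs at home
    ("b", 35.10058, -80.20057),      # user b passed a's house once
    ("a", 35.12050, -80.22050), ("b", 35.12055, -80.22055),  # shared trail
    ("c", 35.30050, -80.40050),      # user c alone on a remote road
]
SAMPLE_ZONES = {"a": [((35.10050, -80.20050), 200)]}  # 200 m zone around a's home

if __name__ == "__main__":
    print("threshold only:   ", build_heatmap(SAMPLE_POINTS, {}))
    print("zones + threshold:", build_heatmap(SAMPLE_POINTS, SAMPLE_ZONES))
```

With the threshold alone, the cell containing user a's home still shows heat in this sample because a second user passed through it; once a's zone is applied before aggregation, that cell falls below the threshold and only the shared trail remains.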
