Strava Fitness App’s Global Heatmap Reveals Sensitive Locations

By MDL on February 2, 2018

Strava, “the social network for athletes,” released an updated version of their Global Heatmap that improved the quality and resolution of their maps in ways that can reveal information about user routines and locations. These changes could potentially compromise the privacy, safety, and security of users and reveal sensitive military information.

Strava global heatmap

The Strava app allows users with Android or Apple phones and wearable devices like the Fitbit and Apple Watch to track their exercise activity, view statistics related to their activities, and share this information with others. Strava’s Global Heatmap is a data visualization that maps all Strava user fitness activity across the world and is available freely on the Internet. The Heatmap shows all shared Strava user paths as they move through common exercise locations like public parks and hiking trails, but the map also highlights paths through small neighborhoods and labeled airports, schools, and military bases across the world.

Strava’s Global Heatmap is impressive, but the problem is that the map resolution has improved so much that the app may be inadvertently revealing the movements of personnel on military bases or at posts in sensitive locations and conflict zones abroad.

When displaying the movements of thousands of people in a crowded city, a single user’s path blends in and becomes anonymous. When a small number of users move along a repeated path in a location where no one else for miles around is using the app, their movements display as a clear, isolated path, and the Heatmap can starkly highlight the tracked activities of even that small group.

An observer might be able to use the Heatmap to scan for areas where an unusual number of outsiders or foreigners have gathered. An actor with malicious intent could view the streets outlining the grounds of a remote location, trace the paths of security patrols, and use this information to breach security or cause harm.

Mobile interface for privacy controls

Strava app users can choose to “opt out” and make their activities private, but the app default is set to automatically share user activity data to the Heatmap. The app’s privacy settings include a choice labeled “Private By Default,” but the selection toggle is set to “off” by default. For more information about Strava privacy settings and directions on how to hide user activity, view Strava’s informational blog post, How to Manage Your Privacy on Strava.

A Pentagon spokesperson announced last Monday that Defense Secretary James Mattis has ordered a DoD-wide review of the policies regarding the use of fitness apps and wearable fitness trackers to determine if the policies “need to be updated.” The spokesperson stated in a Military Times article that additional policies may include limitations on wearable devices able to track user location, “to include smart phones.”

UPDATE, 5 MAY 2018

Strava has altered the Global Heatmap so that shared user paths are blurred at the street level for the public. Registered users must log in to view more detail.
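The two problems described above, an isolated group standing out against an empty background and the street-level detail the public map originally exposed, come down to how activity is aggregated before it is drawn. The following script is an added illustration, not Strava’s code or its published method: it bins constructed GPS samples (hypothetical user ids and coordinates) into grid cells and shows that coarsening the cells alone does not hide two people running laps at an otherwise empty site, whereas suppressing any cell backed by fewer than a minimum number of distinct accounts does. The cell sizes and the threshold of five users are assumptions chosen for the example.

```python
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed sample data (hypothetical user ids and coordinates, not Strava data).
# Forty different people each pass once through one "city park" area ...
SAMPLE_POINTS: List[Tuple[str, float, float]] = [
    (f"city_user_{i}", 51.5100 + i * 0.00001, -0.1300) for i in range(40)
]
# ... while two people run fifty laps of the same loop at an otherwise empty site.
SAMPLE_POINTS += [
    (uid, 34.0500 + lap * 0.00001, 45.2000)
    for lap in range(50)
    for uid in ("remote_a", "remote_b")
]

Cell = Tuple[int, int]


def to_cell(lat: float, lon: float, cell_udeg: int) -> Cell:
    """Snap a coordinate to a grid cell of cell_udeg micro-degrees.
    Integer micro-degrees keep the binning exact at cell edges."""
    return (round(lat * 1_000_000) // cell_udeg,
            round(lon * 1_000_000) // cell_udeg)


def bin_points(points, cell_udeg: int):
    """Aggregate raw points: per cell, total hits and the set of distinct users."""
    cells = defaultdict(lambda: {"hits": 0, "users": set()})
    for uid, lat, lon in points:
        c = to_cell(lat, lon, cell_udeg)
        cells[c]["hits"] += 1
        cells[c]["users"].add(uid)
    return cells


def render_heatmap(points, cell_udeg: int, min_users: int) -> Dict[Cell, Dict[str, int]]:
    """Heatmap as {cell: {"hits": n, "users": n}}. Cells backed by fewer than
    min_users distinct accounts are dropped entirely rather than drawn faintly,
    because a faint but isolated trace is still a trace."""
    return {
        c: {"hits": d["hits"], "users": len(d["users"])}
        for c, d in bin_points(points, cell_udeg).items()
        if len(d["users"]) >= min_users
    }


def brightest(heatmap: Dict[Cell, Dict[str, int]]) -> Optional[Tuple[Cell, Dict[str, int]]]:
    """The cell with the most hits, or None for an empty map."""
    if not heatmap:
        return None
    c = max(heatmap, key=lambda k: heatmap[k]["hits"])
    return c, heatmap[c]


if __name__ == "__main__":
    # Fine grid (~100 m cells), no threshold: the two-person loop is the
    # brightest thing on the map, because hits are counted, not people.
    print("fine, no threshold:  ", brightest(render_heatmap(SAMPLE_POINTS, 1_000, 1)))
    # Coarser grid (~1 km cells) still leaves that isolated pair visible.
    print("coarse, no threshold:", brightest(render_heatmap(SAMPLE_POINTS, 10_000, 1)))
    # Distinct-user threshold: only the forty-person park survives.
    print("fine, min 5 users:   ", brightest(render_heatmap(SAMPLE_POINTS, 1_000, 5)))
```

The point the script makes is that brightness on a heatmap measures repeated passes, not how many people were there; a pair of users running the same loop every day generates more hits than a crowd passing once. A publication filter on distinct accounts per cell addresses that directly, while simply blurring the grid only spreads the same isolated signal over a larger area.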

Strava interface

Strava heatmap of Honolulu Airport, before the change
Heatmap of Honolulu Airport, after the change

Sources:

BBC, Fitness app Strava lights up staff at military bases

Ars Technica, “Heatmap” for social athlete’s app reveals secret bases, secret places

Military Times, Mattis orders review of how troops use Fitbits, other fitness apps following breach

Strava Heatmap