Canadian Trails
Athabasca Landing Trail, Edmonton
Earlier this year, a 20-year-old Australian university student discovered that data from Strava’s global “heatmap” identified military base locations and the movements of American personnel in Syria and Iraq, among other places. This became international news. Security analysts warned that the interactive data illustration – showing where Strava users run and cycle – could put troops and humanitarian workers around the world at risk. In a statement addressed to the Strava community, the company’s ceo wrote that Strava would work with the military and the government to address “potentially sensitive data,” simplify and increase awareness of privacy tools and review some features “to ensure they cannot be compromised by people with bad intent.”
The Ottawa Citizen reported that the Canadian Forces have not had similar problems because military personnel are told to turn off gps devices when they go abroad. In some cases, according to a Department of National Defence spokesperson, taskforce commanders teach people how to turn off tracking on their devices and strip metadata from pictures and posts.
Runners could stand to follow their lead if they care at all about their own privacy and safety.
I’ve been guilt y of thinking that the information we share on Strava seems too vast and banal to attract attention. Over the past three years, I’ve uploaded more than 1,000 activities to the social net work. The majorit y of these are easy runs with lacklustre splits. Until recently, I kept these runs public, not convinced anyone could glean much more from them than the type of shoes and watch I wear.
Closer study would reveal much more: where I live, where I work, who I run with, when I have practice, how much I weigh, and how far I’ll go before replacing a pair of running shoes (1,215 kilometres and
counting, as of this writing). Combining data from that Strava profile with my public posts from Twitter, Instagram, Facebook and LinkedIn would result in a staggering amount of personal information.
“People don’t really think of the risks of aggregated information,” said Jason Nurse, a senior researcher in cyber security at the University of Oxford.
Nurse and his colleagues have researched the privacy risks associated with fitness trackers (like Fitbits) and online social networks (like Strava), and they examined those risks – as well as users’ perceptions of them – in a 2017 paper.
The researchers developed an interactive tool that showed people how data from wearable fitness trackers and online social networks could be combined and used against them.
Bike theft is a classic example. Using route and timing information from rides, thieves can use technology to target expensive bikes and steal them when the time is right. They can even use data from an altimeter sensor to determine which f loor of an apartment building holds an expensive bike.
Fitness data exposure can also make runners more vulnerable to stalking, profiling, manipulative marketing and identity theft, the researchers wrote.
Another compelling example from the paper relates to the workplace. After stalking your Strava profile, an employer could decide to give a job to another candidate, and not because you don’t have a fast enough marathon PB. Obesity-related health problems and maternity leave prove expensive for businesses. It’s possible that hiring managers could discriminate against you if they think you have a high bmi or a resting heart rate that suggests you’re pregnant.
It’s worth mentioning that many people – myself included – appreciate the wealth of data available on Strava. Leaderboards motivate me. Friendships form on the platform. By sharing data with Strava’s heatmap, athletes can help urban planners determine where to install bike lanes or running paths in their municipalities.
Social networks also help me connect with Canadian runners during my reporting. Through Twitter, I met Jeff T., a 34-year-old runner and cyclist in London, Ont., who likes Strava’s heatmap and tracking functions because they allow him to find routes, chase segments and see who has been exercising in his area. In his opinion, it’s up to users to read privacy settings and decide how much information is safe to share. “At the end of the day, if you use these services, you have to take what comes with it,” he told me.
Strava representatives did not respond to questions I posed on what specific changes the company plans to make to its privacy settings in the coming months.
In the meantime, there are a number of things runners can do to mitigate their risks.
“I love technology, but I support using it responsibly,” Nurse said. He recommends not sharing too much, not adding “friends” you don’t know, and varying your physical activity habits so strangers would have a harder time predicting your actions.
On Strava in particular, runners can add privacy zones to protect the locations of their homes and offices and opt out of appearing on leaderboards and other features.