App map raises security concerns
Athletic network posts activity of 27M users
A fitness tracking app that posted a map with potentially sensitive information about its users sparked concerns over how similar services protect personal data — and what users can do to protect themselves.
Strava is among several apps and devices like Fitbit that are part of the surging fitness tracker market. In most cases, the apps or devices keep tabs on the users’ basic health information such as steps taken, heart rate or sleep.
Some of those apps could collect more, such as calendar or contact information, depending on what permissions they request, said Michelle De Mooy, director of the Privacy & Data Project at the Center for Democracy & Technology. “It’s important to dig into the settings of your phone or whatever device you’re using to see what has asked for access to these different types of data and whether or not you’re comfortable with that,” she said.
Since 2015, Strava has published a global heat map detailing the activity of its 27 million global users. Strava describes itself as a “social network for those who strive,” aimed at athletes who want to track their jogging or cycling activity.
Security experts questioned whether the map could show not only the locations of military bases but specific routes most heavily traveled.
In a statement, Strava said the map doesn’t include data “marked as private.”
According to Strava’s privacy policy, information and content may be accessible to the public, depending on how accounts were set up. Strava and similar apps, including Runkeeper, are more social, allowing users to keep track of specific routes they use to run or bike.
Because it’s a social network, settings often default to public view instead of private.
Fitness trackers and apps have been criticized for vague privacy policies.
Two years ago, the Norwegian Consumer Council claimed that companies, including Fitbit and Garmin, collected more data than needed for their trackers and weren’t clear about how data are managed.
In 2016, Open Effect — a Canadian non-profit group focused on research into how personal data are handled — partnered with the Citizen Lab at the University of Toronto to analyze fitness tracker security. They found seven out of eight devices “emit persistent unique identifiers that can expose their wearers to long-term tracking of their location” if the devices aren’t connected to a smartphone.
“These apps can track your location, and very often, these companies are disclosing sensitive location information to third parties without users’ knowledge or consent,” said Sam Lester, consumer privacy fellow at the Electronic Privacy Information Center.