More Data, More Responsbility - Analysing the Strava Heatmap

More Data, More Responsbility

Analysing the Strava Heatmap

Stefan Friedli
by Stefan Friedli
time to read: 6 minutes

Keypoints

  • Strava published a heatmap containing the movement information of thousands of their users
  • The data exposed various classified and secret army infrastructure elements
  • Strava refuses to acknowledge the issue and take responsibility and points out their privacy settings

A public heatmap published by the makers of fitness tracking app “Strava” causes an uproar because the data published allows the identification of secret military bases and other critical infrastructure elements. A critical assessment of the controversy.

Fitness has ascended into a secondary religion over the past years, at least according to various Swiss media outlets. Maybe an over-generalization that rings at least partially true considering the masses of runners, bikers and rowers that are drawn to the big outdoors on sunny and rainy days alike. Most of them looking for a balance to their workdays, which is traditionally somewhat lacking in movement.

Making progress is a primary goal of most casual athletes: A higher step count, lower heartrate and, first and foremost, better splits are highly coveted metrics for runners to see if they are actually increasing their own performance. They still exist, the ascetic kind of person who just runs, Rocky-style, without caring much about duration or length, but they are definitely a minority. Most casual athletes measure their workouts using sports watches or similar gadgets made by Garmin, Fitbit, or Nike. Or directly by smartphone. The options are overwhelming, the business with fitness accessories is booming.

Strava Toplists

Once data has been captured, it needs to be analyzed. A variety of apps, such as Runkeepers, Fitbit or Nike’s Running Club are competing for casual athletes’ attention here. Another popular choice is Strava, who has garnered quite a bit of attention over the last couple of days. Strava, located in San Francisco, markets itself as the “Social Network for Athletes” and pursues this promise vigilantly. People running the same segments repeatedly can compare themselves to other people active on these routes. After adding friends, they can complement each other on successful workouts or add comments. A nicely made animation titled “Flyby” even allows it to identify other Strava users that were encountered – or sometimes even better – overtaken on the morning bike ride.

When looking at the data in context of a single run or ride, it is not irrelevant, but hardly of large significance for a large percentage of users. But the more data can be correlated, the more potential for abuse arises. A female runner wrote about her concerns of strangers following her regular routes in 2017. The issue was considered an isolated case and was dismissed by Strava with the advice to adjust privacy settings.

The “Global Heatmap” that Strava published recently made significantly more of a splash. Created from approximately a billion of workouts, roughly ten terabyte of raw data, Strava built an international heatmap showing popular spots to run, swim, and bike. Nathan Ruser, an analyst for UCA, quickly realized that this kind of “Big Data” would yield more than just athletic hotspots, including other areas of interest.

It becamse apparent very quickly that apps like Strava are not exclusively used by casual athletes in rather peaceful western countries, but also by servicemen and -women in war regions. Within a short amount of time, several secret or classified army bases have been identified, partially with correlating patrol or supply routes.

The area of the Pentagon

The public reaction was, as was to be expected, harsh: It was not deemed acceptable, that the life of soldiers would be exposed to new threats due to the irresponsible sharing of this dataset. Strava reacted in a statement and, again, pointed out that the sharing of said information is voluntary and could be deactivated by each individual user.

A statement that is not wrong, but does not relieve Strava of taking responsibility for handling the data entrusted to them in any context with care. When using a very liberal setting as a default, customers need to be informed about said option and the opt-out needs to be easy. With Strava, the opposite is the case: Privacy Settings are confusing at best and offer, all things consider, about six different settings of partial effectiveness. Even proficient users who think they have adjusted their settings properly might actually not have done so and regularly leak sensitive movement data. The standard setting defaults essentially to “Everyone sees everything”. Blaming an enduser for not being able to handle this challenge properly, is absurd.

In a time where the usage of increasingly complex technological tools is penetrating our lifes deeper and deeper, enterprises need to be held accountable under the threat of harsher consequences. The case of Strava illustrates, once again, how important the context of data is to assess their importance or criticality. It is an important lession, also for Swiss companies, to reconsider the secondary usage of the data entrusted to them.

Strava Flyby: Risk or Feature?

About the Author

Stefan Friedli

Stefan Friedli is a well-known face among the Infosec Community. As a speaker at international conferences, co-founder of the Penetration Testing Execution Standard (PTES) as well as a board member of the Swiss DEFCON groups chapters, he still contributes to push the community and the industry forward.

Links

Is your data also traded on the dark net?

We are going to monitor the digital underground for you!

×
I want a "Red Teaming"

I want a "Red Teaming"

Michael Schneider

Human and AI

Human and AI

Marisa Tschopp

Vehicle forensics

Vehicle forensics

Michèle Trebo

Isn’t business continuity part of security?

Isn’t business continuity part of security?

Andrea Covello

You want more?

Further articles available here

You need support in such a project?

Our experts will get in contact with you!

You want more?

Further articles available here