A new report claims that Strava could be used to track people down – despite the platform’s efforts to make their data anonymous.
Strava is a fitness tracking platform that allows people to log their exercises as well as engage with other based on their workouts. But it also includes other tools, such as its heatmap feature, which is intended to anonymously gather together people’s journeys and show them on one map.
The tool is intended to allow people to see which parts of the world are particularly active, which can be helpful for finding particularly good areas for workouts or trips. But it can also be used to find out people’s personal information, according to a new report.
That heatmap data is anonymised, so that it shows more general trends and cannot be used to track specific people who might mark their routes private. But the new research suggests that it is possible to de-anonymise that data, at least in some cases, to work out who lives where.
The paper, published by three computer science researchers at North Carolina State University, says that “the home address of highly active users in remote areas can be identified, violating Strava’s privacy claims and posing as a threat to user privacy”.
They detailed a complicated process that they claimed was able to find addresses and then combine that with other data from Strava to find the home address of a certain individual. In short, they were able to use the heat map to identify locations where people lived, and then take other location data to work out who might live at that specific house.
The attack will not work on everyone: they need to live in remote areas where people’s houses stand on their own, those users need to have the heat map setting switched on, and might run in patterns that do not identify their home addresses, for instance. But the researchers claimed that a significant number of users could be identified based on publicly available information on Strava.
That is a “violation of user privacy”, the researchers said. And it could also pose a threat to those users, by allowing people’s addresses to be made public, and then matched to certain activities, such as when they work out or where they tend to travel.
The researchers suggested two ways to avoid the attack. One would be to remove heat map data that is clearly near a home, and another would be to add Strava’s existing “privacy zones” tools that block out data from certain locations to its heat map, which is not currently the case.
Strava said that it looks to ensure users’ data stays private, and suggested that people concerned about potential issues turn off the use of aggregated user data on their account.
“The safety and privacy of our community is our highest priority. We’ve long had a suite of privacy controls (including Map Visibility Controls) that give users control over what they share and who it’s shared with,” the company said.
“Strava does not track users or share data without their permission. When users share their aggregated, de-identified data with the Heatmap and Strava Metro, they contribute to a one-of-a-kind data set that helps urban planners as they develop better infrastructure for people on foot and bikes, and makes it easy to plan routes with the knowledge of the community.
“The Global Heatmap displays aggregated data from a subset of Strava activities and will not show ‘heat’ unless multiple people have completed an activity in a given area. Any Strava user who does not wish to contribute to the Heatmap can toggle off the Aggregated Data Usage control to exclude all activities or default their Activity Visibility to be only to themselves (’Only You’) for any given activity.
“We are consistently strengthening privacy tools and offering more feature education to give users control over their experience on Strava. This includes simplifying our Privacy Policy with our Privacy Label at the top.”
Read MoreBreakthrough could soon allow us to actually use quantum computers, scientists say
Three and Vodafone are merging. Here’s what that means for your phone
McDonald’s, Delta among websites down after Amazon Web Services cloud crashes
Breakthrough could soon allow us to actually use quantum computers, scientists say
Three and Vodafone are merging. Here’s what that means for your phone
McDonald’s, Delta among websites down after Amazon Web Services cloud crashes