Various places have reported that close examination of Strava’s heat map identifies locations and routes that military and intelligence people might not wish to have identified. This seems to be a bit of an “oopsie” as well as a lesson in just how much data people willingly (if sometimes unknowingly) share with “the cloud”. It’s also a great lesson in the ‘hacker’ mindset and the way that something that seems like a really cool good idea can be taken advantage of for badness.

Let it be noted that I use Strava (amongst other fitness apps). I’m even moderately public about my use of it because I don’t really have anything to hide as I’m not a military chap who has been posted overseas to potentially clandestine locations. However I assume that every bit of exercise I upload to Strava (or Garmin or Runkeeper…) is visible to everyone so I think a bit before starting to log exercise. For example, She Who Must Be Obeyed and I are careful to not start and end our exercise events at our front door and to use the privacy features of Strava (and other exercise apps) so that the first few hundred meters(yards) of any exercise do not show up. This probably doesn’t totally stop potential bad people from figuring out where we live but it does make it a bit harder. I never do the “live stream” thing so it’s hard for bad people to know exactly where I am (and hence by implication where I’m not. i.e. at home) and so on

The trick that social media (and Strava & co are social media, albeit niche social media) figured out is that people like to share with their friends and, often, with strangers who hacve interests in common. Most runners (and cyclists and other sports people) spend a lot of the time exercising alone, which is boring and not very motivating. Strava & co allow you to share and compare your efforts with those of people you know/people near you. There are a lot of benefits from this – two obvious ones are that it can inspire you to train harder and seeing their activites can give you ideas about where you might want to go. In fact I looked at the heat map to see what interesting routes there might be near where I live (interestingly it looks like I did most of them and I suspect a couple of the really dim tracks are in fact me and no one else) and I will look at it when I travel to see interesting routes that I didn’t otherwise know. In addition, Strava has other apps like “route builder” which are even more useful than the global heatmap for figuring out where to go (when it doesn’t crash which it does for me).

In other words the primary goal of Strava and Strava Labs has been achieved by what they offer. Unfortunately one of the things we seem to continually hitting in the age of the internet is that people always get so carried away with the positive benefits of “new data sharing thing” that they ignore potential downsides. It is easy to blame Strava in this case for oversharing, and I admit that Strava doesn’t do a wonderful job of suggesting people check and update their privacy settings, but as it happens Strava have done a fairly good job of letting people opt out of data sharing (see the privacy settings page image below)

Strava Privacy Settings

Strava Privacy Settings. Note the check box you have to have checked to opt in to being on the heat map

I don’t recall if that box was automatically checked for me the first time I logged into my account but it is very easy to switch off and the explanation about what it does is pretty clear:

The Heatmap on Strava Labs is a visualization of a large collection of GPS points recorded by Strava users. For example, a popular street for cyclists looks like a bright line in the Heatmap. Please note, the Heatmap is only regenerated approximately once every quarter so any changes made to your privacy settings will not be reflected until the heatmap is updated. Visit labs.strava.com/heatmap to see the Heatmap for your area.

I’d also like to correct something that I’ve seen in various reports. Fitbits and the like do not track your every movement using GPS. They only do that when you specifically enable GPS tracking to perform an activity. Step/floor counting just uses accelerometers and there’s no tracking of where you were.

OTOH Google does track a lot of location stuff on your phone (and probably Apple does too), unless you are paranoid about blocking it – and sometimes even then – so even if Strava doesn’t know your every movement there’s a good chance Google does (BTW if you want to figure out what is talking and look at blocking it I recommend GlassWire).

Going back to the larger problem. Cloud applications of all sorts gain value from sharing data as widely as possible. Humans in open societies (i.e. the “developed world”) with relatively low levels of crime and very limited governmental oppression/surveillance see no downside to sharing stuff and hence tend to overshare without thinking of security/privacy implications because there is no obvious immediate downside. The only way this will stop is when there is widespread understanding by everyone, from app/product developers to the majority of consumers, that oversharing is bad and potential dangerous. In the case of activity tracking apps like Strava the obvious security hole is that they let random strangers track where their users are. Like I say, Strava does a decent job of letting its users opt out of widespread sharing but it since it gets advantages from getting permission to use/share the data it tries to make it attractive to share. It is clear that Strava particularly (but it is not alone here) has paid no attention at all to the potential downside of information sharing, rather it has been keen to show one and all just how much data it has amassed.

There are, however, plenty of potential downsides, both to do with people who accidentally share data that they would prefer not to have shared and to do with people who share data without thinking about the consequences. As the original reports note, there’s a lot of information that can be obtained from simply knowing that someone runs or bikes a particular route and even more when the route turns out to be popular. The examples people give seem mostly to do with war and nation state actors but I suspect there are a bunch of malicious uses that individual motivated criminals can come up with: finding a suitable spot to ambush runners to mug/rape them is the most obvious but I’m sure there are others.

When you get to identifying individual participants it gets much worse. The obvious one is the stalking aspect (and the related, not at home now aspect), but there are, no doubt, some others that are less obvious. Related to the stalking one is the possibility of tracking friends and relationships, and pivoting of one sort of social media to another to build up more knowledge of the subject and his/her circle of acquaintances. I don’t know whether this is feasible to automate but it could well be that an enterprising crook could mine blackmail. The way this might work is to identify couples who run together and travel. Then you pivot off other social media to find out if they are married to other people. If they are and are of the opposite sex then it is worth doing some additional manual steps to see if there is an opportunity to blackmail. It wouldn’t be fully automated but it would allow a blackmailer to locate people literally half a world away and that reduces the risks of being caught considerably.

I’m not the only person who thinks this way. On the Book of Faeces, Chuck Gannon said something similar (minor cleaning up of the text):

This is a consistent problem of the Information Age, one of the things that neither Toffler nor Mcluhan saw with any clarity. Specifically, that personal data sharing is not merely the handmaiden but the expeditor of interconnectivity. And that ultimately, you cannot guarantee that that information flows just one way. To my mind, there is as much to lose as to gain with the internet of all things.

The other factor, immediacy, certainly shrinks time and therefore space and makes aspects of the globe truly interconnected and communal. But on the other hand, there are elements of genuine (rather than tele-)presence that it shortcuts without providing for adequate behavioral compensation. For instance, how careers can be annihilated during 45 minutes of Twitter spasm that might be based on entirely false or cherry-picked representations of a person or a situation. And of course, the sadly prevalent tendency to say things to people over Facebook or Twitter that you would never say to them in person. In part because, you would get your nose punched.

I am a huge fan of technology and innovation. I am also a fan of judicious consideration of the unintended consequences, and right now, we seem to lack any prudent and effective mechanism to do so.

And if we are not careful, We will reap what we have sown. Even more so than we have already.

Sometimes, I fear that we are no longer in the Information Age, but the Infirmation Age…

The only thing I want to say is that I wish I’d come up with “Infirmation Age” myself.