All your base are belong to us: Strava exercise app maps military sites, reveals where spies jog

In November, exercise-tracking app Strava published a “heatmap” of user activity which it cheerily boasted comprised a billion activities, three trillion lat-long points, 13 trillion rasterized pixels and 10 TB of input data. It took a while, but late last week someone wondered “how many Strava users are members of the …

Silver badge
Facepalm

see icon..... pretty much sums it all up.

22
0
Anonymous Coward

Collect all the data, ignore users privacy...

...and compromise your security.

Dumbass.

19
8

Re: Collect all the data, ignore users privacy...

There are all kinds of privacy settings the users could have employed. If they couldn't be bothered to switch any of them on you can't blame the service.

14
18
Anonymous Coward

"consider consequences on multiple levels prior to publishing private data"

Or maybe consider consequences on multiple levels prior to collecting private data?

Hope that once governments are bitten themselves hard by the data gathering frenzy, they'll reconsider the rules about data gathering... I wait for the first politician being shown "exercising" at his mistress house...

And, no, opt-out is not enough - people should at least have to opt-in to any data collection.

27
4
Silver badge

Re: "consider consequences on multiple levels prior to publishing private data"

"And, no, opt-out is not enough - people should at least have to opt-in to any data collection"

Strava is a data-collection site. That's what it does. You opt in by uploading your stuff to it, it doesn't magically track you without consent.

When I signed up the privacy zone was in the initial setup wizard, so it's a little deceptive for the article to call it off by default. It has to be off as far as it is, because Strava doesn't know where to put it unless you tell it.

Heatmap is just another example of it being really hard to anonymise through aggregation.

21
4
Silver badge

Re: "consider consequences on multiple levels prior to publishing private data"

@AC

absolute nonsense.

They purchased a device and service that is *SPECIFICALLY FOR* data gathering and sharing

Yes, if they purchased something random that was gathering this data, fine. That's not the case though. You seriously aren't suggesting they should have to opt in to make the device function as advertised?

Sorry, but this sort of attitude contributes to the issue. The onus is on the users to understand what they have purchased and use it correctly. The company are doing *exactly* what they say they'll do.

12
6
Silver badge

Re: Collect all the data, ignore users privacy...

" you can't blame the service."

Yes you can. You can blame them for not making the privacy setting default to something sensible. This amounts to an offence under GDPR.

I wonder how many fines it's going to take until US manufacturers learn to do things right.

8
10
Silver badge

Re: Collect all the data, ignore users privacy...

"This amounts to an offence under GDPR"

I'm almost certain it won't.

11
4
Silver badge

Re: Collect all the data, ignore users privacy...

"There are all kinds of privacy setting the users could have employed. If they couldn't be bothered to switch any of them on you can't blame the service."

You mean: there is an option in the settings for us not to come around and shoot you in the face. If you couldn't be bothered to switch it on you cannot blame us.

5
4
Silver badge

Re: Collect all the data, ignore users privacy...

""This amounts to an offence under GDPR"

I'm almost certain it won't."

I'd be surprised if it isn't already an offence under the current regulations. They are a processor of sensitive data (where someone is) under DPA, and they cannot just publish all that information in such a way that it can be deanonymized. Obviously showing you coming out of your house is not very anonymous. They might also be in trouble over various national security legislation. Arguably this is material of benefit to terrorists, and its publication would then be an offence under UK law. (Find any route that goes into a military base, for example, and then wait along it.)

7
2
Silver badge

Re: Collect all the data, ignore users privacy...

"They are a processor of sensitive data (where someone is) "

You can look up sensitive data on the ICO website:

https://ico.org.uk/for-organisations/guide-to-data-protection/key-definitions/

It doesn't include location.

Excluding home addresses *is* part of the Strava sign up process. And Strava's privacy policy explicitly acknowledges that people may be identified from aggregate data:

"If you make information or content publicly available on the Services, such information, even when aggregated, is capable of being publicly viewed and possibly associated with you"

There are plenty of bad boys in the industry, but Strava isn't one of them.

They have consent under current DPA for everything they do. They have consent under GDPR, although I don't think they need it (because storing location and deriving profiles from it is the whole reason for the service existing).

Need to go now, time for my daily catch-up with the GDPR lawyers.

6
0
Silver badge

Re: Collect all the data, ignore users privacy...

'Excluding home addresses *is* part of the Strava sign up process.'

Very much this, what surprises me is how many people miss it. I compared my friend's house in LA with mine, he is obviously the only person living on his street to use the app despite a reasonable number of people using it as part of their running route. My house in a small town in the UK has apparently never been lived in by someone who has Strava even though I ran about 5 times the distance he did last year.

What I did like was looking in Portsmouth harbour and seeing a faint outline of an aircraft carrier.

3
0
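Two points raised in this thread, that a heatmap is hard to anonymise through aggregation and that a single runner's house on an otherwise unused street stands out, can be shown with a small defender-side example. The code below is added illustration, not Strava's code: the coordinates, the 0.001-degree tile size, the 200 m privacy-zone radius and the threshold K are all constructed assumptions. It clips each user's fixes around a declared home (a privacy zone) and then publishes a tile only if at least K distinct users contributed to it, so a street walked by one person stays blank.

```python
"""Added example (not Strava's code): two mitigations for route leakage in an
aggregated activity heatmap, run on constructed sample tracks.

1. Privacy zone: drop every GPS fix within radius_m of a user-declared home
   before the track is aggregated.
2. Minimum-user threshold: publish a raster tile only if at least k distinct
   users contributed to it, so a lone runner's street is suppressed.
"""
import math
from collections import defaultdict

TILE_DEG = 0.001  # ~111 m of latitude per tile; an assumed, coarse grid


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two WGS84 points."""
    r = 6_371_000.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def apply_privacy_zone(points, home, radius_m):
    """Remove every fix closer than radius_m to the declared home."""
    return [(lat, lon) for lat, lon in points
            if haversine_m(lat, lon, home[0], home[1]) >= radius_m]


def tile_of(lat, lon):
    """Rasterise a fix onto the TILE_DEG grid."""
    return (math.floor(lat / TILE_DEG), math.floor(lon / TILE_DEG))


def build_heatmap(tracks):
    """tracks: {user_id: [(lat, lon), ...]} -> {tile: set of user_ids}.
    Distinct users are counted rather than raw fixes, so one user looping a
    street a hundred times does not look like a hundred people."""
    users_per_tile = defaultdict(set)
    for uid, pts in tracks.items():
        for lat, lon in pts:
            users_per_tile[tile_of(lat, lon)].add(uid)
    return users_per_tile


def publishable_tiles(users_per_tile, k):
    """Keep only tiles that at least k distinct users contributed to."""
    return {t for t, us in users_per_tile.items() if len(us) >= k}


def publish(tracks, zones, radius_m, k):
    """Full pipeline: clip declared privacy zones, aggregate, threshold."""
    clipped = {
        uid: apply_privacy_zone(pts, zones[uid], radius_m) if uid in zones else pts
        for uid, pts in tracks.items()
    }
    return publishable_tiles(build_heatmap(clipped), k)


# Constructed sample data (not real tracks). Three users share a park loop;
# user "A" also runs from home down a side street nobody else uses.
PARK_LOOP = [(51.5005, -0.1005), (51.5015, -0.1005), (51.5025, -0.1005)]
HOME_A = (51.5105, -0.0905)
HOME_STREET = [(51.5105, -0.0905), (51.5095, -0.0905),
               (51.5085, -0.0905), (51.5075, -0.0905)]  # ~111 m apart
TRACKS = {"A": HOME_STREET + PARK_LOOP, "B": PARK_LOOP, "C": PARK_LOOP}

if __name__ == "__main__":
    raw = build_heatmap(TRACKS)
    print("tiles with a single contributor:",
          sorted(t for t, us in raw.items() if len(us) == 1))
    print("published with k=3 and a 200 m zone for A:",
          sorted(publish(TRACKS, {"A": HOME_A}, 200, 3)))
```

Running it shows the four side-street tiles carry only user A, and that the privacy zone alone removes just the two fixes within 200 m of home while the street beyond the zone boundary is still A's alone; it is the distinct-user threshold that keeps those tiles off the published map.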
Silver badge

Re: Collect all the data, ignore users privacy...

Does it have to comply with UK DPA / ICO requirements if it's a US company shipping the data straight to the US untouched? Seems unlikely. That kind of "our law applies everywhere" mentality is normally restricted to US gov.

3
0
Anonymous Coward

"service that is *SPECIFICALLY FOR* data gathering and sharing"

As I see it promoted, it's for activity tracking and friend sharing, not for sharing with world + dog.

It's still worrying that people are OK to share those data just to show theirs is longer... but we're in an era when you're a child until well into the forties.... I stopped such kind of behavior when I was eight or nine.

2
0
Silver badge

Re: Collect all the data, ignore users privacy...

"Does it have to comply with UK DPA / ICO requirements if it's a US company shipping the data straight to the US untouched. Seems unlikely. That kind of "our law applies everywhere" mentality is normally restricted to US gov."

It depends. Did the data originate in Nigeria? No. Did it originate in the UK? Yes. Processing UK citizens' data means you fall under the purview of the ICO, and UK law.

2
0
Anonymous Coward

Re: Collect all the data, ignore users privacy...

It's not PII though. The fuzzy line shows where some of the millions of users have been. The only reason you know a line to a front door is your friend is because YOU have Personally identifiable info on your friend, like where they live and the fact that they use Strava. Without that information it may just as easily be the postman or a stalker, and the heatmap gives you no more useful information than that. "privacy experts" are driving me insane at the moment, GDPR is like cat nip for dipshits.

1
2
Silver badge

Re: Collect all the data, ignore users privacy...

'Without that information it may just as easily be the postman or a stalker'

No, you can see the stalker's line in the bushes round the back.

1
0
Silver badge

Re: Collect all the data, ignore users privacy...

It depends. Did the data originate in Nigeria? No. Did it originate in the UK? Yes. Processing UK citizens' data means you fall under the purview of the ICO, and UK law.

This is very much not my field, but that's not my understanding, or the reading I get from (random fairly reliable website) ThomsonReuters https://uk.practicallaw.thomsonreuters.com/1-502-1544

The Data Protection Act (DPA) applies to data controllers that are either:

* Established in the UK and process the data in the context of that establishment.

* Not established in the UK or an EU member state, but use equipment in the UK for processing data (excluding where that data is only in transit).

0
0
Silver badge

Re: Collect all the data, ignore users privacy...

"Not established in the UK or an EU member state, but use equipment in the UK for processing data (excluding where that data is only in transit)."

Well there you go. Transit means passing through, not starting from. I'm not 'in transit' at Heathrow if I get off the bus there, it's if I'm on a connecting flight. The data originated in the UK, so it's covered. And of course the equipment is the smart watch/whatever.

1
0
Silver badge

Re: Collect all the data, ignore users privacy...

"It's not PII though. The fuzzy line shows where some of the millions of users have been. The only reason you know a line to a front door is your friend is because YOU have Personally identifiable info on your friend, like where they live and the fact that they use Strava."

I thought there were statements like 'it's not anonymous if it can be de-anonymized with extra information'.

0
0
Silver badge
Holmes

I've never understood

Why people use and publish results from apps such as this.

Every day I see on social media people posting their running/cycling etc details online. I can literally deduce their home address and what time they enter/leave from here. Even from people I don't know too well.

I'm not a nasty guy, but plenty of people are and they can use this info for not so nice purposes. Seems like common sense isn't too common.

40
1
Silver badge

Re: I've never understood

The problem with Strava is by default it shares it with the world. If you're just sharing the data with your friends*, they probably already know where you live.

* This assumes that you only friend people who really are your friends, and not just any random Tom, Dick or Harry who ask to be your friend...

14
0
Silver badge

Re: I've never understood

I've seen this with some female Facebook friends, and pointed out to them that it makes it easy to figure out where they live. Some care, and correct it, others say "it isn't that hard to find out where someone lives" and don't worry about it.

I suppose that's basically the same argument that you get against "security through obscurity".

1
1
Silver badge

Re: I've never understood

@Mayday

To show off, they think it makes them better than those who don't do (insert activity here).

You know, same deal as the couples who you know are always at each others throats, but social media is just lovey dovey "look at us" stuff.

Same deal, it's to appear good on the internet.

2
1
Silver badge

Re: I've never understood

No different to the people who broadcast on FaceBook that they're by the pool in Benidorm- might as well add "keys are under the mat".

14
0
Silver badge
Thumb Up

Re: I've never understood

There's a site which scrapes that kind of info to demonstrate just how dangerous it can be:

http://pleaserobme.com/

2
0
Silver badge

@ DougS

You might remind your female friends of a basic difference: IRL, someone has to meet you, or at least be told about you, before they think of looking you up. I doubt that stalkers choose their victims by perusing the phone book. If they don't know your name, they can hardly look up your address and they'd have to follow you home before they can correlate an address to a name.

Publishing personal info and travel data on a social site removes that sleuthing requirement. The stalker can just peruse the activities, select a woman he likes and dive into her life. Finding the address is trivial at that point.

Security through obscurity works very well in real life. Do you know where US carrier fleets are at this time? Hint: don't try finding out - that will land you in very hot water.

2
2

Re: I've never understood

There are basically two reasons. One is that competition is a strong motivator. For a lot of people, including me, leaderboards can motivate people to go out more, or to push faster/further than they might have otherwise. Another is helping to cheer each other on. I have three friends on MapMyRun, I know that the encouragement I get from them is helpful when I'm not doing so well and I certainly hope it works the other way too.

That said, there are good and bad ways to share this data. For example, on MMR those three friends are the only ones who get to see exactly where I've gone, or whether I've gone at all on runs that don't earn me a place on a leaderboard. All anyone else sees is first name, last initial, time on that segment, and date. I *could* open up full sharing, but it's not a default. No heatmaps or anything like that, though I've kind of wished for that as a way to help people find routes worth trying. Overall, I'm pretty comfortable with MMR's approach. If I used Strava, I think I'd be a bit less comfortable.

1
0

Re: I've never understood

I'm going to take a wild stab that you're usually out of your house between 11am & 3pm and even if I don't know where YOU live I know people live in houses and they're usually going to be out of them between 11am & 3pm. So, your point is?

3
0
Silver badge

Re: @ DougS

"Do you know where US carrier fleets are at this time ? "

No.

But 30 seconds on google gives me: (from stratfor)

"Carrier Strike Groups

The USS Carl Vinson CSG is underway in the Pacific Ocean for a western Pacific deployment.

The USS Theodore Roosevelt CSG is underway in a deployment in the U.S. 5th Fleet area of responsibility supporting maritime security operations and conducting theater security cooperation efforts.

The USS John C. Stennis is underway in the Pacific Ocean for routine training.

The USS Gerald R. Ford is underway in the Atlantic Ocean conducting test and evaluation operations.

Amphibious Ready Groups/Marine Expeditionary Units

The USS America ARG is underway in the Pacific Ocean returning to its homeport.

The USS Essex is underway in the Pacific Ocean for routine operations.

The USS Bonhomme Richard is underway in the U.S. 7th Fleet area of responsibility conducting routine training."

I await my hot water....

4
0
Silver badge

Re: @ DougS

If you want to know where carrier battlegroups are going to be, even if it's changing from day to day, in the future just ask the prostitutes. They always know. Hell, I've asked them before. Spent 7 years straight serving on the same tincan (destroyer) and that's one tip most sailors know.

2
0
Silver badge
Pint

So where's the heatmap around El Reg? Oh wait, IT hacks don't exercise, except for their bicep in the 1-pint curls!

13
3

I actually follow one particular el'reg journo on Strava and can tell you they exercise rather a lot, putting some of us to shame..

1
0
Silver badge

Probably Dabbsy. He has to get rid of the anger.

12
0

Good guess but no = )

0
0
Silver badge

Revealing state secrets

Well now, that's going to restrict their movements, what with some countries jailing people for mentioning even commonly-known facts, as "revealing state secrets". Hotel California, anyone?

2
2
Bronze badge
Facepalm

Fail!

If you need an app to tell you when you're "exercising properly" then you're probably not.

11
12

Re: Fail!

In defence, as someone who uses said app and has bought a watch specifically for the task of GPS tracking running & cycling (and swimming, but, it transpires GPS doesn't penetrate water that well; a mere second's thought beforehand would've made the counter assumption obvious I guess).

It's not so much for it to tell you when to exercise, but to monitor progress, am I getting faster, slower, about the same? Where are those gains being made?

I also suffer from a terrible memory ("the worst case of sleep apnoea in someone of your age and build" means I literally spend half my time sleeping not breathing, so I never hit L3 sleep) so it's useful for tracking when I've been, how much I've done this month and should I do more. I admit my reasoning here is fairly individual.

Plus, as a nerd, who doesn't enjoy an abundance of stats?

14
1
Silver badge

Re: Fail!

That is fine, if you are keeping the data for yourself. But the apps all seem to insist on uploading all the data to their cloud.

I have a Fitbit, but I never activate the GPS when I go out exercising. I track how far I've been, but not where... And to be honest, now that I walk about 6 km to work and back every day, I'm rethinking the need for having the Fitbit at all.

11
2
Silver badge

Re: Fail!

Plus, as a nerd, who doesn't enjoy an abundance of stats?

I'm going to crush your nerd pride here.

The Gov'ment likes stats too. By 'like', we're well into serious BDSM style stalker levels of 'like'. What for, I'm not sure, they think it helps make right decisions, but often the opposite seems true.

7
2
Silver badge

Re: Fail!

"By 'like', We're well into serious BDSM style stalker levels of 'like'."

What? Care to describe how stalking is a BDSM activity?

2
0
Silver badge
Coat

Re: Fail!

Care to describe how stalking is a BDSM activity?

I suppose it depends on what you're wearing while doing said stalking.

9
0
Silver badge

Re: Fail!

"What? Care to describe how stalking is a BDSM activity?"

I read it more as like normal stalking, but with a collar.

6
0
Anonymous Coward

"but I never activate the GPS "

GPS itself is no harm - it only receives, doesn't transmit. It's what the device does with the data that is the problem. I do use GPS devices to track where I've been and the places and times where I took photos, so I can return to them if there's a good reason to.

I just download them to my computer only, and the data never leaves it (of course, the photos with geoloc data are never uploaded to any site or cloud service...)

The day those devices start to attempt to upload them to whatever cloudy destination, I'll stop using them.

I don't really want someone to be able to track where I am while carrying several thousands $$$ of equipment...

Just, too many apps use the "mine is longer than yours" human weakness to lure people into sharing what they shouldn't.

8
0
Anonymous Coward

Re: Fail!

If the stalker has a shock collar, and the victim the controller, it could work...

http://dilbert.com/strip/2018-01-20

Especially if it also has a "privacy range" of 1km where it activates automatically.

3
0
Silver badge

Re: Fail!

These days people don't know BDSM from voyeurism?

Get off my lawn.

1
0
Silver badge

Re: Fail!

These days people don't know BDSM from voyeurism?

All they know is it's a kink.

1
0
Silver badge

Re: Fail!

Yeah, but Theresa May's a massive voyeur. Leather trousers aside I've seen no clues she's into anything else.

0
0

Re: Fail!

"In defence, as someone who uses said app and has bought a watch specifically for the task of GPS tracking running & cycling (and swimming, but, it transpires GPS doesn't penetrate water that well; a mere second's thought beforehand would've made the counter assumption obvious I guess)."

Put the watch under your swim cap and it should work while swimming.

0
0
Bronze badge

> Plus, as a nerd, who doesn't enjoy an abundance of stats?

Sure, but do you need to share those stats with world & dog? Apparently the app allows you to keep the data private.

10
1

Biting the hand that feeds IT © 1998–2018