All your base are belong to us: Strava exercise app maps military sites, reveals where spies jog

In November, exercise-tracking app Strava published a “heatmap” of user activity which it cheerily boasted comprised a billion activities, three trillion lat-long points, 13 trillion rasterized pixels and 10 TB of input data. It took a while, but late last week someone wondered “how many Strava users are members of the …


  1. Mark 85 Silver badge
    Facepalm

    see icon..... pretty much sums it all up.

  2. Anonymous Coward
    Anonymous Coward

    Collect all the data, ignore users' privacy...

    ...and compromise your security.

    Dumbass.

    1. Oliver Mayes

      Re: Collect all the data, ignore users' privacy...

      There are all kinds of privacy settings the users could have employed. If they couldn't be bothered to switch any of them on you can't blame the service.

      1. Doctor Syntax Silver badge

        Re: Collect all the data, ignore users' privacy...

        " you can't blame the service."

        Yes you can. You can blame them for not making the privacy setting default to something sensible. This amounts to an offence under GDPR.

        I wonder how many fines it's going to take until US manufacturers learn to do things right.

        1. Adam 52 Silver badge

          Re: Collect all the data, ignore users' privacy...

          "This amounts to an offence under GDPR"

          I'm almost certain it won't.

          1. DavCrav Silver badge

            Re: Collect all the data, ignore users' privacy...

            ""This amounts to an offence under GDPR"

            I'm almost certain it won't."

            I'd be surprised if it isn't already an offence under the current regulations. They are a processor of sensitive data (where someone is) under DPA, and they cannot just publish all that information in such a way that it can be deanonymized. Obviously showing you coming out of your house is not very anonymous. They might also be in trouble over various national security legislation. Arguably this is material of benefit to terrorists, and its publication would then be an offence under UK law. (Find any route that goes into a military base, for example, and then wait along it.)

            1. Adam 52 Silver badge

              Re: Collect all the data, ignore users' privacy...

              "They are a processor of sensitive data (where someone is) "

              You can look up sensitive data on the ICO website:

              https://ico.org.uk/for-organisations/guide-to-data-protection/key-definitions/

              It doesn't include location.

              Excluding home addresses *is* part of the Strava sign up process. And Strava's privacy policy explicitly acknowledges that people may be identified from aggregate data:

              "If you make information or content publicly available on the Services, such information, even when aggregated, is capable of being publicly viewed and possibly associated with you"

              There are plenty of bad boys in the industry, but Strava isn't one of them.

              They have consent under current DPA for everything they do. They have consent under GDPR, although I don't think they need it (because storing location and deriving profiles from it is the whole reason for the service existing).

              Need to go now, time for my daily catch-up with the GDPR lawyers.

              1. SkippyBing Silver badge

                Re: Collect all the data, ignore users' privacy...

                'Excluding home addresses *is* part of the Strava sign up process.'

                Very much this, what surprises me is how many people miss it. I compared my friend's house in LA with mine, he is obviously the only person living on his street to use the app despite a reasonable number of people using it as part of their running route. My house in a small town in the UK has apparently never been lived in by someone who has Strava even though I ran about 5 times the distance he did last year.

                What I did like was looking in Portsmouth harbour and seeing a faint outline of an aircraft carrier.

              2. caffeine addict Silver badge

                Re: Collect all the data, ignore users' privacy...

                Does it have to comply with UK DPA / ICO requirements if it's a US company shipping the data straight to the US untouched? Seems unlikely. That kind of "our law applies everywhere" mentality is normally restricted to US gov.

                1. DavCrav Silver badge

                  Re: Collect all the data, ignore users' privacy...

                  "Does it have to comply with UK DPA / ICO requirements if it's a US company shipping the data straight to the US untouched? Seems unlikely. That kind of "our law applies everywhere" mentality is normally restricted to US gov."

                  It depends. Did the data originate in Nigeria? No. Did it originate in the UK? Yes. Processing UK citizens' data means you fall under the purview of the ICO, and UK law.

                  1. caffeine addict Silver badge

                    Re: Collect all the data, ignore users' privacy...

                    "It depends. Did the data originate in Nigeria? No. Did it originate in the UK? Yes. Processing UK citizens' data means you fall under the purview of the ICO, and UK law."

                    This is very much not my field, but that's not my understanding, or the reading I get from (random fairly reliable website) ThomsonReuters https://uk.practicallaw.thomsonreuters.com/1-502-1544

                    The Data Protection Act (DPA) applies to data controllers that are either:

                    * Established in the UK and process the data in the context of that establishment.

                    * Not established in the UK or an EU member state, but use equipment in the UK for processing data (excluding where that data is only in transit).

                    1. DavCrav Silver badge

                      Re: Collect all the data, ignore users' privacy...

                      "Not established in the UK or an EU member state, but use equipment in the UK for processing data (excluding where that data is only in transit)."

                      Well there you go. Transit means passing through, not starting from. I'm not 'in transit' at Heathrow if I get off the bus there, it's if I'm on a connecting flight. The data originated in the UK, so it's covered. And of course the equipment is the smart watch/whatever.

      2. DavCrav Silver badge

        Re: Collect all the data, ignore users' privacy...

        "There are all kinds of privacy settings the users could have employed. If they couldn't be bothered to switch any of them on you can't blame the service."

        You mean: there is an option in the settings for us not to come around and shoot you in the face. If you couldn't be bothered to switch it on you cannot blame us.

    2. Anonymous Coward
      Anonymous Coward

      "consider consequences on multiple levels prior to publishing private data"

      Or maybe consider consequences on multiple levels prior to collecting private data?

      Hope that once governments are bitten themselves hard by the data gathering frenzy, they'll reconsider the rules about data gathering... I wait for the first politician being shown "exercising" at his mistress's house...

      And, no, opt-out is not enough - people should at least have to opt-in to any data collection.

      1. Adam 52 Silver badge

        Re: "consider consequences on multiple levels prior to publishing private data"

        "And, no, opt-out is not enough - people should at least have to opt-in to any data collection"

        Strava is a data-collection site. That's what it does. You opt-in by uploading your stuff to it, it doesn't magically track you without consent.

        When I signed up the privacy zone was in the initial setup wizard, so it's a little deceptive for the article to call it off by default. It has to be off as far as it is, because Strava doesn't know where to put it unless you tell it.

        Heatmap is just another example of it being really hard to anonymise through aggregation.
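The two points made in this thread, that a privacy zone can only exist once the user has declared a home location, and that aggregation alone does not anonymise a route only one person runs, can be illustrated with a small rasteriser. The following is an added example written for this page; it is not Strava's code and says nothing about how Strava actually builds its heatmap. The tile size, the 200 m zone radius, the k-user threshold and all coordinates are constructed for the illustration.

```python
"""Toy heatmap rasteriser showing two mitigations for activity-map leaks.

Added example (not Strava's code). It builds a tile-count heatmap from a
handful of constructed GPS tracks and applies:
  1. a per-user privacy zone: points within `radius_m` of the user's
     declared home are dropped before rasterisation (only possible when
     the user has actually declared a home);
  2. a k-user threshold: a tile is rendered only if at least `k` distinct
     users contributed to it, so a street used by one person never appears.
"""
from collections import defaultdict
import math

TILE_DEG = 0.001  # assumed tile size, roughly 100 m at mid-latitudes


def tile_of(lat, lon):
    """Map a lat/lon pair to an integer raster tile."""
    return (math.floor(lat / TILE_DEG), math.floor(lon / TILE_DEG))


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two WGS84 points."""
    r = 6371000.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def apply_privacy_zone(points, home, radius_m):
    """Drop points within radius_m of home. No declared home: nothing is dropped."""
    if home is None or radius_m <= 0:
        return list(points)
    return [(lat, lon) for lat, lon in points
            if haversine_m(lat, lon, home[0], home[1]) > radius_m]


def build_heatmap(tracks, homes, radius_m=0, k=1):
    """Return {tile: (point_hits, distinct_users)} for tiles with >= k users.

    tracks: {user: [(lat, lon), ...]}, homes: {user: (lat, lon)} for users
    who declared a home. radius_m=0 and k=1 reproduce a naive heatmap.
    """
    hits = defaultdict(int)
    users = defaultdict(set)
    for user, pts in tracks.items():
        for lat, lon in apply_privacy_zone(pts, homes.get(user), radius_m):
            t = tile_of(lat, lon)
            hits[t] += 1
            users[t].add(user)
    return {t: (hits[t], len(users[t])) for t in hits if len(users[t]) >= k}


# Constructed sample data: a main road run by four people, plus a side
# street that only "alice" runs, ending at her (declared) front door.
MAIN_ROAD = [(51.5005, round(0.0005 + i * 0.001, 4)) for i in range(10)]
ALICE_SIDE_STREET = [(51.5015, 0.0055), (51.5025, 0.0055), (51.5035, 0.0055)]
TRACKS = {
    "alice": MAIN_ROAD + ALICE_SIDE_STREET,
    "bob": list(MAIN_ROAD),
    "carol": list(MAIN_ROAD),
    "dave": list(MAIN_ROAD),
}
HOMES = {"alice": (51.5035, 0.0055)}  # only alice set a privacy zone centre
ALICE_HOME_TILE = tile_of(*HOMES["alice"])


def summarise(label, heatmap):
    side = [t for t in heatmap if t[0] != 51500]  # anything off the main road
    print(f"{label}: {len(heatmap)} tiles rendered, "
          f"home tile shown={ALICE_HOME_TILE in heatmap}, side-street tiles={sorted(side)}")


if __name__ == "__main__":
    summarise("naive", build_heatmap(TRACKS, HOMES))
    summarise("privacy zone 200 m", build_heatmap(TRACKS, HOMES, radius_m=200))
    summarise("zone + k=2", build_heatmap(TRACKS, HOMES, radius_m=200, k=2))
```

Run as a script, the naive map renders alice's home tile with a single hit from a single user, which is exactly the "line to a front door" discussed above. The 200 m zone removes the tiles nearest her home but leaves a stub at the end of the side street pointing at it, because the zone only hides what is inside the circle; the k-user threshold is what removes the whole street, since nobody else contributes to those tiles.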

      2. rmason Silver badge

        Re: "consider consequences on multiple levels prior to publishing private data"

        @AC

        absolute nonsense.

        They purchased a device and service that is *SPECIFICALLY FOR* data gathering and sharing

        Yes, if they purchased something random that was gathering this data, fine. That's not the case though. You seriously aren't suggesting they should have to opt in to make the device function as advertised?

        Sorry, but this sort of attitude contributes to the issue. The onus is on the users to understand what they have purchased and use it correctly. The company are doing *exactly* what they say they'll do.

        1. Anonymous Coward
          Anonymous Coward

          "service that is *SPECIFICALLY FOR* data gathering and sharing"

          As I see it promoted, it's for activity tracking and friend sharing, not for sharing with world + dogs.

          It's still worrying that people are OK to share those data just to show theirs is longer... but we're in an era when you're a child until well into the forties.... I stopped that kind of behavior when I was eight or nine.

    3. Anonymous Coward
      Anonymous Coward

      Re: Collect all the data, ignore users' privacy...

      It's not PII though. The fuzzy line shows where some of the millions of users have been. The only reason you know a line to a front door is your friend is because YOU have Personally identifiable info on your friend, like where they live and the fact that they use Strava. Without that information it may just as easily be the postman or a stalker, and the heatmap gives you no more useful information than that. "privacy experts" are driving me insane at the moment, GDPR is like cat nip for dipshits.

      1. SkippyBing Silver badge

        Re: Collect all the data, ignore users' privacy...

        'Without that information it may just as easily be the postman or a stalker'

        No, you can see the stalker's line in the bushes round the back.

      2. DavCrav Silver badge

        Re: Collect all the data, ignore users' privacy...

        "It's not PII though. The fuzzy line shows where some of the millions of users have been. The only reason you know a line to a front door is your friend is because YOU have Personally identifiable info on your friend, like where they live and the fact that they use Strava."

        I thought there were statements like 'it's not anonymous if it can be de-anonymized with extra information'.

  3. Mayday Silver badge
    Holmes

    I've never understood

    Why people use and publish results from apps such as this.

    Every day I see on social media people posting their running/cycling etc details online. I can literally deduce their home address and what time they enter/leave from here. Even from people I don't know too well.

    I'm not a nasty guy, but plenty of people are and they can use this info for not so nice purposes. Seems like common sense isn't too common.

    1. A Non e-mouse Silver badge

      Re: I've never understood

      The problem with Strava is by default it shares it with the world. If you're just sharing the data with your friends*, they probably already know where you live.

      * This assumes that you only friend people who really are your friends, and not just any random Tom, Dick or Harry who ask to be your friend...

    2. DougS Silver badge

      Re: I've never understood

      I've seen this with some female Facebook friends, and pointed out to them that it makes it easy to figure out where they live. Some care, and correct it, others say "it isn't that hard to find out where someone lives" and don't worry about it.

      I suppose that's basically the same argument that you get against "security through obscurity".

      1. Pascal Monett Silver badge

        @ DougS

        You might remind your female friends of a basic difference: IRL, someone has to meet you, or at least be told about you, before they think of looking you up. I doubt that stalkers choose their victims by perusing the phone book. If they don't know your name, they can hardly look up your address and they'd have to follow you home before they can correlate an address to a name.

        Publishing personal info and travel data on a social site removes that sleuthing requirement. The stalker can just peruse the activities, select a woman he likes and dive into her life. Finding the address is trivial at that point.

        Security through obscurity works very well in real life. Do you know where US carrier fleets are at this time? Hint: don't try finding out - that will land you in very hot water.

        1. MonkeyCee Silver badge

          Re: @ DougS

          "Do you know where US carrier fleets are at this time?"

          No.

          But 30 seconds on google gives me: (from stratfor)

          "Carrier Strike Groups

          The USS Carl Vinson CSG is underway in the Pacific Ocean for a western Pacific deployment.

          The USS Theodore Roosevelt CSG is underway in a deployment in the U.S. 5th Fleet area of responsibility supporting maritime security operations and conducting theater security cooperation efforts.

          The USS John C. Stennis is underway in the Pacific Ocean for routine training.

          The USS Gerald R. Ford is underway in the Atlantic Ocean conducting test and evaluation operations.

          Amphibious Ready Groups/Marine Expeditionary Units

          The USS America ARG is underway in the Pacific Ocean returning to its homeport.

          The USS Essex is underway in the Pacific Ocean for routine operations.

          The USS Bonhomme Richard is underway in the U.S. 7th Fleet area of responsibility conducting routine training."

          I await my hot water....

        2. Jack of Shadows Silver badge

          Re: @ DougS

          If you want to know where carrier battlegroups are going to be, even if it's changing from day to day, in the future just ask the prostitutes. They always know. Hell, I've asked them before. Spent 7 years straight serving on the same tincan (destroyer) and that's one tip most sailors know.

    3. rmason Silver badge

      Re: I've never understood

      @Mayday

      To show off; they think it makes them better than those who don't do (insert activity here).

      You know, same deal as the couples who you know are always at each other's throats, but social media is just lovey dovey "look at us" stuff.

      Same deal, it's to appear good on the internet.

    4. Terry 6 Silver badge

      Re: I've never understood

      No different to the people who broadcast on FaceBook that they're by the pool in Benidorm - might as well add "keys are under the mat".

      1. Uncle Slacky Silver badge
        Thumb Up

        Re: I've never understood

        There's a site which scrapes that kind of info to demonstrate just how dangerous it can be:

        http://pleaserobme.com/

    5. Platypus

      Re: I've never understood

      There are basically two reasons. One is that competition is a strong motivator. For a lot of people, including me, leaderboards can motivate people to go out more, or to push faster/further than they might have otherwise. Another is helping to cheer each other on. I have three friends on MapMyRun, I know that the encouragement I get from them is helpful when I'm not doing so well and I certainly hope it works the other way too.

      That said, there are good and bad ways to share this data. For example, on MMR those three friends are the only ones who get to see exactly where I've gone, or whether I've gone at all on runs that don't earn me a place on a leaderboard. All anyone else sees is first name, last initial, time on that segment, and date. I *could* open up full sharing, but it's not a default. No heatmaps or anything like that, though I've kind of wished for that as a way to help people find routes worth trying. Overall, I'm pretty comfortable with MMR's approach. If I used Strava, I think I'd be a bit less comfortable.

    6. PvtVoytek

      Re: I've never understood

      I'm going to take a wild stab that you're usually out of your house between 11am & 3pm and even if I don't know where YOU live I know people live in houses and they're usually going to be out of them between 11am & 3pm. So, your point is?

  4. Gene Cash Silver badge
    Pint

    So where's the heatmap around El Reg? Oh wait, IT hacks don't exercise, except for their bicep in the 1-pint curls!

    1. Sampler

      I actually follow one particular el'reg journo on Strava and can tell you they exercise rather a lot, putting some of us to shame.

      1. Destroy All Monsters Silver badge

        Probably Dabbsy. He has to get rid of the anger.

        1. Sampler

          Good guess but no = )

  5. Notas Badoff

    Revealing state secrets

    Well now, that's going to restrict their movements, what with some countries jailing people for mentioning even commonly-known facts, as "revealing state secrets". Hotel California, anyone?

  6. Jonathan Schwatrz
    Facepalm

    Fail!

    If you need an app to tell you when you're "exercising properly" then you're probably not.

    1. Sampler

      Re: Fail!

      In defence, as someone who uses said app and has bought a watch specifically for the task of GPS tracking running & cycling (and swimming, but, it transpires GPS doesn't penetrate water that well, a mere second's thought beforehand would've made the counter assumption obvious I guess).

      It's not so much for it to tell you when to exercise, but to monitor progress, am I getting faster, slower, about the same? Where are those gains being made?

      I also suffer from a terrible memory ("the worst case of sleep apnoea in someone of your age and build" means I literally spend half my time sleeping not breathing, so I never hit L3 sleep) so it's useful for tracking when I've been, how much I've done this month and should I do more. I admit my reasoning here is fairly individual.

      Plus, as a nerd, who doesn't enjoy an abundance of stats?

      1. big_D Silver badge

        Re: Fail!

        That is fine, if you are keeping the data for yourself. But the apps all seem to insist on uploading all the data to their cloud.

        I have a Fitbit, but I never activate the GPS when I go out exercising. I track how far I've been, but not where... And to be honest, now that I walk about 6 km to work and back every day, I'm rethinking the need for having the Fitbit at all.

        1. Anonymous Coward
          Anonymous Coward

          "but I never activate the GPS "

          GPS itself is no harm - it only receives, doesn't transmit. It's what the device does with the data that's the problem. I do use GPS devices to track where I've been and the places and times where I took photos, so I can return to them if there's a good reason to.

          I just download them to my computer, and the data never leave it (of course, the photos with geoloc data are never uploaded to any site or cloud service...)

          The day those devices start to attempt to upload them to whatever cloudy destination, I'll stop using them.

          I don't really want someone to be able to track where I am while carrying several thousands $$$ of equipment...

          It's just that too many apps use the "mine is longer than yours" human weakness to lure people into sharing what they shouldn't.

      2. Teiwaz Silver badge

        Re: Fail!

        Plus, as a nerd, who doesn't enjoy an abundance of stats?

        I'm going to crush your nerd pride here.

        The Gov'ment likes stats too. By 'like', we're well into serious BDSM style stalker levels of 'like'. What for, I'm not sure, they think it helps make the right decisions, but often the opposite seems true.

        1. Adam 52 Silver badge

          Re: Fail!

          "By 'like', We're well into serious BDSM style stalker levels of 'like'."

          What? Care to describe how stalking is a BDSM activity?

          1. DougS Silver badge
            Coat

            Re: Fail!

            Care to describe how stalking is a BDSM activity?

            I suppose it depends on what you're wearing while doing said stalking.

            1. Mycho Silver badge

              Re: Fail!

              These days people don't know bdsm from voyeurism?

              Get off my lawn.

              1. kain preacher Silver badge

                Re: Fail!

                These days people don't know bdsm from voyeurism?

                All they know is it's a kink.

                1. Mycho Silver badge

                  Re: Fail!

                  Yeah, but Theresa May's a massive voyeur. Leather trousers aside I've seen no clues she's into anything else.

          2. DavCrav Silver badge

            Re: Fail!

            "What? Care to describe how stalking is a BDSM activity?"

            I read it more as like normal stalking, but with a collar.

            1. Anonymous Coward
              Anonymous Coward

              Re: Fail!

              If the stalker has a shock collar, and the victim the controller, it could work...

              http://dilbert.com/strip/2018-01-20

              Especially if it also has a "privacy range" of 1km where it activates automatically.

      3. dave 76

        Re: Fail!

        "In defence, as someone who uses said app and has bought a watch specifically for the task of GPS tracking running & cycling (and swimming, but, it transpires GPS doesn't penetrate water that well, a mere second's thought beforehand would've made the counter assumption obvious I guess)."

        Put the watch under your swim cap and it should work while swimming.

  7. ThatOne Silver badge

    > Plus, as a nerd, who doesn't enjoy an abundance of stats?

    Sure, but do you need to share those stats with world & dog? Apparently the app allows you to keep the data private.


Biting the hand that feeds IT © 1998–2019