New strife for Strava: Location privacy feature can be made transparent

Analysis by mobile device management outfit Wandera has suggested that newly notorious exercise-tracking app Strava's “location privacy” feature isn't very good at hiding users' homes. Wandera's analysis comes after Strava released a "heat map" that was found to offer clues to the location of military bases. Such data was only …

  1. as2003

    It's not the first time it's been said

    Realistically, the only thing randomising the privacy bubble's width will prevent is security researchers writing blog posts.

    Bike thieves tend to be more into bolt cutters and opportunity than statistical analysis, APIs and geometry.

    If you value your privacy, just set the entire ride to private, or just don't publish your GPS recordings at all.

    1. Gotno iShit Wantno iShit

      Re: It's not the first time it's been said

      Did it need to be said? It was patently obvious, to this Strava user and I'm sure to many others, that centring your privacy circle on your own home would be fantastically dumb.

      1. Adam 52 Silver badge

        Re: It's not the first time it's been said

        Fantastically obvious to my girlfriend too. And me. Can't honestly remember if it was obvious because it's mentioned on the site when you set one up.

        1. Anonymous Coward

          Re: It's not the first time it's been said

          A system that is designed to be gamed by default, really looks like a bad design. Also, what right do you have to set your "home" position using someone else's? You could put other people in danger.

          Looks to me a very idiotic system from the ground up.

          1. Adam 52 Silver badge

            Re: It's not the first time it's been said

            Go on then, as a non-idiot, describe something better.

            1. Anonymous Coward

              "describe something better."

              Very easy. Stop slurping data and publishing it online. Only idiots need to brag around, and cunning people monetize it. If you need to publish paths where it's fun to train, there are better ways that don't rely on publishing user data points. It was done before the data slurping, and it still can be done. People should just turn the brain on before turning on the smartphone.

      2. The Jon

        Re: It's not the first time it's been said

        Like rather than setting "Home" on your vehicle SatNav (GPS) to your actual front door, setting it to an address 2 streets away.

    2. John Robson Silver badge

      Re: It's not the first time it's been said

      I have several 'circles' covering the area I want to 'hide'

      So they overlap and between them provide coverage to the extent that you know which area of town I live in, but no more. Of course you also know when I go past, so it would be pretty easy to track me down...

    3. Anonymous Coward

      Re: It's not the first time it's been said

      Was looking for this, thank you. Another completely made-up risk in the mind of a security researcher. Like it's been said, I don't think malicious data miners prowl this stuff just to go and steal an expensive bike, which... surprise, surprise, also needs you to physically get to your target. The confluence of all these is highly unlikely but hey... 'security research'!

  2. Voland's right hand Silver badge

    “Assuming Strava’s user base is made up of serious cyclists who invest heavily in the best equipment, the app can be used by criminals as an accurate map of where to find expensive bikes they might want to steal.”

    According to a cyclist-fanatic colleague it is already being used. It is not the only one - so are other "boast about my fitness" apps.

    1. Adam 52 Silver badge

      This is going to be the "I heard it from a friend who read it on an Internet forum" level of proof. Possibly based on the dubious syllogism issued by the Welsh police - "There are more bike thefts. More cyclists are using Strava therefore Strava causes bike thefts".

      It might be true, and possibly is in a few cases. Being seen wheeling an expensive bike into your shed is a much more likely explanation.

      1. Voland's right hand Silver badge

        This is going to be the "I heard it from a friend who read it on an Internet forum" level of proof.

        Not quite.

        I heard it from a person who does not use them for this exact purpose and personally knows two social-media-active dolts who have had their 5k+ roadies lifted out of the garage based on (most likely) tracking info +/- social media and too much boasting on forums about their "phenomenal" results.

        The thieves did not touch anything else - car, house, etc. They knew what they were coming for. They came and got it.

        Now, why would you put a 5k roadie in a garage and not designate the garage as a secondary zone on an alarm... That is just in the "I am with stupid" category.

  3. Elmer Phud Silver badge

    "“Assuming Strava’s user base is made up of serious cyclists who invest heavily in the best equipment, the app can be used by criminals as an accurate map of where to find expensive bikes they might want to steal.”"

    Or maybe, just maybe, people using a FREE app to log routes and rides. People who are not too bothered about the latest and lightest?

    1. d3vy Silver badge

      "Or maybe, just maybe, people using a FREE app to log routes and rides. People who are not too bothered about the latest and lightest?"

      Well that just makes it all the easier to target them... If you can identify the people paying the £45 annual charge for premium they are likely to have the nicer bikes...

      Let's not forget that if you can see their route data you can see distance and speed; if you target people keeping a decent pace over regular 50km routes, they are not going to be riding cheap bikes.

  4. GruntyMcPugh Silver badge

    "the app can be used by criminals as an accurate map of where to find expensive bikes they might want to steal"

    I have used Strava to map my runs, so all thieves are going to find is my four dogs, and one pair of smelly trainers.

    1. Ben Tasker Silver badge
      Joke

      You won't be laughing so much when they decide to get revenge by stealing just one of the trainers, and tidying up behind themselves so that you spend days trying to work out what the hell you've done with the missing one

      1. Korev Silver badge
        Coat

        That'd be sneakery

      2. Simple Si

        Don't forget to secure your phone/GPS tracker unit too in order to reduce the risk of the single shoed perpetrator beating your personal best times during his/her escape.

  5. Dan 55 Silver badge

    GDPR

    Will Strava even be able to publish people's routes inside the EU when the GDPR comes in?

    I'm rather hoping not.

    1. Adam 52 Silver badge

      Re: GDPR

      So much misunderstanding about GDPR. So much ignorance about Strava.

      1. Dan 55 Silver badge

        Re: GDPR

        The GDPR says the data must be rendered anonymous in such a way that the data subject is not or no longer identifiable if it is published by the data controller or processor. That is debatable.

        1. Adam 52 Silver badge

          Re: GDPR

          No it doesn't.

          1. Dan 55 Silver badge

            Re: GDPR

            Oh yes it does - recital 26.

            If the data subject can be discovered with additional data then they're not anonymous, and if they're not anonymous then the data controller has just fallen foul of the GDPR.

  6. Anonymous Coward

    tracking app has tracks visible

    I don't understand why this is a revelation. A tracking app has been recording tracks, collating them, then generating a heat map. Strava are quite transparent about this on the users' profile page. You can opt out from having your data used this way, and you can hide your activities from those who you have not permitted to follow you.

    If you don't review your privacy settings then, surprise, your activities are open to all Strava users to see - more fool you.

  7. Chazmon

    This feels a bit like the old urban legend (or possibly true) about thieves stealing cars, hitting home on the GPS and robbing the house.

    Although I am sceptical that this ever actually happened, home on my GPS puts you a few streets away as I don't need it for the last bit anyway.

    I am equally sceptical about this application as the alternatives are far simpler. Just watch to see which house your lycra clad target lugs their expensive bike into and rob that one.

    1. Mycho Silver badge

      That urban legend probably comes from the advice about not keeping your address in your wallet so that a mugger who steals your wallet and keys doesn't know what your keys open.

  8. SImon Hobson Silver badge

    Well there was a series on the gogglebox called The Real Hustle - where they were demonstrating some of the real life hustles being used to separate people from their assets. In one, the presenter hung around a small parking space (someone had a yard in an area where parking was in shortage, rented out the yard for people to park) wearing high vis, carrying a clipboard, and taking random measurements and pretending to write them down - i.e. he was hiding in plain sight.

    When the yard owner went for a break, he persuaded a punter that they'd now gone "valet parking" style - parked the punter's car, waited for him to leave, then left in the car.

    Ring mark on windscreen - yup, sat-nav in glovebox. So he's got the guy's car, car keys, house keys (one assumes) on the keyring, and the sat nav programmed to tell you where he lives - safe in the knowledge that it'll be several hours (asked how long he'd need parking for) before he returns and finds anything amiss.

    If real crims aren't doing that then I'd be very surprised.

    If someone goes to "Home" on my satnav then they'll find themselves outside the local Police Station ;-)

    1. Jim Mitchell

      My address is on the insurance and registration paperwork in the glovebox. And I don't even have a satnav.

      1. David Nash Silver badge

        Why would you keep your paperwork in such an insecure place as a car glovebox?

        1. Mycho Silver badge

          The logic of keeping things like that in your car changes depending on the country.

  9. Anonymous Coward

    Sorry but....

    Strava is no different from posting up pictures of your cat on Facebook.

    I use Strava every day, and it's fully private. Only I need to see my performance and routes. Only I need to work out my peaks and troughs and only I need to know exactly where I'm going and when I'm going there.

    People yet again though, have in part, latched on to Strava as a way to showboat and parade like a peacock to their friends. I know of many people who routinely record runs and cycles going into hours, leading far away from their home area.

    Combine it with some basic social engineering and interrogation of social profiles, I can find out where they live and know that every Sunday they bugger off for three hours on a bike.

    Strava should really introduce an option to 'hide map' so you could still share your run data minus any geo data about it. Simply pace, elevation, time, etc. That way running clubs, etc, could still do their own things without being restricted, and people's location privacy is protected.

    1. John Robson Silver badge

      Re: Sorry but....

      That would be a sensible option.

      Particularly for disparate groups - the mapping is of no interest to people who live more than 100 miles from me, but the basic data is.

  10. Michael B.

    So offset your bubble then

    If you are concerned about people calculating your location place your home location offset from your actual location and add a few other offset bubbles so that your home is not at the centre of the privacy zone.

  11. Nimby
    Stop

    Randomization only fuzzes the data insignificantly.

    Call me crazy (plenty do) but randomizing the size of the privacy circle is not much of a solution either. It just means more data points will be needed to improve the accuracy. A single randomized offset of position might help, but is also dangerous to your neighbors as it just means that criminals will break into a neighbor's house. Sorry Bob and Linda. Randomizing the offset of position every time the security zone is departed will at least help, in that it will create something of a fog of uncertainty. But even then, at the end of the day, a criminal knows approximately where to attack and a simple matter of casing the neighborhood and following the shiny shiny home in person will reveal the correct location. Hardly a difficult task, and one they are likely to already be doing anyway to know the safest time to approach. So any attempt to improve security is still worthless.

    The only safe solution is to STOP CARRYING A TRACKING DEVICE! Seems obvious, and yet...

Biting the hand that feeds IT © 1998–2019