Computer Scientists Claim Strava Has a “Privacy Loophole.” Here’s What You Need to Know.


A new paper from a trio of computer scientists at North Carolina State University claims that users of Strava are susceptible to anyone finding their personal information, despite the app’s efforts to allow users to anonymize things such as their home addresses.

A recent summary of the report points out that, while users’ start and end points (which are often their homes) can be hidden from the routes they post, the app’s heatmap function can be used to find what the report calls a “privacy loophole.”

Strava’s heatmaps are a great tool to find new routes, especially when riding in a new city. And given that heatmaps use aggregate data to highlight the most traveled routes in a selected area, they don’t necessarily make it possible to pinpoint a specific person. That is, you can’t see exactly who is riding along a heatmap’s routes, just that those routes are being ridden.

But in more sparsely populated areas or along less-traveled routes, it can be easy to pinpoint a specific person, according to the report.

“In a densely populated area, with lots of routes and lots of users, there is so much data that it would be extremely difficult to track any specific person,” senior author of the paper and assistant professor of computer science Anupam Das says. “However, in areas where there are few users and/or few routes, it becomes a simple process of elimination—particularly if the person someone is looking for is a highly active Strava user.”

The privacy loophole affects anyone using Strava

The loophole extends to anyone using Strava, including users who don’t post their rides publicly, as that data is still aggregated into the heatmap function.

“Even users who have marked their accounts as private show up when anyone searches for a list of all the users in a given municipality, so marking an account private doesn’t necessarily provide additional protection against this tracking technique,” the report says.

According to the report, anyone can examine the aggregate data on a heatmap and see where each route begins and ends. From there, it’s a process of cross-checking other data, as the researchers did when they checked voter registration records to confirm users’ identities, in order to find a user’s exact location.

However, according to Strava, heatmaps need to reach a certain user threshold to even be included on the site.

“We did reach out to Strava about this, and the company has said that it does not share heatmap data unless several users are active in a given area,” co-author of the paper Kevin Childs said.

Anyone concerned about their data being public can take a further step to protect themselves, however. Simply go into your Strava settings, click on Privacy Controls and opt out of contributing data to the “aggregate data usage” feature. In doing so, you remove your current routes and prevent future ones from being used in your area’s heatmap.
