Strava: how the running app can unintentionally reveal your address


Camille Coirault

June 19, 2023 at 10:00 a.m.


Strava has been the go-to app for athletes since 2009. The app is packed with great features for athletes, but a risk to user data privacy was recently discovered: your home address may leak.

Strava is arguably the most well-known sports tracking app in the world. With 100 million users all over the planet in 2022, it is full of features: GPS tracking of your exploits, performance indicators, heart rate, and the ability to follow your favorite athletes, as on Twitter. In 2018, a new feature called the heat map appeared, which anonymously compiles the activities of all users: cyclists, hikers and runners. The idea was to allow athletes to find places to meet around similar activities and practice them in safer environments. But recently, a team of researchers from North Carolina State University in Raleigh discovered that this heat map could leak compromising personal information.

Identifying personal addresses by collecting heat map data

The mapping system used by Strava is OpenStreetMap, a collaborative mapping project that allows anyone to freely build a geographical database of the whole world. The application is entirely based on this very complete system, which was created in 2004 and has undergone many improvements since then. This is what allowed the researchers to collect the data that the heat map makes publicly accessible.

For a month, the team aggregated data from shared activities in Arkansas, North Carolina and Ohio. They then used image analysis to identify the start zones and stop zones that regularly recurred on the heat map. Because these zones were close to streets, they necessarily indicated that a precise address was linked to a source of tracked activity. Heat map screenshots that matched these criteria were selected. Then, an overlay of OpenStreetMap data at different zoom levels allowed the researchers to precisely identify individual addresses.

Correlating user data to bring personal addresses out of anonymity

Using users’ places of residence and activity data, the researchers matched them against the most frequented areas of activity in the heat map… which therefore included users’ personal addresses.

Strava’s public profiles are very comprehensive: full names and face photos, which makes it even easier to match someone to where they live. The findings of the research team are rather worrying. Their predictions achieved an average accuracy of 37.5%!

To overcome this confidentiality problem, which all French people face, the researchers recommend creating anonymity zones around places of residence to protect the privacy of athletes more effectively. The heat map is enabled by default, but can be disabled manually. It is also possible to make your user data private, which allows users not to share their name or their fields of activity. A more passive method of protection would be to live in a densely populated area, which makes tracking users via the heat map nearly impossible.
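The anonymity zone recommended above can be applied to a GPS track before it is shared. This is an added example, not code from Strava or from the researchers; the function names, the 200 m radius and the coordinates are assumptions constructed for illustration.

```python
import math

EARTH_RADIUS_M = 6_371_000


def haversine_m(a, b):
    """Great-circle distance in metres between two (lat, lon) points in degrees."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(h))


def split_outside_zone(track, home, radius_m=200.0):
    """Return the parts of a track that lie outside the anonymity zone.

    The track is split, not just filtered: if in-zone points were simply
    dropped, a renderer would join the remaining points with a line that
    crosses the zone and still points at the hidden address.
    """
    segments, current = [], []
    for point in track:
        if haversine_m(point, home) > radius_m:
            current.append(point)
        elif current:  # track just entered the zone: close the open segment
            segments.append(current)
            current = []
    if current:
        segments.append(current)
    return segments


# Constructed sample data (assumed coordinates; one step is about 111 m).
HOME = (35.7800, -78.6400)


def step(i):
    return (HOME[0] + 0.001 * i, HOME[1])


OUT_AND_BACK = [step(i) for i in (0, 1, 2, 3, 4, 5, 4, 3, 2, 1, 0)]
PASSES_HOME = [step(i) for i in (3, 2, 1, 0, 1, 2, 3)]
AROUND_THE_BLOCK = [step(i) for i in (0, 1, 0)]  # never leaves the zone

if __name__ == "__main__":
    for name, track in [("out and back", OUT_AND_BACK),
                        ("passes home", PASSES_HOME),
                        ("around the block", AROUND_THE_BLOCK)]:
        parts = split_outside_zone(track, HOME)
        print(name, [len(p) for p in parts] or "nothing to share")
```

An activity that never leaves the zone yields no segments at all, so nothing of it should be published.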


On June 14, Strava responded to requests from the site BleepingComputer in a press release. The company assures that user privacy is paramount and that it never shares data without explicit permission. It also explains that the heat map can be deactivated at will by those who intend to keep their personal information private.

Even if the firm wants to be reassuring about the confidentiality of the data, the work of the research team is clearly to be taken seriously. Although users can make the collection of their data impossible by various means, it goes without saying that this heat map is not completely safe to use at the moment.

Sources: BleepingComputer, Strava
