Although popular social fitness app, Strava, takes steps to anonymous users' data, a new paper from researchers at NC State University claims that information such as home addresses might be vulnerable to leaks. The paper claims to raise "significant privacy concerns", particularly in relation to the Heatmap feature.
Strava claims that the heatmap features only use generic data, aggregated from a wider pool of information in order to make it impossible to get specifics about any particular user. The researchers, however, seem to have found a loophole.
It turns out it's possible to look up specific Strava users in a given area, provided they've shared "city-level information" on their profiles. Ill-intentioned users can also look at the generic data in the heatmap to work out where routes are likely to start and finish.
Anupam Das, senior author of the paper, states: “In a densely populated area, with lots of routes and lots of users, there is so much data that it would be extremely difficult to track any specific person. However, in areas where there are few users and/or few routes, it becomes a simple process of elimination – particularly if the person someone is looking for is a highly active Strava user."
As an additional concern, Das notes that users who have marked their accounts as private still show up when anyone searches for a list of all the users in a given area, meaning "marking an account private doesn’t necessarily provide additional protection against this tracking technique."
The Researchers reached out to Strava about this concern, and were told that Strava "does not share heatmap data unless several users are active in a given area".
That said, Kevin Childs, first author of the paper pointed out that they were still able to work out the home addresses of some users using the heatmap, which they then confirmed using voter registration data.
This revelation has caused huge concern among the Strava community, particularly in relation to people who might be trying to protect themselves from stalkers.
Luckily, users can prevent this risk by opting out of the "aggregated data usage" feature, which can be found in the Strava account settings. This will remove all of your data from the heatmap, and prevent any of them from being used in the future.
We reached out to Strava for comment but did not receive a response.
