Day 6

Fitness apps are now one more reason to revisit your smartphone's privacy settings

Strava's Global Heat Map may have revealed sensitive information about soldiers' locations. Here's what the host of apps on your smartphone reveals about you.
The Global Heat Map, published by the GPS tracking company Strava, uses satellite information to map the locations and movements of subscribers to the company's fitness service, by illuminating areas of activity, The Washington Post reported Sunday. (Strava)

Your fitness data probably says a lot more about you than just your favourite running routes.

Last November, running app Strava updated their global heatmap — a visualization of the most popular running routes around the world. The anonymous data comes from users who allow their running, cycling and swimming data to be shared.

But mapping the world's jogging paths has revealed some potentially sensitive information.

As some discovered and posted on Twitter last weekend, those maps show the potential locations of secret U.S. military bases.



"You can see trails left in very, very remote locations in mountain ranges in Somalia where there is no obvious path to how that person got there," Gavin Sheridan, CEO of VizLegal and former data journalist, tells Day 6 host Brent Bambury.

"You'd imagine that might be a situation where somebody was helicoptered into a certain situation and was extracted out."

Somalia is just one example. Sheridan and Australian student, Nathan Ruser, found possible bases in Djibouti, Niger and Syria.

"If soldiers use the app like normal people do, by turning ... on tracking when they go to do exercise, it could be especially dangerous," Ruser wrote in a tweet. "This particular track looks like it logs a regular jogging route. I shouldn't be able to establish any pattern of life info from this far away."

In this screenshot, Strava's heat map shows a detailed jogging route in the middle of nowhere. "I shouldn't be able to establish any pattern of life info from this far away," says Nathan Ruser. (Strava/Twitter)


Government responds

The United States Department of Defense says that it's now looking to strengthen rules surrounding device security.

"We always are thinking about how do we enhance and adapt our security procedures," Dana White, a Pentagon spokesperson, told reporters at a press conference earlier this week.

Strava also says that they're working with military and government officials to address the concerns and will "continue to increase awareness of our privacy and safety tools."

(Twitter/ Gavin Sheridan)

Despite these statements, Sheridan worries that the data could still be used for nefarious reasons, including to potentially identify people from the anonymized data.

Reverse engineering can provide a fairly comprehensive — and accurate — picture of which users are in an area.

As an example, if someone is looking for a specific group of people, they could create a "geo query" in a particular area, according to Sheridan.

"You can say: 'Hey I want to watch every geotagged post that comes from Twitter, Instagram, Facebook or whatever social platform,' and I'm going to let that run for weeks."

That query could then populate a list of users posting on those platforms in the area. From there, someone could easily make connections to family, friends, occupations and university affiliations.

"All of this data [is] being largely publicly available because the people have chosen to share that information," says Sheridan.


Catching Russia's lie

Four years ago, when it was believed that Russian forces were annexing Crimea, Sheridan used this type of search to determine whether soldiers were in the area. At the time, the Kremlin denied having a presence in the region.

It was easy for Sheridan to find posts by military personnel.

"Oftentimes, that might be a soldier in a country he probably shouldn't be in, and he's taking a selfie," says Sheridan. "He's taking a selfie with his friends who are also soldiers."

Here's the catch: all this data isn't just used for finding forces where they shouldn't be. Take the CN Tower in Toronto for example.

Many unknowingly geotag their photos when posted to social media and that location data can make it easy to discover more details about you. (Gregory Bull/Associated Press)

Thanks to all those selfies, "you'll see it more voluminous at certain times of the day because that's the ... peak hour of the day when people are visiting."

Take that data and look at the accounts attached to it and you learn a lot about strangers.

"I wonder where on their Instagram profile it says they're from, and then deduce how far they traveled to get their say," says Sheridan.


Death of privacy?

If there's an easy solution to the problem, it's to disable geolocation services on your smart devices. However, running apps require GPS tracking to make them work.

For their part, Strava allows you to opt-out of sharing the anonymized data used in the heatmap. But that's only one app.

"I think the problem with that is that it gets more difficult the more people that are involved, because there is always someone who will say, 'Yeah, okay, I understand the guidance,' but they don't necessarily follow it."

Those who don't follow that guidance, says Sheridan, put others at risk.

Fitbit devices are often used by runners and can provide data to fitness apps like Strava. (Dave Kotinsky/Getty Images) (Getty Images)


Even if you don't have a Facebook account, for example, your friends may have uploaded a photo of you. The same goes for Instagram and Twitter. It's those small traces of you that can allow the construct of a web of your social connections.

While privacy isn't dead, it's becoming harder to come by, says Sheridan.

"I think even if you're reduced to very low usage, it's often possible to deduce a pattern regardless."

To hear our full interview with Gavin Sheridan, download our podcast or click 'Listen' at the top of this article.