A couple of days ago, I posted an article about some possibly non-public military locations being discovered after fitness tracker company Strava put up a heat map of its users' activity. In the 48 hours or so that have passed since then, there have been the expected stories about the DOD doing an investigation and looking at modifying its policies related to fitness trackers. There has also been the normal coverage of members of Congress talking about how this shouldn’t have happened. Where I was a little surprised was to see an article in the Washington Post today titled “Lawmakers demand answers about Strava ‘heat map’ revealing military sites”.
The story talks about a letter to Strava, co-signed by 9 Democratic members of Congress, asking for information. The letter makes a number of statements and asks questions that I think look to shift the blame for all of this onto Strava, instead of the military and the individuals who were wearing fitness trackers and publicly broadcasting their location information. I will go through a number of points and include my own response.
I See You
“In recent days, news reports have called attention to the various ways this information could jeopardize individuals’ personal safety and U.S. national security…Although the location information was aggregated and anonymized, analysts warned that the data Strava posted can easily be cross-referenced with other publicly available information to identify individual users.”
The threat to national security I absolutely get and don’t disagree with. There is little argument that the map does show people in locations and from all appearances, some of those locations probably didn’t want to be brought into the public light. That being said, to say that it would be possible to de-aggregate the data and identify specific individuals I would say is just completely false. In Strava’s blog post announcing the release of the map they give a fair bit of information about how the information was gathered, consolidated, and then presented.
According to Strava, the map consists of over 3 trillion (yes with a T) data points. Once those were imported, data points that occurred within a user's self-defined “privacy zone” were removed. These are zones that the users themselves are able to define that keep information about locations immediately surrounding their house or work from being displayed on their public individual maps, as well as in this heat map.
They also filtered out points that were collected when a user was stopped (like at home or work). “A new algorithm does a much better job of classifying stopped points. If the magnitude of the time averaged velocity of an activity stream gets too low at any point, subsequent points from that activity are filtered until the activity breaches a specific radius in distance from the initial stopped point.”
Further, Strava reports that what you are seeing are not individual data points, or even individual paths, but normalized counts of points. What does that mean? Because this is a heat map, the data you are actually looking at is a color representation of the amount of activity at a particular spot on the map. A spot with 50 activities recorded is represented lighter compared to a spot that has 100 activities recorded. That means you have no way to determine if an individual track moved north or south or any other direction, because there is no individual track to view, making it, as best as I can tell, a very tall order (if not impossible) to separate specific activities or users.
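The three steps described above (privacy-zone removal, stopped-point filtering, normalized per-cell counts), sketched as an added example that is not Strava's code and not part of the original post. The speed threshold, averaging window, release radius, cell size and the sample track are all assumed values constructed for illustration.

```python
import math
from collections import Counter

def haversine_m(a, b):
    """Great-circle distance in metres between two (lat, lon) pairs."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371000 * math.asin(math.sqrt(h))

def drop_privacy_zones(track, zones):
    """Remove (t, lat, lon) points inside any user-defined (centre, radius_m) zone."""
    return [p for p in track if all(haversine_m(p[1:], c) > r for c, r in zones)]

def drop_stopped(track, min_speed=0.5, window=3, release_m=50.0):
    """Once the windowed average speed falls below min_speed (m/s), filter points
    until the track is more than release_m from the initial stopped point."""
    kept, anchor = [], None
    for i, (t, lat, lon) in enumerate(track):
        if anchor is not None:
            if haversine_m((lat, lon), anchor) <= release_m:
                continue                      # still inside the radius: filtered
            anchor = None                     # radius breached: keep points again
        j = max(0, i - window)
        dt = t - track[j][0]
        if dt > 0 and haversine_m((lat, lon), track[j][1:]) / dt < min_speed:
            anchor = (lat, lon)               # initial stopped point
            continue
        kept.append((t, lat, lon))
    return kept

def heat_map(tracks, cell_deg=0.001):
    """Per-cell point counts scaled by the busiest cell; track identity is dropped."""
    cells = Counter((round(lat / cell_deg), round(lon / cell_deg))
                    for track in tracks for _, lat, lon in track)
    peak = max(cells.values(), default=1)
    return {cell: n / peak for cell, n in cells.items()}

# Constructed sample: one point every 10 s, moving north, a 50 s stop, moving again.
STEP = 0.0003                                  # about 33 m of latitude per point
lats = [10.0 + STEP * i for i in range(5)] + [10.0 + STEP * 4] * 5 \
       + [10.0 + STEP * (4 + i) for i in range(1, 6)]
TRACK = [(10 * i, lat, 20.0) for i, lat in enumerate(lats)]
ZONES = [((10.0, 20.0), 40.0)]                 # assumed 40 m zone around the start

def clean(track, zones): return drop_stopped(drop_privacy_zones(track, zones))

if __name__ == "__main__":
    cleaned = clean(TRACK, ZONES)
    print(len(TRACK), "->", len(cleaned)); print(heat_map([cleaned, cleaned]))
```

Because the averaging window lags, the first two stationary points survive the stopped filter, and the first point after the stop is still dropped for being inside the release radius.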
I Want the Truth
The letter then goes on to ask six questions.
1. How did Strava decide to publish the heat map online? Was the company aware that the information in the heat map could be de-anonymized to identify individual users? Did the company take any efforts to mitigate safety risks to its users before publishing the map? Before the heat map was published in November 2017, were users given any notice that their information would be included?
While I missed the board meeting where they talked about making this map (sorry, had a doctor's appointment), as I talk about above, it appears to me that Strava actually took a fair bit of care to ensure the privacy and anonymity of its users. I have no idea what experts these Congressmen/women have been talking to but I think you would have to work pretty damn hard to identify an individual here, nor have I seen that mentioned in any news coverage I’ve seen. In reference to the question about users being given notice, we’ll talk about that here in a minute.
2. According to press reports, only users who opted out did not have their information shared in the heat map. What are the default privacy settings for Strava accounts? Was it a default setting to share location information to the global heat map?
I just happened to have signed up for a Strava account a few weeks ago. While it happened after the November creation date of the map (sorry, will have to find another way to track me), it also happened before this story broke, so I am going to have to make the assumption that Strava didn’t make any changes to their privacy settings in the approximate month or so between the two events. Also because I am lazy and actually signed up for the thing on my stationary bike, I haven’t changed any of the settings so everything is at default.
If I go to my settings page, under a tab called “Privacy” I see a number of settings. By looking at the pictures, we see a couple of things. First, that by default “Enhanced Privacy Mode” (whatever that means) is off and that everyone can see my activity on Strava Labs Flyby. I also see a place where I am able to enter an address and choose a distance that defines my privacy zone, which hides any data within that zone. I also see that by default the setting called “Make my activities private by default” is turned off, meaning all of my activity is public by default. If I scroll down (the 2nd image) there is also a section specifically called Strava Metro & Heatmap where I am able to “Include my anonymized public activity data in Strava Metro and Heatmap”, which defaults to include.
So what does this mean? 1. I should probably update my privacy settings a little bit to at least define a privacy zone but also 2. that users specifically had the option to opt out of both making their data public by default and also allowing their data to be included in this data set by default.
3. Consumers have previously expressed confusion about the multiple settings used by Strava to control how user information is shared. What are the privacy options currently available to Strava users?
I think we just managed to answer that. While I think I am a fairly intelligent person (although my wife has called me a dumb ass more than a few times), I understood those settings pretty easily and think I know what they all mean.
There are three additional questions that I won’t get into because they fall outside of the scope of what I could even guess (really need to not skip that board meeting next time). I absolutely get the reason for concern with classified or other non-public locations being revealed because of this map, but to say that we are putting individuals (not related to those locations) at risk is just not true. At the end of the day, Strava is not responsible for any of this; it comes down to the military not having an appropriate policy in place and the people wearing the stupid fitness trackers not using common sense. I love to ride my bike, and use an app (not Strava) to map my routes. I know that it is tracking where I go. I know that it uploads that data. I know that it will display that data publicly if I don’t tell it not to. I know all of this because I can open up the site, look at clearly labeled privacy settings, and make a conscious choice of what I am willing to accept.