Fitness app Strava breached US security – it’s time to consider the dangers of data

In Strava’s global heatmap, shared online this week, US soldiers can seemingly be seen jogging around secret military facilities in Syria and Afghanistan.

In Swedish, sträva means “strive”. To fitness enthusiasts, Strava means an app, through which you can monitor your progress and socialise with other athletes. To the rest of the world, Strava meant nothing – until the end of January 2018.

Strava is a start-up, a San Francisco-based fitness app that allows joggers and cyclists to track their routes using the GPS on their phones or fitness trackers (such as the wearable activity monitor Fitbit).

In November 2017, Strava posted online a global heatmap – a searchable database that reveals popular exercise routes. Someone, it shows, has been cycling in Antarctica. In North Korea, the map is lit up with tourists exercising around their hotels. But by far the most intriguing sights on Strava’s map are the red and yellow squiggles in the middle of Afghanistan and Syria. United States soldiers jogging around the perimeters of their bases are quite literally highlighting the locations of possible secret military facilities.

Strava was designed to track athletic activity – not military secrets. Founded in 2009, the app was estimated to have over a million users in 2015, with the heatmap documenting more than one billion athletic activities covering 5 per cent of all land on earth. Yet the headlines now surrounding this map showcase the unintended and unplanned consequences of modern technology. An Australian student called Nathan Ruser first tweeted about US army bases being “identifiable and mappable” via Strava, and global security experts are now issuing warnings about the app.

If you’ve never heard of Strava until now, it simply makes the story all the more troubling. If a small start-up has this much data, and can cause this much danger, what of Google, Facebook and Apple?

The Strava furore is about a security threat in the most high-level sense. But the app threatens the security and privacy of its individual users, as well as their nations. Just because there isn’t a secret army base along your jogging route, it doesn’t mean you have nothing to worry about. Freely handing over your location, health information and private details to a company is inherently troubling. When you use Strava, you assume you’re tracking yourself – in fact, you’re allowing advertisers, and potentially stalkers or hackers, to monitor your every move.

Humans are inherently tactile creatures, and as data is intangible it is hard to visualise the amount we hand over every day. Strava has finally allowed the world to see the amount of information new tech companies have about their users. The app isn’t unique because it’s collecting masses of data about you or the military – it’s unique because it’s letting you see what it has collected.

In response to complaints that it has compromised military secrecy, Strava pointed out that the app allows users to opt out of publicly sharing their exercise routes. “We are committed to helping people better understand our settings to give them control over what they share,” Strava said, placing the onus on the exercising soldiers, rather than on its own technology.

Although the privacy implications of Strava’s heatmap are troubling, we can’t blame an app for the army’s mistakes. In the past, Russian soldiers taking selfies have revealed military secrets, and in 2016 Israeli personnel were banned from playing the mobile game Pokémon Go over similar fears.

The US army obviously needs to be educated about the dangers of location-tracking tech in top-secret locations. But this is a much-needed education for us all. When it comes to warnings about privacy, the Strava story is a fire bell in the night.

Headline-grabbing security stories tend to be the most salacious and sexy, such as when it emerged in October 2017 that Apple’s artificial intelligence could identify and label pictures on iPhones featuring people wearing bras and bikinis (the technology worked offline within individual devices, so photos remained private).

When secret military bases and intimate pictures are on the line, it’s easy to be concerned about our privacy. Yet most people aren’t aware that Google Maps is recording you wherever you go, that Facebook’s facial recognition is actively looking for photos of you across the site, and that Instagram has licence to use your photos however it likes.

There is an added irony: our appetite for extreme stories about privacy has further threatened US army bases. The headlines generated by the Strava incident mean that anyone and everyone is now aware of the app’s security flaws; aid compounds and refugee camps are already mistakenly being labelled as army bases. This could arguably be avoided if everyone – not just Strava and the army – were better informed about digital privacy.

When we download an app, we are voluntarily handing over our data. And most of us still tick “I agree to the terms and conditions” without reading them. But if we can’t trust companies to simplify their privacy policies for us, we will have to start exercising far greater caution online. 

Amelia Tait is features editor at Shortlist.com; she was previously the New Statesman's tech and digital culture writer, and tweets at @ameliargh.

This article first appeared in the 02 February 2018 issue of the New Statesman, The Great Migration