Sharing your routes with friends and followers is a beloved practice among Strava users. But in recent years, the app’s location settings have been called into question as a potential security threat to runners everywhere. Recently, researchers at North Carolina State University took a closer look at privacy issues in the app.

In 2015, Strava introduced a feature called “heatmap” that aggregated data from the runners, cyclists, and hikers who relied on the app to trace their routes and track their stats. Heatmap allowed users to discover popular trails, meet friends, and complete their workouts in safer, more well-trafficked locations.

However, the researchers found that the heatmap feature may have unintentionally created a tool for tracking and de-anonymizing users if the map data is combined with specific user metadata.

To test their theory, NCSU researchers ran an impressively geeky test that involved collecting data from heatmaps in Arkansas, Ohio, and North Carolina over the course of a month. They then analyzed the heatmap images, overlaid images from OpenStreetMap (a free geographic database), and pulled available user location data. In the end, their study indicated that finding users’ home addresses is possible using the heatmap, especially given that so many users provide their full names and profile images on the app.

By correlating their findings with voter registration data, the researchers also discovered that their location predictions were roughly 37.5 percent accurate. “A more active user produces more heat on the Strava heatmap and therefore is more easily identified,” said the study authors. They also noted that users living in densely populated or unpopulated areas would be the most difficult to track.

Strava does allow users to change map visibility settings and hide their home addresses (or other additional addresses). Further, polylines hidden this way would not be included in the Heatmap.

Strava commented on the study findings: “The safety and privacy of our community is our highest priority. We’ve long had a suite of privacy controls (including Map Visibility Controls) that give users control over what they share and who it’s shared with.

“Strava does not track users or share data without their permission. When users share their aggregated, de-identified data with the Heatmap and Strava Metro, they contribute to a one-of-a-kind data set that helps urban planners as they develop better infrastructure for people on foot and bikes, and makes it easy to plan routes with the knowledge of the community.

“The Global Heatmap displays aggregated data from a subset of Strava activities and will not show ‘heat’ unless multiple people have completed an activity in a given area. Any Strava user who does not wish to contribute to the Heatmap can toggle off the Aggregated Data Usage control to exclude all activities or default their Activity Visibility to be only to themselves (‘Only You’) for any given activity.

“We are consistently strengthening privacy tools and offering more feature education to give users control over their experience on Strava. This includes simplifying our Privacy Policy with our Privacy Label at the top.”

Kells McPhillips
Contributing Writer

Kells McPhillips is a health and wellness journalist living in Los Angeles. Her work has appeared in Runner's World, The New York Times, Well+Good, Fortune, Shape, and others.