Of all the companies to have possibly handed China classified information on Taiwan's missile command centre, Strava seemed an unlikely culprit. But here we are, with the fitness app in the middle of a storm after its heat maps unwittingly exposed activity in military bases around the world. Not a great moment to be Strava, but the fitness company is just one orange blob on a much bigger, more problematic picture.
In Strava's case, not only does it highlight routes most heavily traveled by military personnel, but as people quickly discovered, it's possible to scrape segments and find the names of individuals and the dates of their activities.
That Strava is the biggest one-stop shop for so many fitness watches and trackers means its data is particularly rich and revealing, but it's not the only one doing this. Suunto's Movescount app has a heat map of its own which, while not as detailed as Strava's, is still revealing. Garmin has one too, though the company told us in a statement that it only provides heat map data where it has released a map with Trendline Routing support and includes publicly available road or trail data. That means it's limited to select major cities in just a handful of countries, but a cursory look shows there's still plenty of information to be seen.
We are emitting location data way faster than we can understand the implications
John Scott-Railton, senior researcher at The Citizen Lab (Munk School of Global Affairs, University of Toronto) calls it "Fit leaking". He believes that what we're seeing is a microcosm of a bigger problem around how fitness companies are capturing and using the location data we emit.
"The bigger issue is that most apps enter the world collecting as much data as their developers think might be useful," he tells us, "and of course developers are going to experiment with different things they can do with the data."
So who's at fault?
The problem is one of transparency and consent. I already have a Strava account, but in light of this story I signed up for a fresh one to see how the privacy options are presented to new users. In short, not at all, and neither are they on Suunto's Movesense app; in both cases they're opt-out. On Strava, all of my activities were immediately set visible to the public. At the bottom of the settings menu, in tiny print, it informs me I can hide my home or other sensitive locations by making what Strava calls 'Privacy Zones', but to do so I must leave the app and sign in on the web browser. This is also where users must go if they want to opt out of sharing their heat map data. For its part, Strava says it's currently working to "simplify" the privacy and safety features, in light of the incident.
It's in the interest of a company collecting this kind of data to not discourage everybody from sharing it
At the least, Strava has some level of granularity to these options, which is more than I can say for Suunto and its smaller, more ambiguous set of choices. My privacy was set to 'public' by default when I created a new account. I could change it to private or an option called 'Public/groups & events' but it doesn't tell me what any of these mean in practice.
I could go on, but it's going to be a similar story wherever you look. The fact that these companies aren't doing a sufficient job of signposting privacy settings is what led us to this Strava debacle in the first place. "It's very much in the interest of a company collecting this kind of data to not really discourage everybody from sharing it," says Scott-Railton. "They want that data."
Furthermore, just because these maps offer a way to see our data laid out in front of us, it doesn't mean others don't hold as much – if not more – information. Fitbit, for example, is another huge repository for this sort of data, but chooses to keep it private. "The vast majority of Fitbit users are not Strava users and would not be included in Strava's data set," it told us in response to the Strava story. That might be so, but these companies are still sucking up and holding onto potentially sensitive data.
If you make privacy settings opt-out, most people aren't going to opt out
The Strava incident makes a case for fitness companies to be more transparent about the types of information they're taking from us, and better signpost how users can choose whether we want this information to be shared.
"I think figuring out what privacy controls should be present for location data in wearables should become the top-line activity of every company that sells a wearable that captures this kind of information right now," says Scott-Railton. "Specifically though, Strava's case illustrate that if you make privacy settings opt-out, most people aren't going to opt out, even in very high risk areas."
Potentially sensitive information extends beyond these high-risk military zones too. After all, it's hard to know what type of information you're emitting that could become dangerous when it falls into someone else's hands. "Business and insurance companies that have issued fitness trackers to help people manage their weight and be healthy employees might not realise those employees might also be emitting tremendous amounts of information about how their companies operate, how busy is the factory, what are their shifts like, where is the mining exploration going on?" says Scott-Railton. "What Strava has done is give us a bright, shiny, spooky, glowing map that we can all point to and say, 'Here's the risk'."
But the industry as a whole has a problem, he adds. "We are emitting location data way faster than we can understand the implications. And as a result we're playing catch up."
It's a wake-up call for fitness tracker companies to think about how they handle our data. In its quest to be more of a social network, it was probably inevitable that Strava would be the one to take the hit, but this is a much bigger discussion that involves every other fitness platform that's vacuuming up data right now. The Strava case will no doubt be drawing a fair amount of regulatory attention. Ideally this is something the industry can self-regulate, but we also need to be taking matters into our own hands and figuring this out for ourselves.
The more immediate question is: what kind of response are fitness tracking companies going to show? "Is it going to show it can be mature as a company and take responsibility for this and act quickly to mitigate the harm – and show it's going to change behaviour?" says Scott-Railton. "Or will it be the case that everyone in the industry winces about, hopes doesn't happen to them, and recognises as a turning point in public opinion?"
In a blog post, Strava has already pledged to "increase awareness" around privacy features, but whether this extends to changing its policies to be opt-in is another matter – time will tell. But this could be the start of a shift in the conversation about the personal data we share.
How we test