The Strava Heat Map: How a Social Network for Athletes Turned into a National Security Threat
Strava prides itself on “connecting the world’s athletes.” Founded in 2009, the California-based company aims to be a social network for athletes.
Strava is both a website and mobile application that tracks user fitness activity across distances and user-created “segments” or routes. Strava utilizes global positioning system (GPS) technology to record various aspects of position and time during user fitness routines. In addition to collecting data from user apps/devices that connect with Strava, users can contribute their individual-level exercise data manually or from a file.1 Strava also functions as a social network in that users can follow others and, there is a feature that groups users into communities based on their location and routes.
In November 2017, Strava announced the first major update to its global heat map. This heat map feature is a data visualization of all of the activity tracked by Strava users. The heat map includes over 3 trillion individual GPS data points and over 1 billion activities.2 However, shortly after its release, United States (US) military analysts discovered, via the tweets of a student in Australia, a security issue posed by the update.3 The heat map revealed highly sensitive information about the location and movement of active duty service members using the Strava app. When combined with Google Maps and satellite imagery, the heat map revealed routes to and around US military bases and combat zones in Afghanistan and Syria.4 The US armed forces are aware of security threats posed by the use of fitness-tracking devices and cautions service members about using mobile apps that include location tracking features. For instance, the US army has implemented a ban on the use of personal electronic devices in sensitive regions.5 Yet, while precautions are in place, the potential security threats remain dynamic and persistent.
So, while the global heat map revealed potentially serious national security concerns, this isn’t the first time Strava has introduced threats to user privacy and data confidentiality due to its location tracking capabilities. In 2015, Strava users were targeted by bike thieves, which law enforcement officials linked to user data being shared on the Strava platform.6 The thieves utilized publicly available GPS data on Strava to identify an opportune moment to commit the robberies: when cyclists and joggers were out on their regular exercise routes.7 The Strava heat map and bicycle theft incidents highlight the need for user awareness regarding the nature of data collected by mobile apps and other pervasive sensing technologies. The massive volume and granularity of data collected creates opportunities for insights far beyond the use of the Strava app/device.
The goal of this communication is to highlight the potential risks introduced by tech enabled devices and applications. The Strava app was, for our purposes, a “use-case” to demonstrate one technology that collects personal and identifiable information about its users. Examples like Strava are why we are asking developers, researchers, regulators, and ethicists to consider the ethical, legal and social implications with tech-supported research.
The Connected and Open Research Ethics (CORE) initiative was launched in 2015 with support by the Robert Wood Johnson Foundation. CORE is represented by a global community of over 500 stakeholders who are shaping ethical best practices in research using new tools and methods. CORE features:
- The CORE Network is a growing learning community who together are shaping ethical practices (e.g., risk assessment, data management, informed consent).
- The CORE Q&A Forum to post questions or share expertise.
- The CORE Resource Library to share policy and give/take snippets of IRB-approved research protocol and consent language.
Sign up for the CORE Network today by clicking here.
- “Run and Cycling Tracking on the Social Network for Athletes.” Strava, www.strava.com/features.
- Robb, Drew. “The Global Heatmap, Now 6x Hotter – Strava-Engineering – Medium.” Medium, Strava-Engineering, 1 Nov. 2017, www.medium.com/strava-engineering/the-global-heatmap-now-6x-hotter-23fc01d301de?_branch_match_id=497966050024875507.
- Hsu, Jeremy. “The Strava Heat Map Shows Even Militaries Can’t Keep Secrets from Social Data.” Wired, Conde Nast, 30 Jan. 2018, www.wired.com/story/strava-heat-map-military-bases-fitness-trackers-privacy/.
- Liptak, Andrew. “Strava’s Fitness Tracker Heat Map Reveals the Location of Military Bases.” The Verge, The Verge, 28 Jan. 2018, www.theverge.com/2018/1/28/16942626/strava-fitness-tracker-heat-map-military-base-internet-of-things-geolocation.
- Brooks, Jason L, and Jason A Gross. Security Issues and Resulting Security Policies for Mobile Devices. 2013,Security Issues and Resulting Security Policies for Mobile Devices. http://www.dtic.mil/dtic/tr/fulltext/u2/a579735.pdf
- MailOnline, Gemma Mullin for. “Thieves Using Apps Strava and MapMyRide to Spy on Cyclists and Steal Their Expensive Bikes after Finding out Where They Live .” Daily Mail Online, Associated Newspapers, 28 Jan. 2015, www.dailymail.co.uk/news/article-2928129/Warning-thieves-using-cyclists-apps-Strava-MapMyRide-live-steal-expensive-bikes.html.
- Nebeker, C., Linares-Orozco, R., and Crist, K., (2015). A multi-case study of research using mobile imaging, sensing and tracking technologies to objectively measure behavior: Ethical issues and insights to guide responsible research practice. Journal of Research Administration 46(1):118-137. https://thecore.ucsd.edu/wp-content/uploads/2016/10/Nebeker-JRA-Spring-2015_Manuscript.pdf