The downside of Strava

[AFHokie]

@cvcalhoun 173518 wrote:

U.S. soldiers are revealing dangerous information by jogging
http://wapo.st/2nlhXed

Who smuggled a fitbit into North Korea and who in NK is allowed to access Strava?

https://labs.strava.com/heatmap/#12.60/125.75131/39.03855/hot/all

Sent from my SAMSUNG-SM-G930AZ using Tapatalk

[TwoWheelsDC]

Can say from personal experience that special forces folks (and the military writ large) are shockingly bad at this type of opsec. “What do you mean I can’t wear my smart watch in the SCIF?!?”

[peterw_diy]

@TwoWheelsDC 173537 wrote:

Can say from personal experience that special forces folks (and the military writ large) are shockingly bad at this type of opsec

From the article: “the Pentagon has encouraged the use of Fitbits among military personnel and in 2013 distributed 2,500 of them as part of a pilot program to battle obesity.”

Brilliant, especially since IIUC Fitbit can only work by sending data to Fitbit servers. (While not easy, at least it appears possible to use Garmin fitness trackers and only collect data locally.)

[Judd]

So the even more fun thing is that you can create a GPX file of a fake activity at one of these areas of interest and then use that to grab a whole bunch of flyby information about individual users, what routes they traveled and when.

Sent from my iPhone using Tapatalk

[consularrider]

Well I did ask our RSO (Regional Security Officer) in Kyiv if there was any issue with me using Strava, especially when riding withe Ambassador.

[peterw_diy]

@consularrider 173554 wrote:

Well I did ask our RSO (Regional Security Officer) in Kyiv if there was any issue with me using Strava, especially when riding withe Ambassador.

And the answer was…?

[hozn]

Interestingly — and maybe relatedly — Strava just made some drastic privacy changes to their APIs. It is pissing off a lot of people, but basically you can no longer get (via API, anyway) things like athlete IDs on segment leaderboards, related activities, or list rides for friends of authenticated athletes. Essentially the Strava API tokens will really only return information for the authorized user now with sometimes vague (firstname + last intial) references to other strava users (but I believe even then only on segment leaderboards).

Kinda throws a wrench into our thoughts of using “related-activities” for scoring (since that information disappeared), but it is a little surprising that this is all still available on their website and in the APIs they use for their apps (it used to be that the features and limitations in their apps matched their published API capabilities).

[Emm]

I’ve always had a gripe with the fact that Strava’s heat maps show private activities, and the portions of activities within your privacy range. So I’m not surprised this eventually came up as a problem, and it’s something I hope Strava fixes somehow. When you live or bike somewhere that’s pretty busy, it’s likely not a major concern since it’s clearly not just you on the route. But if you have your privacy setting so that people can’t find your house, and you live somewhere that isn’t on a popular route, it can cause issues.

For example–see the below loop of my neighborhood on the freezing saddles heat map. It clearly shows a little inlet where I’ve started my garmin on my driveway.

[ATTACH=CONFIG]16596[/ATTACH]

Here’s what it looks like on Strava–where I have a privacy setting in place:
[ATTACH=CONFIG]16597[/ATTACH]

I’ve posted my home address on the forum before, so I’m not screaming about this for freezing saddles since 30 seconds of work on the forum could tell any of you where I live. But generally, I’d prefer things in my privacy zone not appear on heat maps, especially as my home isn’t on a popular route. I put the privacy setting up for a reason–I don’t generally want random Strava people knowing exactly where I live. So hopefully this issue causes Strava to re-think what data they show on heat maps.

[TwoWheelsDC]

@Emm 173585 wrote:

I’ve always had a gripe with the fact that Strava’s heat maps show private activities, and the portions of activities within your privacy range. So I’m not surprised this eventually came up as a problem, and it’s something I hope Strava fixes somehow. When you live or bike somewhere that’s pretty busy, it’s likely not a major concern since it’s clearly not just you on the route. But if you have your privacy setting so that people can’t find your house, and you live somewhere that isn’t on a popular route, it can cause issues.

For example–see the below loop of my neighborhood on the freezing saddles heat map. It clearly shows a little inlet where I’ve started my garmin on my driveway.

[ATTACH=CONFIG]16596[/ATTACH]

Here’s what it looks like on Strava–where I have a privacy setting in place:
[ATTACH=CONFIG]16597[/ATTACH]

I’ve posted my home address on the forum before, so I’m not screaming about this for freezing saddles since 30 seconds of work on the forum could tell any of you where I live. But generally, I’d prefer things in my privacy zone not appear on heat maps, especially as my home isn’t on a popular route. I put the privacy setting up for a reason–I don’t generally want random Strava people knowing exactly where I live. So hopefully this issue causes Strava to re-think what data they show on heat maps.

I just discovered the little checkbox that is on by default that allows for “anonymous” sharing for heatmap purposes. That box is now unchecked…

[Emm]

@TwoWheelsDC 173588 wrote:

I just discovered the little checkbox that is on by default that allows for “anonymous” sharing for heatmap purposes. That box is now unchecked…

Good to know that exists! I haven’t seen it before, and I reviewed the privacy settings pretty thoroughly. Likely not thoroughly enough though.

I’ll likely leave it checked since I don’t actually care enough, and I’m hopefully moving to a busier area soonish. But it’s something they might want to make more obvious to people. I still wish they’d have a “exclude private rides/rides within your privacy zone” option. The all-or-nothing approach isn’t ideal.

[n18]

@peterw_diy 173538 wrote:

From the article: “the Pentagon has encouraged the use of Fitbits among military personnel and in 2013 distributed 2,500 of them as part of a pilot program to battle obesity.”

Brilliant, especially since IIUC Fitbit can only work by sending data to Fitbit servers. (While not easy, at least it appears possible to use Garmin fitness trackers and only collect data locally.)

All Fitbit devices are water resistant; not water proof, unlike Garmin which is usually water proof, so this is another reason to go with Garmin.

[hozn]

@Emm 173591 wrote:

Good to know that exists! I haven’t seen it before, and I reviewed the privacy settings pretty thoroughly. Likely not thoroughly enough though.

I have a suspicion that lots of the options on that privacy page have not existed for very long. I also had never seen that one before. (I also don’t remember the Flyby privacy option, though maybe that is just me being forgetful.) I suspect Strava has known about these issues a little longer than the media attention and has been trying to get ahead of this.

[Emm]

Looks like things just got worse:

http://www.wired.co.uk/article/strava-military-bases-area-51-map-afghanistan-gchq-military

“By uploading an altered GPS file, it’s possible to de-anonymise the company’s data and show exactly who was exercising inside the walls of some of the world’s most top-secret facilities. Once someone makes a data request for a specific geographic location – a nuclear weapons facility, for example – it’s possible to view the names, running speeds, running routes and heart rates of anyone who shared their fitness data within that area.”

[Brett L.]

To me, this is less Strava’s problem and more so – you should not be broadcasting your location if you’re in a secret location……

[LhasaCM]

@Brett L. 173713 wrote:

To me, this is less Strava’s problem and more so – you should not be broadcasting your location if you’re in a secret location……

Agreed. I do think Strava (and others) need to be more mindful of privacy and default to sharing nothing/as little as possible; make users opt into sharing details rather than having to opt out. But the primary onus should be on the user; in some of these cases, users reportedly were creating segments/leaderboards at what would theoretically be a secret location. That seems problematic.

[Author]

Posts