Fitness Tracker 'Heatmap' Dubbed Privacy Risk

John Lister's picture

Researchers say a feature in a jogging and running app called Strava makes it possible to track down a user's home address. However, they make a pretty weak argument about how plausible and successful an attack would be.

Strava lets users track their fitness activities, including running routes. Since 2018, the app has included a "heatmap" feature that shows areas where a lot of users are active. The idea is to let people spot well-used running routes that may be useful for their needs.

The feature has already been criticized after it revealed routes used by US military personnel on foreign deployments. This not only produced outlines of bases, but also showed which public areas runners used, indicating they (perhaps incorrectly) felt those places to be safe.

Strava already has privacy measures to protect users who post their own routes through the app to share their progress. For example, the first and last one-eighth of a mile can be automatically obfuscated from routes.

Heatmap Can Be Revealing

However, researchers at North Carolina State believe the heatmap feature can undermine this advantage. That's because in some locations, such as where somebody is the only regular Strava user, it's possible that just one person's activity is enough to show up on a heatmap. (Source: anupamdas.org)

They researched heatmap data in three areas and used automated software to figure out which "heatpaths" began and ended at residential addresses. They then cross-referenced this with public Strava data showing when users had begun and ended activity such as runs.

Using publicly shared names on Strava profiles, they attempted to identify individuals by their address. They then compared this with publicly available voter registration data to check if they were correct.

Success is Limited

While the method worked in principle, the practical success rate was just 37 percent. Even that is somewhat overstating the effect as success was classified as getting an address to the nearest 100 meters. Clearly in many densely populated areas, that's not enough to identify a specific home for certain.

The researchers do make a good point in saying "The ability to identify the home address of Strava users is a violation of user privacy. It demonstrates that seemingly anonymous data is not truly private and can leak information about users."

However, it's unclear at best that this could reliably be used for malicious purposes such as by a stalker who wanted to find someone's home or figure out their regular running routes.

Either way, beyond measures such as not using Strava at all or using a fake name and no profile pic, the researchers do have one key tip to increase privacy. They note users can go to the Privacy Controls section of the app settings, and change the Edit Map Visibility to hide more of the start and finish of each activity, up to a maximum of one mile. (Source: connectthewatts.com)

What's Your Opinion?

Do you use fitness trackers? Do you give much thought to privacy? Have the researchers revealed something important or are their warnings overblown?


Comments

doulosg's picture

...or I wouldn't share the details publicly.
I use Map My Walk, and I delete the run as soon as I'm finished. All I typically use it for is to collect stats (distance and speed) on a one-off basis. I've used Strava and didn't care for its mapping features, and I had no interest in it as a social media tool.