A loophole in a popular fitness app, Strava, may allow access to home addresses even of users with private accounts, researchers say.
Strava is one of the most popular fitness-tracking applications in the world that enables users to upload activities-related data, including time-stepped GPS data, heart rate, cadence, and more.
To protect privacy, Strava allows private profiles, where users only share data with selected people, and hides the beginning and end of users' routes.
However, North Carolina State University researchers discovered a loophole in a "heatmap" feature, which aggregates activity data in a given area. While all the user data is anonymized, the heatmap feature allows users to see how many other Strava users generate "the heat" — that is, go hiking, running, or cycling there.
After analyzing nearly 500,000 screenshots of heatmap activity in Arkansas, Ohio, and North Carolina and combining them with OpenStreetMap and voter registration data, the researchers found a 37.5% chance of a user's home address being identified.
Tracking a specific person would be difficult in densely populated areas with many routes and users.
"However, in areas where there are few users and/or few routes, it becomes a simple process of elimination – particularly if the person someone is looking for is a highly active Strava user. Even users who have marked their accounts as private show up when anyone searches for a list of all the users in a given municipality, so marking an account private doesn't necessarily provide additional protection against this tracking technique," says Anupam Das, senior author of a paper on the work and an assistant professor of computer science at North Carolina State University.
When the researchers contacted Strava about this issue, the company said it only shares heatmap data if several users are active in a given area. Nevertheless, the research team could still identify some users' home addresses in certain areas using the heatmap feature.
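The defensive control the company describes, aggregating a cell only when several users contributed, is illustrated below as an added example that is not Strava's code: a heatmap builder that applies a minimum-contributor threshold k, honours the opt-out, and drops each route's start and end points. The grid size, sample routes and user names are constructed for the demo.

```python
"""Added example (not Strava's code): k-anonymous heatmap aggregation over
constructed routes. A grid cell is published only when at least k distinct
users contributed, opted-out users never contribute, and the first/last
points of each route (the hidden start/end) are trimmed before counting."""
from collections import defaultdict

CELL_DEG = 0.001  # grid cell of ~100 m at mid latitudes (demo assumption)

def cell_of(lat, lon):
    """Map a GPS point to a coarse grid cell key."""
    return (round(lat / CELL_DEG), round(lon / CELL_DEG))

def trim_endpoints(points, n):
    """Drop the first and last n points so a route's start/end never contribute."""
    return points[n:len(points) - n] if len(points) > 2 * n else []

def build_heatmap(activities, k, trim=1):
    """activities: list of {user, opted_out, points}. Returns {cell: contributors}
    for cells reaching the k-distinct-user threshold; sparse cells are suppressed."""
    users_per_cell = defaultdict(set)
    for act in activities:
        if act["opted_out"]:  # 'aggregated data usage' opt-out: skip entirely
            continue
        for lat, lon in trim_endpoints(act["points"], trim):
            users_per_cell[cell_of(lat, lon)].add(act["user"])
    return {c: len(u) for c, u in users_per_cell.items() if len(u) >= k}

# Constructed sample: users a, b, c share a trail; "solo" is the only rider in
# a residential area and starts from a house at (35.7700, -78.6400).
TRAIL = [(35.7800, -78.6500 + i * 0.001) for i in range(5)]
ACTIVITIES = [
    {"user": "a", "opted_out": False, "points": TRAIL},
    {"user": "b", "opted_out": False, "points": TRAIL},
    {"user": "c", "opted_out": True, "points": TRAIL},  # opted out
    {"user": "solo", "opted_out": False,
     "points": [(35.7700, -78.6400 + i * 0.001) for i in range(5)]},
]
HOME_CELL = cell_of(35.7700, -78.6400)

def solo_cells_published(k, trim=1):
    """Cells on the lone rider's route that survive the threshold k."""
    hm = build_heatmap(ACTIVITIES, k, trim)
    return sorted(c for c in hm if c[0] == round(35.7700 / CELL_DEG))
```

With k=1 the lone rider's route (and, without trimming, the home cell itself) is published, which is the sparse-area leak the researchers exploited; with k=2 every cell that only that user touched is suppressed.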
However, the study has limitations. The model used in the study assumes users begin their activities from their home addresses, but many athletes start from a trailhead, participate in competitions, etc. Moreover, only 37% of users could be matched to voter registration data, while others had opted out of contributing to the heatmap. Users who do not list their home city also do not show up in search.
It is not the first time Strava has come under fire for privacy issues. In 2018, a student from Australian National University discovered that the Strava heatmap highlighted the locations of military bases and outposts, causing national governments to restrict the use of fitness apps on military bases.
While the findings could be problematic for users who are concerned about stalkers or would prefer to keep their location data from the public, there is something they can do to protect their privacy on Strava.
Das says: "Users can go into their Strava account settings and opt out of contributing data to the 'aggregated data usage' feature, which would remove their routes from the heatmap altogether."